One of my favorite topics, routing. Routing is the logic behind how things get from point A to point B. From a super top level view routing can be divided up into 2 categories, static and dynamic. We’ll explore in depth the differences between the two and some of the protocols behind how it works.

First let’s figure out where routing comes into play as far as the traffic flow goes. Routing lives at layer 3 of the OSI model, also called the Network layer. This is where some real magic happens. In a typical home network set up you’ll have a router on the edge of your network, and a switch connected to that router (most home routers have a switch built in). We will go over switching in another talk, but we should know that it lives on layer 2, the Data Link layer.

So let’s say you have your PC plugged into the switch and traffic leaves your pc bound for the internet. The traffic would hit the switch and the switch would determine that the destination is on the same network or on a different one. Once it sees that it is bound for a different network it will send it on the the router, and the router will figure out how best to send the traffic.


A Router is basically just a low powered computer with two network cards that are connected to two different networks running software that figures out how traffic should go. There are many kinds of routers, but most are pretty similar in construction. Most have one interface for the WAN (internet) and one interface for the LAN. Most home routers this interface is internal and logical instead of physical and connects to both the integrated switch, and probably the wifi radio. The router’s job is to connect two different networks together and follow rules on how data is allowed to flow.

The Process of Routing

So how do routers know where to send the traffic? With a table of course! The routing table is very important to the routing process, hence the name. The main parts of the routing table are the destination network IP addresses, and the interfaces it should send traffic to get to those networks. Remember back in the subnetting post when we talked about the network portion and the host portion of IP addresses and how to use the subnetmask to determine which part is which? Here is where that becomes very important.

We’ll go over how the routing table works when we get to static routing, but let’s review the basic routing process real quick.

Data comes in, the router looks at the destination address and compares it to it’s routing table then sends it out the interface the table tells it to.

Static Routing

So how do things get entered into the routing table? Well that’s where the difference between static and dynamic routing come into play. Static routing is exactly what it sounds like, a route that doesn’t change. Generally with Static routing you are manually entering things into the routing table. Saying things like network is available through interface X, or to a next hop address. Routers are smart enough to know what network each of its interfaces are in based on their IP and subnetmask. Ok but what if a packet comes in and the destination address isn’t in the routing table? There are two options, either the packet is dropped or it gets sent out according to a special route entry called a default route. This works very similarly to the default gateway on your computer. If no specific entry fits this traffic send it here.

Most of the time the default route will be set and that’s really all you need on a home router, but if you have multiple networks at home separated by different routers then some additional static routes will be required. Example

Lets say you had a server network and a host network at home and both were hooked up to the internet through an edge router. Lets say the network looks like below:

Servers =
Hosts =
Router network =

the edge router would need to know the following: if dest = 192.168.2.x send out LAN interface if dest = 192.168.3.x send out LAN interface it will already know that 192.168.1.x is connected to its LAN interface based on the LAN interface IP and subnetmask.

the other routers will just need default routs to the edge router, and the edge router will need a default route to your ISP. This way all communication can take place.

But why would you do this, why wouldn’t you set it up so that everything was on the same network with one router?

Well on most routers you can put Access rules, or firewall rules to allow or disallow some traffic. For instance if your servers will only ever need traffic from the hosts network and nothing originating from the internet you can set that up. You could also say these are web servers so only port 80 is allowed inside. It helps make you more secure.

Dynamic Routing

Yeah static is all well and good, but what if you have a corporate network with many networks to route between and many different paths to take? And what happens if a path along a static route goes down for some reason?

Very good questions! This is where dynamic routing comes in. Dynamic routing has a few advantages to static routing 1. It will automatically lean routes from its neighbors 2. IF a link goes down or gets slow it will automatically adjust to a different route if available

There are many different protocols that go along with Dynamic routing. One of the first, if not the first, is RIP (Routing Information Protocol). RIP was a simple protocol, it shared hop counts with it’s partners. No other metric was calculated just how many routers will we pass through. This sounds great if all else is equal, but of course its not. For example if one route had just 3 hops, but all of the links were 10kb/s links, and another route was 4 hops and all the links were 1gb/s obviously the second way would be faster, but RIP doesn’t take that into consideration. Which is why other protocols were created. OSPF

OSPF stands for Open Shortest Path First, and is the most popular routing protocol to use in internal networks today. OSPF takes several things into account when it decides routes. For one thing link speed does matter, as well as hop count, and what priority you want to set it. OSPF works on the concept of areas and neighbors. There are several different kinds of areas, but this is not important to understand static routing in general. We can go into these areas if you wish, but that would be a talk all on its own. It is safe to say that OSPF is the protocol of choice for most enterprises when setting up a large enough network that would require a more robust routing protocol. EIGRP

EIGRP is alot like OSPF, it uses a metric like OSPF does that takes several factors into account when determining route score. The biggest difference here is OSPF is an open standard, and EIGRP is a proprietary Cisco protocol. Both are valid options when deciding on a dynamic routing protocol, and offers similar feature, normally just called something else. BGP

The Border Gateway Protocol is the protocol that runs the internet. It really deserves it’s own talk so we won’t go into it here, but just know that it does indeed run the internet.

Bringing it all together

So to recap, a router is just a computer with 2 or more network cards that can handle the logic to forward traffic from one network to another. Routers use routing tables to know where to send what traffic. Static routes are routes that are added to the table automatically. Dynamic routing is a way for routers to automatically learn routs from their peers. And there are several different Dynamic routing protocols to choose from. How does all of this work together though?

So a router has a routing table, and all the routs it knows about have to go in that table, if there are multiple ways for traffic to flow to the same place in the table how does it choose which one to use? Routers give different priorities to different kinds of routes. The basic hierarchy goes as follows:

  1. static routes to specific networks (not default routes)
  2. Routes learned by Dynamic routing protocols
  3. default routs

The default route will always have the lowest priority because its is meant as a last resort, if we don’t know anything about this destination send it this way.

Bringing it back to Hacking

If you get root on a router you own that routers table. You can add static routes that might be evil, like sending all traffic through a specific place to sniff, or dropping all traffic to deny service to the entire network. That’s an obvious attack method though, but we are hackers, we can’t stop at the obvious. Some neat hacks include the dynamic routing protocols. Let’s take OSPF for example OSPF trusts it’s neighbors to tell it information about routs. Let that sync in. OSPF trusts its neighbors for information on its routes. So what happens if you own one such neighbor? You control the information another router - one that you might not even own - is basing its routing logic on. I’m sure you can see where this could be very useful. Basically execute the above attack, but remotely from your own OSPF enable router. Its definitely an intriguing idea.

That being said OSPF does include a method for verifying neighbors. MD5 Hashing with a shared secret helps keep it “safe”. However if you can crack the secret, or if you get root on an existing neighbor you can own the routing table for all routers in the area. Which is quite the exciting opportunity.


I feel like this one was a bit longer. Thank you for coming along with me on this journey though that strange and wonderful layer 3 of the OSI model. Feel free to ping me on LHC if you have questions comments or want to chat for a bit, I’ll usually answer within a day or two max if I get busy, or feel free to drop me a DM and we can chat that way too. And remember kiddos, always play with fire, no matter what your mother tells you. It’s fun.