Part I: Network Theory Chapter 7

Routing and Network Infrastructure

Routing protocols, BGP security (RPKI), NAT, SD-WAN, and how data finds its way across the internet

Chapter 7: Routing and Network Infrastructure

The Two-Hour Internet Hijack of a Cryptocurrency Exchange

On April 24, 2018, attackers carried out a BGP hijack that hit MyEtherWallet, a popular cryptocurrency wallet service, without touching MyEtherWallet’s own network. For roughly two hours, bogus BGP announcements of more-specific prefixes covering part of Amazon’s Route 53 DNS address space pulled DNS queries away from Amazon. Resolvers that asked the hijacked address space for myetherwallet.com got back the address of an attacker-controlled server in Russia.

Users who visited MyEtherWallet during that window landed on a phishing copy of the site. It used a self-signed certificate, so browsers showed a warning, but enough people clicked through: victims who entered their keys had their wallets drained, and roughly $150,000 in Ether was stolen.

How did attackers redirect traffic meant for one of the world’s largest cloud providers? They exploited BGP, the protocol that determines how traffic flows across the entire internet. BGP is built on trust: routers believe what other routers tell them about which networks they can reach, and there is no built-in check that an announcement is legitimate.

This incident wasn’t unique. BGP hijacks happen regularly, sometimes accidentally (a misconfiguration in Pakistan once took down YouTube globally), sometimes maliciously. Understanding routing, how it works and how it can fail, is essential for anyone working in network security.


Finding the Path

When you send a packet to a server halfway around the world, how does it get there? This might seem like a simple question, but the answer involves one of the most elegant and critical systems in all of computer networking.

Your computer doesn’t know the complete path; it only knows to send packets to its default gateway (router). From there, each router along the way makes an independent decision about where to forward the packet next, based on a routing table that describes the network topology as that router knows it.

Routing is the process of selecting paths through a network. It’s what makes the internet, a network of networks, function as a coherent whole.

Think of it like asking for driving directions before GPS existed. You might know how to get to the highway, but you don’t know every turn to reach your destination. Instead, you follow signs, ask for directions at key points, and trust that each segment of guidance will get you closer. The internet works similarly: each router only needs to know the next step, not the entire journey.

In this chapter, we’ll build up from the basics of how individual routers make forwarding decisions, to the protocols that let routers share information with each other, to the global BGP system that ties it all together. We’ll also explore NAT, which enables the modern internet despite IPv4 address exhaustion, and SD-WAN, which represents the latest evolution in enterprise networking.


Routing Fundamentals

Let’s start with the basics: how does a single router decide where to send a packet? Understanding this foundation is essential before we can explore how routers learn about networks they’ve never seen.

How Routing Works

Routers examine the destination IP address of each packet and consult their routing table to determine the next hop: the next router in the path toward the destination. This process repeats at each router until the packet reaches its destination network.

Routing Example

Routing Example:
═══════════════════════════════════════════════════════════════════

Source: 192.168.1.100 → Destination: 8.8.8.8 (Google DNS)

   [Your PC]                                            [Google]
   192.168.1.100                                        8.8.8.8
       │                                                   ▲
       │ 1. "8.8.8.8 not local,                            │
       │    send to default gateway"                       │
       ▼                                                   │
   [Home Router]                                           │
   192.168.1.1                                             │
       │                                                   │
       │ 2. "8.8.8.8 → send to ISP"                        │
       ▼                                                   │
   [ISP Router]                                            │
       │                                                   │
       │ 3. "8.8.8.8 → route to upstream"                  │
       ▼                                                   │
   [Tier 2 ISP] ──► [Tier 1 ISP] ──► [Google Edge] ────────┘

Each router only knows the NEXT hop, not the full path!

Routing Table Structure

A routing table maps destination networks to next-hop addresses and outgoing interfaces:

$ ip route     # Linux
$ netstat -rn  # macOS

Example Routing Table:
═══════════════════════════════════════════════════════════════════

Destination        Gateway         Interface   Metric  Flags
───────────        ───────         ─────────   ──────  ─────
0.0.0.0/0          192.168.1.1     eth0        100     UG   (Default)
192.168.1.0/24     0.0.0.0         eth0        0       U    (Direct)
10.0.0.0/8         192.168.1.254   eth0        50      UG   (Static)
172.16.0.0/16      192.168.1.253   eth0        50      UG   (Static)

Key:
- Destination: Network prefix being routed to
- Gateway: Next hop (0.0.0.0 = directly connected)
- Interface: Which network interface to use
- Metric: Cost/preference (lower is better)
- Flags: U=Up, G=Gateway (not direct)

Longest Prefix Match

When multiple routes match a destination, routers use longest prefix matchβ€”the most specific route wins.

Longest Prefix Match

Longest Prefix Match:
═══════════════════════════════════════════════════════════════════

Routing Table:
10.0.0.0/8       via 192.168.1.1    (matches 16M addresses)
10.10.0.0/16     via 192.168.1.2    (matches 65K addresses)
10.10.10.0/24    via 192.168.1.3    (matches 256 addresses)

Packet destined for 10.10.10.50:
├── Matches 10.0.0.0/8?      yes, but only 8 bits match
├── Matches 10.10.0.0/16?    yes, but only 16 bits match
├── Matches 10.10.10.0/24?   yes ← WINNER (most specific, 24 bits)
└── Forward to 192.168.1.3

Why this matters:
- More specific routes override less specific ones
- Default route (0.0.0.0/0) is least specific, used as fallback
- Attackers can hijack traffic by announcing more specific routes!
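The lookup above, as an added example that is not part of the chapter: a small routing table with longest-prefix-match lookup over the chapter’s 10.x entries plus a default route, followed by a constructed more-specific route (a /26 with next hop 192.168.1.66, both invented for illustration) that captures part of the /24 without touching the existing entry. That is the mechanism behind the more-specific hijack the bullet warns about.

```python
"""Longest-prefix-match lookup over a small routing table.

Added example, not code from the chapter.  The table mirrors the chapter's
(10.0.0.0/8, 10.10.0.0/16, 10.10.10.0/24) plus a default route; the /26
and its next hop 192.168.1.66 are constructed to show how a more-specific
route (from a hijacker or a misconfigured peer) captures traffic.
"""
from __future__ import annotations
from ipaddress import ip_address, ip_network
from typing import Optional

# (prefix, next hop), matching the chapter's table.  Constructed data.
ROUTES = [
    ("0.0.0.0/0",     "192.168.1.1"),   # default route: least specific
    ("10.0.0.0/8",    "192.168.1.1"),
    ("10.10.0.0/16",  "192.168.1.2"),
    ("10.10.10.0/24", "192.168.1.3"),
]


class RoutingTable:
    def __init__(self, routes):
        self._routes = [(ip_network(p), nh) for p, nh in routes]

    def add(self, prefix: str, next_hop: str) -> None:
        """Install a route; a more-specific prefix shadows the broader one."""
        self._routes.append((ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[tuple[str, str]]:
        """Return (matching prefix, next hop) for dst, or None if no route.

        Longest prefix match: among all prefixes that contain dst, the one
        with the largest prefix length wins.  A real router does this with a
        trie; a linear scan is enough to show the rule.
        """
        addr = ip_address(dst)
        best = None
        for net, nh in self._routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else (str(best[0]), best[1])


def demo() -> dict:
    """Look up 10.10.10.50 before and after a constructed /26 is installed."""
    table = RoutingTable(ROUTES)
    before = table.lookup("10.10.10.50")
    table.add("10.10.10.0/26", "192.168.1.66")    # constructed more-specific route
    after = table.lookup("10.10.10.50")            # now captured by the /26
    untouched = table.lookup("10.10.10.200")       # outside the /26: still the /24
    return {"before": before, "after": after, "untouched": untouched}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```

Run it and note that the /24 entry was never modified: the hijack works purely because the more-specific prefix is preferred. The same rule drives BGP’s more-specific prefix attack later in the chapter.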

Now that we understand how a router uses its routing table, an important question arises: how does that routing table get populated in the first place? There are two fundamentally different approaches.


Static vs Dynamic Routing

Networks can be configured in two ways: you can manually tell each router exactly where to send traffic, or you can let routers figure it out automatically by talking to each other. Each approach has trade-offs that make it suitable for different situations.

Static Routing

In static routing, administrators manually configure routes. This is simple and predictable but doesn’t adapt to network changes.

# Add static route (Linux)
ip route add 10.0.0.0/8 via 192.168.1.254

# Add static route (Windows)
route add 10.0.0.0 mask 255.0.0.0 192.168.1.254

# Persistent route (Linux, Debian-style /etc/network/interfaces;
# netplan and NetworkManager use their own config formats instead)
up ip route add 10.0.0.0/8 via 192.168.1.254

Advantages                      Disadvantages
──────────                      ─────────────
Simple to understand            Doesn’t adapt to failures
No protocol overhead            Doesn’t scale well
Predictable behavior            Administrative burden
Slightly more secure            Manual updates required
(no routing protocol to spoof)

Use cases: Small networks, default routes, specific traffic engineering, security (forcing traffic paths)

Dynamic Routing

Dynamic routing protocols automatically discover network topology and calculate optimal paths. Routers exchange information with neighbors, building a network-wide view.

Advantages                          Disadvantages
──────────                          ─────────────
Automatically adapts to failures    Protocol overhead (CPU, bandwidth)
Scales to large networks            Convergence time during changes
Reduces administrative overhead     Potential security issues (spoofed or injected routes)

Most networks larger than a home or small office use dynamic routing. But dynamic routing isn’t one-size-fits-all; different protocols exist for different purposes. The most fundamental distinction is between protocols used within an organization versus protocols used between organizations.


Interior Gateway Protocols (IGPs)

Interior Gateway Protocols route within a single organization (Autonomous System). When your company’s routers need to share information about which networks exist and how to reach them, they use an IGP.

Think of an IGP as the internal navigation system of a large building complex: it helps you move between rooms and floors within the building, but it doesn’t concern itself with how to reach other buildings across the city.

Different IGPs use different strategies to share routing information. Understanding these strategies helps you appreciate why networks behave the way they do, and where vulnerabilities might exist.

RIP (Routing Information Protocol)

RIP is one of the oldest routing protocols, using a distance-vector algorithm based on hop count. While rarely used in new deployments, understanding RIP illuminates how distance-vector protocols think.

Characteristics:

  • Metric = hop count (maximum 15; 16 = unreachable)
  • Shares full routing table with neighbors every 30 seconds
  • Simple but limited scalability
  • Slow convergence (minutes)

RIP Hop Count Example

RIP Hop Count Example:
═══════════════════════════════════════════════════════════════════

         ┌─────────┐        ┌─────────┐        ┌─────────┐
Network ─┤ Router A├────────┤ Router B├────────┤ Router C├─ Network
   X     │ Hops: 1 │        │ Hops: 2 │        │ Hops: 3 │    Y
         └─────────┘        └─────────┘        └─────────┘

From Network X to Network Y: 3 hops
RIP chooses path with fewest hops (ignores bandwidth!)

Problem: 
Path A-B-C might be 10 Mbps each
Path A-D-E-F-C might be 1 Gbps each
RIP chooses slower path because fewer hops!

Versions:

  • RIPv1: Classful (no subnet mask in updates), broadcast
  • RIPv2: Classless (includes subnet mask), supports authentication, multicast

OSPF (Open Shortest Path First)

OSPF is a modern link-state protocol widely used in enterprise networks. It builds a complete map of the network topology.

OSPF Operation

OSPF Operation:
═══════════════════════════════════════════════════════════════════

1. NEIGHBOR DISCOVERY
   Routers send Hello packets on each interface
   Establish adjacencies with neighbors

2. DATABASE SYNCHRONIZATION
   Exchange Link-State Advertisements (LSAs)
   Each router builds complete topology database

3. SPF CALCULATION
   Dijkstra's algorithm calculates shortest paths
   Build routing table from SPF tree

4. ONGOING
   Monitor links for changes
   Flood LSA updates when topology changes
   Re-run SPF if needed

OSPF Topology Database (same on all routers):
┌─────────────────────────────────────────────────────────────────┐
│ Router A: Connected to B (cost 10), C (cost 5)                  │
│ Router B: Connected to A (cost 10), D (cost 20)                 │
│ Router C: Connected to A (cost 5), D (cost 15)                  │
│ Router D: Connected to B (cost 20), C (cost 15)                 │
└─────────────────────────────────────────────────────────────────┘

SPF calculation finds shortest path from each router to all others

Key concepts:

  • Areas: OSPF divides networks into areas to limit LSA flooding
  • Area 0 (Backbone): All other areas must connect to Area 0
  • Router Types: Internal, ABR (Area Border Router), ASBR (AS Boundary Router)
  • Cost Metric: cost = reference bandwidth / interface bandwidth, with a default reference of 100 Mbps: 100 Mbps = cost 1, 10 Mbps = cost 10. Anything faster than the reference also gets cost 1, so raise the reference bandwidth on networks with gigabit links

OSPF security features:

  • Authentication of OSPF messages: null, simple password, or MD5 keyed hash (RFC 2328); the first two are trivially spoofable and MD5 is considered weak today
  • HMAC-SHA cryptographic authentication (RFC 5709) for OSPFv2; OSPFv3 relies on IPsec or its authentication trailer (RFC 7166)
  • Authentication only decides who may form an adjacency. A compromised router, or an attacker holding the shared key, can still flood crafted LSAs and steer traffic inside the AS
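The SPF step above, worked through in code as an added example (not from the chapter): Dijkstra over the chapter’s four-router database, returning total cost and next hop from a given router. It then shows the last bullet in action with a constructed scenario: router B, assumed compromised, lowers the cost it advertises toward D from 20 to 1, and A’s traffic for D shifts from the C path to B. The two-way check in the code is why B cannot simply invent a link to a router that does not list it back.

```python
"""OSPF-style SPF (Dijkstra) over the chapter's four-router topology.

Added example, not code from the chapter.  Link costs are the ones in the
chapter's topology database (A-B 10, A-C 5, B-D 20, C-D 15).  The
advertise_cost() scenario is constructed: a compromised router B lowers the
cost it advertises toward D to pull A's traffic for D through itself.
"""
from __future__ import annotations
import heapq

# Link-state database as every router in the area sees it after flooding.
# Each router's entry is what *its own* LSA says about its links.
LSDB = {
    "A": {"B": 10, "C": 5},
    "B": {"A": 10, "D": 20},
    "C": {"A": 5, "D": 15},
    "D": {"B": 20, "C": 15},
}


def spf(lsdb: dict, root: str) -> dict:
    """Dijkstra from `root`: {router: (total_cost, next_hop)} for all others.

    next_hop is the directly connected neighbor `root` forwards to; this is
    the chapter's "build routing table from SPF tree" step.  Equal-cost
    paths keep whichever was found first (no ECMP here).
    """
    dist = {root: 0}
    next_hop = {}
    heap = [(0, root, None)]          # (cost so far, router, first hop)
    done = set()
    while heap:
        cost, node, via = heapq.heappop(heap)
        if node in done:
            continue                  # stale entry; a cheaper path was already used
        done.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            # Two-way check: a link is used only if the neighbor lists it too.
            if node not in lsdb.get(nbr, {}):
                continue
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                first_hop = nbr if node == root else via
                next_hop[nbr] = first_hop
                heapq.heappush(heap, (new_cost, nbr, first_hop))
    return {r: (dist[r], next_hop[r]) for r in dist if r != root}


def advertise_cost(lsdb: dict, router: str, neighbor: str, cost: int) -> dict:
    """Copy of the LSDB where `router` advertises `cost` toward `neighbor`.

    Each router sets the cost of its own links in the LSA it floods, and SPF
    uses the advertising router's cost for that direction of travel.  So a
    compromised router needs no cooperation to make a path through itself
    look cheap; the link only has to exist (so the two-way check passes).
    """
    if neighbor not in lsdb.get(router, {}):
        raise ValueError(f"{router} has no link to {neighbor}")
    new = {r: dict(links) for r, links in lsdb.items()}
    new[router][neighbor] = cost
    return new


if __name__ == "__main__":
    print("A's table, honest LSDB:   ", spf(LSDB, "A"))
    hijacked = advertise_cost(LSDB, "B", "D", 1)   # constructed: B lies about B->D
    print("A's table after B's LSA:  ", spf(hijacked, "A"))
```

With the honest database A reaches D via C at cost 20; after B’s forged cost it reaches D via B at cost 11, so B now sees every packet A sends to D. Nothing about authentication changes this, because B is an authenticated member of the area.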

EIGRP (Enhanced Interior Gateway Routing Protocol)

Cisco-proprietary (though now partially open), EIGRP combines distance-vector and link-state features.

Characteristics:

  • Uses Diffusing Update Algorithm (DUAL)
  • Fast convergence (sub-second)
  • Supports unequal-cost load balancing
  • Lower overhead than OSPF for some topologies

IGP Comparison

Feature       RIP                  OSPF                 EIGRP
───────       ───                  ────                 ─────
Algorithm     Distance-vector      Link-state           Hybrid (DUAL)
Metric        Hop count (max 15)   Cost (bandwidth)     Composite (bandwidth, delay)
Convergence   Slow (minutes)       Fast (seconds)       Very fast (sub-second)
Scalability   Small networks       Large networks       Large networks
Updates       Periodic (30 s)      Event-triggered      Event-triggered
CPU/Memory    Low                  Higher               Medium
Vendor        Open standard        Open standard        Cisco (RFC 7868, informational)

IGPs handle routing within an organization, but the internet is made up of thousands of independent organizations, each running their own networks. How do these separate networks learn how to reach each other? That’s where BGP comes in: the protocol that glues the entire internet together.


Exterior Gateway Protocol: BGP

If IGPs are the navigation systems inside individual buildings, BGP is the road map of an entire country. It’s how major networks (ISPs, cloud providers, large enterprises) tell each other what parts of the internet they can reach. And as we saw in the opening story, it’s also one of the most critical security weak points on the internet.

The Internet’s Routing Protocol

BGP (Border Gateway Protocol) is the routing protocol of the internet itself. It routes between Autonomous Systems (ASes): independent networks operated by different organizations (ISPs, large enterprises, content providers), each identified by an AS number.

BGP is fundamentally different from IGPs:

  • Policy-based: Routes based on business relationships, not just shortest path
  • Path-vector: Announces complete AS paths, enabling loop detection
  • Incremental updates: Only changes are advertised, not full tables

BGP Peering Between Autonomous Systems

BGP Peering Between Autonomous Systems:
═══════════════════════════════════════════════════════════════════

            AS 65001                          AS 65002
         (Your Company)                     (ISP Alpha)
    ┌───────────────────────┐         ┌───────────────────────┐
    │                       │         │                       │
    │   ┌─────────────┐     │  eBGP   │     ┌─────────────┐   │
    │   │ BGP Router  │─────┼─────────┼─────│ BGP Router  │   │
    │   └─────────────┘     │         │     └─────────────┘   │
    │         │             │         │           │           │
    │       iBGP            │         │         iBGP          │
    │         │             │         │           │           │
    │   ┌─────────────┐     │         │     ┌─────────────┐   │
    │   │ Internal    │     │         │     │ Internal    │   │
    │   │ Router      │     │         │     │ Router      │   │
    │   └─────────────┘     │         │     └─────────────┘   │
    └───────────────────────┘         └───────────────────────┘

eBGP: External BGP (between ASes); peers are usually directly connected (TTL 1 by default)
iBGP: Internal BGP (within an AS); distributes externally learned routes to the AS’s own routers
(AS 65001 and 65002 are private-range ASNs, used here for illustration)

BGP Path Selection

BGP uses multiple attributes to select the best path. Order of preference (simplified):

  1. Highest Weight (Cisco-specific; local to the router, never advertised)
  2. Highest LOCAL_PREF (prefer certain exit points)
  3. Locally originated routes
  4. Shortest AS_PATH (fewer ASes traversed)
  5. Lowest origin type (IGP < EGP < Incomplete)
  6. Lowest MED (Multi-Exit Discriminator)
  7. eBGP over iBGP
  8. Lowest IGP metric to next hop
  9. Oldest route (stability)
  10. Lowest router ID

BGP Security: A Critical Weakness

BGP fundamentally trusts what peers announce. This trust model creates serious vulnerabilities:

BGP Hijacking Example

BGP Hijacking Example:
═══════════════════════════════════════════════════════════════════

NORMAL OPERATION:
─────────────────
AS 65001 legitimately owns 203.0.113.0/24
Announces: "I can reach 203.0.113.0/24"
Internet routes traffic to AS 65001 

BGP HIJACK ATTACK:
──────────────────
Attacker (AS 99999) announces: "I can reach 203.0.113.0/24"

Other ASes now have two routes:
├── Via AS 65001 (legitimate)
└── Via AS 99999 (attacker)

If AS 99999's announcement wins best-path selection at a given router
(for example, it has a shorter AS_PATH from that router's point of view),
that router forwards the prefix's traffic to the attacker. Because each
router decides independently, such a hijack is usually partial: part of
the internet goes to the attacker, the rest to the legitimate origin.

WORSE - MORE SPECIFIC PREFIX ATTACK:
────────────────────────────────────
Legitimate: 203.0.113.0/24
Attacker announces: 203.0.113.0/25 AND 203.0.113.128/25

More specific prefixes ALWAYS win (longest prefix match), so best-path
selection never even compares the two announcements: every router that
accepts the /25s sends ALL of the prefix's traffic to the attacker,
regardless of path length.

Caveat: most transit networks filter announcements longer than /24, so a
/25 rarely propagates. Real attacks split a larger block into /24s, which
is exactly what the Route 53 hijack did (/24s carved out of Amazon's /23s).

Real-world BGP incidents:

Year   Incident                                                    Impact
────   ────────                                                    ──────
2008   Pakistan Telecom announced a more-specific YouTube prefix   Global YouTube outage
2017   Rostelecom (Russia) briefly announced prefixes of Google,   Traffic routed through Russia
       Apple, Facebook and others
2018   More-specific hijack of Amazon Route 53 DNS prefixes        MyEtherWallet DNS poisoned, ~$150K stolen
2019   Route leak from a Swiss hosting provider (Safe Host)        European mobile traffic rerouted through China
       propagated by China Telecom
2020   Rostelecom announced prefixes belonging to 200+ networks    Major websites and CDNs affected
       (Google, AWS, Cloudflare and others)

BGP Security Solutions

RPKI (Resource Public Key Infrastructure):

RPKI provides cryptographic verification of route origins. Route Origin Authorizations (ROAs) are signed statements that AS X is authorized to originate prefix Y.

RPKI Route Origin Validation

RPKI Route Origin Validation:
═══════════════════════════════════════════════════════════════════

ROA Record (cryptographically signed):
┌─────────────────────────────────────────────────────────────────┐
│ Prefix: 203.0.113.0/24                                          │
│ Max Length: /24                                                 │
│ Origin AS: 65001                                                │
│ Signature: by the holder's resource certificate, which chains   │
│            up to the Regional Internet Registry's trust anchor  │
└─────────────────────────────────────────────────────────────────┘

When a router receives a BGP announcement (RFC 6811):
1. Find every ROA whose prefix covers the announced prefix
2. Check: does the origin AS (rightmost AS in AS_PATH) match one of them?
3. Check: is the announced prefix length within that ROA's max-length?

Results:
- VALID: at least one covering ROA matches origin AS and max-length → Accept
- INVALID: ROAs cover the prefix but none matches (wrong AS, or too specific) → Reject
- NOT FOUND: No ROA covers the prefix → Accept (transitional; many prefixes still have no ROA)

What a router does with each state is local policy; dropping INVALID routes is
now common practice at large networks. Note that ROV checks only the origin AS:
an attacker who appends the legitimate origin to a forged AS_PATH still passes.
BGPsec and AS_PATH filtering exist to close that gap.
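Route Origin Validation as described above, as an added example (not code from the chapter): the RFC 6811 state machine applied to a constructed set of validated ROA payloads. The chapter’s ROA (203.0.113.0/24, max-length /24, AS 65001) is included; a second ROA for 198.51.100.0/24 with max-length /25 is invented to show max-length working. Signature checking is assumed to have been done already by a relying-party validator, which is what produces these payloads in practice; the code applies only the origin and length checks. The last case shows the limitation noted above: a forged path ending in the legitimate origin validates.

```python
"""RPKI Route Origin Validation (RFC 6811 semantics) against a small ROA set.

Added example, not code from the chapter.  VRPS is constructed; in a real
deployment these validated ROA payloads come from a relying-party validator
that has already checked the ROA signatures.  This code only applies the
origin-AS and max-length rules.
"""
from __future__ import annotations
from ipaddress import ip_network

# Validated ROA payloads: (prefix, max_length, origin AS).  Constructed.
VRPS = [
    ("203.0.113.0/24", 24, 65001),   # the chapter's ROA
    ("198.51.100.0/24", 25, 65001),  # invented: holder permits the /24 and both /25s
]


def rov(prefix: str, origin_as: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    RFC 6811: a VRP covers the announcement if its prefix contains the
    announced prefix.  No covering VRP -> NOT FOUND.  A covering VRP with the
    same origin AS and max_length >= announced length -> VALID.  Covered but
    nothing matches -> INVALID.
    """
    announced = ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ip_network(vrp_prefix)
        if announced.version != vrp_net.version or not announced.subnet_of(vrp_net):
            continue
        covered = True
        if vrp_as == origin_as and announced.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def validate_announcement(prefix: str, as_path: list[int], vrps=VRPS) -> str:
    """ROV sees only the origin (rightmost) AS; the rest of the path is ignored."""
    return rov(prefix, as_path[-1], vrps)


def policy(prefix: str, as_path: list[int], vrps=VRPS) -> str:
    """Common operator policy: reject INVALID, accept VALID and NOT FOUND."""
    state = validate_announcement(prefix, as_path, vrps)
    return "reject" if state == "invalid" else "accept"


if __name__ == "__main__":
    cases = [
        ("203.0.113.0/24",   [65002, 65001]),  # legitimate
        ("203.0.113.0/24",   [99999]),         # plain hijack: wrong origin
        ("203.0.113.128/25", [99999]),         # more-specific hijack
        ("203.0.113.0/25",   [65001]),         # holder's own more-specific, not in ROA
        ("192.0.2.0/24",     [99999]),         # no ROA at all
        ("203.0.113.0/24",   [99999, 65001]),  # forged origin: ROV cannot tell
    ]
    for prefix, path in cases:
        print(f"{prefix:18} {path!s:16} {validate_announcement(prefix, path):10} {policy(prefix, path)}")
```

Two practical notes follow from the code. First, the holder’s own /25 is INVALID, which is why publishing a ROA without matching every prefix you actually announce breaks your own reachability. Second, a max-length looser than what you announce (as in the invented 198.51.100.0/24 ROA) lets a forged-origin announcement of an unused sub-prefix validate, which is why RFC 9319 recommends keeping max-length equal to the announced length.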

Other BGP security measures:

  • Prefix filtering: Validate announcements against IRR databases
  • BGPsec: Full path validation (not widely deployed yet)
  • Monitoring services: Detect suspicious announcements (BGPStream, RIPE RIS)
  • Peer agreements: Contractual requirements for filtering

Security Note: BGP hijacking is covered in Part II, Chapter 3. At scale, it can intercept traffic for millions of users.


Network Address Translation (NAT)

We’ve covered how routing moves packets across the internet, but there’s a problem we’ve glossed over: IP addresses are a limited resource. The internet was designed when no one imagined billions of connected devices. How do we make it work?

The answer is NAT, a technique that lets many devices share a single public IP address. If you’re reading this at home, your laptop, phone, smart TV, and IoT devices probably all share one public IP address from your ISP. NAT makes this possible.

Understanding NAT is essential because it’s everywhere, and because it’s often confused with security (it isn’t).

The IPv4 Address Crisis Solution

With only 4.3 billion IPv4 addresses and billions of internet-connected devices, we ran out of public addresses. NAT (Network Address Translation) extends IPv4’s life by allowing many devices to share a single public IP address.

How NAT Works

NAT modifies IP addresses (and sometimes ports) as packets traverse a router.

NAT Translation (PAT/NAPT Most Common)

NAT Translation (PAT/NAPT - Most Common):
═══════════════════════════════════════════════════════════════════

OUTBOUND (Private → Public):
────────────────────────────

Device A: 192.168.1.100:5000 → google.com:443
Device B: 192.168.1.101:5001 → google.com:443

        ┌──────────────────────────────────────┐
        │   NAT Router                         │
        │   Public: 1.2.3.4                    │
        │   NAT Table:                         │
        │ ┌──────────────────────┬───────────┐ │
        │ │ Internal             │ External  │ │
        │ │ 192.168.1.100:5000   │ :30001    │ │
        │ │ 192.168.1.101:5001   │ :30002    │ │
        │ └──────────────────────┴───────────┘ │
        └──────────────────────────────────────┘

After NAT:
Device A appears as: 1.2.3.4:30001 → google.com:443
Device B appears as: 1.2.3.4:30002 → google.com:443

INBOUND (Public → Private):
───────────────────────────

Response to 1.2.3.4:30001 → Translated to 192.168.1.100:5000
Response to 1.2.3.4:30002 → Translated to 192.168.1.101:5001

Router maintains NAT translation table to match responses!

NAT Types

Type                Description                                           Use Case
────                ───────────                                           ────────
Static NAT          1:1 mapping (public ↔ private)                        Servers needing inbound access
Dynamic NAT         Pool of public IPs assigned as needed                 Uncommon now
PAT/NAPT            Many private IPs share one public IP using ports      Most common (home routers)
Carrier-Grade NAT   ISP does NAT for customers (RFC 6598 shared space)    IPv4 exhaustion workaround

Port Forwarding

NAT breaks the end-to-end model: external hosts can’t initiate connections to internal hosts because no translation exists for them. Port forwarding creates explicit exceptions:

Port Forwarding Configuration

Port Forwarding Configuration:
═══════════════════════════════════════════════════════════════════

NAT Router (Public IP: 1.2.3.4)
Port Forward Rules:
┌───────────────┬──────────────────┬───────────────┬────────────┐
│ External Port │ Internal IP      │ Internal Port │ Protocol   │
├───────────────┼──────────────────┼───────────────┼────────────┤
│ 80            │ 192.168.1.10     │ 80            │ TCP        │
│ 443           │ 192.168.1.10     │ 443           │ TCP        │
│ 22            │ 192.168.1.20     │ 22            │ TCP        │
│ 25565         │ 192.168.1.30     │ 25565         │ TCP        │
└───────────────┴──────────────────┴───────────────┴────────────┘

External request to 1.2.3.4:80 → Forwarded to 192.168.1.10:80
External request to 1.2.3.4:22 → Forwarded to 192.168.1.20:22

NAT Security Implications

Benefits                                           Drawbacks
────────                                           ─────────
Hides internal addressing                          Breaks some protocols (SIP, FTP) without helpers
Unsolicited inbound dropped (no mapping exists)    Complicates logging/forensics (many hosts, one IP)
Conserves public IP addresses                      Not actual security (obscurity, no policy)
Internal hosts not directly addressable            Makes peer-to-peer difficult

COMMON MISTAKE

NAT is not a firewall and not a security measure. A NAPT router drops unsolicited inbound packets only because no table entry exists for them; that is a side effect of the translation table, not an access policy you can reason about or audit. A compromised internal host can open outbound connections to a command-and-control server, and the replies flow back through the NAT table exactly like any other response. NAT also does nothing about traffic between internal hosts. Always use a proper stateful firewall with explicit rules.
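The translation table, the port-forward exception and the "not a firewall" point, together in one added example that is not code from the chapter: a NAPT router simulation. Addresses are the chapter’s (1.2.3.4 public, 192.168.1.0/24 inside, SSH forwarded to 192.168.1.20); the public web server 192.0.2.10, the scanner 198.51.100.9 and the C2 server 203.0.113.66 are constructed stand-ins. The simulation allocates external ports for outbound flows, matches replies back, drops an unsolicited probe, honors the port forward, and then shows a compromised host’s outbound beacon getting a mapping like any other flow.

```python
"""Port-address-translation (NAPT) table simulation with a port-forward rule.

Added example, not code from the chapter.  Addresses and ports are either
the chapter's or constructed stand-ins (192.0.2.10 web server, 198.51.100.9
scanner, 203.0.113.66 "C2" server).  Shows outbound translation, reply
matching, dropping of unsolicited inbound traffic, an explicit port
forward, and why NAT is not a firewall.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NaptRouter:
    def __init__(self, public_ip: str, first_port: int = 30001):
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, internal ip, internal port) -> external port, plus the reverse map
        self._out: dict[tuple[str, str, int], int] = {}
        self._in: dict[tuple[str, int], tuple[str, int]] = {}
        # static inbound rules: (proto, external port) -> (internal ip, internal port)
        self.port_forwards: dict[tuple[str, int], tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate private -> public, allocating an external port on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:
            ext_port = self._next_port
            self._next_port += 1
            self._out[key] = ext_port
            self._in[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Translate public -> private; None means the packet is dropped.

        Dynamic mappings (replies to our own flows) are checked first, then
        explicit port forwards, then drop.  Real routers usually also require
        the reply to come from the same remote endpoint (endpoint-dependent
        filtering); this table does not, which makes it a "full cone" NAT.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        target = (self._in.get((pkt.proto, pkt.dst_port))
                  or self.port_forwards.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)


def demo() -> dict:
    """Walk the chapter's scenario, then the 'NAT is not a firewall' case."""
    r = NaptRouter("1.2.3.4")
    r.port_forwards[("tcp", 22)] = ("192.168.1.20", 22)       # chapter's SSH forward
    web = "192.0.2.10"                                          # constructed web server
    a_out = r.outbound(Packet("192.168.1.100", 5000, web, 443))
    b_out = r.outbound(Packet("192.168.1.101", 5001, web, 443))
    a_reply = r.inbound(Packet(web, 443, "1.2.3.4", a_out.src_port))
    scan = r.inbound(Packet("198.51.100.9", 40000, "1.2.3.4", 3389))   # unsolicited RDP probe
    ssh = r.inbound(Packet("198.51.100.9", 40001, "1.2.3.4", 22))      # explicit port forward
    # A compromised host beacons out to a constructed C2 server; the reply
    # comes back through the table exactly like the web traffic above.
    c2_out = r.outbound(Packet("192.168.1.50", 44444, "203.0.113.66", 8443))
    c2_reply = r.inbound(Packet("203.0.113.66", 8443, "1.2.3.4", c2_out.src_port))
    return {
        "a_external": (a_out.src_ip, a_out.src_port),
        "b_external": (b_out.src_ip, b_out.src_port),
        "a_reply_to": (a_reply.dst_ip, a_reply.dst_port),
        "scan_dropped": scan is None,
        "ssh_forwarded_to": (ssh.dst_ip, ssh.dst_port),
        "c2_reply_delivered_to": c2_reply.dst_ip,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The RDP probe is dropped and the C2 reply is delivered by the same lookup; the router cannot tell them apart because it has no notion of policy, only of whether a mapping exists. That is the whole argument for an explicit firewall in front of, or on, the NAT device.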


SD-WAN: Software-Defined Wide Area Network

So far, we’ve discussed how routing works at a protocol level. But how do organizations actually connect their offices, data centers, and cloud resources? Traditionally, this meant expensive dedicated circuits. But the rise of cheap internet bandwidth and sophisticated software has created a new option: SD-WAN.

SD-WAN represents a major shift in enterprise networking, and understanding it helps you appreciate how modern networks are architected, and where new security considerations arise.

Traditional WAN Challenges

Traditional enterprise WANs use expensive MPLS circuits for reliable connectivity between sites. As cloud applications grew, traffic patterns changedβ€”users needed internet access, not just data center access.

SD-WAN abstracts WAN connectivity, using multiple transport types (MPLS, broadband, LTE) intelligently.

Traditional WAN vs SD-WAN

Traditional WAN vs SD-WAN:
═══════════════════════════════════════════════════════════════════

TRADITIONAL WAN:
────────────────
                              ┌────────────┐
                    MPLS      │  Data      │
Branch A ─────────────────────│  Center    │
              (Expensive)     │            │
Branch B ─────────────────────│  All       │
              (Single path)   │  Traffic   │
Branch C ─────────────────────│  Backhauled│
                              └────────────┘

Cloud apps? Traffic goes: Branch → Data Center → Internet → Cloud
                         (Inefficient "trombone" routing)


SD-WAN:
───────
                              ┌──────────┐
              MPLS (critical) │  Data    │
Branch A ─────────────────────│  Center  │
         ╲   Broadband        │          │
          ╲  (bulk traffic)   └──────────┘
           ╲
            ╲   Direct to cloud!
             ╲  ┌──────────┐
              ╲ │  Cloud   │
               ╲│  Apps    │
                └──────────┘

SD-WAN controller decides best path per application!

SD-WAN benefits:

  • Use cheaper internet links alongside MPLS
  • Direct cloud access (no backhaul)
  • Application-aware routing
  • Centralized management
  • Built-in encryption across links

SD-WAN security considerations:

  • Encryption quality varies by vendor (most build IPsec tunnels between edges; check the cipher suites and key rotation actually in use)
  • Direct internet access bypasses the data center security stack
  • Need cloud-based security (SASE) or branch firewalls to cover that traffic
  • Controller becomes a single point of compromise: it pushes policy and tunnel keys to every edge, so its management plane needs isolation, MFA and prompt patching

Firewalls and Access Control

Throughout this chapter, we’ve discussed how routers move traffic based on destination addresses. But what about controlling which traffic is allowed to flow in the first place? This is the job of firewalls, the gatekeepers of network security.

While not strictly a routing topic, firewalls are so integral to network infrastructure that we need to cover them here. Every network professional needs to understand how firewall rules work and the critical importance of rule ordering.

Firewall Basics

A firewall controls network traffic based on defined rules. It examines packets and decides to allow, block, or log them.

Firewall Types

Type                 OSI Layers   Capabilities                               Performance
────                 ──────────   ────────────                               ───────────
Packet filter        3-4          IP/port filtering, stateless               Fast
Stateful             3-4          Tracks connection state                    Fast
Application/Proxy    7            Deep content inspection                    Slower
Next-Gen (NGFW)      3-7          IPS, AV, app awareness, TLS inspection     Varies

Firewall Rules

Rules are evaluated in order; first match wins:

Firewall Rule Examples

Firewall Rule Examples:
═══════════════════════════════════════════════════════════════════

Rule#  Action   Proto  Source           Dest           Port   Notes
─────  ──────   ─────  ──────           ────           ────   ─────
1      ALLOW    TCP    any              10.0.0.5       22     SSH to jump
2      ALLOW    TCP    any              10.0.0.10      443    HTTPS to web
3      ALLOW    TCP    10.0.0.0/24      any            any    LAN outbound
4      ALLOW    UDP    any              any            53     DNS allowed
5      ALLOW    TCP    any              any            80,443 Web allowed
6      DENY     TCP    any              any            25     Block SMTP
7      DENY     any    any              any            any    Default deny

IMPORTANT: Order matters!
- Rule 3 allows LAN hosts to reach any destination on any TCP port
- Rule 6 blocks SMTP
- If a LAN host tries SMTP, Rule 3 matches first → ALLOWED!
- Fix: move Rule 6 BEFORE Rule 3 (specific denies above broad allows)

Stateful firewall understands:
- If an outbound connection is allowed, the related inbound responses are allowed
- Tracks TCP state (SYN, ESTABLISHED, etc.)
- Can allow "ESTABLISHED,RELATED" for responses without an explicit rule
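The first-match evaluation and the ordering bug above, as an added example that is not code from the chapter: a stateless evaluator over the chapter’s seven rules that returns which rule matched, so you can see why a packet was allowed, plus a helper that applies the recommended reorder. Test packets (a LAN host sending SMTP, an outside host reaching the jump box, and so on) are constructed. Stateful tracking (ESTABLISHED,RELATED) is deliberately not modeled; the point here is rule order.

```python
"""First-match firewall rule evaluation over the chapter's rule set.

Added example, not code from the chapter.  The seven rules are the ones in
the chapter's table; all test packets are constructed.  evaluate() returns
(rule number, action) so the reason for a decision is visible, and
move_before() applies the reorder the chapter recommends.  The evaluator
is stateless: it does not model ESTABLISHED/RELATED matching.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                   # "ALLOW" or "DENY"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    ports: frozenset[int] | None  # destination ports; None = any port
    note: str = ""


def _net_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((rule.proto == "any" or rule.proto == proto)
            and _net_match(rule.src, src)
            and _net_match(rule.dst, dst)
            and (rule.ports is None or dport in rule.ports))


def evaluate(rules: list[Rule], proto: str, src: str, dst: str, dport: int) -> tuple[int, str]:
    """First match wins.  The final catch-all rule must be present."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.num, rule.action
    raise ValueError("no rule matched: the default-deny rule is missing")


# The chapter's rule table, top to bottom.
RULES = [
    Rule(1, "ALLOW", "tcp", "any", "10.0.0.5/32",  frozenset({22}),      "SSH to jump host"),
    Rule(2, "ALLOW", "tcp", "any", "10.0.0.10/32", frozenset({443}),     "HTTPS to web"),
    Rule(3, "ALLOW", "tcp", "10.0.0.0/24", "any",  None,                 "LAN outbound"),
    Rule(4, "ALLOW", "udp", "any", "any",          frozenset({53}),      "DNS allowed"),
    Rule(5, "ALLOW", "tcp", "any", "any",          frozenset({80, 443}), "Web allowed"),
    Rule(6, "DENY",  "tcp", "any", "any",          frozenset({25}),      "Block SMTP"),
    Rule(7, "DENY",  "any", "any", "any",          None,                 "Default deny"),
]


def move_before(rules: list[Rule], num_to_move: int, before_num: int) -> list[Rule]:
    """Return a new list with rule `num_to_move` placed just before `before_num`."""
    moving = next(r for r in rules if r.num == num_to_move)
    rest = [r for r in rules if r.num != num_to_move]
    idx = next(i for i, r in enumerate(rest) if r.num == before_num)
    return rest[:idx] + [moving] + rest[idx:]


def demo() -> tuple[tuple[int, str], tuple[int, str]]:
    """A LAN host (constructed 10.0.0.7) sends SMTP out: before and after the fix."""
    pkt = ("tcp", "10.0.0.7", "198.51.100.25", 25)
    return evaluate(RULES, *pkt), evaluate(move_before(RULES, 6, 3), *pkt)


if __name__ == "__main__":
    print("LAN -> SMTP, original order:", demo()[0])
    print("LAN -> SMTP, rule 6 moved up:", demo()[1])
```

The same evaluator is a useful audit tool: run every rule’s "typical" packet through it and check that each rule is actually the one that fires. A rule that never matches is shadowed by something above it, which is the bug in the chapter’s table.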

Common firewall approaches:

  • Default deny: Block everything, explicitly allow what’s needed (more secure)
  • Default allow: Allow everything, explicitly block what’s dangerous (easier but risky)

PRO TIP

When troubleshooting firewall issues, check rules in order. The most common mistake is having a broad “allow” rule before a specific “deny” rule you expected to block traffic.


Practical Commands

# View routing table
ip route                    # Linux
netstat -rn                 # macOS, older Linux
route print                 # Windows

# Add/delete routes
ip route add 10.0.0.0/8 via 192.168.1.254        # Linux
ip route del 10.0.0.0/8                           # Linux
route add 10.0.0.0 mask 255.0.0.0 192.168.1.254  # Windows

# Trace route through internet
traceroute -A google.com    # Linux: show AS numbers per hop
traceroute -a google.com    # macOS/BSD: same, lowercase flag
mtr -z google.com           # Combined ping+traceroute with AS lookups

# Check BGP routes (requires looking glass or BGP router)
# Public BGP looking glasses: https://www.bgp4.as/looking-glasses
# Hurricane Electric: https://lg.he.net/

# Check if IP has valid RPKI ROA
# https://rpki-validator.ripe.net/
# Or use bgp.tools, e.g., https://bgp.tools/prefix/8.8.8.0/24

# View NAT translations (Linux)
conntrack -L                # Connection tracking table
iptables -t nat -L -n -v    # NAT rules

# Firewall rules
iptables -L -n -v           # Linux (iptables / iptables-nft)
nft list ruleset            # Linux (nftables)
pfctl -sr                   # macOS/BSD
netsh advfirewall firewall show rule name=all   # Windows: rules
netsh advfirewall show allprofiles              # Windows: per-profile state

TRY IT YOURSELF

See the AS path to a destination:

traceroute -A google.com    # Linux (use -a on macOS, or mtr -z on either)

Each hop shows the AS number in brackets next to the address. You can look up AS owners at bgp.tools or peeringdb.com.


Key Takeaways

  1. Routing tables map destinations to next hops; longest prefix match determines which route is used

  2. Static routing is simple but doesn’t adapt; dynamic routing automatically handles failures but adds complexity

  3. IGPs (RIP, OSPF, EIGRP) route within organizations using different algorithms and metrics

  4. BGP routes between autonomous systems and is critical internet infrastructure; it is built on trust, with significant security implications

  5. RPKI provides cryptographic verification of route origins, helping prevent BGP hijacking

  6. NAT allows address sharing but provides obscurity, not security

  7. SD-WAN modernizes enterprise WANs with software-defined intelligence across multiple transport types

  8. Firewalls enforce access control; rule order matters, and default-deny is more secure


Self-Assessment

  1. Comprehension: Why does longest prefix match make BGP hijacking with more-specific prefixes so effective?

  2. Application: An organization has both MPLS and internet circuits to each branch. How would SD-WAN help them use both effectively?

  3. What if: If RPKI were universally deployed and enforced, what BGP attacks would still be possible?


Review Questions

  1. What is the difference between static and dynamic routing?
  2. How does OSPF differ from RIP in its approach to routing?
  3. What is BGP hijacking, and why is it possible?
  4. How does RPKI help secure BGP, and what are its limitations?
  5. How does NAT allow many devices to share one public IP?
  6. Why is NAT not considered a security measure?

Key RFCs

  • RFC 4271 - A Border Gateway Protocol 4 (BGP-4)
  • RFC 6480 - An Infrastructure to Support Secure Internet Routing (RPKI)
  • RFC 6811 - BGP Prefix Origin Validation
  • RFC 8205 - BGPsec Protocol Specification
  • RFC 2328 - OSPF Version 2
  • RFC 5709 - OSPFv2 HMAC-SHA Cryptographic Authentication
  • RFC 2453 - RIP Version 2
  • RFC 7868 - Cisco’s Enhanced Interior Gateway Routing Protocol (EIGRP)
  • RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)