Module 12 of 21 · Applied

How routing and forwarding really differ

17 min read 3 outcomes Scenario quiz

By the end of this module you will be able to:

  • Explain the difference between the control plane (routing) and the data plane (forwarding)
  • Describe longest prefix match and how a router selects between overlapping routes
  • Explain what BGP hijacking is and why it is possible
Server rack with colour-coded network cables feeding into a core router

Real-world incident · February 24, 2008

Pakistan Telecom BGP hijack: how a routing announcement took YouTube offline globally

On February 24, 2008, Pakistan Telecom (PTCL) was instructed by the Pakistan Telecommunications Authority to block YouTube within Pakistan. To implement the block, PTCL announced a BGP (Border Gateway Protocol) route for YouTube's IP prefix, 208.65.153.0/24, redirecting traffic to a null route inside Pakistan.

The problem was that PTCL's upstream provider, PCCW, accepted the announcement and propagated it to the global routing table. Within minutes, routers around the world had a route to 208.65.153.0/24 pointing toward Pakistan. The /24 prefix was more specific than YouTube's own /22 announcement. Longest prefix match rules meant the /24 won everywhere. YouTube's traffic globally was redirected to Pakistan, where PTCL discarded it.

The incident lasted approximately two hours before the route was withdrawn. It illustrates a fundamental property of BGP: the protocol is built on trust. Any autonomous system that announces a prefix can, if its upstream accepts it, attract traffic for addresses it does not own.

YouTube's servers were running. The internet was functioning. Pakistan Telecom accidentally took the site offline for two hours worldwide. What mechanism could allow that?

12.1 Control plane and data plane

The distinction between routing and forwarding is a distinction between two planes in a network device: the control plane and the data plane.

The control plane is where routing decisions are made. It builds and maintains the routing table by running routing protocols (BGP, OSPF, static configuration) or receiving external route information. The control plane operates on minutes to seconds timescales. It is computationally expensive and relatively slow.

The data plane (also called the forwarding plane) handles individual packets. For each packet, the router reads the destination IP address, looks it up in the forwarding table (derived from the routing table), and sends the packet out the appropriate interface. The data plane operates on microsecond timescales and is often implemented in dedicated hardware (ASICs) for line-rate performance.

Routing is how the router learns what it knows. Forwarding is what the router does with that knowledge for each packet. A routing protocol problem and a forwarding table problem are not the same fault.

12.2 Static routes and dynamic routing protocols

A static route is manually configured: the network administrator tells the router "to reach network X, send packets to next hop Y." Static routes are simple and predictable but do not respond to topology changes. If the next hop fails, the static route remains in the table and packets continue being sent to a dead path.

Dynamic routing protocols allow routers to discover, share, and update routes automatically. Two major protocol families are relevant for this module.

OSPF (Open Shortest Path First), defined in RFC 2328, is a link-state interior gateway protocol. Routers using OSPF exchange Link State Advertisements (LSAs) describing their connected networks and link costs. Each router builds a complete map of the network and runs Dijkstra's algorithm to compute the shortest path to each destination. OSPF is used within a single organisation's network.

BGP (Border Gateway Protocol), defined in RFC 4271, is the exterior gateway protocol that interconnects autonomous systems across the internet. An autonomous system (AS) is a network under a single administrative control with a unique AS number. BGP carries path attributes, not just metrics. Route selection considers factors including AS path length, local preference, and origin type.

The Border Gateway Protocol (BGP) is an inter-Autonomous System routing protocol. The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems.

RFC 4271 - Section 1, Introduction

BGP's word 'reachability' is important. BGP does not optimise for speed or quality. It exchanges information about which networks are reachable via which path. A BGP speaker can advertise routes for any prefix it wishes, subject only to the policies of its peers accepting those advertisements.

12.3 Longest prefix match

When a router's forwarding table contains multiple entries that could match a destination address, it uses the most specific match: the entry with the longest prefix (the most bits specified). This is longest prefix match.

Consider a router with two entries for the 10.0.0.0 space: one for 10.0.0.0/16 via interface A, and one for 10.0.1.0/24 via interface B. A packet for 10.0.1.5 matches both entries (10.0.1.5 is within 10.0.0.0/16 and within 10.0.1.0/24). The /24 entry is more specific, so the router forwards the packet via interface B.

This rule is why the Pakistan Telecom incident worked. YouTube's own /22 route was less specific than PTCL's /24 announcement. Every router in the world with both routes in its table chose the /24, because that is the rule, regardless of which announcement was legitimate.

The quiz at the end of this module asks: two routes to 10.0.0.0, one via /16 and one via /24. The answer is always the /24. More specific always wins in longest prefix match, regardless of which path is "better" by other measures.

12.4 The default gateway and default route

The default gateway is the router a host sends packets to when it has no more specific route for the destination. On a home network, this is typically your router. Your laptop has routes for the local subnet and a default route pointing at the router for everything else.

In routing tables, the default route is written as 0.0.0.0/0. It matches every destination address (since every address starts with zero matching bits), but it is also the least specific possible prefix. Any more specific route will override it via longest prefix match. The default route only handles destinations with no other match.

Common misconception

Routers choose the best path for each packet.

Routers forward each packet using a forwarding table built by the routing protocol. The routing protocol runs on the control plane and selects paths based on protocol-specific metrics and policies. For each individual packet, the router simply does a forwarding table lookup and sends it out the matching interface. The per-packet decision is a lookup, not a fresh route calculation.

12.5 Check your understanding

A router has two routes: 10.0.0.0/16 via interface A and 10.0.0.0/24 via interface B. A packet arrives for 10.0.0.5. Which interface does the router use?

What is the difference between a routing table and a forwarding table?

In the 2008 Pakistan Telecom incident, PTCL announced a /24 prefix for YouTube's IP space. YouTube had previously announced the same addresses as a /22. Why did PTCL's route win globally?

Key takeaways

  • Routing (control plane) builds and updates the routing table. Forwarding (data plane) uses the forwarding table to make per-packet decisions. These are distinct operations on different timescales.
  • Longest prefix match selects the most specific entry. A /24 always beats a /16 for matching addresses, regardless of other route characteristics.
  • BGP connects autonomous systems across the internet. It is built on trust: any AS can announce any prefix, and upstream providers decide whether to accept and propagate the advertisement.
  • The default route (0.0.0.0/0) matches everything but wins only when no more specific route exists. It is always the least specific possible match.

Standards and sources cited in this module

  1. RFC 4271, A Border Gateway Protocol 4 (BGP-4)

    Section 1, Introduction; Section 9, UPDATE Message Handling

    Defines BGP. Quoted in Section 12.2 for the description of BGP as an inter-AS routing protocol. Section 9 is the basis for understanding how routes are accepted and propagated.

  2. RFC 2328, OSPF Version 2

    Section 1, Introduction; Section 4.1, Routing Protocol Overview

    Defines OSPF for IPv4. Referenced in Section 12.2 for the link-state protocol description and LSA mechanism.

  3. RIPE NCC: YouTube Hijacking: A RIPE NCC RIS case study

    Published February 2008

    Technical analysis of the Pakistan Telecom BGP hijack. Used as the opening case study and for the /22 versus /24 prefix details.

  4. Cisco CCNA 200-301 v1.1 Exam Topics

    Section 3.0: IP Connectivity, routing protocols

    Longest prefix match and routing protocol distinctions are examined in the CCNA IP Connectivity objective.

Routing gets the packet to the right network. Module 13 covers what happens at the border: NAT rewrites addresses, tracks state, and breaks the end-to-end principle that the internet was designed around. Understanding NAT state explains why idle connections drop and peer-to-peer fails.

Previous: UDP and QUICNext: How NAT uses state

Module 12 of 21 · Applied stage