What are symmetric and asymmetric IP routing

By on 1 Aug 2022

Category: Tech matters

Tags: ,

1 Comment

Blog home

Symmetric and asymmetric IP routing are ideas that I’m familiar with from working on firewalls and networking, but it’s not necessarily common knowledge in the broader community. We can approach what they are from two directions — I’m going to start with how conventional IP routing works.

Asymmetric routing

The traditional/normal way that your IP stack decides where an outgoing IP packet should be sent is based (only) on the destination IP address. If the destination IP is in a directly attached network, your system sends it to the relevant interface. If there’s a specific route that applies to the destination IP, the packet is sent to the gateway the route lists. And if all else fails, the packet is sent to your default route’s gateway (or dropped, if you have no default route).

However, if you have a multi-homed host, a host with multiple interfaces and IP addresses, this approach to routing outgoing traffic can create a situation where outgoing and incoming packets for the same connection (or flow) use different interfaces. For this to happen, you normally need at least two of your networks to be routable, which is to say that hosts not on those networks can reach them and hosts on those networks can reach other networks.

To use an example, let’s say you have a host with two interfaces and IP addresses on each, with 10.20.0.10 on 10.20.0.0/16 and 192.168.100.1 on 192.168.100.0/24. Your default route is 192.168.100.254 and you have no other special routes. Two situations will create a difference between incoming and outgoing packets. First, if any host not on 10.20.0.0/16 pings your 10.20.0.10 IP address, your replies will use your default route and go out your 192.168.100.0/24 network interface (despite coming from 10.20.0.10). Second, if a host on 10.20.0.0/16 pings your 192.168.100.1 IP address, your replies will go directly out of your 10.20.0.0/16 interface despite coming from 192.168.100.1.

Both of these situations are examples of asymmetric routing, where packets in one direction take a different path through the network than packets in the other direction.

In a completely reliable network with no special features, asymmetric routing is things working as intended, with IP packets taking what your system believes is the most efficient available path to their destinations. However, in a network with firewalls and faults along some paths, asymmetric routing can cause artificial connectivity failures (or hide them). It’s especially a problem with stateful firewalls because such a firewall will be seeing only one-half of the conversation and will normally block it.

Symmetric routing

In symmetric routing, we arrange (somehow) for packets to take the same path in both directions in all of these situations. If you’re pinged at 192.168.100.1, your replies always go out on 192.168.100.0/24 even if they’re from a host in 10.20.0.0/16. If you’re pinged at 10.20.0.10 by some random IP, your replies always go out on 10.20.0.0/16 even if your normal default route is through 192.168.100.254 (you’ll need a second default route for 10.20.0.0/16 to make this work).

This also extends to traffic that your host originates. If you ping a host in 10.20.0.0/16 with the source IP of 192.168.100.1, your pings should go to 192.168.100.0/24’s default gateway of 192.168.100.254, not directly out your 10.20.0.0/16 interface. If your ‘source IP 192.168.100.1’ pings did go out of your 10.20.0.0/16 interface, the ICMP replies from the innocent 10.20.0.0/16 host would take a different return path and create asymmetric routing.

There are a variety of ways to create a situation with symmetric routing. One approach is to create separate network worlds, each with only one (routed) network interface and to confine packets (and connections) to their appropriate world. Another approach is policy-based routing, which is the broad idea of using more than just the destination IP to decide on packet routing. To do symmetric routing through policy-based routing, you make routing choices depending on the source IP as well as the destination IP.

(Policy-based routing is potentially much more general than mere symmetric routing, and I believe that it originates from the world of routers, not hosts. Sophisticated routing environments may have various complex rules, such as ‘traffic from these networks can only use these links’. Symmetric routing itself is mostly a host issue.)

I hope this gives you a basic understanding of what symmetric and asymmetric routing are.

Adapted from original post which appeared on Wandering Thoughts.

Chris Siebenmann is a Unix herder. He also writes too much Python, much of it not as good quality as it should be.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

Leave a Reply

Your email address will not be published.

Top