Network layer addresses, such as IP addresses, are used on different types of media and can be handled similarly in all cases.

=== Forwarding ===
FIBs are optimized for fast lookup of destination addresses and can improve forwarding performance compared to using the routing information base (RIB) directly. The RIB is optimized for efficient updating by routing protocols and other control plane methods, and contains the full set of routes learned by the router. Earlier implementations cached only a subset of the routes most frequently used in actual forwarding, and this worked reasonably well for enterprises where there is a meaningful most-frequently-used subset. Routers used for accessing the entire Internet, however, experienced severe performance degradation in refreshing routes cached in a small FIB, and various implementations moved to having FIBs in one-to-one correspondence with the RIB.

=== Ingress filtering against denial of service ===
FIBs can also play a role in an Internet best current practice (BCP) of ingress filtering. Though the simplest form of ingress filtering is to use access-control lists to drop packets with improper source addresses, the use of access lists becomes difficult on routers with a large number of adjacent networks, and traditional access lists are not used in high-performance router forwarding paths. While the IETF document BCP 38 on ingress filtering does not specify a method of implementing source address filtering, some router vendors have implemented a mechanism that employs reverse-path forwarding lookups in the router's tables to perform this check. This is often implemented as a lookup in the FIB of the source address of the packet. If the interface has no route to the source address, the packet is assumed to be part of a denial of service attack, using a spoofed source address, and the router discards the packet.

When the router is multihomed, ingress filtering becomes more complex. There are perfectly reasonable operational scenarios in which a packet could arrive on one interface, but that specific interface might not have a route to the source address. For the routers near the edge of the Internet, packet filters can provide a simpler and more effective solution than methods that employ routing information lookup, though this approach can be challenging when managing routers that are reconfigured often. Ingress filtering for multihomed routers will accept the packet if there is a route back to its source address from any interface on the router. For this type of filtering, the router may also maintain an adjacency table, also organized for fast lookup, that keeps track of the router interface addresses that are on all directly connected routers.
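
The two reverse-path checks described above, as an added example that is not part of the original article: a toy FIB with longest-prefix match, queried with the packet's source address in a per-interface mode and in the any-interface mode used on multihomed routers. The class and function names, the interface names and the documentation-range prefixes are constructed for illustration.

```python
import ipaddress

class Fib:
    """Toy FIB: prefix -> outgoing interfaces, resolved by longest-prefix match."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, interface):
        self.routes.setdefault(ipaddress.ip_network(prefix), set()).add(interface)

    def lookup(self, address):
        """Interfaces of the most specific matching prefix, or an empty set."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return set()
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

def rpf_accepts(fib, src, in_interface, mode):
    """True = forward, False = discard as a presumed spoofed source."""
    interfaces = fib.lookup(src)
    if mode == "per-interface":   # arriving interface must route back to src
        return in_interface in interfaces
    if mode == "any-interface":   # multihomed variant: any route back is enough
        return bool(interfaces)
    raise ValueError(f"unknown mode: {mode}")

def sample_fib():
    # Constructed routes using documentation prefixes; interface names are made up.
    fib = Fib()
    fib.add("192.0.2.0/24", "eth2")      # customer network
    fib.add("198.51.100.0/24", "eth0")   # remote network, best path via upstream A
    return fib

def evaluate(packets):
    fib = sample_fib()
    return {
        (src, ifc): (rpf_accepts(fib, src, ifc, "per-interface"),
                     rpf_accepts(fib, src, ifc, "any-interface"))
        for src, ifc in packets
    }

# Constructed packets: (source address, arriving interface)
PACKETS = [
    ("192.0.2.10", "eth2"),    # customer source on customer port
    ("198.51.100.7", "eth1"),  # asymmetric return path via upstream B
    ("203.0.113.9", "eth2"),   # no route to source at all
    ("198.51.100.7", "eth2"),  # routable source claimed on the wrong port
]

if __name__ == "__main__":
    for key, verdicts in evaluate(PACKETS).items():
        print(key, "per-interface:", verdicts[0], "any-interface:", verdicts[1])
```

The last packet shows the trade-off: the any-interface check tolerates asymmetric routing but also passes a routable source address arriving on the wrong port, and in this model a 0.0.0.0/0 entry would make it pass every source.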

=== Quality of service ===
Differentiated services provides an additional method to select outgoing interfaces, based on a field that indicates the forwarding priority of the packet, as well as the preference of the packet to be dropped in the presence of congestion. Routers that support differentiated services not only have to look up the output interface for the destination address, but also need to send the packet to the interface that best matches the differentiated services requirements. In other words, as well as matching the destination address, the FIB has to match differentiated services code points (DSCP).

=== Access control and accounting ===
Specific router implementations may, when a destination address or other FIB criterion is matched, specify another action to be done before forwarding (e.g., accounting or encryption), or apply an access control list that may cause the packet to be dropped.

== Attacks ==