IP Routing and Longest Prefix Match: Why the Most Specific Route Always Wins

March 11, 2026


A routing table is not a dictionary. You cannot look up a destination IP and pull out one entry. The IP belongs to many entries at once.

Take a packet headed for 10.0.5.42. The table might hold three matching routes: 0.0.0.0/0 pointing at a default gateway, 10.0.0.0/16 pointing at a regional gateway, and 10.0.5.0/24 pointing at a local one. All three contain the destination address. The router has to pick. It always picks the longest matching prefix, the /24 in this case, because a longer prefix means a more specific claim of authority over that block.

That is why routers are implemented as tries, not hash maps. A trie keyed on prefix bits lets you walk down to the deepest matching node in a single traversal. Modern silicon does this in hardware with TCAMs that match prefix-and-mask in parallel.

The whole internet runs on this rule plus BGP. Each autonomous system announces the prefixes it controls. Its neighbors propagate those announcements to their neighbors. When traffic to your /24 shows up at any router on the path, that router walks its table, finds your prefix as the longest match, and forwards along the AS path you advertised.

The catch is that BGP trusts the announcer. There is no built-in mechanism that says "you do not actually own this prefix." If someone announces a route that is more specific than the real owner's, every router that hears the announcement will prefer the impostor. Longest match is mechanical, not moral.

This is the failure mode behind most of the headline routing incidents of the last decade. Someone misconfigures a BGP session, leaks a /24 that lives inside a peer's /16, and now half the internet is sending that block's traffic to the wrong AS. The AWS us-east-1 disruption in 2021 had a routing component along these lines. CDNs have repeatedly been hijacked by accidental or deliberate more-specific announcements. The fix is layered: route origin authorization via RPKI, so neighbors can validate that the originating AS is actually authorized to announce the prefix; BGP communities to constrain propagation; and prefix-length filters that simply drop suspiciously specific routes from unexpected peers.
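As an added illustration (not code from the original post), here is a minimal IPv4 version of the prefix trie described above, with a single-walk longest-match lookup, plus a simplified prefix-length filter of the kind listed among the mitigations. The class and function names, the "unexpected-peer" route and the sample announcements are all constructed for the example.

```python
import ipaddress

class PrefixTrie:
    """Binary trie keyed on prefix bits; a node carries a next hop only where a route ends."""
    def __init__(self):
        self.root = {}

    def insert(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=True)
        node = self.root
        for bit in format(int(net.network_address), "032b")[: net.prefixlen]:
            node = node.setdefault(bit, {})
        node["hop"] = next_hop

    def lookup(self, addr):
        """Single walk down the trie; the deepest node carrying a hop is the longest match."""
        node, best, depth = self.root, None, 0
        if "hop" in node:
            best = (node["hop"], 0)  # a default route sits at the root (prefix length 0)
        for bit in format(int(ipaddress.ip_address(addr)), "032b"):
            node = node.get(bit)
            if node is None:
                break
            depth += 1
            if "hop" in node:
                best = (node["hop"], depth)
        return best

def build_table(announcements, max_prefixlen=24):
    """Install announcements, dropping any prefix longer than max_prefixlen (a prefix-length filter)."""
    trie, rejected = PrefixTrie(), []
    for prefix, next_hop in announcements:
        if ipaddress.ip_network(prefix, strict=True).prefixlen > max_prefixlen:
            rejected.append((prefix, next_hop))
        else:
            trie.insert(prefix, next_hop)
    return trie, rejected

# Constructed sample: the article's three routes plus a hypothetical more-specific
# announcement for part of the same /24, arriving from an unexpected peer.
ANNOUNCEMENTS = [
    ("0.0.0.0/0", "default-gw"),
    ("10.0.0.0/16", "regional-gw"),
    ("10.0.5.0/24", "local-gw"),
    ("10.0.5.0/25", "unexpected-peer"),
]

if __name__ == "__main__":
    for max_len in (24, 32):  # with the filter, then without it
        print(max_len, build_table(ANNOUNCEMENTS, max_len)[0].lookup("10.0.5.42"))
```

With the filter in place the /25 never enters the table and 10.0.5.42 still resolves to the /24; without it, the more specific entry silently wins for every address in the lower half of that block.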

The same rule shows up inside your VPC, just at a smaller blast radius. An AWS route table that adds a /32 static route for one instance will pull that traffic away from a /16 peering route, even if you only meant the override to be temporary. Cleanup matters because the routing decision is permanent until someone deletes the more-specific entry.

Routing's elegance and its fragility come from the same rule. The most specific match wins, and the network has no opinion on who deserves to be specific. That is a property worth holding in your head every time you write a route.

Key takeaway

Routing is a longest prefix match against a trie. That single rule explains VPC route tables, default gateways, and why a misannounced /24 can hijack an entire service's traffic.

Originally posted on LinkedIn.


All Rights Reserved.