Solibulo

Uninteresting things

What outbound IP is used by Windows, and when?

by softlion 3. September 2009 08:54

Or how the hell does Windows select a network interface, and an IP address from that interface (if it has more than one), for outbound packets?

This excellent and easy-to-understand post from the Microsoft Network Team explains it all, along with the differences between Win2K3/XP and Win2K8/Vista.

Read it there: http://blogs.technet.com/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx

 

I reproduce it here:

Source IP address selection on a Multi-Homed Windows Computer

There is often confusion about how a computer chooses which adapter to use when sending traffic.

This blog describes the process by which a network adapter is chosen for an outbound connection on a multiple-homed computer, and how a local source IP address is chosen for that connection.

What is Source IP address selection

Source IP address selection is the process by which the stack chooses an IP address.

Windows XP and Windows Server 2003 are based on the weak host model.

When a Windows Sockets program binds to a socket, one of the parameters that is passed in the bind() call is the local (source) IP address that should be used for outbound packets. Most programs do not have any knowledge of network topology, so they specify IPADDR_ANY instead of a specific IP address in their bind() call. IPADDR_ANY tells the stack that the program is going to let the stack choose the best local IP address to use.

Windows XP behavior

KB175396 - Windows Socket Connection from a Multiple-Homed Computer

The TCP/IP component of all Microsoft Windows operating systems prior to Windows Vista is based on a Weak Host model. This model gives program developers the greatest amount of leeway when they design programs that use the network and are compatible with Microsoft products. This model also puts the responsibility of the behavior of the networking program on the developers, because the developers specify how the program accesses the TCP/IP stack and responds to incoming and outgoing frames.

On a computer that has one network adapter, the IP address that is chosen is the Primary IP address of the network adaptor in the computer. However, on a multiple-homed computer, the stack must first make a choice. The stack cannot make an intelligent choice until it knows the target IP address for the connection.

When the program calls connect() to a target IP address, or calls send() for a UDP datagram, the stack references the target IP address, and then examines the IP route table so that it can choose the best network adapter over which to send the packet. After this network adapter has been chosen, the stack reads the Primary IP address associated with that network adapter and uses that IP address as the source IP address for the outbound packets.

Example:
Source supplied in the call: IPADDR_ANY
Target IP: 192.168.1.5
Route Table:
Nic 1 - 192.168.1.10/32
Nic 1 - 192.168.1.11/32
Nic 2 - 10.0.0.10/32
Nic 2 - 10.0.0.11/32
The chosen source IP: 192.168.1.10
The chosen source NIC: Nic 1

If the program specifies a source IP address to use in the bind() call, that IP address is used as the source IP address for connections sourced from that socket. However, the route table is still used to route the outbound IP datagrams, based on the target IP address. As a result of this behavior, the source IP address may not be the one associated with the network adapter that is chosen to send the packets.

Example:
Source supplied in the call: 10.0.0.10
Target IP: 192.168.1.5
Route Table:
Nic 1 - 192.168.1.10/32
Nic 1 - 192.168.1.11/32
Nic 2 - 10.0.0.10/32
Nic 2 - 10.0.0.11/32
The chosen source IP: 10.0.0.10
The chosen source Nic: Nic 1 <- Note this is not the Nic the source IP is on.

Summary

If a source IP is not given, the Primary IP address of the adapter with a route that most closely matches the target IP address is used to source the packet, and the adapter that the Primary IP is associated with is used as the source adapter.

If the source IP is specified, the adapter that is used to send the packet is the one with a route that most closely matches the target IP address, and this may not be the adapter that is associated with the source IP.

Windows Vista/Windows Server 2008 behavior

Windows Vista and later are based on the strong host model. In the strong host model, the host can only send packets on an interface if the interface is assigned the source IP address of the packet being sent. Also, the concept of a primary IP address does not exist.

As in XP, if a program doesn't specify a source IP, the stack references the target IP address, and then examines the entire IP route table so that it can choose the best network adapter over which to send the packet. After the network adapter has been chosen, the stack uses the address selection process defined in RFC 3484 to pick one of that adapter's addresses and uses that IP address as the source IP address for the outbound packets.

Example:

Source supplied in the call: IPADDR_ANY
Target IP: 192.168.1.5
Route Table:
Nic 1 - 192.168.2.10/32
Nic 1 - 192.168.1.11/32
Nic 2 - 10.0.0.10/32
Nic 2 - 10.0.0.11/32
The chosen source IP: 192.168.1.11
The chosen source NIC: Nic 1

If the program specifies a source IP address, that IP address is used as the source IP address for connections sourced from that socket and the adapter associated with that source IP is used as the source interface. The route table is searched but only for routes that can be reached from that source interface.

Example:
Source supplied in the call: 10.0.0.10
Target IP: 192.168.1.5
Route Table:
Nic 1 - 192.168.1.10/32
Nic 1 - 192.168.1.11/32
Nic 2 - 10.0.0.10/32
Nic 2 - 10.0.0.11/32
The chosen source IP: 10.0.0.10
The chosen source Nic: Nic 2 <- Note this is the Nic the source IP is on.
Note: the packet would be sent to the default gateway associated with Nic 2.

RFC 3484 and Source IP address selection

The last thing I want to talk about is RFC 3484.

Even though RFC 3484 says it only applies to IPv6, in Windows implementations IPv4 does follow the same rules when possible.

Windows source IPv4 address selection:
Rule 1 - Prefer same address (applies)
Rule 2 - Prefer appropriate scope (applies)
Rule 3 - Avoid deprecated addresses (applies)
Rule 4 - Prefer home addresses - does not apply to IPv4
Rule 5 - Prefer outgoing interfaces (applies)
Rule 6 - Prefer matching label - does not apply to IPv4
Rule 7 - Prefer public addresses - does not apply to IPv4
Rule 8a - Use longest matching prefix with the next hop IP address (not in RFC!)
"If CommonPrefixLen(SA, D) > CommonPrefixLen(SB, D), then prefer SA. Similarly, if CommonPrefixLen(SB, D) > CommonPrefixLen(SA, D), then prefer SB."
This says that the IP with the most high order bits that match the destination of the next hop will be used.
Note: Rule 8 - Use longest matching prefix is similar to rule 8a, except the match is with the destination IP address rather than the next hop IP address.

For example, consider the following addresses:

Client machine
IP addresses: 192.168.1.14/24 and 192.168.1.68/24
Default gateway: 192.168.1.127

The server will use the 192.168.1.68 address because it has the longest matching prefix.

To see this more clearly, consider the IP addresses in binary:

 

11000000 10101000 00000001 00001110 = 192.168.1.14 (Bits matching the gateway = 25)
11000000 10101000 00000001 01000100 = 192.168.1.68 (Bits matching the gateway = 26)
11000000 10101000 00000001 01111111 = 192.168.1.127
The 192.168.1.68 address has more matching high order bits with the gateway address 192.168.1.127. Therefore, it is used for off-link communication.
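
The four XP/Vista examples and the rule 8a example above can be replayed with a small model. This is an added illustration, not code from the original post or from Microsoft: the function names, the /24 on-link prefix and the treatment of the first listed address as the Primary IP are assumptions, and no default route is modelled.

```python
import ipaddress

# Constructed topologies mirroring the post's examples. The /24 on-link prefix
# is an assumption; the post lists bare host addresses per NIC.
XP_NICS = {"Nic 1": ["192.168.1.10", "192.168.1.11"],
           "Nic 2": ["10.0.0.10", "10.0.0.11"]}
VISTA_NICS = {"Nic 1": ["192.168.2.10", "192.168.1.11"],
              "Nic 2": ["10.0.0.10", "10.0.0.11"]}
ON_LINK_PREFIX = 24

def common_prefix_len(a, b):
    """Count the identical high-order bits of two IPv4 addresses."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def longest_match(candidates, reference):
    """Rule 8 / 8a: the candidate sharing the most leading bits with reference
    (the destination for rule 8, the next hop for rule 8a)."""
    return max(candidates, key=lambda c: common_prefix_len(c, reference))

def route_nic(nics, target):
    """NIC with an on-link subnet containing target (no default route modelled)."""
    dest = ipaddress.IPv4Address(target)
    for nic, addrs in nics.items():
        if any(dest in ipaddress.ip_network(f"{a}/{ON_LINK_PREFIX}", strict=False)
               for a in addrs):
            return nic
    raise LookupError(f"no on-link route to {target}")

def select(nics, target, bound=None, strong_host=False):
    """Return (source IP, outgoing NIC) for the weak or strong host model."""
    if bound is None:
        nic = route_nic(nics, target)
        # Weak host: Primary IP (assumed first listed). Strong host: prefix match.
        src = longest_match(nics[nic], target) if strong_host else nics[nic][0]
        return src, nic
    if strong_host:
        # The packet may only leave on the interface that owns the source.
        return bound, next(n for n, addrs in nics.items() if bound in addrs)
    return bound, route_nic(nics, target)  # weak host: the route picks the NIC

def source_off_interface(nics, src, nic):
    """True when the packet's source address is not assigned to the sending NIC."""
    return src not in nics[nic]

if __name__ == "__main__":
    print(select(XP_NICS, "192.168.1.5", "10.0.0.10"))                    # weak
    print(select(XP_NICS, "192.168.1.5", "10.0.0.10", strong_host=True))  # strong
    print(longest_match(["192.168.1.14", "192.168.1.68"], "192.168.1.127"))
```

`source_off_interface` flags the weak host case from the second XP example, where a packet sourced from 10.0.0.10 leaves through Nic 1; that combination is the one to account for when firewall or ACL rules are written per interface and source address.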