IPv4
IPv4 is one of the core protocols used in standards based internetworking on the Internet and other packet-switched networks. It is succeeded by IPv6.
Packets
IP packets are between 20 and 2^16 bytes in size, comprised of a header and a payload.
The header comprises:
- Version specifies the protocol version (always 4).
- IHL specifies the total length of the header section, or the offset to reach the data.
- DSCP specifies the type of service for packet classification, determining QoS.
- ECN optionally allows end-to-end notification of traffic congestion without dropping packets.
- Total Length defines the size of the entire packet, both header and data.
- Identification uniquely identifies a group of fragments in a single datagram.
- Flags specifies fragmentation control:
0: reserved; must be0.1: DF will cause the packet to be dropped rather than fragmented if fragmentation is required for transmission.2: MF indicates that additional fragments are to be transmitted, and is cleared for non-fragmented packets.
- Fragment Offset specifies the offset of the fragment relative to the first (
0) fragment of the datagram. - Time To Live determines how many routers can be traversed before giving up, to prevent loops.
- Protocol defines the protocol used in the data section of datagram.
- Header Checksum enables CRC against fragment headers.
- Source IP Address defines the IP address of the source.
- Destination IP Address defines the IP address of the destination.
- Options is often unused, but allows setting options, provided the IHL value is large enough to accommodate it:
- The Copied bit determines whether the options should be copied into all fragments of a fragmented packet.
- Option Class sets a general category:
0: "control".1: reserved.2: "debugging and measurement".3: reserved.
- Option Number is a 5-bit number indicating the option.
- Option Length is an 8 bit value indicating the length of the option value.
- Option Data is a variable length, option-specific value.
ARP
The Address Resolution Protocol is used for the discovery of the link layer address (layer 2; e.g. MAC address) for a given network layer (layer 3; IPv4) address. It works by broadcasting "who has" messages to connected hosts, which can then respond with "I have".
Because the protocol is stateless, all nodes on the network are responsible for maintaining their own cache of protocol address to MAC address. On switches these are referred to as MAC Address Tables, and other hosts have an ARP Cache.
ARP packets comprise the following fields:
- Hardware Type specifies the type of the hardware address.
0Reserved1: Ethernet (10Mb)2Experimental Ethernet20Serial Line31IPsec tunnel32InfiniBand258-65534Unassigned65535Reserved
- Protocol Type specifies the internetwork protocol, using a number space shared with EtherType.
- Hardware Address Length specifies the length, in octets, of the hardware address.
- Protocol Address Length specifies the length, in octets, of the protocol address.
- Operation specifies the type of request/reply:
0: Reserved1REQUEST2REPLY26-65534Unassigned65535Reserved
- Sender Hardware Address specifies the hardware address of the sender in a request (the hardware address of the requested host in the response).
- Sender Protocol Address contains the internetwork address of the sender.
- Target Hardware Address contains the hardware address of the intended receiver. Ignored during requests, indicates the address of the originating host of a request during a reply.
- Target Protocol Address contains the
ICMP
ICMP is the protocol used by network devices, e.g. routers, for diagnostics and error reporting. It's rarely used directly by user-facing applications, with the notable exceptions of ping and traceroute.
Addressing
IPv4 addresses are 32-bit numbers, usually represented as a string of 4 decimal numbers representing 8-bit Binary octets.
| IP address | Octet 1 | Octet 2 | Octet 3 | Octet 4 |
|---|---|---|---|---|
| 192.168.1.64 | 1100 0000 | 1010 1000 | 0000 0001 | 0100 0000 |
| 255.255.255.0 | 1111 1111 | 1111 1111 | 1111 1111 | 0000 0000 |
There are three types of IP addresses in each IP network:
- An address with all binary zeroes in its host portion is a network address.
- An address with all binary ones in its host portion is a broadcast address.
- Anything else is a host address.
Classful
Classful addressing was used up until ~1995, and defined the first 3 octets of the address as the Network Portion, and the final octet as the Host Portion. It segmented the address space into a number defined ranges:
| Class | Usage | Routable on public internet? | Range start | Range end | Network Portion | Host Portion |
|---|---|---|---|---|---|---|
| A | Unicast | ✅ | 0.0.0.0 | 127.0.0.0 | Octet 1 | Octets 2-4 |
| B | Unicast | ✅ | 128.0.0.0 | 191.0.0.0 | Octets 1 and 2 | Octets 3 and 4 |
| C | Unicast | ✅ | 192.0.0.0 | 223.0.0.0 | Octets 1-3 | Octet 4 |
| D | Multicast | ❌ | 224.0.0.0 | 239.0.0.0 | Octets 1-4 | None |
| E | Broadcast | ❌ | 240.0.0.0 | 255.255.255.255 | None | None |
Classless
In classless routing, the Host and Network Portions of the address are defined by the subnet mask.
| IP address | Subnet mask | Host Portion | Network Portion |
|---|---|---|---|
| 192.168.1.64 | 255.255.255.0 | 192.168.1 (1100 0000 1010 1000 0000 0001) | 64 (0100 0000) |
CIDR allows us to express the subnet mask as a prefix with the starting address of the network:
| IP address | Subnet mask | Network address |
|---|---|---|
| 192.168.1.64 | 255.255.255.0 | 192.168.1.0/24 |
VLSM
Variable-Length Subnet Mask is a type of subnet design which uses more than one length of subnet mask. Whilst more complex, it allows engineers to make more effective use of the available address space by saving on wasted address space caused by a fixed design.
NAT
Network Address Translation lets us segregate private networks from the public Internet and allows routers to translate route packets between devices on either side.
| RFC1918 name | Classful description | Network address |
|---|---|---|
| 24-bit block | Single class A network | 10.0.0.0/8 |
| 20-bit block | 16 contiguous class B networks | 172.16.0.0/12 |
| 16-bit block | 256 contiguous class C networks | 192.168.0.0/16 |
Carrier-grade NAT
CGNAT, also known as large-scale NAT, is an approach to IPv4 network design in which end sites are configured with private network address that are translated to public IPv4 addresses by middlebox NAt devices in the operator's network. It allows for reuse of the limited IPv4 address space, extending the lifespan of IPv4.
APIPA
APIPA is a "helpful" Windows feature designed to automatically assign IP addresses to nodes in the absence of a functioning DHCP server. It provisions addresses in the network 169.254.0.0/16. The presence of an address in this range on a NIC configuration is usually indicative of a connectivity issue.
Routing
IP routing allows packets to traverse network boundaries. The route that a packet follows is determined by the routing table on each host or gateway (router). The default gateway on each host or gateway is a catch-all for things not matching specific rules in the routing table.
At each hop, the router:
- Extracts the message from the frame
- Reads the destination address
- Looks at its routing table for a matching route
- When found, creates a new frame with that
Dynamic routing
Dynamic (or adaptive) routing allows a set of routers to adjust their routing rules to allow for optimal performance and availability, responding in real-time to changes to the network's logical layout.
They can be grouped into two broad categories based on the data transferred between neighbouring routers:
- Distance vector protocols exchange vectors of all known networks and the transmitter's relative distance from them.
- Link state protocols have routers describe themselves and their interfaces to their neighbours. Routers relay all of these messages to neighbouring routers to give a complete picture of the network to all routers.
| Protocol | Type | |
|---|---|---|
| RIP | Distance vector | old and unused |
| EIGRP | Distance vector | |
| OSPF | Link state | |
| BGP | Hybrid | exterior gateway protocol based on autonomous systems |
Tracing
traceroute (or tracert on Windows) allows tracing the gateway traversals packets make between our host and a destination.
Transmission modes
Unicast
Unicast transmissions take place between exactly one transmitter and exactly one receiver, sent directly to the receiver's IP address.
Broadcast
Broadcast transmissions are between exactly one transmitter and all recipients:
- Limited broadcasts are sent to all devices within the network, not forwarded.
- Directed broadcasts can be sent to an individual IP network's broadcast address, allowing transmission to all clients within a specific subnet.
Multicast
Multicast transmissions are sent between at least one client and zero or more receivers. Multicast groups receive an address in the multicast (class D) address space.
Group membership is managed by the clients, using IGMP. Routers use IGMP to determine which subnets should receive the packets, but don't maintain lists of hosts: they'll be broadcasted to all hosts in these subnets.
Multicast is commonly used for video streaming, where volumes of data make it impractical to unicast to larger numbers of clients.
Backlinks