How does IPv4 work?
IPv4 (Internet Protocol version 4) operates at the Internet layer of the TCP/IP stack (layer 3 in the OSI model). It has two major responsibilities:
- Logical addressing
- Packet routing.
IP addresses are 'logical' addresses - they aren't permanently connected to any specific device and they can be allocated on a network by an administrator to create any network topology that they see fit.
IP addressing is used to identify source and destination hosts which could be on the same LAN or could be on different networks in different parts of the world. IP routing makes it possible to get from the source to the destination by forwarding packets from hop to hop, regardless of the physical infrastructure in between – potentially the packet will have to travel across many different connected networks to reach its destination.
Basic Routing Process
Typically the process starts with an end-user device, or host, creating an IP packet with the destination address set to the intended recipient and the source address set to its own address.
The host will forward the packet on to its default gateway, probably a router at the edge of the LAN.
Based on the destination IP address, this router will decide where to forward the packet next, probably a router belonging to the user's ISP (Internet Service Provider).
The router in the ISP will have a large routing table and will select the best match for the destination of the packet and forward the packet onwards.
The packet will potentially hop through a few more routers, each of which finds the best next hop to send it on to based on its routing table.
Eventually, the packet will reach a router which has a route to the specified destination IP address and will forward it on to the recipient.
Although the IP packet will remain pretty much the same all the way through, each router will read and decapsulate (pop off) the lower level header and trailer and encapsulate the packet in a new header and trailer for the next hop. The data could be sent in an Ethernet frame, an HDLC frame or some other link-layer format.
Like a postal address, an IP address can be split up, with the first part identifying a general network (like a town or a street) and the second part identifying a specific host (like a specific house number). When each router looks up the best route, the route it has may match only a portion of the address (like a sorting office identifying the correct town to send the mail to) or it could be for the exact address (like the local post office which knows the exact route to the house).
These routes could be programmed in manually (static routes) or they can be learned from other routers automatically using routing protocols.
IPv4 Packet Header
Data which is sent over IP is broken up into packets, where each packet has an IPv4 header prepended to the data being transferred. The header is 20 bytes long if no options are set, and is made up of the fields explained below.
Version
Length: 4 bits
Internet protocol version; for IPv4, this will be 4.
Internet Header Length (IHL)
Length: 4 bits
The length of the packet header in 32-bit words. The minimum value is 5 (5 x 32 gives 160 bits or 20 bytes). If the value is greater than 5, the packet includes additional options and padding.
Type of Service or Differentiated Services Field
Length: 8 bits
This field may be used to indicate the importance of the traffic being carried, so that some types of traffic get preference over others. Originally this was defined in terms of different ‘types of service’; today the differentiated services (DiffServ) definition is used.
Total Length
Length: 16 bits
This field specifies the total length of the packet, including the header and the payload. It is measured in bytes.
Identification
Length: 16 bits
The identification (IP ID) field exists to help reassemble data where it has been fragmented across multiple packets. If the data is not fragmented then the IP ID field is sometimes used for other purposes.
Flags
Length: 3 bits
This field is used to define the fragmentation properties of the packet. It may specify that the packet must not be fragmented (broken up) and it may also indicate that the packet has been fragmented (unless it is the last fragment). Today it can also be used for path maximum transmission unit (MTU) discovery.
Fragment Offset
Length: 13 bits
This field specifies how far a fragment's data is offset from the first fragment. The offset of the first fragment will be zero.
Time to Live
Length: 8 bits
This field specifies how long the packet has left to ‘live’ as it travels across networks. In reality, the value of this field is typically decremented by one every time it hits a new network device (such as a router). If it reaches a value of zero then the packet ‘dies’ and gets dropped instead of forwarded. This prevents packets from hopping around a network indefinitely.
Protocol
Length: 8 bits
The IPv4 protocol field indicates the protocol of the data being carried. For example, if TCP data is being encapsulated then the value of the protocol field is 6, but if UDP is being carried then the value is 17.
Header Checksum
Length: 16 bits
The checksum is used to make sure that there are no errors in the IP header. When a packet arrives at a router, the router will check whether the checksum is correct for the header and, if not, the packet will be dropped. The IP header checksum does not take into account the data being carried; it is based only on the header.
Source IP Address
Length: 32 bits
This field contains the IPv4 address of the source of the packet. It is used to get the reply back to the sender. In some cases, the source address will be changed as the packet moves between networks using ‘network address translation’.
Destination IP Address
Length: 32 bits
This is the IPv4 address of the destination for the packet. Like the source address, this may be changed by ‘network address translation’ in some cases such as crossing network boundaries. It is used to get the packet to the correct recipient.
Options and Padding
IPv4 options are rarely used. If an option is used which doesn’t make up a full 32-bit word then padding is added.
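As an added example (not code from the original article), the following Python decodes the header fields described above from raw bytes, verifies the header checksum the way a router would, and shows the per-hop TTL decrement that forces the checksum to be recomputed. The sample header is constructed inline.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"                    # checksum field is zero while computing
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed fields described above and verify the checksum as a router would."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a valid IPv4 header")
    header = pkt[:ihl * 4]                    # IHL counts 32-bit words
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "ttl": ttl,
        "df": bool(flags_frag & 0x4000),      # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(header) == csum,
        "src": ".".join(map(str, src)),       # dotted-decimal notation
        "dst": ".".join(map(str, dst)),
        "options": header[20:],               # empty when IHL == 5
    }


def forward_hop(pkt: bytes) -> bytes:
    """Router step: decrement TTL and fix the checksum; return b"" (dropped) at TTL 0."""
    hdr = bytearray(pkt)
    if hdr[8] <= 1:                           # TTL would reach zero: packet dies here
        return b""
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr[:(hdr[0] & 0x0F) * 4])))
    return bytes(hdr)


def build_sample_header() -> bytes:
    """Constructed sample: TCP, 192.168.0.1 -> 10.0.0.1, DF set, TTL 64, no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
                      bytes([192, 168, 0, 1]), bytes([10, 0, 0, 1]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```

Decrementing the TTL byte without recomputing the checksum yields a header that the next router would discard, which is why every hop rewrites both fields together.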
IPv4 Addresses
IP addresses provide logical addressing across networks. They may be assigned and reassigned to hosts (and network infrastructure) by users, by system administrators or automatically. Deciding what address to assign to a specific interface can be complex and may be based on a series of rules.
IP addresses are 32 bits long. Instead of representing them as one big number, we tend to split them up into groups of 8 bits (octets) and write each octet as a decimal number between 0 and 255, for example 192.168.0.1. Representing IP addresses in this way is known as 'dotted-decimal notation'.
In the same way that a postal address has a portion to specify the right town and a portion to specify the exact house, IP addresses have a portion to specify the network that the host is on and then a portion to identify the individual interface.
IPv4 Address Classes
Early on in the development of the internet (the 1980s), it was decided to have 5 different classes of IP address. Different classes would use a different proportion of bits to represent the network and host. This meant that large organisations could be given an address that allowed them to have lots of hosts and small organisations could have a smaller address space. Unfortunately, in reality, the 5 classes didn’t work – some organisations were allocated far more addresses than they needed and others didn’t have enough.
Within a given network, the network itself is represented by setting all of the host bits to zero. Setting all of the host bits to 1 gives the broadcast address, which can be used to reach all hosts.
Class A Addresses
Network Bits: 8
Host Bits: 24
Total Number of Networks: 128
Total Number of Addresses per Network: 16,777,216
First Address: 0.0.0.0
Class B Addresses
Network Bits: 16
Host Bits: 16
Total Number of Networks: 16,384
Total Number of Addresses per Network: 65,536
First Address: 128.0.0.0
Class C Addresses
Network Bits: 24
Host Bits: 8
Total Number of Networks: 2,097,152
Total Number of Addresses per Network: 256
First Address: 192.0.0.0
Class D Addresses
First Address: 224.0.0.0
Class D is reserved for multicast addresses – addresses which can be used to reach a group of hosts.
Class E Addresses
First Address: 240.0.0.0
Class E addresses were reserved for future use and experiments.
Reserved and Private Addresses
There are some additional special address ranges which you should know about.
Range: 127.0.0.0 to 127.255.255.255
Loopback addresses send data back to the host itself. They are commonly used for testing purposes and, in reality, hosts only use 127.0.0.1 – the 'localhost' address.
There are several ranges of private IP addresses. These addresses are not publicly routable and can be used on any private network. The 192.168.x.x range is typically used for home networks.
- 192.168.0.0 - 192.168.255.255 (65,536 addresses)
- 172.16.0.0 - 172.31.255.255 (1,048,576 addresses)
- 10.0.0.0 - 10.255.255.255 (16,777,216 addresses)
We create IP networks which are made up of a group of consecutive IP addresses allocated to devices on that network. The division of addresses is called subnetting. A single group, or subnet, could contain just a couple of IP addresses or thousands depending on what devices will be a part of it. Routers separate different subnets.
Basic Host Routing
When a host wants to send an IP packet, it first checks whether the destination is in the same subnet. If it is, then the host can send the packet directly at layer 2 using Ethernet and associated protocols.
If the destination is not on the same subnet, the host will send the packet to its ‘default gateway’ for sending on to a different network.
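An added example (not from the original article) that puts the addressing rules above into code: the classful lookup, the private and loopback ranges, network and broadcast derivation from a prefix length, and the host's direct-versus-default-gateway decision. All addresses in it are constructed samples.

```python
def to_int(addr: str) -> int:
    """Dotted-decimal -> 32-bit integer, rejecting octets outside 0..255."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_str(n: int) -> str:
    """32-bit integer -> dotted-decimal notation."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful lookup by leading bits: A 0xxx, B 10xx, C 110x, D 1110, E 1111."""
    first = to_int(addr) >> 24
    for cls, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first < limit:
            return cls
    return "E"


def is_private_or_loopback(addr: str) -> bool:
    """The non-publicly-routable ranges listed above (three private blocks plus 127/8)."""
    n = to_int(addr)
    ranges = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16), ("127.0.0.0", 8)]
    return any(n >> (32 - plen) == to_int(net) >> (32 - plen) for net, plen in ranges)


def subnet_bounds(addr: str, prefix_len: int) -> tuple:
    """Network address (host bits all 0) and broadcast address (host bits all 1)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    net = to_int(addr) & mask
    return to_str(net), to_str(net | (~mask & 0xFFFFFFFF))


def next_hop(host: str, prefix_len: int, dst: str, gateway: str) -> str:
    """Host routing: deliver directly inside the subnet, else hand to the default gateway."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    if to_int(host) & mask == to_int(dst) & mask:
        return "direct"            # same subnet: frame goes straight to dst on the LAN
    return gateway                 # off-subnet: frame goes to the router's address
```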