Network Layer

The network layer provides end-to-end packet delivery across multiple networks. Its primary functions are addressing (IP) and routing (finding paths).

IPv4

IPv4 Header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Key fields:

  • TTL (Time to Live): Decremented at each hop. Packet discarded when TTL = 0. Prevents infinite routing loops. Typically starts at 64 or 128.
  • Protocol: Upper-layer protocol (6 = TCP, 17 = UDP, 1 = ICMP).
  • Header checksum: Verifies header integrity (recomputed at each hop since TTL changes).
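To make the header fields and the per-hop checksum rule concrete, here is a small parser for the fixed 20-byte IPv4 header. This is an added example, not code from the original page; the sample header bytes are constructed, not captured.

```python
import struct

# Constructed sample (not a capture): 20-byte header, TTL 64, protocol 6 (TCP), DF flag,
# 192.168.1.100 -> 203.0.113.1; 0x207c is the correct checksum for these fields.
SAMPLE_HEADER = bytes.fromhex("4500 0028 1c46 4000 4006 207c c0a8 0164 cb00 7101")

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd lengths are padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def header_checksum(header: bytes) -> int:
    """Checksum the header with the checksum field (bytes 10-11) treated as zero."""
    return (~ones_complement_sum(header[:10] + b"\x00\x00" + header[12:])) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "total_length": total_len, "id": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
        "checksum_ok": header_checksum(packet[:ihl * 4]) == csum,
    }

def forward_hop(packet: bytes) -> bytes:
    """Per-hop router processing: verify checksum, decrement TTL, discard at 0, recompute checksum."""
    hdr = parse_ipv4(packet)
    if not hdr["checksum_ok"]:
        raise ValueError("header checksum mismatch: discard")
    if hdr["ttl"] <= 1:
        raise ValueError("TTL expired: discard and send ICMP Time Exceeded (type 11)")
    out = bytearray(packet)
    out[8] -= 1                             # TTL changed, so the checksum must be recomputed
    out[10:12] = header_checksum(bytes(out[:hdr["ihl"] * 4])).to_bytes(2, "big")
    return bytes(out)
```

Patching the TTL without recomputing the checksum produces a header that a receiving router must discard, which is exactly why the field is rewritten at every hop.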

IPv4 Addressing

32-bit address: 4 octets in dotted-decimal notation (e.g., 192.168.1.100).

Address classes (historical, before CIDR):

| Class | Range | Default Mask | Networks | Hosts/Network |
|---|---|---|---|---|
| A | 0.0.0.0 - 127.255.255.255 | /8 | 128 | 16M |
| B | 128.0.0.0 - 191.255.255.255 | /16 | 16K | 65K |
| C | 192.0.0.0 - 223.255.255.255 | /24 | 2M | 254 |

Special addresses: 127.0.0.0/8 (loopback), 0.0.0.0 (unspecified), 255.255.255.255 (broadcast).

Subnetting

Divide a network into smaller subnets using a subnet mask.

Address:  192.168.1.0/24
Subnet:   192.168.1.0/26  (first 26 bits = network, last 6 = host)
            → 192.168.1.0/26:    .0 - .63   (64 addresses, 62 usable)
            → 192.168.1.64/26:   .64 - .127
            → 192.168.1.128/26:  .128 - .191
            → 192.168.1.192/26:  .192 - .255

CIDR (Classless Inter-Domain Routing)

CIDR notation: IP/prefix_length (e.g., 10.0.0.0/8, 172.16.0.0/12).

Eliminates class boundaries. Supports variable-length subnet masks (VLSM) and route aggregation (supernetting).

Route aggregation: 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 → aggregated as 192.168.0.0/22. Reduces routing table size.

Private Address Ranges (RFC 1918)

10.0.0.0/8        (16M addresses)
172.16.0.0/12     (1M addresses)
192.168.0.0/16    (65K addresses)

Not routable on the public Internet. Used with NAT.

NAT (Network Address Translation)

Maps private addresses to public addresses. A single public IP can serve many private hosts.

Internal: 192.168.1.100:5000 → NAT → External: 203.0.113.1:40123 → Internet

NAT table: Maps (internal_IP, internal_port) ↔ (external_IP, external_port).

Types: Static NAT (1:1), dynamic NAT (pool), NAPT/PAT (port-based, many:1) — most common.

Issues: Breaks end-to-end connectivity (external hosts can't initiate connections). Requires special handling for protocols embedding IP addresses (FTP, SIP). NAT traversal techniques: STUN, TURN, ICE (used by WebRTC).

DHCP (Dynamic Host Configuration Protocol)

Automatically assigns IP addresses, subnet mask, default gateway, and DNS servers to devices.

1. DHCP Discover (broadcast): "I need an IP address"
2. DHCP Offer: "Here's 192.168.1.100 for 24 hours"
3. DHCP Request: "I'll take 192.168.1.100"
4. DHCP Acknowledge: "It's yours"

Lease: IP assignment expires after a configurable period. Client must renew.

IPv6

Why IPv6?

IPv4: 2³² = ~4.3 billion addresses. Exhausted (IANA allocated the last /8 blocks in 2011). NAT is a workaround, not a solution.

IPv6: 2¹²⁸ = ~3.4 × 10³⁸ addresses. Enough for every atom on Earth to have billions of addresses.

IPv6 Address Format

128 bits in 8 groups of 4 hex digits:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Abbreviation: Remove leading zeros. Replace longest run of zero groups with :: (once).

2001:db8:85a3::8a2e:370:7334

Link-local: fe80::/10 (auto-configured, not routable). Global unicast: 2000::/3 (routable Internet addresses). Loopback: ::1. Multicast: ff00::/8.

IPv6 Features

  • No NAT needed: Enough addresses for everything. End-to-end connectivity restored.
  • No header checksum: Removed (L2 and L4 have their own checksums). Faster forwarding.
  • Simplified header: Fixed 40-byte header. Extension headers for optional features.
  • Autoconfiguration (SLAAC): Hosts auto-generate addresses from network prefix + MAC address (EUI-64) or random ID.
  • No fragmentation by routers: Only the source fragments. Path MTU Discovery determines the maximum packet size.
  • Mandatory IPsec (originally — now recommended but not strictly required).

Transition Mechanisms

Dual-stack: Run IPv4 and IPv6 simultaneously. The dominant approach.

Tunneling (6to4, Teredo, ISATAP): Encapsulate IPv6 in IPv4 packets to traverse IPv4-only networks.

NAT64/DNS64: Translate between IPv6 and IPv4. Enables IPv6-only clients to reach IPv4 servers.

ICMP (Internet Control Message Protocol)

Error reporting and diagnostic protocol.

Key ICMP Messages

| Type | Message | Use |
|---|---|---|
| 0 | Echo Reply | ping response |
| 3 | Destination Unreachable | Network/host/port unreachable |
| 5 | Redirect | Better route available |
| 8 | Echo Request | ping |
| 11 | Time Exceeded | TTL expired (used by traceroute) |

ping

Send ICMP Echo Request → receive Echo Reply. Measures RTT and packet loss.

traceroute

Send packets with increasing TTL (1, 2, 3, ...). Each router that decrements TTL to 0 sends back ICMP Time Exceeded → reveals the router's IP. Traces the path to the destination.

traceroute (UNIX): Uses UDP to high port numbers. tracert (Windows): Uses ICMP Echo Request.

Routing

Routing vs Forwarding

Routing: Building the routing table (control plane). Runs routing protocols.

Forwarding: Looking up the destination in the routing table and sending the packet to the correct interface/next hop (data plane). Per-packet operation.

Longest Prefix Match

When multiple routes match a destination, the most specific (longest prefix) wins.

Route 1: 10.0.0.0/8     → next hop A
Route 2: 10.1.0.0/16    → next hop B
Route 3: 10.1.1.0/24    → next hop C

Destination 10.1.1.5 → matches all three → use Route 3 (longest: /24)
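The subnetting, route aggregation and longest-prefix-match rules from the sections above, worked with Python's standard `ipaddress` module. This is an added example, not code from the page; the routing table is the one in the text plus a constructed default route (0.0.0.0/0), which shows that a /0 only wins when no more specific route matches.

```python
import ipaddress

def subnets(network: str, new_prefix: int) -> list:
    """Split a network into equal subnets: (subnet, first address, last address, usable hosts)."""
    net = ipaddress.ip_network(network, strict=True)
    # first and last address of each subnet are the network and broadcast addresses
    return [(str(s), str(s.network_address), str(s.broadcast_address), s.num_addresses - 2)
            for s in net.subnets(new_prefix=new_prefix)]

def aggregate(prefixes: list) -> list:
    """Supernet contiguous, aligned prefixes (route aggregation), e.g. four /24s into one /22.
    Non-contiguous prefixes are returned unchanged."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def longest_prefix_match(table: dict, destination: str):
    """Return the next hop of the most specific route containing destination (None if no route)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix, strict=True)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Routing table from the text plus a constructed default route.
ROUTES = {"10.0.0.0/8": "A", "10.1.0.0/16": "B", "10.1.1.0/24": "C", "0.0.0.0/0": "default"}
```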

Distance Vector Routing (RIP)

Each router knows its distance to every destination. Periodically shares its distance vector with neighbors.

Bellman-Ford algorithm: D(x,y) = min over neighbors v of {cost(x,v) + D(v,y)}.

RIP (Routing Information Protocol): Metric = hop count. Max 15 hops. Updates every 30 seconds. Simple but slow convergence. Count-to-infinity problem (mitigated by split horizon, poison reverse).
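The Bellman-Ford update above, run as a synchronous distance-vector exchange on a small constructed topology. This is an added example, not code from the page; every router recomputes D(x,y) from the vectors its neighbours advertised in the previous round until nothing changes.

```python
INF = float("inf")

def distance_vector(links: dict, max_rounds: int = 50) -> tuple:
    """Synchronous distance-vector routing. links[x][v] is the cost of the direct link x-v.
    Each round every router x recomputes D(x,y) = min over neighbours v of cost(x,v) + D(v,y),
    using the distance vectors advertised by its neighbours in the previous round.
    Returns (distance tables, next-hop tables, number of rounds until no table changed)."""
    nodes = sorted(links)
    dist = {x: {y: 0 if x == y else links[x].get(y, INF) for y in nodes} for x in nodes}
    nxt = {x: {y: y if y in links[x] else None for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        advertised = {x: dict(dist[x]) for x in nodes}   # snapshot: what neighbours sent last round
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                best_cost = links[x].get(y, INF)          # start from the direct link, if any
                best_hop = y if y in links[x] else None
                for v, c in links[x].items():             # Bellman-Ford: try each neighbour v
                    if c + advertised[v][y] < best_cost:
                        best_cost, best_hop = c + advertised[v][y], v
                if best_cost != dist[x][y]:
                    dist[x][y], nxt[x][y], changed = best_cost, best_hop, True
        if not changed:
            return dist, nxt, rnd
    return dist, nxt, max_rounds

# Constructed topology: A-B (1), B-C (1), A-C (5), C-D (1). Shortest A->C is 2 via B, A->D is 3.
LINKS = {"A": {"B": 1, "C": 5}, "B": {"A": 1, "C": 1}, "C": {"A": 5, "B": 1, "D": 1}, "D": {"C": 1}}
```

Because each round only propagates information one hop further, D(A,D) settles one round after D(A,C); this hop-by-hop propagation is the root of RIP's slow convergence.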

Link-State Routing (OSPF)

Each router knows the complete network topology. Uses Dijkstra's algorithm to compute shortest paths.

OSPF (Open Shortest Path First):

  1. Each router discovers neighbors (Hello protocol).
  2. Each router floods Link-State Advertisements (LSAs) to all routers.
  3. Each router builds a complete topology map.
  4. Each router runs Dijkstra independently.

Areas: Large networks divided into areas (Area 0 = backbone). Reduces LSA flooding.

Advantages over RIP: Faster convergence, no hop-count limit, supports ECMP (equal-cost multi-path), hierarchical design.

Path Vector Routing (BGP)

BGP (Border Gateway Protocol): The Internet's inter-domain routing protocol. Exchanges paths (not just distances or link states) between autonomous systems (ASes).

Autonomous System (AS): A network under a single administrative authority (ISP, large enterprise). Each AS has an AS number (ASN).

BGP decisions: Based on policy, not just shortest path. ISPs choose routes based on business relationships (customer, provider, peer).

Covered in depth in advanced networking (topic 36).

Fragmentation and Reassembly

When a packet is larger than the link's MTU (Maximum Transmission Unit):

IPv4: Routers can fragment. Destination reassembles. Fragmentation adds overhead and complexity. DF (Don't Fragment) flag forces Path MTU Discovery.

IPv6: Routers do not fragment. Source must use Path MTU Discovery to determine the maximum packet size, then fragment at the source if needed.

Standard MTU: Ethernet = 1500 bytes. Jumbo frames = 9000 bytes (data center).
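The IPv4 fragmentation rules above, worked as a calculation over lengths and offsets (offset is in 8-byte units, so every fragment's payload except the last must be a multiple of 8). This is an added example, not code from the page; the reassembly check is included because gaps and overlaps between fragments are what a receiver must reject.

```python
def fragment_ipv4(total_length: int, mtu: int, header_len: int = 20, df: bool = False) -> list:
    """Split a datagram of total_length bytes (header + payload) so each piece fits the MTU.
    Returns [(more_fragments, fragment_offset_in_8_byte_units, fragment_total_length), ...].
    With DF set and no fit, a router discards the packet and sends ICMP type 3 code 4
    ("fragmentation needed and DF set"), which is what drives Path MTU Discovery."""
    if total_length <= mtu:
        return [(False, 0, total_length)]
    if df:
        raise ValueError("DF set and packet exceeds MTU: discard, ICMP Destination Unreachable (code 4)")
    per_frag = (mtu - header_len) // 8 * 8        # payload per fragment, rounded down to 8 bytes
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload, offset, frags = total_length - header_len, 0, []
    while offset < payload:
        chunk = min(per_frag, payload - offset)
        more = offset + chunk < payload            # MF flag is clear only on the last fragment
        frags.append((more, offset // 8, header_len + chunk))
        offset += chunk
    return frags

def reassemble(frags: list, header_len: int = 20) -> int:
    """Check that fragments cover a contiguous payload with no gaps or overlaps and that the
    last one has MF clear; return the reassembled payload length."""
    if not frags:
        raise ValueError("no fragments")
    expected = 0
    for more, off8, length in sorted(frags, key=lambda f: f[1]):
        if off8 * 8 != expected:
            raise ValueError("gap or overlap at byte offset %d" % (off8 * 8))
        expected += length - header_len
    if more:
        raise ValueError("last fragment has MF set: datagram incomplete")
    return expected
```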

IPsec

Security at the network layer. Provides encryption, integrity, and authentication.

Transport mode: Encrypts the payload (end-to-end). Tunnel mode: Encrypts the entire original packet (used in VPNs).

Protocols: AH (Authentication Header — integrity only), ESP (Encapsulating Security Payload — encryption + integrity).

IKE (Internet Key Exchange): Negotiates security parameters and establishes security associations (SAs).

Applications in CS

  • Cloud networking: VPCs use CIDR subnetting, routing tables, NAT gateways, security groups (ACLs at L3/L4).
  • Container networking: Each pod gets an IP. Overlay networks (VXLAN) or direct routing.
  • DNS: Translates names to IP addresses (covered in application layer).
  • VPN: IPsec or WireGuard tunnels encrypt traffic between sites or remote users.
  • Network debugging: ping, traceroute, ip route, tcpdump — all operate at the network layer.
  • Load balancing: Layer 4 load balancers use IP + port for routing decisions.