CS Network Layer

IP - The Internet Protocol

IP is used for communication across networks, not only across physical links but also between networks of routers. The addressing scheme in use is either IPv4 (“IP Version 4”) or IPv6 (“IP Version 6”).

Subnets are the various divisions that make up IP networks. This is achieved by including a netmask—an additional piece of data—along with the IP address. The size of a network and the packets that should be routed inside and outside of it are determined by the netmask.

Slash notation or decimal numbers can be used to express netmasks. The slash follows the system’s IP address when employing slash notation. Here are a few instances:

IP Address     Slash Notation     Netmask
10.0.0.1       10.0.0.1/8         255.0.0.0
172.16.1.1     172.16.1.1/12      255.240.0.0
192.168.0.1    192.168.0.1/16     255.255.0.0
192.168.0.1    192.168.0.1/24     255.255.255.0

Certain IP networks are reserved for certain types of traffic. The IP addresses listed in the table above are intended only for internal corporate use, and routing them across the Internet is not recommended. These IP addresses are commonly referred to as RFC 1918 addresses.

Different Networks

Let us take a look at different networks within RFC1918 and how large the networks are:

  • 10.0.0.0/8 – More than 16 million IP addresses
  • 172.16.0.0/12 – About 1 million IP addresses
  • 192.168.0.0/16 – 65534 IP addresses

IP segments can be subdivided further into smaller, more detailed networks.

The broadcast address is the address that is set aside on each network specifically for broadcasting traffic to all of the hosts within that network. Sending data to all hosts on the network as opposed to only one is known as broadcasting. For many protocols and applications to function, broadcasting traffic is necessary.

The broadcast is always the last IP address in the network for each network segment. For instance, 192.168.0.255 is the broadcast address in the 192.168.0.0/24 network.

The smallest feasible netmask, denoted as /32, is 255.255.255.255. There is just one IP address on this network.

Traffic is sent to the localhost address whenever it needs to be sent back to the host itself, such as when communicating between programs. This address is always 127.0.0.1, and it belongs to a /8 network.

A router directs traffic in IP networks. A router is a networking device that understands the IP format and can forward packets between networks. This is not the same as a switch: a router forwards data between networks, whereas a switch only passes data inside a network.

Many of the crucial details we have already covered in the IP protocol are described in the headers of packets on the network. This is how the IPv4 Header appears:

[Figure: IPv4 header]

Image Credits: By Michel Bakni – Postel, J. (September 1981) RFC 791, Internet Protocol, DARPA Internet Program Protocol Specification, The Internet Society, p. 11 DOI: 10.17487/RFC0791., CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=79949694

The Source Address is the IP address of the system that is sending the packet, and the Destination Address is the system for which the packet is intended. There are also other fields in the header that are used by the many features of the IP protocol, but they are outside the scope of this introduction class.

You can check your IP address on Windows by running the command ipconfig within a Command Line Window. On Linux this is done with the ip addr show or ifconfig command.

When a computer needs to communicate with something that cannot be found on the LAN, it sends the traffic to the default gateway, as configured on the system. The default gateway is a router capable of forwarding the traffic to the destination IP address.
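The netmask, broadcast and default-gateway rules described above can be worked through with plain bit operations. The following Python is an added example, not part of the original lesson; the function names and the host addresses used with it are illustrative assumptions.

```python
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return sum(int(p) << (24 - 8 * i) for i, p in enumerate(parts))

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_cidr(cidr):
    """'192.168.0.1/24' -> (address, netmask), both as integers."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    # /24 means the top 24 bits are ones: 255.255.255.0
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ip_to_int(ip), mask

def describe(cidr):
    addr, mask = parse_cidr(cidr)
    network = addr & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set: last address
    return {"netmask": int_to_ip(mask), "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast),
            # total count, including the network and broadcast addresses
            "total_addresses": broadcast - network + 1}

def contains(cidr, ip):
    addr, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == (addr & mask)

def is_rfc1918(ip):
    return any(contains(block, ip) for block in RFC1918)

def next_hop(interface_cidr, gateway, dst):
    """Deliver directly if dst is in our own network, else use the default gateway."""
    return dst if contains(interface_cidr, dst) else gateway

if __name__ == "__main__":
    print(describe("192.168.0.1/24"))
    print(next_hop("192.168.0.10/24", "192.168.0.1", "8.8.8.8"))
```
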

NAT ("Network Address Translation")

An internal RFC 1918 IP address can be mapped to a system that is accepting connections on a public IP address, or vice versa, thanks to network address translation (NAT). NAT-capable systems are usually firewalls and routers.

The destination port number is used to determine which server the data should be transmitted to when using NAT, and the external IP address is used as a front for several internal IP addresses. This makes it possible for traffic from external systems to reach internal IP addresses.

Another widely used technique is to let internal IP addresses access the Internet through an external IP address. The NAT forwards the traffic over these connections and keeps track of the connections from internal addresses to destination addresses.
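Both NAT behaviours described above, forwarding by destination port and tracking outbound connections, fit in one small translation table. This Python model is an added example and not part of the original lesson; the class, the starting port 40000 and all addresses are constructed for illustration.

```python
class Nat:
    """Toy NAT: one public IP in front of several internal RFC 1918 hosts."""

    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = forwards   # public port -> (internal ip, internal port)
        self.conns = {}            # public port -> (int ip, int port, remote ip, remote port)
        self.next_port = 40000     # assumed start of the translated port range

    def outbound(self, src, sport, dst, dport):
        """Internal host opens a connection: rewrite the source, remember the mapping."""
        flow = (src, sport, dst, dport)
        for port, known in self.conns.items():
            if known == flow:      # existing connection keeps its public port
                return (self.public_ip, port, dst, dport)
        port = self.next_port
        self.next_port += 1
        self.conns[port] = flow
        return (self.public_ip, port, dst, dport)

    def inbound(self, src, sport, dport):
        """Packet arriving at the public IP.

        Returns the rewritten (src, sport, dst, dport), or None if it is dropped.
        """
        if dport in self.forwards:             # the destination port picks the server
            ip, port = self.forwards[dport]
            return (src, sport, ip, port)
        flow = self.conns.get(dport)
        if flow and flow[2:] == (src, sport):  # reply to a tracked connection
            return (src, sport, flow[0], flow[1])
        return None                            # unsolicited traffic: no mapping


if __name__ == "__main__":
    nat = Nat("203.0.113.5", {443: ("192.168.0.20", 8443)})
    print(nat.inbound("198.51.100.9", 51000, 443))
    print(nat.outbound("192.168.0.10", 50123, "198.51.100.9", 80))
    print(nat.inbound("198.51.100.9", 80, 40000))
    print(nat.inbound("198.51.100.77", 80, 40000))
```
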

There are numerous ways to configure NAT, but we won’t go into more depth about them in this lesson.

Note: Network engineers can be more creative with their installations thanks to NAT, which opens up a wide range of use cases.

IPv6 - IP Version 6

The most recent version of the IP standard, IP version 6, was designed to support more IP addresses. 128 bits are used for IP addresses rather than the 32 bits of IPv4. While IPv4 addresses have already run out, this ensures that there will be adequate IP addresses for the foreseeable future.

Eight groups of four hexadecimal digits make up an IPv6 address. An IPv6 address looks like this: 2a00:1450:400f:80a::200e. Notice that it does not have the 8 groups of 4 hexadecimal digits. This is because IPv6 addresses can be shortened via simple rules:

  • Leading 0’s can be omitted.
  • A double colon (::) can be used to represent a continuous string of 0’s.

The expanded IPv6 address is: 2a00:1450:400f:080a:0000:0000:0000:200e.

The localhost can be reduced into ::1 and ::.

IPv6 has networks, i.e. subnets, just like IPv4 has.

This is how the IPv6 header appears:

[Figure: IPv6 header]

The header is far more straightforward, with plenty of space for IP addressing.

The usage of IPv6 is growing, and many tools come with built-in support for this protocol. For instance, we can use the -4 and -6 flags in ping to switch between IPv4 and IPv6.

See if any IPv6 addresses are displayed when you run ipconfig. If you have IPv6 configured, try ping -6 google.com and ping -4 google.com. Can you see that the command lets us use IPv4 or IPv6?

Note: If you do not currently have IPv6, you can still experiment and explore with public IPv6 addresses provided by a number of public cloud services.

ICMP

ICMP is frequently connected to Traceroute and Ping. In addition to its usual uses, ICMP can also be used to request an ICMP timestamp from a node. A router can simply ask another router to synchronize their time, which is a crucial component of network communications, using an ICMP timestamp request.

Attackers frequently use ping sweeps to see if systems are accessible across a network. The aim of this kind of activity is to make the target devices within a network range respond to ping requests, allowing the attacker to determine when a device is available. This approach is unreliable, as many systems automatically block incoming ping requests.

Traceroute

Traceroute shows which routers are involved in carrying a packet from system A to system B. Understanding the routers our packets use can help us comprehend our networks and the attack surface more thoroughly. Each router must forward the packet in the correct direction. Think of this like traveling on a road where traffic signs at intersections direct you to your goal. The intersections with signs are the routers. Traceroute identifies these intersections and signs, and also reports the distance between them in milliseconds (ms).

The purpose of the IPv4 TTL and IPv6 Hop Limit headers is the same. Upon routing a packet, each router will subtract 1 from this number. Should the value drop to 0, the router will discard the packet and send back an ICMP Time Exceeded packet to the sender.

To run a traceroute on a Windows computer:

[Screenshot: traceroute on a Windows computer]

The way these tools perform a traceroute is straightforward:

  1. The operating system sends a packet to google.com with the TTL value set to 1.
  2. The packet is routed on the network, and the first router decrements the TTL by 1, leaving it at 0. This causes the router to drop the packet and send “ICMP Time Exceeded” back to the source.
  3. The client increases the TTL by 1, allowing the packet to be routed through one additional hop.

Until the destination is reached, the operation is repeated, increasing the TTL by 1.
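The TTL loop described above, as an added Python example that is not part of the original lesson. It simulates the routers instead of sending real packets, and the path (documentation addresses) is constructed. It also adds two cases the text does not cover: a router that drops the packet without answering, shown as "*", and a hop limit that stops the loop.

```python
# Constructed path: (router address, whether it sends ICMP Time Exceeded).
PATH = [("192.0.2.1", True), ("198.51.100.7", False), ("203.0.113.9", True)]
DESTINATION = "203.0.113.80"

def send_probe(ttl, path=PATH, destination=DESTINATION):
    """Simulate the network's handling of one probe sent with the given TTL."""
    for address, reports in path:
        ttl -= 1                      # every router subtracts 1
        if ttl == 0:                  # TTL exhausted: the packet is discarded here
            return ("time-exceeded", address) if reports else ("timeout", None)
    return ("reply", destination)     # TTL outlasted every router on the path

def traceroute(max_hops=30, path=PATH, destination=DESTINATION):
    """Raise the TTL one step at a time and record who answers each probe."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, responder = send_probe(ttl, path, destination)
        hops.append((ttl, responder or "*"))
        if kind == "reply":           # destination reached: stop probing
            break
    return hops

if __name__ == "__main__":
    for ttl, responder in traceroute():
        print(ttl, responder)
```
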

DNS ("Domain Name System")

DNS is used to map applications, via names, to IP addresses. For example, if you want to use your browser to visit http://google.com, the browser must first make a request to a DNS server to resolve the IP address behind google.com.

Systems are typically configured with a primary and secondary domain name server. These settings can be configured manually or be provided by a DHCP server. This allows our computer systems to reach a DNS server that resolves names for us.

The DNS server is then responsible for resolving the request. It first checks its own cache to see if it already knows the answer. Each DNS answer can be cached, that is, stored temporarily to speed up future requests, for a certain TTL (“Time To Live”). The TTL is typically set to a couple of minutes, for example 10 minutes.

If a DNS server does not have an answer in its cache, it proceeds to find out who is responsible for giving the answer. This is done via a recursive process that involves asking a hierarchical system of name servers, which eventually leads the DNS request to the Authoritative Name Server.
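The cache check and the walk down the name-server hierarchy can be modelled without any network access. The Python below is an added example, not part of the original lesson; the server names, the example.test zone and the 600-second TTL (the 10 minutes mentioned above) are constructed.

```python
# Constructed hierarchy: a server either refers the resolver onward or,
# if it is authoritative, holds the address record and its TTL in seconds.
SERVERS = {
    "root":       {"refer": {"test.": "tld-test"}},
    "tld-test":   {"refer": {"example.test.": "ns.example"}},
    "ns.example": {"records": {"www.example.test.": ("192.0.2.10", 600)}},
}

class Resolver:
    def __init__(self, servers=SERVERS):
        self.servers = servers
        self.cache = {}     # name -> (address, time at which the entry expires)
        self.queries = []   # every server contacted, in order

    def resolve(self, name, now):
        """Return (address, answered_by); 'now' is the current time in seconds."""
        hit = self.cache.get(name)
        if hit and now < hit[1]:            # still within its TTL
            return hit[0], "cache"
        server = "root"
        while True:
            self.queries.append(server)
            zone = self.servers[server]
            if "records" in zone:           # reached the authoritative server
                if name not in zone["records"]:
                    return None, server
                address, ttl = zone["records"][name]
                self.cache[name] = (address, now + ttl)
                return address, server
            for suffix, referral in zone["refer"].items():
                if name == suffix or name.endswith("." + suffix):
                    server = referral       # follow the referral one level down
                    break
            else:
                return None, server         # nobody is responsible for this name

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.test.", now=0), r.queries)
    print(r.resolve("www.example.test.", now=599), r.queries)
```
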

Right now, you can attempt a DNS lookup on Linux or Windows. Type nslookup w3schools.com from a Windows command line terminal, or dig w3schools.com from a Linux command line terminal. The output ought to look like this:

[Screenshot: DNS lookup output]

The IP address of w3schools.com can be seen in the ;; ANSWER SECTION. When this screenshot was captured, the IP address behind the w3schools.com name was 66.29.212.110.

The DNS server that provides the final response to a query is known as the Authoritative Name Server. For instance, Google’s authoritative name server will respond to an IP address inquiry for google.com. We can find this server by requesting it:

Locating the authoritative name server on Windows:

[Screenshot: authoritative name server lookup on Windows]

DHCP ("Dynamic Host Configuration Protocol")

The DHCP protocol, as its name suggests, enables any system connected to a network to connect to a server and request a configuration. Usually, this setup entails obtaining the IP address, network range, default gateway, and DNS servers.

DHCP makes it simple to handle new and exiting client connections on a network.

If you are curious if you are using DHCP right now you can type ipconfig /all on a Windows system and look for “DHCP Enabled: Yes” in the output. There could be several network interfaces on your machine.

VPN ("Virtual Private Network")

With the use of a VPN, two systems can create encrypted communication channels, allowing network traffic to be encrypted as it is being transmitted. A client can access numerous services behind the VPN thanks to the client-server design of many VPNs. VPNs hosted by your employer may also grant access to resources that would otherwise be available exclusively internally.

Certain VPN services are made to protect user privacy and encrypt data while it’s being transferred. With the use of these services, users can transport network data through a VPN, essentially disguising their IP address when they browse the web.

While using a VPN to encrypt your network connections is generally a good idea, we shouldn’t use just any VPN service. Free VPN services can sometimes be harmful, reading, examining, and storing your private information.
