Network Layer

Learning Outcomes

After completing these activities you should be able to:

Discussion

Introduction to the Network Layer

NIPRNet

"Nippernet" is the colloquial name for the DoD subset of the Internet that carries sensitive but UNCLASSIFIED IP data. Access to the NIPRNet is tightly controlled: all data crossing the NIPRNet/Internet boundary must pass through a DoD-owned router, and hosts on the NIPRNet resolve names using DNS servers operated by the DoD Network Information Center. The DoD also owns and operates the SIPRNet (pronounced Sippernet), for classified data.

The Internet, NIPR, and SIPR

Both the NIPRNet (Non-secure Internet Protocol Routed Network) and SIPRNet (Secret Internet Protocol Routed Network) use the TCP/IP Stack that you are learning about. So, best practices from the Internet apply to the NIPRNet and SIPRNet, but vulnerabilities from the Internet also apply to the NIPRNet and SIPRNet. Ships and other warfighting platforms are connected to the NIPRNet and SIPRNet.

So, the Data Link Layer provides a local network, but how do Alice and Bob talk if they are on different networks? That is the exact problem that the Network Layer solves. Within the TCP/IP Stack the Network Layer interconnects local networks, forming interconnected networks; i.e. an internet. An internet is simply a collection of interconnected networks. Just like there are different types of local networks (different Data Link Layer protocols), there are different Network Layer protocols. However, in practice there is one vastly dominant (in terms of usage) Network Layer protocol: the Internet Protocol (IP). The Internet Protocol was so named because it is used to interconnect networks. The Internet is the largest public, global collection of interconnected networks; actually, the Internet is interplanetary: the Curiosity rover on Mars has a Twitter feed.

Network Layer Basics

IP address. On the Internet, hosts are identified by their Internet Protocol (IP) addresses. A host may or may not have a name as well, but it always has an IP address. IPv4 (IP version 4) addresses are usually written as four numbers separated by dots, like 146.145.5.67; more on that later.

Packets. Information travels around the Internet like notes being passed in class. Suppose Host A has a message to send to Host B. Host A breaks his message into small chunks and sends each chunk, prefaced with Host B's address, across the Internet. This address information + message chunk is called a packet. Each packet gets passed from one host to another (again, like a note passed in class) until it finally reaches Host B.

Routers. The intermediate packet-passing hosts in this process are called routers. Hosts normally live at the end points of communication, and routers live along the communication links in the middle. When a note gets passed to you in class, you usually can't hand it directly to the recipient; instead you can only hand it to one of your neighbors — and you choose a neighbor that gets the note closer to the recipient. Routers work the same way. A router's neighbors are the routers (or hosts) it has direct connections to (e.g. connected by a cable). The diagram below depicts two local, edge networks interconnected via two routers; no Data Link Layer hardware devices (like a switch) are depicted in the diagram. Host 0 and Host 1 are on one local network, and Host 2 and Host 3 are on a separate local network. Router 0 and Router 1 are connected, and thus able to interconnect the two edge local networks.

Local Networks Connected via Routers

A router uses a packet's destination IP Address to choose a neighbor host that gets the packet closer to the recipient, and passes the packet on to that neighbor. The process of forwarding a packet to the next closer network, performed by a router, is known as routing. Basically, routers are the networking devices that interconnect separate local networks. The largest public global collection of such interconnected networks is known as ... drum roll ... the Internet. Since a router interconnects multiple local networks, it has to be a member of each of those local networks; a router that interconnects two local networks is a member of both. So, looking back at the diagram above, there are actually three local networks:

  1. Network 0: Host 0, Host 1, Router 0
  2. Network 1: Host 2, Host 3, Router 1
  3. Network 2: Router 0, Router 1

Internet Protocol version 4

With some of the basics covered, we will now take a deeper look at IPv4 (Internet Protocol version 4). Being a Network Layer protocol, IPv4 interfaces with the Data Link Layer and the Transport Layer; we will talk about the Transport Layer in the next discussion. Recall that ARP translates between a Data Link Layer address and a Network Layer address (see diagram below). The Internet Address column is the Network Layer address, in the case below the IPv4 addresses of the hosts on the local network. ARP is one of the protocols that binds the Data Link Layer and the Network Layer together; i.e. ARP is part of the interfacing between the Data Link Layer and the Network Layer.

Windows 7 arp -a

So, beyond interconnecting local networks, what else does IPv4 do? What services does IPv4 provide? Well, unfortunately IPv4, like Ethernet, is a best-effort protocol, so there is no guarantee of delivery. That being said, the technologies that make up the Internet, IPv4 being one of them, are quite robust and resilient.

IPv4 provides a mechanism for large amounts of data from upper layers to be broken down into smaller chunks of data, a process called fragmenting. This allows the data in a packet to fit into the frame size of the Data Link Layer (different Data Link Layer protocols support different frame sizes) as the packet traverses different types of local networks. In IPv4 the fragmenting of packets is done by routers, which allows the data to traverse networks without involving the sending (source) host. Fragmented packets are then reassembled at the receiving (destination) end.

Like Ethernet, IPv4 has a way to detect data transmission errors from the lower layers, at least errors within the IP header. Remember the concepts of encapsulation and de-encapsulation (see below).

TCP/IP Data Encapsulation/De-encapsulation

IPv4 does have a companion protocol, called Internet Control Message Protocol (ICMP), that it uses to report errors back to the source address. For example, if a router does not know how to get to the destination network, then the router will send a specific ICMP message back to the source host letting it know that there is no route to the destination.

It is important to point out a couple of other aspects of best effort. Think back to the passing-notes-in-class example. Just like in class, on the Internet a packet may be dropped, or lost; if there is too much interference at the Physical Layer then a frame may not be reconstructed, and therefore the associated packet will not make it to the next router, or destination host. Similarly, one packet of a message may take a different route between the interconnected networks than the next packet and arrive out of order (Janet left the message in her pocket overnight). Since IPv4 does not solve these problems, it is up to layers higher in the protocol stack to address those issues, or not.

One of the key problems that IPv4 does solve is identifying hosts across all of the interconnected networks. That seemingly easy-sounding problem is actually a challenging problem in and of itself; a problem that has had to be readdressed multiple times over the decades. Just like Ethernet, all IP packets have a source and destination address. But instead of a MAC address, IPv4 uses IP addresses.

Dotted Quad Notation. An IP Address is a 32-bit number. A 32-bit number can be viewed as four 8-bit pieces (four bytes), and we usually write IPv4 Addresses as four 8-bit numbers separated by dots. This is called dotted quad notation. For example:

          146.145.5.67
       ___/    /   \  \____
      /       /     \      \
10010010.10010001.00000101.01000011 → 10010010100100010000010101000011 → 2458977603

The reason we prefer dotted quad notation is a) they're generally easier to remember than a string of 32 bits, and b) the first two to three bytes are often the same for all hosts on the same local network. For example, IP Addresses in Michelson Hall often begin with 10.53.*.* or 10.22.*.*. The similarity is harder to see when addresses are written out as a single 32-bit number.


UNIX Version of Windows ipconfig

In UNIX, ifconfig (Interface Configure) is used to get information about, and configure, network interfaces, much like the Windows equivalent ipconfig.

Your IP Address. You can determine the IP Address of your Windows laptop using the utility ipconfig in the shell.

  1. Open a Windows shell
  2. Enter the command: C:>ipconfig
  3. There will be a line in the output that looks like:
    IPv4 Address. . . . . . : 10.22.88.124
    which is the IPv4 Address of your computer

Just like in other warfare domains, we need to classify entities within the domain as friendly, neutral, or hostile. Network Layer addresses are one of the ways in which we identify players on the cyber battlefield. In cyber operations it is important to know the IP addresses of friendly forces, neutral forces, and hostile forces. Also, just like in other warfare domains, identifying who the hostiles are is a challenge in and of itself. Attribution in the cyber domain is a challenge, but oftentimes there are indicators that serve as sources of attribution.

Network Address. The subnet mask is used to reveal a network address within an IP address. The network address is common to all IP addresses on the same network. Every host on the same network shares the same network address. If you were to apply a network's subnet mask to every IP address on that network, each one would reveal the same network address.

You will not need to calculate a host's network address by hand (although it is easy to do since you know binary and basic boolean logic), but you need to understand the concept that determining whether a host is on your network or not is crucial to communicating with hosts in and out of your network.

Subnet Mask. As we know, each host has an IP address. Two hosts on the same network have the same initial chunk of bits within their IP addresses. How big that initial chunk of bits is is defined by a 32-bit number called the subnet mask. If you write a subnet mask out in binary, it looks like a sequence of 1's followed by a sequence of 0's. The sequence of 1's defines the bits that are identical for every host in the network. You can see your subnet mask by looking in the output from ipconfig, or ifconfig.

Is Host X on my network? A host uses its own subnet mask to determine whether a remote host is on its own local network or not. For example, Host Alice wants to send a message to Host Bob. Alice knows her own IP address, and can look up the IP address of Bob since he's connected to the Internet. Alice bit-wise ANDs (a Boolean logic operation; you remember your true/false values, right?) her subnet mask with her IP address to determine what network she is on. Alice then bit-wise ANDs her subnet mask with the IP address of Bob. Alice compares the results (there's that if statement again): her network address and what she calculated Bob's network address to be. If the two network addresses match, then Alice and Bob are on the same network. Hmm, if Alice and Bob are on the same network, then Bob should be in Alice's ARP table, and we know about local network communications from the Data Link Layer.

But if Alice and Bob are on different networks, what does Alice do? Well, what device interconnects different networks? Right, a router interconnects different local networks. Since Alice's router is on her network, Alice transmits a frame to her router at the Data Link Layer because Alice and her router are directly connected (on the same network). The data inside that frame includes the IPv4 header information, but at the Network Layer the packet is addressed to Bob not Alice's router. By keeping the source address as Alice, and the destination address as Bob in the IP header the packet can hop between networks, still reach Bob, and Bob knows who the packet came from so he can reply.

Each network has two special addresses which cannot be used by a host. They are the network address and the broadcast address. The broadcast address is used to send a packet to all hosts on the network and is characterized by the network address followed by all 1's.
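The dotted-quad conversion and the "Is Host X on my network?" test described above, worked on 32-bit integers so the bit-wise AND is visible. This is an added example, not code from the course page; the addresses, the mask 255.255.248.0 and the router address 10.22.88.1 are constructed sample values.

```python
# Added example (not from the course page): subnet arithmetic on 32-bit integers.
# All addresses and masks used here are constructed sample values.

def dotted_to_int(addr: str) -> int:
    """'146.145.5.67' -> 2458977603: four bytes, most significant byte first."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {addr!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str(b) for b in (value & 0xFFFFFFFF).to_bytes(4, "big"))


def to_binary(addr: str) -> str:
    """The 32 bits a dotted quad stands for, grouped by octet."""
    return ".".join(f"{o:08b}" for o in dotted_to_int(addr).to_bytes(4, "big"))


def is_valid_mask(mask: str) -> bool:
    """A subnet mask is a run of 1's followed by a run of 0's (255.255.248.0 yes,
    255.0.255.0 no), so the host bits must have the shape 0...0111...1."""
    host_bits = ~dotted_to_int(mask) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0


def network_address(addr: str, mask: str) -> str:
    """Address AND mask: the part every host on the network has in common."""
    if not is_valid_mask(mask):
        raise ValueError(f"not a subnet mask: {mask!r}")
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def broadcast_address(addr: str, mask: str) -> str:
    """Network address with every host bit set to 1."""
    host_bits = ~dotted_to_int(mask) & 0xFFFFFFFF
    return int_to_dotted(dotted_to_int(network_address(addr, mask)) | host_bits)


def same_network(my_ip: str, mask: str, other_ip: str) -> bool:
    """Alice's test: AND her own mask with both addresses and compare the results."""
    return network_address(my_ip, mask) == network_address(other_ip, mask)


def next_hop(my_ip: str, mask: str, router_ip: str, dest_ip: str) -> str:
    """Which IP address the Data Link Layer frame is addressed to (via ARP):
    the destination itself when it is local, otherwise the local router."""
    return dest_ip if same_network(my_ip, mask, dest_ip) else router_ip


if __name__ == "__main__":
    alice, mask, router = "10.22.88.124", "255.255.248.0", "10.22.88.1"
    print(to_binary(alice), dotted_to_int(alice))
    print("network  ", network_address(alice, mask))
    print("broadcast", broadcast_address(alice, mask))
    for bob in ("10.22.90.3", "10.22.96.1"):
        print(bob, "-> frame goes to", next_hop(alice, mask, router, bob))
```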

Routing: Hardware and Software

Routers. Routers are special devices that are connected to multiple networks and make decisions on where next to forward, or route, the packets they receive. In addition to forwarding packets for others, routers also generate their own packets used to communicate with other routers. Routers communicate using a routing protocol, which is used to maintain accurate routing information for the Internet, and to determine the best next hop for a packet based on its destination network. All routers must be connected to at least two different networks to actually route packets. A hop is a unit of measure at the Network Layer: each router that a packet passes through en route to its destination is considered a hop. A hop is unitless; i.e. it is simply a counter.

A router is considered a Network Layer device since it processes packets based on IP addresses. A router additionally performs the same functions as a switch (a router reads and writes MAC addresses) and a hub (detects signals and collisions). Since a router has multiple IP addresses (one per network it interconnects), it also has multiple MAC addresses. Again, routers are hosts on networks, whereas hubs and switches are not hosts on a network.

When determining where to send a packet, the originating host first must calculate if the destination IP and its source IP are on the same network (as defined above). If the destination IP is on the same network, the packet will be sent to the destination host directly. If the destination IP address is on a different network, the packet will be sent out via the local network's router, which will then forward the packet out a different network connection.

When a packet is sent to another host on the same network (as defined above), the frame's destination MAC address is set to the MAC address of the destination host. When a packet is sent to another host on a different network, the frame's destination MAC address is set to the MAC address of the local network's router.

Demo. Local Network/Inter-Network Demo (credit: Aaron Herber, USNA 2012): This demo illustrates how packets are sent within a single network and between hosts on different networks. Additionally, it has a nice animation for ARP requests, which is how a host builds up an ARP table, the table that matches IP addresses to MAC addresses for hosts on the same network.

The Story About Ping continues to be a valuable early introduction to the UNIX networking utility even though it pre-dates formal UNIX implementations by decades (see reviews).

ping. One of the most fundamental questions you might ask involving IP networking is this: is there a host at a given IP address? The shell utility ping is designed to answer this question. ping makes use of a part of the Internet Control Message Protocol (ICMP), specifically echo request and echo reply. ICMP is a companion protocol to IPv4 and operates at the Network Layer just like IPv4. ping takes an IP address (or a host name, MTF) and sends an ICMP "echo request" packet to the destination address. ping waits a while for a response, then tries again. ping prints out statistics about how many packets were received, round trip time, etc. Here are the results of two pings:

$ ping 10.1.83.17
PING 10.1.83.17 (10.1.83.17) 56(84) bytes of data.
64 bytes from 10.1.83.17: icmp_seq=1 ttl=255 time=0.269 ms
64 bytes from 10.1.83.17: icmp_seq=2 ttl=255 time=0.363 ms
64 bytes from 10.1.83.17: icmp_seq=3 ttl=255 time=0.229 ms
64 bytes from 10.1.83.17: icmp_seq=4 ttl=255 time=0.243 ms
^C
--- 10.1.83.17 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.229/0.276/0.363/0.052 ms
$ ping 131.122.88.244
PING 131.122.88.244 (131.122.88.244) 56(84) bytes of data.
From 131.122.90.156 icmp_seq=1 Destination Host Unreachable
From 131.122.90.156 icmp_seq=2 Destination Host Unreachable
From 131.122.90.156 icmp_seq=3 Destination Host Unreachable
From 131.122.90.156 icmp_seq=4 Destination Host Unreachable
From 131.122.90.156 icmp_seq=5 Destination Host Unreachable
From 131.122.90.156 icmp_seq=6 Destination Host Unreachable
^C
--- 131.122.88.244 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6032ms, pipe 3

In the first case, the destination host was "up" (responding) and responded with an echo reply for each echo request received. In the second case, there was no host at that address. ping is useful for debugging network problems; e.g. rona is not refreshing ... is the server down/unreachable right now, or is it something else? It's also used as a tool for network reconnaissance, as we'll see later in this course. You could ping every address in a range in order to find out what hosts there are on a given network. Another nefarious use for ping is to have a group of computers send lots and lots of ping requests to a given server, hoping to keep it so busy answering the stupid pings that it can't do any useful work. This is a simple Denial of Service (DoS) attack, which we'll see more of later. Not all hosts reply to a ping request, mainly because the tool is sometimes abused by malicious people and programs. Still, it is a useful tool.

Windows also has a traceroute shell command: tracert. Open a shell and try it from your laptop.

Routes. We know that each host on the Internet has an IP Address, and we learned that information is communicated between hosts in packets. We can use software tools to get an idea of the path a network packet takes as it transits from source to destination. There's a shell utility called traceroute that shows the path a single packet travels from a source host to a destination host on the Internet. The following output from traceroute shows the route from a host here at USNA to a host (in this case, a web server) in Austria.

$ traceroute www.risc.uni-linz.ac.at  # Host names are used here, we will discuss host names when we get to the Application Layer

1  michelson-3a-as1-v401.gw.usna.edu (10.53.33.1)  1.779 ms  1.180 ms  1.167 ms
2  michelson-1a-ag1-v2x05.net.usna.edu (10.48.1.93)  1.200 ms  1.274 ms  0.904 ms
3  yard-d2-v3x60.net.usna.edu (10.48.2.81)  0.776 ms  0.681 ms  0.734 ms
4  usna-c2-v2x14.net.usna.edu (10.0.2.25)  0.922 ms  0.786 ms  0.805 ms
5  border-d2-v2x18.net.usna.edu (10.0.2.34)  1.533 ms  0.992 ms  1.011 ms
6  border-f2-gi0_8s3001.net.usna.edu (10.4.16.2)  1.506 ms  1.044 ms  1.230 ms
7  maryland-r1-po1s2001.net.usna.edu (136.160.88.4)  1.335 ms  1.714 ms  1.487 ms
8  gig1-8.umab-core.net.ums.edu (136.160.255.49)  2.477 ms  2.763 ms  12.486 ms
9  balt-usm.maxgigapop.net (206.196.177.17)  4.015 ms  3.218 ms  3.271 ms
10  i2-newy-rtr.maxgigapop.net (206.196.177.51)  11.083 ms  11.311 ms  12.932 ms
11  198.71.45.237 (198.71.45.237)  110.292 ms  110.289 ms  109.886 ms
12  ae3.mx1.ams.nl.geant.net (62.40.98.115)  97.495 ms  110.193 ms  97.360 ms
13  ae0.mx1.fra.de.geant.net (62.40.98.128)  91.859 ms  95.822 ms  104.412 ms
14  ae0.mx1.pra.cz.geant.net (62.40.98.52)  98.401 ms  98.421 ms  101.505 ms
15  ae2.mx2.bra.sk.geant.net (62.40.98.55)  103.908 ms  125.384 ms  114.995 ms
16  ae0.mx1.vie.at.geant.net (62.40.98.63)  116.916 ms  130.063 ms  117.406 ms
17  aconet-gw.rt1.vie.at.geant.net (62.40.124.2)  117.472 ms  119.264 ms  129.666 ms
18  vlan73.wien21.aco.net (193.171.23.41)  129.450 ms  116.790 ms  116.867 ms
19  vlan71.wien1.aco.net (193.171.23.17)  116.849 ms  135.726 ms  117.317 ms
20  vlan311.linz1.aco.net (193.171.15.2)  132.574 ms  119.865 ms  132.131 ms
21  jku-gw.edvz.uni-linz.ac.at (193.171.22.26)  132.455 ms  120.046 ms  120.938 ms
22  jkuc3hb1.edvz.uni-linz.ac.at (140.78.200.225)  120.389 ms  120.000 ms  120.348 ms
23  router.risc.uni-linz.ac.at (140.78.222.31)  120.341 ms  120.172 ms  120.265 ms
24  crow.risc.uni-linz.ac.at (193.170.37.138)  132.354 ms  132.261 ms  120.308 ms

Examine the sample output above. In the command, we gave the name of the server instead of its IP Address. Usually we use names, but we could just as easily have used the IP Address instead. Below the command, each numbered row lists the name of the hosts, the host's IP Address, and some data about how long it takes the packet to travel that far along the route. We say that a move from one host to the next host along the way (whether that host is a router or computer) is one "hop". The packet takes a large number of hops on its way to Europe! Occasionally, we will see * * * in our traceroute output. This usually means that one of the hosts along the way is not responding to our request, possibly due to a firewall setting. Once we hit such a roadblock, unfortunately, that particular trace won't succeed. There are ways to modify our traceroute request to increase its chances of success, but that's beyond the scope of this discussion.

What traceroute provides us is not just IP Addresses, but also a list of names for the hosts along the way, and those names actually tell a story. The packet travels from usna.edu (that's us!) to ums.edu (USNA's internet access is provided through the University of MD, Eastern Shore) to maxgigapop.net, then across the Atlantic Ocean to the Netherlands (.nl), Germany (.de), Czech Republic (.cz), Slovak Republic (.sk), then finally to some routers in Austria (.at), and to the city of Linz, to uni-linz.ac.at, which is the University of Linz. Notice that in several places we have a few consecutive hosts with similar IP Addresses. For example, there are three consecutive 62.40.98.x addresses. This tells a story too, though exactly what it means will have to wait. It's important to note that packets don't always follow the same route from the same host A to the same host B. Once again, it's like note passing: there are many possible ways to the same destination.

The following listings show the outputs of ipconfig, tracert, and arp from the same host (mich300csd01w).
Windows 7 ipconfig /all

Notice that the host (mich300csd02w) on the same local network (Link Layer) is a single hop away, or directly connected from the perspective of the Network Layer, and that the host (mich392csd02w) on a separate network is multiple hops away (Network Layer).
Windows 7 tracert Other Network

Additionally, notice that the host (mich300csd02w) on the same local network (Link Layer) is in the host's (mich300csd01w) own ARP table, and how the host (mich392csd02w) on a separate network is not in the host's own ARP table.
Windows 7 arp -a

IPv4 Address Space: Classes and Limitations

Why only 32 bits?

At this 2008 conference sponsored by Google, Vinton Cerf tells us why. Listen to the discussion at 13:00 - 14:35. Vinton Cerf, Project Director for the TCP/IP research program at DARPA in 1976, is at the podium. Bob Hinden, who is seated, helped develop the first Internet routers.


The IPv4 address space is divided up into different blocks, or classes, of IP addresses. There are five classes of public IP addresses:

  1. Class A: Networks in this class can have the largest number of hosts; only the first octet (first byte) is used to identify the network. Networks range from 1.*.*.* to 127.*.*.* (the * indicates the host portion of the IP address; i.e. the part unique to each host on the local network)
  2. Class B: The first two octets identify the network. Networks range from 128.0.*.* to 191.255.*.*
  3. Class C: The first three octets identify the network. Networks range from 192.0.0.* to 223.255.255.*.
  4. Class D: IP addresses in this class are used for multicasting; i.e. broadcast traffic, like a live stream. The IP addresses (note not network) range from 224.0.0.0 to 239.255.255.255. Each multicast IPv4 address represents a unique broadcast group.
  5. Class E: IP addresses in this class are experimental, and used for IPv4 research and development. The IP addresses range from 240.0.0.0 to 255.255.255.254

Beyond the classful IP blocks there are some IPv4 address blocks that are not routed across the public Internet. Besides the loopback block (see below), all the non-routable address blocks are called private address blocks (defined in RFC 1918, listed in the References) because routers on the public Internet should be configured to drop packets destined for or coming from a private IP space.

  1. Class A Private: The 10.0.0.0 network; IP addresses take on the form 10.*.*.*
  2. Class B Private: Networks range from 172.16.*.* to 172.31.*.*; there are 16 such private networks.
  3. Class C Private: Networks range from 192.168.0.* to 192.168.255.*
  4. Loopback: The 127.0.0.0 network; IP addresses take on the form 127.*.*.*. The loopback network is internal to the local host; i.e. network traffic destined for the localhost does not exit the host.

North America Out of IPv4 Addresses

The limited availability of IPv4 addresses has been coming for a while (years in fact). ... Well the day has finally come for North America. ARIN (American Registry for Internet Numbers) recently reported (retrieved 28 Sep 2015) that they do not have any more IPv4 addresses. ArsTechnica also discusses the status of transitioning from IPv4 to IPv6.

The first rule of the Internet is that you don't talk about IPv5. The second rule of the Internet is that you don't talk about IPv5.

The IP addresses that we talk about in this course are IPv4 addresses. With 32 bits, there are a little over four billion such addresses possible (2^32). When an organization wants to set up a network, it needs to ask for some IP addresses for web servers, e-mail servers, etc. There are agencies responsible for allocating blocks of addresses to organizations, and they'd say something like "you get block 131.122.88.0/24", which means you get all addresses whose first 24 bits (3 bytes) are the same as 131.122.88.0 — i.e. addresses of the form 131.122.88.*, where "*" means anything. That's why addresses within an organization usually share a common prefix. Check out this visualization of how /8 blocks (i.e. the blocks 1.*.*.*, 2.*.*.*, ..., 255.*.*.*) were allocated.

Despite having over four billion addresses, the IPv4 Address space has essentially been exhausted. There's a newer standard, IPv6, that uses 128-bit addresses. That gives about 3.4 × 10^38 addresses (specifically 2^128), which ought to be enough for all eternity, right? Well, that's what we said with IPv4 ...

We will only use IPv4 Addresses in this course, but it's good to be aware that the IPv6 standard is being slowly adopted worldwide. Your laptop knows both IPv4 and IPv6.




References

  1. Network Working Group. RFC 1918 - Address Allocation for Private Internets. Internet Engineering Task Force, Feb 1996. Retrieved 25 Jan 2017.