Internet Protocol (IP)
IPv4 addressing, subnetting, CIDR, IPv6 adoption, ICMP, and dual-stack scenarios
Chapter 4: Internet Protocol (IP)
The Day 3.4 Billion Addresses Weren't Enough
On February 3, 2011, IANA (the Internet Assigned Numbers Authority) allocated the last blocks of IPv4 addresses to the five Regional Internet Registries. After nearly 30 years, the internet had exhausted its 4.3 billion IPv4 addresses.
The prediction had been made years earlier. In 1992, with only 3% of addresses allocated, experts projected exhaustion within a decade. They were roughly right. The response was IPv6, designed in 1995 with 340 undecillion addresses (3.4 × 10^38), enough to give every atom on Earth its own address. Surely that would be enough.
Yet here we are, decades later, and IPv4 still dominates. Why? Because NAT (Network Address Translation) extended IPv4's life dramatically, allowing millions of devices to hide behind single public IPs. IPv6 adoption, while growing, remains incomplete. Today's network professional must master both protocols and understand how they coexist, sometimes elegantly, sometimes awkwardly.
This chapter explores IP addressing, subnetting, the transition to IPv6, and ICMP, the protocol that reports when things go wrong.
The Network Layer: Beyond the Local Network
In Chapter 3, we explored how data travels within a local network using MAC addresses and Ethernet frames. But the internet isn't one big local network; it's millions of networks interconnected worldwide. When you send data to a server across the globe, that data traverses many different networks, each with its own Layer 2 technology.
The Internet Protocol (IP) solves this challenge by providing:
- Universal addressing: IP addresses identify devices globally (or within an organization)
- Routing foundation: Routers use IP addresses to forward packets hop by hop toward their destination
- Technology independence: IP works over any Layer 2 technology (Ethernet, WiFi, cellular, satellite)
This layer of abstraction (logical addresses independent of physical hardware) is what makes the internet possible.
IPv4: The Workhorse of the Internet
IPv4 Address Structure
An IPv4 address is a 32-bit number, providing approximately 4.3 billion unique addresses (2^32). While that seemed enormous in the 1980s, it proved insufficient for the modern world, leading to the development of IPv6. Nevertheless, IPv4 remains the backbone of most networks today.
IPv4 addresses are written in dotted decimal notation: four decimal numbers (0-255) separated by dots, each representing 8 bits (one octet).
IPv4 Address Structure:

IPv4 Address:    192.168.1.100
Dotted Decimal:  192      .  168      .  1        .  100
                  |           |           |           |
Binary:          11000000    10101000    00000001    01100100
                  |           |           |           |
                 8 bits      8 bits      8 bits      8 bits
                 \_________________________________________/
                               32 bits total

Each octet ranges from 0 (00000000) to 255 (11111111)
Network and Host Portions
Every IP address has two components:
- Network portion: Identifies which network the device belongs to
- Host portion: Identifies the specific device within that network
The division between network and host portions is determined by the subnet mask.
Network vs Host Portions:

IP Address:   192.168.1.100
Subnet Mask:  255.255.255.0

Binary breakdown:
IP:    11000000.10101000.00000001.01100100
Mask:  11111111.11111111.11111111.00000000
       \________________________/ \______/
            Network portion      Host portion
           (where mask = 1)     (where mask = 0)

Network Address:    192.168.1.0    (all host bits = 0)
Broadcast Address:  192.168.1.255  (all host bits = 1)
Usable Host Range:  192.168.1.1 - 192.168.1.254

All devices with IPs in 192.168.1.x are on the same network
PRO TIP
The network address (all host bits 0) and broadcast address (all host bits 1) are reserved and cannot be assigned to devices. This is why a /24 network has 254 usable addresses, not 256.
CIDR Notation
CIDR (Classless Inter-Domain Routing) provides a compact way to specify the subnet mask by indicating how many bits are used for the network portion.
CIDR Notation:

192.168.1.100/24

The /24 means:
  |-- First 24 bits are the network portion
  |-- Remaining 8 bits (32-24) are the host portion
  `-- Equivalent to subnet mask 255.255.255.0

Converting CIDR to Subnet Mask:
  /8  -> 255.0.0.0        (11111111.00000000.00000000.00000000)
  /16 -> 255.255.0.0      (11111111.11111111.00000000.00000000)
  /24 -> 255.255.255.0    (11111111.11111111.11111111.00000000)
  /25 -> 255.255.255.128  (11111111.11111111.11111111.10000000)
  /30 -> 255.255.255.252  (11111111.11111111.11111111.11111100)
Common CIDR ranges:
| CIDR | Subnet Mask | Total IPs | Usable Hosts | Typical Use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Large ISPs, cloud providers |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Large enterprises |
| /24 | 255.255.255.0 | 256 | 254 | Small networks, home LANs |
| /27 | 255.255.255.224 | 32 | 30 | Small subnets |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point links |
| /31 | 255.255.255.254 | 2 | 2 | Point-to-point (RFC 3021) |
| /32 | 255.255.255.255 | 1 | 1 | Single host route |
Subnetting
Subnetting divides a larger network into smaller subnetworks. This provides:
- Better organization and management
- Reduced broadcast traffic (broadcasts don't cross subnets)
- Improved security (traffic between subnets can be controlled)
- More efficient IP address allocation
Subnetting Example:

Given: 192.168.1.0/24 - Need to create 4 subnets

Original: 192.168.1.0/24 (254 hosts)

Borrow 2 bits from host portion (/24 -> /26):
  Subnet 1: 192.168.1.0/26    (192.168.1.1   - 192.168.1.62)   62 hosts
  Subnet 2: 192.168.1.64/26   (192.168.1.65  - 192.168.1.126)  62 hosts
  Subnet 3: 192.168.1.128/26  (192.168.1.129 - 192.168.1.190)  62 hosts
  Subnet 4: 192.168.1.192/26  (192.168.1.193 - 192.168.1.254)  62 hosts

Visual breakdown:
+-----------------------------------------------------------------+
|                          192.168.1.0/24                         |
+----------------+----------------+----------------+--------------+
|     .0/26      |     .64/26     |    .128/26     |   .192/26    |
|  Engineering   |     Sales      |       HR       |    Guest     |
+----------------+----------------+----------------+--------------+
TRY IT YOURSELF
Practice subnetting with this exercise: Given 10.0.0.0/8, create subnets for:
- Data Center: Needs 500 hosts
- Office A: Needs 100 hosts
- Office B: Needs 50 hosts
- Management: Needs 10 hosts
What CIDR blocks would you assign to each?
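As an added example (not code from the chapter), here is the arithmetic behind the mask table and the /26 split above, written at the bit level so network, broadcast and usable counts can be checked by hand, then generalized to variable-length allocation; the 10.10.0.0/22 demands in the usage call are constructed for this example.

```python
# Added example (not from the chapter): subnet arithmetic done at the bit level,
# then cross-checked against Python's standard ipaddress module.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_from_prefix(prefix: int) -> str:
    """/24 -> '255.255.255.0': the top `prefix` bits of a 32-bit word set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Network, broadcast, mask and usable range for an address written a.b.c.d/n."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask_str = mask_from_prefix(prefix)          # also validates the prefix length
    addr = int(ipaddress.IPv4Address(addr_str))
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    network = addr & mask                        # host bits cleared
    broadcast = network | (~mask & ALL_ONES)     # host bits set
    total = 1 << (32 - prefix)
    # /31 (RFC 3021) and /32 reserve no network/broadcast address.
    usable = total if prefix >= 31 else total - 2
    first = network + 1 if prefix < 31 else network
    last = broadcast - 1 if prefix < 31 else broadcast
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "mask": mask_str,
        "first_host": str(ipaddress.IPv4Address(first)),
        "last_host": str(ipaddress.IPv4Address(last)),
        "usable": usable,
    }


def split_equal(cidr: str, count: int) -> list:
    """Borrow host bits to cut a block into `count` equal subnets (count = 2^k)."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    borrowed = count.bit_length() - 1
    net = ipaddress.IPv4Network(cidr, strict=True)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed)]


def vlsm_allocate(parent: str, demands: dict) -> dict:
    """Variable-length subnetting: serve the largest demand first, each from the
    smallest block that holds the hosts plus network and broadcast addresses.
    (The /31 point-to-point exception is deliberately not applied here.)"""
    free = [ipaddress.IPv4Network(parent)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = 32 - (hosts + 1).bit_length()            # smallest block >= hosts + 2
        free.sort(key=lambda n: int(n.network_address))   # lowest address first
        for block in free:
            if block.prefixlen <= prefix:
                break
        else:
            raise ValueError(f"no free block large enough for {name}")
        free.remove(block)
        chosen = next(block.subnets(new_prefix=prefix))   # carve from the front
        free.extend(block.address_exclude(chosen))        # keep the remainder
        plan[name] = str(chosen)
    return plan


if __name__ == "__main__":
    print(describe("192.168.1.100/24"))
    print(split_equal("192.168.1.0/24", 4))
    # Constructed demands, not the chapter's exercise:
    print(vlsm_allocate("10.10.0.0/22",
                        {"servers": 200, "staff": 60, "printers": 10, "wan-link": 2}))
```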
Special IPv4 Addresses
Certain address ranges have special meanings:
| Address/Range | Purpose | Notes |
|---|---|---|
| 0.0.0.0/8 | This network | Used during boot (DHCP) |
| 10.0.0.0/8 | Private (Class A) | 16M+ addresses |
| 127.0.0.0/8 | Loopback | localhost (127.0.0.1) |
| 169.254.0.0/16 | Link-local (APIPA) | Auto-assigned when no DHCP |
| 172.16.0.0/12 | Private (Class B range) | 172.16.0.0 - 172.31.255.255 |
| 192.168.0.0/16 | Private (Class C range) | Most common home networks |
| 224.0.0.0/4 | Multicast | 224.0.0.0 - 239.255.255.255 |
| 240.0.0.0/4 | Reserved | Historically "Class E" |
| 255.255.255.255 | Limited broadcast | Local network only |
Private addresses (RFC 1918) are not routable on the public internet. They're used within organizations and homes, with NAT providing internet access. This greatly extended the life of IPv4 by allowing millions of private networks to share public addresses.
Private Address Ranges:

| Range | CIDR | # of Addresses |
|---|---|---|
| 10.0.0.0 - 10.255.255.255 | 10.0.0.0/8 | 16,777,216 (one Class A) |
| 172.16.0.0 - 172.31.255.255 | 172.16.0.0/12 | 1,048,576 (16 Class Bs) |
| 192.168.0.0 - 192.168.255.255 | 192.168.0.0/16 | 65,536 (256 Class Cs) |

These addresses can be used by anyone internally.
They CANNOT be routed on the public internet.
Security Note: Understanding private vs. public addresses is crucial for security. Internal network reconnaissance often reveals private addresses that indicate network structure. Improperly configured NAT or firewalls can expose internal addresses. See Part II, Chapter 9 for reconnaissance techniques.
The IPv4 Header
The IPv4 header contains all the information routers need to forward packets. Understanding its structure helps in packet analysis and crafting.
IPv4 Header Format (20 bytes minimum, up to 60 with options):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |   DSCP    |ECN|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      TTL      |    Protocol   |        Header Checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source IP Address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination IP Address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Options (if IHL > 5)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Key fields:
| Field | Size | Description |
|---|---|---|
| Version | 4 bits | IP version (4 for IPv4) |
| IHL | 4 bits | Header length in 32-bit words (min 5 = 20 bytes) |
| DSCP/ECN | 8 bits | QoS markings and congestion notification |
| Total Length | 16 bits | Entire packet size in bytes (max 65,535) |
| Identification | 16 bits | Fragment identification |
| Flags | 3 bits | DF (Don't Fragment), MF (More Fragments) |
| Fragment Offset | 13 bits | Position in fragmented packet |
| TTL | 8 bits | Maximum hops before discard (0-255) |
| Protocol | 8 bits | Upper layer protocol (6=TCP, 17=UDP, 1=ICMP) |
| Header Checksum | 16 bits | Error detection for header only |
| Source IP | 32 bits | Sender's IP address |
| Destination IP | 32 bits | Recipient's IP address |
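An added example, not code from the chapter: decoding the fields tabulated above from raw bytes and verifying the header checksum, the check a packet analyser performs before trusting anything else in the header. The packets are constructed inside the block.

```python
# Added example (not from the chapter): decode a raw IPv4 header into the fields
# tabulated above and verify the header checksum, as a packet analyser would.
# The packets used below are constructed in this block.
import struct
import ipaddress

HDR = "!BBHHHBBH4s4s"            # the 20-byte fixed header, network byte order
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed header plus any options; raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, dscp_ecn, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(HDR, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version nibble is {version})")
    hdr_len = ihl * 4
    if ihl < 5 or len(packet) < hdr_len:
        raise ValueError(f"bad IHL {ihl}: header would be {hdr_len} bytes")
    if total_len < hdr_len:
        raise ValueError("Total Length is smaller than the header length")
    return {
        "version": version,
        "header_len": hdr_len,
        "dscp": dscp_ecn >> 2,
        "ecn": dscp_ecn & 0x3,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),            # Flags bit 1: Don't Fragment
        "mf": bool(flags_frag & 0x2000),            # Flags bit 2: More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # 13-bit field in 8-byte units
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:hdr_len],
        # The checksum covers only the header; a correct header sums to zero.
        "checksum_ok": ones_complement_sum(packet[:hdr_len]) == 0,
    }


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1,
                      ttl: int = 64, ident: int = 12345, df: bool = False,
                      mf: bool = False, frag_offset: int = 0) -> bytes:
    """Sender side: a 20-byte header (no options) with its checksum filled in."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset // 8)
    fields = [0x45, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ones_complement_sum(struct.pack(HDR, *fields))  # sum with field zeroed
    return struct.pack(HDR, *fields)


if __name__ == "__main__":
    header = build_ipv4_header("192.168.1.100", "8.8.8.8", payload_len=64)
    print(parse_ipv4_header(header + b"\x00" * 64))
```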
Time to Live (TTL):
TTL prevents packets from looping forever. Each router decrements TTL by 1; when it reaches 0, the packet is discarded and an ICMP "Time Exceeded" message is sent. This is how traceroute works: it sends packets with increasing TTL values to discover the path.
TTL in Action:

Packet starts with TTL=64

[Source] --> [Router 1] --> [Router 2] --> [Router 3] --> [Dest]
 TTL=64         TTL=63         TTL=62         TTL=61

Common default TTL values:
  Linux/Unix: 64
  Windows:    128
  Cisco:      255

Security implication: TTL can help identify OS (fingerprinting)
Security Note: The source IP address can be forged (IP spoofing). IP has no built-in authentication mechanism. This enables various attacks including denial of service with spoofed sources and certain MITM scenarios. See Part II, Chapter 3.
IP Fragmentation
If a packet is larger than the Maximum Transmission Unit (MTU) of a network link (typically 1500 bytes for Ethernet), it must be fragmented into smaller pieces. The receiving host reassembles the fragments.
IP Fragmentation:

Original Packet (4000 bytes data):
+-----------+-----------------------------------------------------+
| IP Header |                  Data (4000 bytes)                  |
+-----------+-----------------------------------------------------+

After fragmentation for MTU 1500:

Fragment 1 (1500 bytes):
+-----------+----------------------------------------+
| IP Header |           Data (1480 bytes)            |  MF=1
| ID=12345  |           Byte offset 0                |  Offset field=0
+-----------+----------------------------------------+

Fragment 2 (1500 bytes):
+-----------+----------------------------------------+
| IP Header |           Data (1480 bytes)            |  MF=1
| ID=12345  |           Byte offset 1480             |  Offset field=185
+-----------+----------------------------------------+

Fragment 3 (1060 bytes):
+-----------+---------------------------+
| IP Header |     Data (1040 bytes)     |  MF=0
| ID=12345  |     Byte offset 2960      |  Offset field=370
+-----------+---------------------------+

Fragmentation fields:
- Identification: Same value (12345) for all fragments
- More Fragments (MF): 1 if more coming, 0 for last
- Fragment Offset: Position in original packet (÷8)
COMMON MISTAKE
Fragment offset is in 8-byte units, not bytes. So offset=185 means byte position 1480 (185 × 8).
Security Note: Fragmentation has been exploited in attacks like the "Ping of Death" (oversized ping causing buffer overflow) and "Teardrop" (overlapping fragments causing crashes). Modern systems are patched against these classic attacks, but fragmentation-based evasion of security devices remains relevant. See Part II, Chapter 3.
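Added example (not from the chapter): the 4000-byte split above reproduced from the fragment fields, and a receiver that refuses overlapping, duplicated or incomplete fragment sets of the kind the Teardrop note refers to instead of reassembling them blindly; the fragments are constructed inline.

```python
# Added example (not from the chapter): IPv4 fragmentation from the sender's side
# and reassembly on the receiver's side, with the offset unit conversion made
# explicit and overlapping, duplicated or incomplete fragment sets rejected.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int          # Identification: identical for every piece of one datagram
    offset_units: int   # Fragment Offset exactly as carried on the wire (8-byte units)
    mf: bool            # More Fragments flag
    data: bytes

    @property
    def start(self) -> int:
        return self.offset_units * 8      # the common mistake: units, not bytes

    @property
    def end(self) -> int:
        return self.start + len(self.data)


def fragment(ident: int, payload: bytes, mtu: int = 1500, header_len: int = 20) -> list:
    """Cut payload so each fragment fits the MTU. Every chunk except the last must
    be a multiple of 8 bytes, because the offset field counts 8-byte units."""
    chunk = ((mtu - header_len) // 8) * 8          # 1480 for a 1500-byte MTU
    pieces = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        pieces.append(Fragment(ident, start // 8, start + chunk < len(payload), data))
    return pieces


def reassemble(frags: list) -> bytes:
    """Rebuild the payload; raise ValueError rather than trust a bad fragment set.
    Exact duplicates are rejected too (a production stack would tolerate them)."""
    if not frags:
        raise ValueError("no fragments")
    if any(f.ident != frags[0].ident for f in frags):
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.start)
    expected = 0
    for f in ordered:
        if f.start < expected:
            raise ValueError(f"overlap at byte {f.start} (teardrop-style)")
        if f.start > expected:
            raise ValueError(f"gap before byte {f.start}")
        if f.mf and len(f.data) % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        expected = f.end
    if ordered[-1].mf:
        raise ValueError("last fragment (MF=0) missing")
    if any(not f.mf for f in ordered[:-1]):
        raise ValueError("MF=0 set on a fragment that is not the last")
    return b"".join(f.data for f in ordered)


if __name__ == "__main__":
    for f in fragment(12345, b"A" * 4000):        # the chapter's 4000-byte example
        print(f"offset field={f.offset_units:4d}  byte={f.start:5d}  "
              f"len={len(f.data)}  MF={int(f.mf)}")
```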
IPv6: The Next Generation
Why IPv6?
IPv4's 4.3 billion addresses seemed inexhaustible in the early internet days. As the internet grew exponentially, address exhaustion became a real crisis. NAT extended IPv4's life, but introduced complexity and broke the end-to-end connectivity model.
IPv6 addresses this with 128-bit addresses, providing 3.4 × 10^38 unique addresses. That's roughly 340 undecillion, or enough to assign an IP to every grain of sand on Earth.
IPv6 Address Format
IPv6 addresses are written as eight groups of four hexadecimal digits, separated by colons:
IPv6 Address Format:

Full IPv6 address (128 bits):
  2001 : 0db8 : 85a3 : 0000 : 0000 : 8a2e : 0370 : 7334
  16bit  16bit  16bit  16bit  16bit  16bit  16bit  16bit
  8 groups × 16 bits = 128 bits

Simplification rules:
1. Remove leading zeros in each group:
   2001:0db8:85a3:0000:0000:8a2e:0370:7334
   -> 2001:db8:85a3:0:0:8a2e:370:7334
2. Replace ONE run of consecutive all-zero groups with ::
   2001:db8:85a3:0:0:8a2e:370:7334
   -> 2001:db8:85a3::8a2e:370:7334
   (:: can only be used ONCE per address)

Examples:
  Full:       2001:0db8:0000:0000:0000:0000:0000:0001
  Simplified: 2001:db8::1

  Loopback:
  Full:       0000:0000:0000:0000:0000:0000:0000:0001
  Simplified: ::1
IPv6 Address Types
| Type | Prefix | Description | Example |
|---|---|---|---|
| Global Unicast | 2000::/3 | Publicly routable (like public IPv4) | 2001:db8::1 |
| Link-Local | fe80::/10 | Auto-configured, single link only | fe80::1 |
| Unique Local | fc00::/7 | Private addresses (like RFC 1918) | fd00::1 |
| Multicast | ff00::/8 | One-to-many delivery | ff02::1 |
| Loopback | ::1/128 | Localhost | ::1 |
| Unspecified | ::/128 | Like 0.0.0.0 in IPv4 | :: |
IPv6 Address Types Visual:

Global Unicast (2000::/3) - Internet routable
+-----+-----------------------+-----------+----------------------+
| 001 | Global Routing Prefix | Subnet ID |     Interface ID     |
|3 bit|        45 bits        |  16 bits  |       64 bits        |
+-----+-----------------------+-----------+----------------------+

Link-Local (fe80::/10) - Local network only, auto-generated
+------------+------------------+---------------------------------+
| 1111111010 |        0         |          Interface ID           |
|  10 bits   |     54 bits      |            64 bits              |
+------------+------------------+---------------------------------+
fe80::<MAC-derived interface ID>

Every IPv6 interface has a link-local address automatically!
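Added example (not the chapter's code): the two simplification rules, the type table, the MAC-derived link-local address and the solicited-node multicast group used by the Neighbor Solicitation exchange shown later in this section, each implemented and checked against Python's ipaddress module; the MAC address in the usage call is constructed.

```python
# Added example (not from the chapter): the two text-compression rules implemented
# by hand and checked against the ipaddress module, plus the prefix classification,
# the EUI-64 link-local derivation, and the solicited-node multicast group that a
# Neighbor Solicitation for an address is sent to.
import ipaddress


def expand(addr: str) -> list:
    """Undo :: and leading-zero removal; return the eight 16-bit groups as ints."""
    if addr.count("::") > 1:
        raise ValueError(":: may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(":: must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = [int(g, 16) for g in groups]
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("each group must fit in 16 bits")
    return values


def compress(addr: str) -> str:
    """Rule 1: drop leading zeros. Rule 2: replace the longest run of two or more
    zero groups with :: (leftmost wins ties), as RFC 5952 recommends."""
    groups = expand(addr)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [1]):          # sentinel closes a trailing run
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def classify(addr: str) -> str:
    """Address type from its leading bits, following the table above."""
    ip = ipaddress.IPv6Address(addr)
    for name, prefix in (("loopback", "::1/128"), ("unspecified", "::/128"),
                         ("link-local", "fe80::/10"), ("unique-local", "fc00::/7"),
                         ("multicast", "ff00::/8"), ("global-unicast", "2000::/3")):
        if ip in ipaddress.IPv6Network(prefix):
            return name
    return "other"


def link_local_from_mac(mac: str) -> str:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64))


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the target address's low 24 bits."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


if __name__ == "__main__":
    print(compress("2001:0db8:85a3:0000:0000:8a2e:0370:7334"))
    print(classify("fe80::1"), classify("fd00::1"), classify("2001:db8::1"))
    print(link_local_from_mac("00:11:22:33:44:55"))    # constructed MAC
    print(solicited_node("2001:db8::2"))                # group used in the NS example
```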
IPv6 Header
IPv6 simplified the header compared to IPv4:
IPv6 Header Format (40 bytes fixed):

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Traffic Class |           Flow Label                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Payload Length        |  Next Header  |   Hop Limit   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                   Source Address (128 bits)                   |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                Destination Address (128 bits)                 |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Key differences from IPv4:
- No header checksum: Relies on Layer 2 and Layer 4 checksums (faster processing)
- No fragmentation fields: Fragmentation handled by source only (Path MTU Discovery)
- Fixed 40-byte header: Simpler processing
- Next Header field: Allows extension headers for optional features
- Flow Label: Can identify traffic flows for QoS
IPv6 Neighbor Discovery Protocol (NDP)
IPv6 replaces ARP with Neighbor Discovery Protocol (NDP), which uses ICMPv6:
NDP Functions (ICMPv6):

| Function | IPv4 Equivalent | ICMPv6 Type |
|---|---|---|
| Router Solicitation | N/A | Type 133 |
| Router Advertisement | DHCP (partial) | Type 134 |
| Neighbor Solicitation | ARP Request | Type 135 |
| Neighbor Advertisement | ARP Reply | Type 136 |
| Redirect | ICMP Redirect | Type 137 |

Neighbor Solicitation Example (Like ARP):

Host A wants to reach Host B (2001:db8::2)

[Host A]                                               [Host B]
   |                                                       |
   |  Neighbor Solicitation                                |
   |  "Who has 2001:db8::2?"                               |
   |  Dst: ff02::1:ff00:0002 (solicited-node mcast)        |
   |------------------------------------------------------>|
   |                                                       |
   |  Neighbor Advertisement                               |
   |  "2001:db8::2 is at MAC xx:xx:xx:xx:xx:xx"            |
   |<------------------------------------------------------|
   |                                                       |

Security Note: NDP has vulnerabilities similar to ARP's; spoofing attacks are possible. Secure Neighbor Discovery (SEND) was designed to address this but is rarely deployed. RA Guard and ND Inspection provide practical mitigations.
IPv6 Security Considerations
IPv6 was designed with security in mind:
- IPsec support: Originally mandatory, now recommended
- No broadcast: Uses multicast instead, reducing certain attack surfaces
- Larger address space: Harder to scan (2^64 addresses per subnet!)
However, IPv6 introduces new security considerations:
| Concern | Description | Mitigation |
|---|---|---|
| Dual-stack | Running both IPv4 and IPv6 doubles attack surface | Monitor both protocols |
| Security tool maturity | Many tools focus on IPv4 | Ensure IPv6 visibility |
| Extension headers | Can be used to evade firewalls | Deep packet inspection |
| Privacy extensions | Randomized addresses can help or hinder | Understand your environment |
| Rogue RA | Fake router advertisements | RA Guard |
| NDP spoofing | Like ARP spoofing | ND Inspection |
IPv6 Transition Mechanisms
The internet is slowly transitioning from IPv4 to IPv6. Several mechanisms facilitate coexistence:
Dual Stack: Devices run both IPv4 and IPv6 simultaneously

+-----------------------------------------------------+
|                     Application                     |
+--------------------------+--------------------------+
|           IPv4           |           IPv6           |
+--------------------------+--------------------------+
|                  Network Interface                  |
+-----------------------------------------------------+
Tunneling: IPv6 packets encapsulated in IPv4 for transport across IPv4-only networks
- 6to4, 6rd, ISATAP, Teredo (mostly deprecated)
- IPv6 over IPv4 GRE tunnels (still common)
Translation: Converting between IPv4 and IPv6 at network boundaries
- NAT64/DNS64: Allow IPv6-only hosts to reach IPv4 servers
- SIIT: Stateless IP/ICMP Translation
Security Note: Transition mechanisms introduce complexity and potential vulnerabilities. Tunneled traffic may bypass IPv4 security controls. Security teams must monitor both protocol versions.
ICMP: The Networkβs Diagnostic Tool
What ICMP Does
The Internet Control Message Protocol (ICMP) is IP's companion for error reporting and diagnostics. When something goes wrong in IP communication (a host is unreachable, a packet's TTL expires, or a route doesn't exist), ICMP delivers the bad news.
ICMP is also the foundation of familiar diagnostic tools like ping and traceroute.
ICMP Message Types
| Type | Code | Description | Use |
|---|---|---|---|
| 0 | 0 | Echo Reply | Ping response |
| 3 | 0 | Network Unreachable | Routing failure |
| 3 | 1 | Host Unreachable | Host offline/filtered |
| 3 | 3 | Port Unreachable | Service not running |
| 3 | 4 | Fragmentation Needed | MTU issue (Path MTU Discovery) |
| 3 | 13 | Communication Administratively Prohibited | Firewall blocked |
| 5 | x | Redirect | Use a different route |
| 8 | 0 | Echo Request | Ping |
| 11 | 0 | TTL Exceeded in Transit | Traceroute |
| 11 | 1 | Fragment Reassembly Time Exceeded | Fragment timeout |
Ping: Echo Request/Reply
The ping utility sends ICMP Echo Request messages and listens for Echo Replies:
$ ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=15.4 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=14.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=15.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=15.0 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.9/15.1/15.4/0.2 ms
What ping tells you:
- Host is reachable (or not)
- Round-trip time (latency)
- Packet loss percentage
- TTL value (hints at hop count, OS fingerprint)
Traceroute: Mapping the Path
traceroute exploits TTL to discover the path packets take:
Traceroute Mechanism:

1. Send packet with TTL=1
   -> First router decrements to 0, sends ICMP TTL Exceeded
2. Send packet with TTL=2
   -> First router decrements to 1, forwards
   -> Second router decrements to 0, sends ICMP TTL Exceeded
3. Continue until destination responds or max hops reached
Example output:
$ traceroute google.com
traceroute to google.com (142.250.80.46), 30 hops max
1 192.168.1.1 (192.168.1.1) 1.234 ms 0.987 ms 1.001 ms
2 10.0.0.1 (10.0.0.1) 8.432 ms 8.234 ms 8.567 ms
3 72.14.215.85 (72.14.215.85) 9.123 ms 9.234 ms 9.111 ms
4 * * *                                <- Router didn't respond (filtered)
5 142.250.80.46 (142.250.80.46) 10.234 ms 10.111 ms 10.345 ms
Note: * * * indicates a hop that didn't respond, often firewalls blocking ICMP or routers configured not to respond.
PRO TIP
Different traceroute tools use different protocols:
- traceroute (Linux/macOS): UDP by default
- traceroute -I (Linux): ICMP
- tracert (Windows): ICMP
- traceroute -T (Linux): TCP (often works when others are blocked)
ICMP Security Considerations
ICMP is essential for network operation but presents security risks:
Reconnaissance:
- Ping sweeps identify live hosts
- Traceroute reveals network topology
- ICMP responses can fingerprint operating systems
- Destination Unreachable messages reveal firewall rules
Attacks:
- Smurf Attack: Spoofed ping to broadcast address causes amplification
- Ping of Death: Oversized ping causing buffer overflow (historical)
- ICMP Tunneling: Hiding data in ICMP payloads to bypass firewalls
- ICMP Redirect Attacks: Malicious redirect messages altering routing
- Flood attacks: ICMP flood can overwhelm targets
Smurf Attack (Historical):

   Attacker
      |
      |  1. ICMP Echo Request to broadcast 192.168.1.255
      |     Source: Victim's IP (spoofed)
      |     Destination: 192.168.1.255
      v
+-----------------+
|     Network     |
|   (100 hosts)   |
+-----------------+
      |
      |  2. All 100 hosts send ICMP Echo Reply to victim
      v
+-----------------+
|     Victim      |  <-- Flooded with 100 replies for every 1 request
+-----------------+

Amplification factor: 100x (or more on larger networks)
Mitigation: Disable directed broadcast (default on modern routers)
Security Note: Many organizations filter ICMP at network boundaries. While this improves security, it can break legitimate diagnostics and Path MTU Discovery. ICMP-based attacks are detailed in Part II, Chapter 3.
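An added example (not from the chapter) of the defender's side of the reconnaissance and attack lists above: detectors for ping sweeps, oversized echo payloads (the tunneling signature), directed-broadcast requests (the smurf pattern) and unsolicited reply floods, plus the TTL-based OS and hop-count estimate from the ping section, run over a constructed log. The log format, thresholds and "normal" ping sizes are assumptions for this example.

```python
# Added example (not from the chapter): detectors for the ICMP abuse patterns
# listed above, run over a constructed syslog-style ICMP log. The log format,
# thresholds and "normal" ping sizes are assumptions for this example.
import re
from collections import Counter, defaultdict

LINE = re.compile(r"(?P<ts>\S+) icmp type=(?P<type>\d+) code=(?P<code>\d+) "
                  r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) len=(?P<len>\d+) ttl=(?P<ttl>\d+)")
ECHO_REQUEST, ECHO_REPLY = 8, 0
NORMAL_PING_SIZES = {32, 40, 56, 64}      # typical echo payload sizes from stock ping

# Constructed log: a sweep, oversized echo traffic, a spoofed broadcast ping with
# its reply storm, and one ordinary ping exchange that must not raise an alert.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z icmp type=8 code=0 src=10.0.5.7 dst=10.0.1.{i} len=56 ttl=64"
     for i in range(1, 10)]
    + [f"2024-05-01T10:01:{i:02d}Z icmp type=8 code=0 src=10.0.5.9 dst=203.0.113.10 len=1200 ttl=64"
       for i in range(5)]
    + ["2024-05-01T10:02:00Z icmp type=8 code=0 src=198.51.100.5 dst=10.0.1.255 len=56 ttl=250"]
    + [f"2024-05-01T10:02:01Z icmp type=0 code=0 src=10.0.1.{i} dst=198.51.100.5 len=56 ttl=64"
       for i in range(1, 10)]
    + ["2024-05-01T10:03:00Z icmp type=8 code=0 src=10.0.5.7 dst=8.8.8.8 len=56 ttl=64",
       "2024-05-01T10:03:00Z icmp type=0 code=0 src=8.8.8.8 dst=10.0.5.7 len=56 ttl=117"]
)


def parse(lines):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    records = []
    for line in lines:
        m = LINE.match(line)
        if m:
            r = m.groupdict()
            for key in ("type", "code", "len", "ttl"):
                r[key] = int(r[key])
            records.append(r)
    return records


def initial_ttl(ttl):
    """Guess the sender's default TTL (64, 128 or 255) and the hops in between."""
    for default in (64, 128, 255):
        if ttl <= default:
            return default, default - ttl
    raise ValueError("TTL cannot exceed 255")


def detect(records, sweep_threshold=8, tunnel_threshold=5, broadcast_suffix=".255"):
    findings = []
    targets = defaultdict(set)     # echo-request source -> distinct destinations
    odd_sizes = Counter()          # (src, dst) -> echo packets of unusual size
    unsolicited = Counter()        # host -> echo replies it never asked for
    for r in records:              # first pass: who asked whom
        if r["type"] == ECHO_REQUEST:
            targets[r["src"]].add(r["dst"])
            if r["dst"].endswith(broadcast_suffix):
                findings.append(f"smurf pattern: echo request to broadcast {r['dst']} "
                                f"with source {r['src']} (likely spoofed)")
    for r in records:              # second pass: replies and payload sizes
        if r["type"] in (ECHO_REQUEST, ECHO_REPLY) and r["len"] not in NORMAL_PING_SIZES:
            odd_sizes[(r["src"], r["dst"])] += 1
        if r["type"] == ECHO_REPLY and r["src"] not in targets[r["dst"]]:
            unsolicited[r["dst"]] += 1
    for src, dsts in targets.items():
        if len(dsts) >= sweep_threshold:
            findings.append(f"ping sweep: {src} probed {len(dsts)} hosts")
    for (src, dst), n in odd_sizes.items():
        if n >= tunnel_threshold:
            findings.append(f"possible ICMP tunnel: {n} odd-sized echo packets {src}->{dst}")
    for host, n in unsolicited.items():
        if n >= sweep_threshold:
            findings.append(f"reply flood: {host} got {n} echo replies it never requested")
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
    print(initial_ttl(117))     # the ttl=117 seen in the ping output above
```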
ICMPv6
IPv6 has its own ICMP version (ICMPv6, protocol number 58) that's more integral to IPv6 operation:
- Neighbor Discovery: Replaces ARP, discovers other nodes on the link
- Router Discovery: Finds routers and obtains configuration
- Path MTU Discovery: Determines optimal packet size
- Multicast Listener Discovery: IPv6 multicast management
ICMPv6 cannot be completely blocked without breaking IPv6 functionality.
Practical Commands
# View IP configuration
ip addr # Linux
ifconfig # macOS/older Linux
ipconfig /all # Windows
# View routing table
ip route # Linux
netstat -rn # macOS/older Linux
route print # Windows
# Test connectivity
ping <host>
ping -c 4 8.8.8.8 # Linux/macOS (4 packets)
ping -n 4 8.8.8.8 # Windows (4 packets)
ping6 <ipv6_host> # IPv6 ping
# Trace route
traceroute <host> # macOS/Linux (uses UDP)
traceroute -I <host> # Use ICMP
traceroute -T -p 443 <host> # Use TCP
tracert <host> # Windows (uses ICMP)
# View neighbor cache (ARP for IPv4, NDP for IPv6)
ip neigh # Linux
arp -a # All platforms
ndp -a # macOS IPv6
# Path MTU discovery
tracepath <host> # Linux (discovers MTU along path)
# Check your public IP
curl ifconfig.me
curl ipinfo.io
TRY IT YOURSELF
Compare traceroute behavior:
# Standard (UDP)
traceroute google.com
# ICMP (more likely to reach destination)
traceroute -I google.com
# TCP on port 443 (often works through firewalls)
sudo traceroute -T -p 443 google.com
Notice how different protocols may reveal different paths or more hops!
Key Takeaways
- IPv4 uses 32-bit addresses written in dotted decimal notation, providing ~4.3 billion addresses
- Subnetting divides networks logically using subnet masks; CIDR notation compactly represents this
- Private addresses (10.x, 172.16-31.x, 192.168.x) and NAT extend IPv4's lifespan
- IPv6 provides 128-bit addresses, solving address exhaustion with 340 undecillion addresses
- The IPv4 header contains routing information including TTL, which prevents infinite loops
- ICMP provides diagnostics (ping, traceroute) and error reporting, but can be exploited for reconnaissance and attacks
- Dual-stack environments running both IPv4 and IPv6 are common and require security attention for both protocols
Self-Assessment
- Comprehension: If you have a /26 network, how many usable host addresses are available? Why?
- Application: You can ping a server by IP (8.8.8.8) but not by name (google.com). At which layer is the problem likely occurring?
- What if: If IPv6 were universally deployed tomorrow, what network security controls would become obsolete? Which would remain important?
Review Questions
- What is the purpose of the subnet mask?
- How does NAT allow private addresses to access the internet?
- What happens when a packet's TTL reaches zero?
- Why was IPv6 developed, and what are its main advantages?
- How could an attacker use ICMP for reconnaissance?
- What is the difference between IPv4 ARP and IPv6 NDP?
Key RFCs
- RFC 791 - Internet Protocol (IPv4)
- RFC 8200 - Internet Protocol, Version 6 (IPv6) Specification
- RFC 792 - Internet Control Message Protocol (ICMP)
- RFC 4443 - ICMPv6 for IPv6 Specification
- RFC 1918 - Address Allocation for Private Internets
- RFC 4632 - CIDR: The Internet Address Assignment and Aggregation Plan
- RFC 4861 - Neighbor Discovery for IPv6