Network Layer Protocols

While IP handles the primary task of packet delivery and routing protocols determine paths, a group of control protocols provides essential supporting functions. These protocols handle error reporting, diagnostics, address resolution, and operational feedback that make IP networking practical and manageable.

Without control protocols, network administrators would have no visibility into why packets don't reach destinations, IP addresses couldn't be resolved to hardware addresses for actual transmission, and network troubleshooting would be nearly impossible. These protocols are the unsung heroes that make IP's simplicity viable in practice.

The Internet Control Message Protocol (ICMP) is arguably the most important control protocol at the Network Layer. Despite IP's design as a best-effort protocol with no error reporting, networks need feedback mechanisms. ICMP provides this feedback.

ICMP's Purpose:

ICMP carries control messages about network conditions—not user data. It provides:

1. Error Reporting: Notify senders when packets can't be delivered
2. Diagnostics: Enable testing of connectivity and path discovery
3. Network Information: Report conditions like MTU changes or redirects

ICMP's Position:

ICMP is technically a Network Layer protocol, but it's encapsulated inside IP packets (Protocol number 1). This creates an interesting relationship: ICMP uses IP for delivery, but reports problems with IP delivery.

Key ICMP Message Types:

ICMP messages are categorized by Type and Code. The most important ones include:

Type 0 / Type 8: Echo Reply / Echo Request

• Used by ping utility
• Type 8: Request ("Are you there?")
• Type 0: Reply ("Yes, I'm here")
• Round-trip time measurement

Type 3: Destination Unreachable

• Most important error message
• Codes specify why unreachable:
  • Code 0: Network unreachable (routing failure)
  • Code 1: Host unreachable (final hop failure)
  • Code 2: Protocol unreachable (transport protocol unavailable)
  • Code 3: Port unreachable (application not listening)
  • Code 4: Fragmentation needed but DF set (MTU problem)

Type 11: Time Exceeded

• TTL expired in transit (Code 0)
• Fragment reassembly time exceeded (Code 1)
• Essential for traceroute operation

Type 5: Redirect

• Router suggests a better next hop
• Security concern (disabled in many networks)

Several essential network diagnostic tools are built on ICMP. Understanding how they work reveals ICMP's practical importance.

Ping (Packet Internet Groper):

The simplest and most commonly used network diagnostic tool, ping sends ICMP Echo Request messages and waits for Echo Replies.

What ping reveals:

• Reachability: Can packets reach the destination?
• Round-Trip Time (RTT): How long does a round trip take?
• Packet Loss: What percentage of packets are lost?
• Consistency: Is latency stable or variable (jitter)?

Traceroute (tracert on Windows):

While ping tests end-to-end connectivity, traceroute reveals the path packets take. It leverages ICMP Time Exceeded messages in a clever way:

1. Send packet with TTL=1
2. First router decrements TTL to 0, discards packet, sends ICMP Time Exceeded
3. Traceroute records responding router's IP
4. Send packet with TTL=2, repeat process
5. Continue until destination reached (ICMP Echo Reply) or max hops

The result shows each hop on the path, with latency measurements:

Path MTU Discovery:

Another critical ICMP application is Path MTU Discovery. This process determines the largest packet size that can traverse a path without fragmentation:

1. Sender sets DF (Don't Fragment) flag in IP header
2. If a router can't forward due to MTU limits, it sends ICMP Destination Unreachable (Code 4: Fragmentation Needed)
3. ICMP message includes the next-hop MTU
4. Sender reduces packet size and retries
5. Process continues until packets can traverse entire path

Why this matters:

• Avoids fragmentation overhead
• Prevents black holes (firewalls blocking ICMP that breaks PMTUD)
• Improves throughput by sending largest possible packets

IPv6 includes an updated version of ICMP called ICMPv6 (RFC 4443). While serving similar purposes to ICMP for IPv4, ICMPv6 is significantly more important because it absorbs functions that were separate protocols in IPv4.

ICMPv6 Expanded Role:

In IPv4, ARP (Address Resolution Protocol) was a separate Layer 2 protocol. In IPv6, address resolution is performed by ICMPv6 through Neighbor Discovery Protocol (NDP) messages:

Neighbor Discovery Protocol (NDP):

NDP, which runs on top of ICMPv6, provides several critical functions:

1. Address Resolution: Mapping IPv6 addresses to MAC addresses (replaces ARP)
2. Duplicate Address Detection (DAD): Ensuring address uniqueness before use
3. Router Discovery: Finding available routers on the link
4. Prefix Discovery: Learning which prefixes are on-link
5. Parameter Discovery: Learning link MTU and other parameters
6. Redirect: Informing hosts of better paths

Security Implications:

NDP, like ARP, is vulnerable to spoofing attacks. SEND (SEcure Neighbor Discovery) was developed but isn't widely deployed due to complexity. In practice, networks rely on switch-level security (like IPv6 RA Guard) to mitigate risks.

The Address Resolution Protocol (ARP) solves a fundamental problem: IP addresses are logical, but frames on a local network require hardware (MAC) addresses. How does a host find the MAC address corresponding to a destination IP on the same network?

The ARP Process:

1. Host A wants to send to IP 192.168.1.100
2. Host A checks its ARP cache—is there already a MAC for this IP?
3. If not, Host A broadcasts an ARP Request: "Who has 192.168.1.100? Tell 192.168.1.50"
4. All hosts on segment receive the broadcast
5. Host with 192.168.1.100 responds with ARP Reply: "192.168.1.100 is at AA:BB:CC:DD:EE:FF"
6. Host A caches the mapping and can now send frames

Important ARP Behaviors:

ARP Cache:

• Mappings are cached to avoid repeated lookups
• Entries have a TTL (typically 20+180 seconds)
• Stale entries can cause connectivity issues after IP/MAC changes

Gratuitous ARP:

• Host broadcasts its own IP-to-MAC mapping
• Used when IP address changes (to update others' caches)
• Used in high-availability failover (new MAC takes over IP)
• Can detect IP address conflicts

Proxy ARP:

• Router answers ARP on behalf of hosts on other networks
• Creates appearance of single flat network
• Considered legacy practice but still encountered

ARP is Layer 2.5: ARP operates between Layers 2 and 3—it's neither purely a data link protocol (uses IP addresses) nor a network protocol (resolves to MAC, uses broadcast frames). This hybrid nature is important for understanding where it fits.

While ARP resolves IP-to-MAC, the opposite problem also exists: a host knows its MAC but needs an IP address. This launched a family of protocols.

RARP: Reverse Address Resolution Protocol

RARP (RFC 903) was the original solution to the reverse problem:

1. Diskless workstation boots with only MAC address
2. Broadcasts RARP Request: "What is the IP for MAC AA:BB:CC:DD:EE:FF?"
3. RARP server responds with assigned IP address

RARP Limitations:

• Operates at Layer 2—can't cross routers
• Only provides IP address—no other configuration
• Requires RARP server on every network segment
• No mechanism for dynamic address pools

BOOTP: Bootstrap Protocol

BOOTP (RFC 951) improved on RARP:

• Uses UDP, so can be relayed across routers
• Provides additional configuration (subnet mask, gateway, boot file)
• But still requires manual IP-to-MAC mappings on server

DHCP: Dynamic Host Configuration Protocol

DHCP (RFC 2131) evolved from BOOTP and is the modern standard:

• Dynamic address allocation from pools
• Lease-based—addresses are temporary, can be reused
• Rich configuration options (DNS, gateway, domain, NTP, etc.)
• Works with BOOTP relay agents
• Supports reservations for specific MACs

DHCP's Importance:

DHCP is essential for practical networking:

• Scalability: Thousands of devices can be configured automatically
• Mobility: Devices moving between networks get appropriate addresses
• Address Conservation: Addresses return to pool when not in use
• Central Management: Configuration policies controlled from DHCP server
• Error Reduction: Eliminates manual configuration mistakes

DHCP operates at the Application Layer (using UDP ports 67/68), but its function—providing network layer configuration—places it in the network layer discussion.

Several additional control protocols operate at or near the Network Layer, each serving specific purposes:

IGMP: Internet Group Management Protocol

IGMP manages multicast group membership:

1. Host joins multicast group (e.g., 224.1.1.1)
2. Host sends IGMP Membership Report to the group address
3. Local router learns that someone on this segment wants group traffic
4. Router ensures multicast traffic for that group is forwarded here
5. Host sends IGMP Leave when done (or just stops responding to queries)

IGMP enables efficient multicast delivery—routers only forward to segments with interested receivers, not everywhere.

MLD: Multicast Listener Discovery

MLD is the IPv6 equivalent of IGMP. It's defined as part of ICMPv6 (types 130-132) and serves the same purpose—allowing routers to discover which hosts want which multicast groups.

IPCP: IP Control Protocol

In PPP (Point-to-Point Protocol) links, IPCP negotiates IP parameters between peers, including IP address assignment, DNS server addresses, and compression options. While less common with Ethernet dominance, PPP/IPCP remains relevant in some WAN and DSL scenarios.

Routing Protocols?

Note that routing protocols (RIP, OSPF, BGP) are also control plane protocols, but they handle path computation specifically. We covered them in the previous page. The protocols here focus on operational support functions rather than routing table population.

Control protocols provide the essential infrastructure that makes IP networking practical. While IP carries data and routing protocols determine paths, control protocols handle the operational details that enable actual communication.