The Internet Layer is where the 'inter' in 'Internet' comes from. While the Network Interface Layer handles communication within a single network segment, the Internet Layer enables communication across multiple, heterogeneous networks. It provides the logical addressing and routing mechanisms that allow a packet to travel from a smartphone in Tokyo, through dozens of routers, across undersea cables, and arrive at a server in Virginia—all within milliseconds.
This layer is dominated by a single, remarkably successful protocol: the Internet Protocol (IP). Originally designed in the 1970s for a research network of a few hundred hosts, IP now addresses billions of devices and handles exabytes of traffic daily. Understanding the Internet Layer is understanding the core of how the global Internet functions.
By the end of this page, you will master IP addressing for both IPv4 and IPv6, understand IP packet structure and fragmentation, comprehend how routers make forwarding decisions, explore ICMP and network diagnostics, and appreciate the design principles that enable Internet-scale routing.
The Internet Layer's primary mission is host-to-host delivery across network boundaries. Unlike the Network Interface Layer, which only handles local delivery, the Internet Layer provides an abstraction that spans the entire global Internet. Any device with an IP address can (theoretically) communicate with any other device, regardless of the physical networks between them.
The Critical Abstraction
The Internet Layer's genius lies in its abstraction: from the Transport layer's perspective, the network between source and destination is a 'black box' that accepts packets and (usually) delivers them. The Transport layer doesn't need to know:
This abstraction enables the remarkable flexibility of the Internet: new networks can be added, old technologies can be replaced, and routing can change dynamically—all without applications being aware.
IP provides 'best-effort' delivery—packets may be lost, duplicated, delayed, or delivered out of order. The Transport layer (TCP or application protocols) handles reliability. This design choice keeps the network core simple and fast, pushing complexity to the edges where it can be tailored to application needs.
IPv4, specified in RFC 791 (1981), uses 32-bit addresses, providing approximately 4.3 billion unique addresses. While this seemed vast in 1981, address exhaustion became critical by the 2010s, driving the transition to IPv6. Despite this, IPv4 remains the dominant protocol on the Internet today.
Address Notation
IPv4 addresses are written in dotted-decimal notation: four decimal numbers (0-255) separated by dots, each representing one byte of the 32-bit address.
Binary: 11000000.10101000.00000001.00001010
Decimal: 192.168.1.10
Network and Host Portions
Every IP address is divided into two parts:
The boundary between these portions is defined by the subnet mask (or prefix length in CIDR notation).
| CIDR | Subnet Mask | Network Bits | Host Bits | Addresses |
|---|---|---|---|---|
| /24 | 255.255.255.0 | 24 | 8 | 256 (254 usable) |
| /16 | 255.255.0.0 | 16 | 16 | 65,536 (65,534 usable) |
| /8 | 255.0.0.0 | 8 | 24 | 16,777,216 |
| /25 | 255.255.255.128 | 25 | 7 | 128 (126 usable) |
| /30 | 255.255.255.252 | 30 | 2 | 4 (2 usable) |
| /32 | 255.255.255.255 | 32 | 0 | 1 (host route) |
Special IPv4 Addresses
| Address/Range | Purpose |
|---|---|
| 0.0.0.0/8 | This network (default route, DHCP requests) |
| 10.0.0.0/8 | Private addresses (RFC 1918) |
| 127.0.0.0/8 | Loopback (localhost) |
| 169.254.0.0/16 | Link-local (APIPA) |
| 172.16.0.0/12 | Private addresses (RFC 1918) |
| 192.168.0.0/16 | Private addresses (RFC 1918) |
| 224.0.0.0/4 | Multicast |
| 255.255.255.255 | Limited broadcast |
Private vs. Public Addresses
The RFC 1918 private address ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) are not globally routable. They're used within organizations, with Network Address Translation (NAT) providing access to the public Internet. This dramatically extends IPv4's usable lifetime by allowing billions of private devices to share limited public addresses.
For quick subnet calculations: each additional prefix bit halves the address space. /24 = 256 addresses; /25 = 128; /26 = 64; /27 = 32; /28 = 16; /29 = 8; /30 = 4; /31 = 2 (point-to-point links); /32 = 1 (host route). Subtract 2 for network and broadcast addresses where applicable.
IPv6, standardized in RFC 2460 (1998) and updated in RFC 8200 (2017), uses 128-bit addresses—providing 340 undecillion (3.4 × 10³⁸) addresses. This is enough to assign trillions of addresses to every human on Earth, eliminating the address exhaustion problem and enabling end-to-end connectivity without NAT.
Address Notation
IPv6 addresses are written as eight groups of four hexadecimal digits, separated by colons:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Simplification Rules:
Leading zeros can be omitted in each group:
2001:db8:85a3:0:0:8a2e:370:7334
One sequence of consecutive all-zero groups can be replaced with "::":
2001:db8:85a3::8a2e:370:7334
:: can only appear once to avoid ambiguity
Examples:
::1 (full: 0000:0000:0000:0000:0000:0000:0000:0001)
::ffff:192.168.1.1
fe80::1 (automatically configured on every interface)
| Prefix | Address Type | Description |
|---|---|---|
| ::1/128 | Loopback | Equivalent to 127.0.0.1 in IPv4 |
| fe80::/10 | Link-local | Automatically configured, not routable |
| fc00::/7 | Unique Local | Private addresses (like RFC 1918) |
| 2000::/3 | Global Unicast | Globally routable addresses |
| ff00::/8 | Multicast | One-to-many delivery |
| ::ffff:0:0/96 | IPv4-mapped | IPv4 addresses embedded in IPv6 |
IPv6 Address Structure (Global Unicast)
A typical global unicast address (2000::/3) is structured:
| Bits | Component | Description |
|---|---|---|
| 48 | Global Routing Prefix | Assigned by ISP |
| 16 | Subnet ID | Organization's internal subnets |
| 64 | Interface ID | Host identifier (often EUI-64 or random) |
The 64-bit Interface ID is often derived from the MAC address using the EUI-64 method (inserting FF:FE in the middle and flipping the 7th bit), or generated randomly for privacy.
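The EUI-64 derivation described above, as an added example that is not part of the original page. It also shows why the random alternative matters for privacy: an EUI-64 interface ID can be turned back into the MAC address. The function names, the MAC address and the /64 prefix are constructed for illustration.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit interface ID from a 48-bit MAC address."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02  # flip the 7th bit of the first byte (universal/local bit)
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])  # insert FF:FE in the middle


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """Recover the MAC if the interface ID carries the FF:FE marker, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random or manually assigned interface ID
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the bit flip
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    addr = eui64_address("2001:db8:85a3:1::/64", mac)
    print(addr, "->", mac_from_address(addr))
    # The page's example address has no FF:FE marker, so nothing is recovered.
    print(mac_from_address("2001:db8:85a3::8a2e:370:7334"))
```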
Key IPv6 Features
As of 2024, IPv6 handles approximately 40%+ of traffic for major providers like Google. Adoption varies by region—Belgium leads with 70%+, while others lag. Dual-stack (running both IPv4 and IPv6) remains the common transition mechanism, though IPv6-only networks are increasingly viable.
The IP packet (or datagram) is the fundamental unit of communication at the Internet layer. Understanding its structure is essential for packet analysis, troubleshooting, and understanding protocol behavior.
Key IPv4 Header Fields
Version (4 bits): IP version (4 for IPv4, 6 for IPv6)
IHL (4 bits): Internet Header Length in 32-bit words. Minimum 5 (20 bytes), maximum 15 (60 bytes with options)
DSCP/ECN (8 bits): Differentiated Services and Explicit Congestion Notification for QoS
Total Length (16 bits): Entire packet size including header and data. Maximum 65,535 bytes
Identification (16 bits): Unique ID for fragmentation/reassembly
Flags (3 bits): Control fragmentation. DF (Don't Fragment) and MF (More Fragments)
Fragment Offset (13 bits): Position of this fragment within the original packet
TTL (8 bits): Time To Live. Decremented by each router; packet discarded when reaching 0 (prevents infinite loops)
Protocol (8 bits): Upper-layer protocol. 1=ICMP, 6=TCP, 17=UDP
Header Checksum (16 bits): Error detection for header only (not payload)
Source/Destination IP (32 bits each): Sender and receiver IP addresses
IPv6 Header Simplification
IPv6's header is a fixed 40 bytes—simpler despite larger addresses:
| Field | Bits | Description |
|---|---|---|
| Version | 4 | Always 6 |
| Traffic Class | 8 | QoS marking |
| Flow Label | 20 | Mark packets belonging to same flow |
| Payload Length | 16 | Size of data (not header) |
| Next Header | 8 | Next header type (TCP, UDP, extension) |
| Hop Limit | 8 | Same as IPv4 TTL |
| Source Address | 128 | Sender's IPv6 address |
| Destination Address | 128 | Receiver's IPv6 address |
Notice what's removed: fragmentation fields (handled by extension headers), header checksum (upper layers and link layer provide this), IHL (fixed header size), and options (replaced by extension headers).
Different operating systems use different default TTL values: Linux uses 64, Windows uses 128, and some network devices use 255. When analyzing packets, TTL can hint at the source OS and the number of hops traversed. 'TTL exceeded' ICMP messages indicate routing loops or unexpectedly long paths.
Routing is the process of selecting paths for packets to travel from source to destination across interconnected networks. Routers—devices that operate at the Internet layer—examine each packet's destination address and forward it toward its destination based on their routing tables.
Routing Table Essentials
A routing table entry typically contains:
Destination Gateway Genmask Iface
192.168.1.0 0.0.0.0 255.255.255.0 eth0 # Directly connected
10.0.0.0 192.168.1.1 255.0.0.0 eth0 # Via gateway
0.0.0.0 192.168.1.254 0.0.0.0 eth0 # Default route
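A lookup over the three entries above, as an added example that is not part of the original page. It applies the standard longest-prefix-match rule: among all entries that contain the destination, the most specific one wins, and the default route matches only when nothing else does. The function names are hypothetical and contiguous netmasks are assumed.

```python
import ipaddress

# The routing table from the listing above: (destination, gateway, genmask, iface).
ROUTES = [
    ("192.168.1.0", "0.0.0.0", "255.255.255.0", "eth0"),
    ("10.0.0.0", "192.168.1.1", "255.0.0.0", "eth0"),
    ("0.0.0.0", "192.168.1.254", "0.0.0.0", "eth0"),
]


def build_table(routes):
    table = []
    for dest, gateway, genmask, iface in routes:
        # Prefix length = number of 1 bits in the mask (assumes a contiguous mask).
        prefixlen = bin(int(ipaddress.IPv4Address(genmask))).count("1")
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}")
        # A gateway of 0.0.0.0 means the network is directly connected.
        table.append((net, None if gateway == "0.0.0.0" else gateway, iface))
    # Most specific prefix first, so the first match is the longest match.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination: str):
    addr = ipaddress.IPv4Address(destination)
    for net, gateway, iface in table:
        if addr in net:
            return {
                "route": str(net),
                "next_hop": gateway or destination,  # on-link: deliver directly
                "iface": iface,
            }
    return None  # no matching entry and no default route


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("192.168.1.77", "10.9.8.7", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
```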
Routing Process:
Interior Gateway Protocols (IGPs) like OSPF and EIGRP route within an organization (autonomous system). Exterior Gateway Protocols (EGPs)—specifically BGP—route between autonomous systems on the global Internet. BGP is what makes the Internet a network of networks.
The Internet Control Message Protocol (ICMP), defined in RFC 792, provides error reporting and diagnostic capabilities for IP networks. ICMP messages are carried within IP packets (protocol number 1 for IPv4, 58 for ICMPv6) but are considered part of the Internet layer, not an upper-layer protocol.
| Type | Name | Description |
|---|---|---|
| 0 | Echo Reply | Response to ping request |
| 3 | Destination Unreachable | Packet couldn't be delivered (various codes) |
| 4 | Source Quench | Congestion control (deprecated) |
| 5 | Redirect | Router suggesting a better route |
| 8 | Echo Request | The 'ping' request |
| 11 | Time Exceeded | TTL expired (used by traceroute) |
Destination Unreachable Codes
The Type 3 (Destination Unreachable) message includes a code specifying why:
| Code | Meaning |
|---|---|
| 0 | Network unreachable |
| 1 | Host unreachable |
| 2 | Protocol unreachable |
| 3 | Port unreachable |
| 4 | Fragmentation needed but DF set |
| 13 | Communication administratively prohibited |
Ping: Echo Request/Reply
The ping utility sends ICMP Echo Request messages and measures the time until Echo Reply returns. This verifies:
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=14.2 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=13.8 ms
Traceroute: Mapping the Path
Traceroute exploits ICMP Time Exceeded messages to discover the path to a destination:
Each Time Exceeded reveals a router along the path:
$ traceroute google.com
1 192.168.1.1 (192.168.1.1) 1.234 ms
2 10.20.30.1 (10.20.30.1) 5.678 ms
3 core-rtr.isp.com (198.51.100.1) 12.345 ms
4 ....
Note: Some routers drop ICMP or deprioritize it, causing timeouts (* * *) in traceroute output.
ICMP can be used for reconnaissance (mapping networks with ping sweeps) and attacks (ping floods, ICMP redirect attacks). Many firewalls block some ICMP types. However, blocking all ICMP breaks Path MTU Discovery and essential diagnostics. Security policy should be nuanced, not simply 'block all ICMP.'
Different link-layer technologies have different maximum frame sizes. Ethernet's MTU is typically 1500 bytes, but some WAN links may be smaller. When an IP packet is larger than the outgoing link's MTU, it must be fragmented into smaller pieces that can traverse the link.
IPv4 Fragmentation
In IPv4, any router along the path can fragment packets:
All fragments share the same Identification field. The destination host reassembles them.
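Fragmentation and reassembly worked through in code, as an added example that is not part of the original page. It splits a payload for a given MTU using the Identification, MF and Fragment Offset fields, then reassembles out-of-order fragments and rejects sets with gaps or overlaps. The payload, Identification value and function names are constructed for illustration.

```python
import random


def fragment(payload: bytes, mtu: int, ident: int, header_len: int = 20) -> list:
    """Split an IPv4 payload the way a router would for a link with this MTU."""
    # Fragment Offset counts 8-byte units, so every non-final fragment
    # must carry a multiple of 8 payload bytes.
    step = (mtu - header_len) // 8 * 8
    if step <= 0:
        raise ValueError("MTU leaves no room for payload")
    return [
        {"id": ident, "offset": off // 8,
         "mf": off + step < len(payload),  # More Fragments on all but the last
         "data": payload[off:off + step]}
        for off in range(0, len(payload), step)
    ]


def reassemble(frags: list) -> bytes:
    """Destination-side reassembly; fragments may arrive in any order."""
    if not frags or len({f["id"] for f in frags}) != 1:
        raise ValueError("fragments must share one Identification value")
    ordered = sorted(frags, key=lambda f: f["offset"])
    out = bytearray()
    for f in ordered:
        if f["offset"] * 8 != len(out):
            raise ValueError(f"gap or overlap at byte {f['offset'] * 8}")
        out += f["data"]
    if ordered[-1]["mf"]:
        raise ValueError("last fragment still has MF set: the tail is missing")
    return bytes(out)


def demo():
    # Constructed input: 3980 payload bytes (a 4000-byte datagram), 1500-byte MTU.
    payload = bytes(i % 251 for i in range(3980))
    frags = fragment(payload, mtu=1500, ident=0x1A2B)
    summary = [(f["offset"], f["mf"], len(f["data"])) for f in frags]
    random.Random(7).shuffle(frags)  # simulate out-of-order arrival
    return summary, reassemble(frags) == payload


if __name__ == "__main__":
    print(demo())
```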
Fragmentation Header Fields:
Problems with Fragmentation:
Path MTU Discovery (PMTUD)
To avoid fragmentation, hosts can discover the path's minimum MTU:
This discovers the path MTU without relying on router fragmentation.
IPv6 Changes:
IPv6 takes a stricter approach:
If ICMP is blocked, PMTUD fails silently—large packets disappear without error messages. This creates 'black holes' where small packets work but large ones fail mysteriously. Common symptoms: SSH login works but large file transfers hang. Fix: ensure ICMP Type 3 Code 4 is allowed through firewalls.
We've explored the Internet Layer in depth. Let's consolidate the key insights:
What's Next
With the Internet Layer understood, we ascend to the Transport Layer—where process-to-process communication, reliable delivery, and flow control become possible. You'll learn how TCP provides reliable, ordered byte streams; how UDP enables efficient datagram delivery; and how port numbers multiplex connections between applications.
You now understand the Internet Layer's role as the heart of internetworking, including IP addressing, packet structure, routing fundamentals, ICMP diagnostics, and fragmentation. This knowledge is essential for network design, troubleshooting, and understanding how global Internet connectivity is achieved.