IP Explained: IPv4, IPv6, Subnetting, and Routing thumbnail

IP Explained: IPv4, IPv6, Subnetting, and Routing

⏱ approx. 24 min views 60 likes 0 LOG_DATE:2026-05-09
TOC

Internet Protocol (IP) #

Internet Protocol (IP) is the communications protocol that assigns addresses to hosts on a network and forwards packets to their destinations. It sits at the core of the TCP/IP stack: every flow of traffic on the Internet — Web, email, APIs, streaming, gaming — is ultimately routed as IP packets. In the OSI reference model it occupies Layer 3 (the Network layer) and provides connectionless, best-effort, one-way datagram delivery.

1. The history of IP #

1.1 The limits of the ARPANET era #

ARPANET, which appeared in 1969, originally ran on a proprietary protocol called NCP (Network Control Program). NCP assumed communication within a single homogeneous network and was never designed to interconnect different kinds of networks (say, a satellite network with a wired one). As research networks diversified through the 1970s, the need for a common protocol that could bridge heterogeneous networks became unavoidable.

1.2 The design of TCP/IP (1974) #

In 1974, Vint Cerf and Bob Kahn published "A Protocol for Packet Network Intercommunication" and introduced the prototype of TCP (RFC 675). Their original design lumped both addressing and reliable delivery into TCP, but the design was later split: addressing and routing were moved into IP, while reliability stayed in TCP. This two-layer separation became the foundation that TCP/IP is still built on today.

1.3 IPv4 standardization (RFC 791, 1981) #

IPv4 was formally standardized in RFC 791 in 1981. With its 32-bit addresses (about 4.3 billion combinations) it was, for the era, treated as effectively infinite. On January 1, 1983, ARPANET performed a "flag day" cutover from NCP to TCP/IP — locking in the foundation of the modern Internet.

1.4 Address exhaustion and the arrival of IPv6 #

In the 1990s the explosion of the commercial Internet turned IPv4 address exhaustion into a real problem. As short-term mitigations, CIDR (RFC 1519, 1993) introduced more efficient allocation, and NAT (RFC 1631, 1994) allowed many hosts to share a single public address via private IP. As a long-term fix, IPv6 (RFC 2460) was standardized in 1998; the current standard is RFC 8200 (2017). Its 128-bit addresses (2^128 ≈ 3.4×10^38) provide an effectively inexhaustible space and a simplified header.

1.5 The reality of address exhaustion #

IANA's central pool of IPv4 addresses ran out in 2011. Each Regional Internet Registry (RIR) ran out shortly after, and we've since been getting by on resale and redistribution of already-allocated addresses. IPv6 migration is the only long-term answer: as of 2026, Google's statistics show roughly 45% of clients worldwide reaching them over IPv6.

2. The role of IP and its OSI position #

+----------------------+
| Application layer    | HTTP / SSH / DNS / SMTP ...
+----------------------+
| Transport layer      | TCP / UDP / QUIC
+----------------------+
| Network layer        | ★ IP (this article) / ICMP
+----------------------+
| Data Link layer      | Ethernet / Wi-Fi / PPP
+----------------------+
| Physical layer       | copper / fiber / radio
+----------------------+

Three properties characterize IP:

  • Connectionless: packets are sent without prior session establishment, and each is handled independently.
  • Best-effort: there are no guarantees of delivery, ordering, or non-duplication. Those are TCP's job (UDP guarantees nothing either).
  • Routing: routers along the path choose the best next hop based on the destination IP.

IP is essentially "write the address on an envelope and let each post office relay it onward." There's no guarantee it arrives, but it's simple, easy to extend, and works at planetary scale.

3. IPv4 #

3.1 Address structure #

An IPv4 address is 32 bits (4 octets = 4 bytes). By convention it's written in dotted-decimal.

IPv4 address: 32 bits = 8 bits × 4 octets Example: 192.168.1.10 expanded to its bit pattern 192 octet 1 (8 bits) . 168 octet 2 (8 bits) . 1 octet 3 (8 bits) . 10 octet 4 (8 bits) Binary representation (raw 32 bits) 11000000 = 192 10101000 = 168 00000001 = 1 00001010 = 10 Theoretical address count: 2^32 ≈ 4.29 billion (real-world space is smaller after Class A/B/reserved ranges) Range: each octet runs 0–255 → 0.0.0.0 through 255.255.255.255 The dotted notation is for humans; the CPU treats it as a single 32-bit integer

3.2 Address types and Private IP (RFC 1918) #

In practice, IPv4 has several reserved ranges set aside for specific uses.

Range Purpose Example
0.0.0.0/8 Reserved for "this host / this network" 0.0.0.0
10.0.0.0/8 Private IP (RFC 1918) Large enterprise LAN
127.0.0.0/8 Loopback 127.0.0.1
169.254.0.0/16 Link-local (auto-assigned when DHCP fails) APIPA
172.16.0.0/12 Private IP (RFC 1918) Mid-size enterprise LAN
192.168.0.0/16 Private IP (RFC 1918) Home / SOHO
224.0.0.0/4 Multicast RIP / OSPF / mDNS
255.255.255.255 Limited broadcast DHCP DISCOVER

Private IP addresses are the ranges defined by RFC 1918 that are "never used on the Internet"; they're handed out freely inside corporate LANs and home routers. When traffic leaves for the Internet, NAT rewrites the private IP to the router's public IP.

3.3 Subnet masks and CIDR #

An IPv4 address is split into a "network part" + "host part", with the subnet mask marking the boundary.

192.168.1.10 / 24
  ↓
Network part = 192.168.1.0/24  (top 24 bits)
Host part    = .10             (bottom 8 bits, max 254 hosts)

The /24 notation is CIDR (Classless Inter-Domain Routing, RFC 1519). Originally, IP addresses were handed out in fixed Class A (8 bits), B (16 bits), and C (24 bits) blocks. CIDR (1993) replaced that with arbitrary bit lengths, which dramatically improved address utilization.

Common CIDR notations and host counts:

CIDR Subnet mask Usable hosts Use case
/8 255.0.0.0 16.7 M Very large network
/16 255.255.0.0 65,534 Mid-size
/24 255.255.255.0 254 Typical LAN
/28 255.255.255.240 14 Small
/30 255.255.255.252 2 Router-to-router P2P
/32 255.255.255.255 1 Single host

3.4 IPv4 header structure #

An IPv4 packet consists of a fixed 20-byte header (up to 60 bytes if Options are present) plus data.

IPv4 Header — 20 bytes standard (RFC 791) Five rows × 32 bits, 4 bytes per row. With Options, up to 60 bytes bit 0 8 16 24 31 Version 4 bits IHL 4 bits ToS / DSCP+ECN 8 bits Total Length 16 bits (full packet length) row 1 Identification 16 bits (fragment ID) Flags 3 Fragment Offset 13 bits row 2 TTL 8 bits (hop limit) Protocol 8 bits (1=ICMP 6=TCP 17=UDP) Header Checksum 16 bits row 3 Source IP Address 32 bits (sender IP) row 4 Destination IP Address 32 bits (target IP) row 5 Options (optional, only if present) Up to 40 bytes — Record Route, Strict Source Route, etc. row 6+ Payload TCP / UDP / ICMP segments etc., variable length variable Total Length − IHL × 4 = payload length (max 65,515 B) How to read the major fields • Version = 4 (or 6 for IPv6) • IHL (Internet Header Length) = number of 32-bit words in the header → ×4 gives bytes (usually 5 = 20 bytes) • Total Length = total bytes of header + payload (max 65,535) • TTL = decremented by 1 at each forwarding router → on 0, packet is dropped and an ICMP Time Exceeded is returned (this is what traceroute exploits) • Protocol = upper-layer protocol number (1: ICMP / 6: TCP / 17: UDP / 41: IPv6 / 47: GRE / 50: ESP) • Flags = DF (Don't Fragment) / MF (More Fragments). With DF=1, oversize packets cause an ICMP Fragmentation Needed • Header Checksum = error detection over the header only (TCP/UDP cover the payload with their own checksum) Total: 20 bytes = 160 bits, laid out as five 4-byte (32-bit) "cards" stacked in rows

3.5 Fragmentation and TTL #

The length of an IP packet is bounded by the MTU (Maximum Transmission Unit, 1500 bytes on Ethernet) of the path it travels. Anything larger has to be fragmented (split) by the sender or by an intermediate router and reassembled at the destination. In modern practice, however:

  • Path MTU Discovery (PMTUD) lets the sender learn the smallest MTU on the path up front so it can split packets at source.
  • Fragmentation is easy to abuse for attacks, so the dominant approach is now: set the Don't Fragment (DF) flag, and on a too-large packet receive an ICMP "Fragmentation Needed" and resend smaller.

TTL (Time To Live) is decremented by 1 at every router that forwards the packet. Whichever router takes it to 0 drops the packet and returns an ICMP Time Exceeded to the source (exactly what traceroute uses). It's a safety belt against routing loops running away forever.

3.6 NAT (Network Address Translation) #

Private IPs in homes and offices (192.168.x.x and friends) can't go straight to the Internet. As packets pass outward, the router rewrites the source IP/port to "its public IP + a dynamic port" — that's NAT (RFC 1631). Replies are reverse-translated and routed back to the original inside host.

NAT lets one public IP serve hundreds of devices and turned out to be the decisive band-aid that kept IPv4 alive far past its theoretical limits. The downsides: it breaks peer-to-peer connectivity (workarounds: STUN/TURN/ICE) and violates the end-to-end principle.

4. IPv6 #

4.1 Address structure (128 bits) #

A 128-bit (16-byte) address, written as eight groups of four hex digits separated by colons.

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Compression rules:

  • Leading zeros in a group can be dropped: 2001:db8:85a3:0:0:8a2e:370:7334
  • A run of all-zero groups can be replaced once with :: : 2001:db8:85a3::8a2e:370:7334

The total address space is 2^128 ≈ 3.4×10^38 — enough to assign an IP to every grain of sand on Earth and have plenty left.

Major address types:

  • Global Unicast (2000::/3): globally unique addresses on the Internet
  • Link-Local (fe80::/10): valid only within the same link, auto-assigned via SLAAC etc.
  • Unique Local (fc00::/7): the IPv6 equivalent of IPv4 private IPs (RFC 4193)
  • Multicast (ff00::/8): for multiple receivers
  • Loopback (::1): equivalent to IPv4's 127.0.0.1

4.2 IPv6 header structure #

The IPv6 header is dramatically simplified versus IPv4 and is fixed at 40 bytes. Variable-length fields and the checksum are gone, which speeds up router processing.

Field Size Role
Version 4 bits 6
Traffic Class 8 bits QoS (DSCP / ECN)
Flow Label 20 bits identifies a single flow
Payload Length 16 bits length of the payload
Next Header 8 bits type of the next header (upper protocol or extension header)
Hop Limit 8 bits the IPv6 equivalent of IPv4's TTL
Source Address 128 bits sender
Destination Address 128 bits recipient

What disappeared from IPv4:

  • Header Checksum — redundant since Ethernet and TCP/UDP already do error detection
  • Identification / Flags / Fragment Offset — fragmentation by intermediate routers is forbidden; PMTUD makes it the sender's responsibility
  • Options — when extension is needed, separate "extension headers" are chained via Next Header

4.3 SLAAC and address auto-configuration #

IPv6 has a built-in mechanism to auto-configure addresses without DHCP — Stateless Address Autoconfiguration (SLAAC).

  1. On joining a link, the host sends a Router Solicitation (RS).
  2. The router replies with a Router Advertisement (RA): "the prefix on this link is 2001:db8:abcd::/64".
  3. The host builds a 128-bit address by combining the prefix with an Interface ID derived from its MAC (EUI-64) or a random value (Privacy Extensions).

These are all implemented over ICMPv6 — which is why IPv6 is conceptually "IP + ICMPv6" as a unit.

4.4 Coexistence with IPv4 #

A complete IPv6 migration is still in progress; for the foreseeable future, both run side by side.

  • Dual-Stack: hosts and routers run both IPv4 and IPv6 and pick the right one per destination. This is the dominant approach.
  • NAT64 / DNS64: lets IPv6-only hosts reach IPv4-only servers — a router translates IPv6→IPv4 and DNS wraps IPv4 addresses into IPv6 form like 64:ff9b::xxxx.
  • 6to4 / Teredo: older mechanisms that tunneled IPv6 traffic through IPv4 networks. Now deprecated.

5. Routing #

5.1 Routing tables #

Every host and router has a routing table that says, "packets for this destination range go out this interface." The longest-prefix match picks the entry that fits the destination IP most specifically.

$ ip route
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.0.0.0/8 via 192.168.1.254 dev eth0

default (= 0.0.0.0/0) is the default gateway — "anything that doesn't match anything else."

5.2 Major routing protocols #

Protocol Style Scope
RIP (Routing Information Protocol) Classic, hop-count based path selection Small in-house (mostly retired)
OSPF (Open Shortest Path First) Link-state, Dijkstra shortest path Mid-to-large enterprise (IGP)
IS-IS Link-state like OSPF ISP / carrier networks
BGP (Border Gateway Protocol) Path-vector, the only standard for inter-AS The whole Internet (EGP)

The Internet itself runs on BGP. Every AS (Autonomous System — an ISP, a large company) exchanges routes via BGP, building a global routing table that today contains over a million prefixes.

6. Major commands and usage #

6.1 ip — modern Linux network configuration #

The replacement for ifconfig. Part of the iproute2 package.

# Interfaces and addresses
ip addr show
ip -br addr             # brief view
ip addr add 192.168.1.50/24 dev eth0
ip addr del 192.168.1.50/24 dev eth0

# Bring a link (NIC) up / down
ip link set eth0 up
ip link set eth0 down

# Routing table
ip route show
ip route add 10.0.0.0/8 via 192.168.1.254
ip route del 10.0.0.0/8

# ARP / NDP table
ip neigh show

# Statistics
ip -s link show eth0

6.2 ping / traceroute / mtr #

ICMP-based reachability and path testing (see the ICMP article for details).

ping -c 4 example.com
traceroute example.com
mtr example.com

6.3 netstat / ss — socket listings #

ss is the fast, modern replacement for netstat.

ss -tunlp        # TCP/UDP listening ports + processes
ss -tan          # all TCP connections
ss -an state established  # only established connections

6.4 nmap — IP scanning #

# Host discovery
nmap -sn 192.168.1.0/24

# TCP SYN scan
nmap -sS -p 1-1000 192.168.1.50

# OS fingerprinting
nmap -O 192.168.1.50

# IPv6
nmap -6 2001:db8::1

6.5 tcpdump — packet capture #

# Watch IP packets on eth0
sudo tcpdump -i eth0 -nn ip

# Traffic to/from a specific host
sudo tcpdump -i eth0 host 192.168.1.50

# Narrow to a port
sudo tcpdump -i eth0 'tcp port 80'

# IPv6
sudo tcpdump -i eth0 ip6

6.6 whois — registration info for an IP #

whois 8.8.8.8        # → Google LLC
whois 93.184.216.34  # → Edgecast / Verizon

7. Security — major attacks and defenses #

7.1 IP Spoofing #

Forging the source IP to hide the attacker or to abuse a trust relationship.

  • DDoS amplification: spoof the victim's IP as the source, query reflectors like DNS / NTP / Memcached, and the flood of replies hammers the victim.
  • TCP sequence number attacks: abused the host-based trust of the old rlogin / rsh (rarely seen now).

Defense: have ISPs implement source address validation as in BCP 38 (RFC 2827) — packets leaving an AS should only carry a source address that legitimately belongs to that AS.

7.2 DDoS #

Saturating a service with a flood of IP packets. Major flavors:

  • Volumetric: fill the pipe (UDP flood, ICMP flood, amplification)
  • Protocol: exhaust TCP/UDP state (SYN flood, ACK flood)
  • Application: overwhelm the app with HTTP requests

Defense: scrubbing at upstream ISPs / DDoS protection from Cloudflare, Akamai, and similar / Anycast for load distribution.

7.3 IPsec — encryption at the IP layer #

IPsec (RFC 4301-4309) authenticates and encrypts IP packets themselves. It's the de facto standard for VPNs.

  • AH (Authentication Header): authentication only
  • ESP (Encapsulating Security Payload): encryption + authentication
  • IKE (Internet Key Exchange): key exchange

It comes in transport mode (encrypts only the payload) and tunnel mode (encrypts the whole packet and wraps it in a new IP header).

7.4 IP-based access control #

A firewall or server that "only accepts traffic from a specific IP / subnet." For most homes this — iptables / nftables / Windows Defender Firewall — is the first effective security layer.

# iptables example — 22/tcp only from corp LAN
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

IP is humble and used by everyone without thinking. But without understanding "which packet takes which path and how it gets there," you'll get stuck at the root cause of any nontrivial network issue and at the foundation of any security design. As the substrate of the entire Internet, holding the IPv4 header and the v6 transition (§3–§4), the routing-protocol distinctions (§5), and the spoofing / DDoS / IPsec security layer (§7) together as one continuous picture changes how clearly you can read network problems.