IP Addresses Explained — IPv4 / IPv6 / Subnets / Routing

⏱ approx. 22 min LOG_DATE:2026-05-09

An IP address is the number that identifies a host on a network — the "street address" used to carry packets to their destination. The 192.168.1.1 printed on the back of your home router and the globally-routed 8.8.8.8 are at heart the same thing: a 32-bit integer. This article walks through reading an IPv4 address → subnets / CIDR → NAT → routing → IPv6 → practical commands → security, covering only what you actually need when you operate a network.

01

What IP actually does #

IP (Internet Protocol) lives at OSI layer 3 (the Network layer), sitting between TCP / UDP above and Ethernet / Wi-Fi below. Its job is simple: look at the destination address, hand the packet to the next router, and eventually deliver it.

There are only three properties worth memorising:

  • Connectionless — no session setup; just throw the packet. Each packet is independent.
  • Best-effort — no guarantee of delivery, ordering, or de-duplication. Retransmission and ordering belong to TCP.
  • Per-hop routing — every router consults its own table to decide the next exit.

In other words, IP is "writing an address on an envelope and having each post office relay it forward". There is no guarantee it arrives, but the simplicity is exactly why it scales to the entire planet.

▸ Why IPv4 and IPv6 run side by side

IPv4 (specified in 1981) provides 32 bits ≈ 4.3 billion addresses — at the time considered effectively infinite. IANA's central pool ran out in 2011, and ever since two things have run in parallel: NAT stretching IPv4 further, and the long migration to IPv6 with its 128-bit (2^128 ≈ 3.4×10^38) address space. As of 2026, around 45 % of global clients connect over IPv6, but IPv4 is far from gone — the realistic stance for years to come is to understand both and use whichever the situation calls for.

02

Reading an IPv4 address #

An IPv4 address is 32 bits split into four 8-bit octets, written in decimal with dots. 192.168.1.10 is, underneath, just a 32-bit integer.

192.168.1.10 viewed in binary

    decimal   binary     meaning
    192       11000000   ← first octet
    168       10101000   ← second
    1         00000001   ← third
    10        00001010   ← fourth
    # each octet runs 0–255 → the full range is 0.0.0.0 to 255.255.255.255

In practice, certain IPv4 ranges are reserved for specific purposes. Being able to glance at an address and immediately classify it as "home network? loopback? public Internet?" speeds things up enormously.

Range | Purpose | How to remember it
10.0.0.0/8 | Private IP (RFC 1918) | Common in large-enterprise LANs
172.16.0.0/12 | Private IP (RFC 1918) | Mid-size networks; Docker's default
192.168.0.0/16 | Private IP (RFC 1918) | Standard for home and SOHO
127.0.0.0/8 | Loopback (yourself) | 127.0.0.1 = localhost
169.254.0.0/16 | Link-local (APIPA) | What a host assigns itself when DHCP fails
224.0.0.0/4 | Multicast | mDNS / RIP / OSPF
0.0.0.0 | "Unspecified" or "any" | Common as a bind address
255.255.255.255 | Limited broadcast | DHCP DISCOVER

▸ Private IPs can't go out to the Internet

The three ranges reserved by RFC 1918 are by convention never routed on the public Internet. They are used only inside corporate LANs or behind home routers, and the router rewrites them to a public IP with NAT on the way out (→ §04). If ifconfig or ip addr shows a 192.168.x.x, you can be sure you are sitting behind NAT.

03

Subnets and CIDR #

Every IP address splits into a "network portion + host portion". The boundary is written in bits using CIDR notation like /24. For 192.168.1.10/24, the top 24 bits (192.168.1.0) are the network and the bottom 8 bits (.10) are the host.

Once the network is fixed, the number of usable hosts inside it is 2^(32 - prefix) - 2 (the -2 accounts for the network address and the broadcast address).

CIDR | Subnet mask | Hosts | Typical use
/8 | 255.0.0.0 | ~16.77 M | Large scale (the whole 10.0.0.0/8)
/16 | 255.255.0.0 | 65,534 | Campus network
/24 | 255.255.255.0 | 254 | Standard LAN / single segment
/28 | 255.255.255.240 | 14 | Small subnets (DMZ etc.)
/30 | 255.255.255.252 | 2 | Point-to-point links between routers
/32 | 255.255.255.255 | 1 | Single host (common in ACLs)

▸ Telling "inside the subnet" from "outside"

Before sending a packet, every host asks itself: "is the destination IP in my subnet?" If yes, it resolves the MAC with ARP and delivers directly. If no, it sends the packet to the default gateway. This is the very first branch in routing (→ §05). When two hosts on the same segment can't talk, the first thing to suspect is a mismatched subnet mask.
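An added example (not from the original article) of the on-link test described above, using Python's standard ipaddress module. It also computes the usable host count, treating /31 and /32 as special cases where the -2 rule does not apply; the function names and the mismatched-mask host pair are constructed for illustration.

```python
import ipaddress

def subnet_summary(cidr):
    """Network, broadcast and usable host count for e.g. '192.168.1.70/26'."""
    net = ipaddress.ip_interface(cidr).network
    if net.prefixlen >= 31:
        # /31 (point-to-point, RFC 3021) and /32 (single host) reserve no
        # network/broadcast address, so the "-2" rule does not apply.
        usable = net.num_addresses
    else:
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }

def next_hop_decision(local_cidr, dest_ip, gateway):
    """First routing branch on a host: deliver on-link via ARP, or hand to the gateway."""
    local = ipaddress.ip_interface(local_cidr)
    if ipaddress.ip_address(dest_ip) in local.network:
        return ("direct-arp", dest_ip)
    return ("via-gateway", gateway)

def mask_mismatch(cidr_a, cidr_b):
    """True when two hosts disagree on whether the other one is on-link."""
    a, b = ipaddress.ip_interface(cidr_a), ipaddress.ip_interface(cidr_b)
    return (b.ip in a.network) != (a.ip in b.network)

if __name__ == "__main__":
    print(subnet_summary("192.168.1.70/26"))
    # Constructed pair: same wire, but B was configured with /25 instead of /24.
    a, b, gw = "192.168.1.10/24", "192.168.1.200/25", "192.168.1.1"
    print("A -> B:", next_hop_decision(a, "192.168.1.200", gw))
    print("B -> A:", next_hop_decision(b, "192.168.1.10", gw))
    print("mismatch:", mask_mismatch(a, b))
```

In the constructed pair, A tries ARP for B while B sends its replies to the gateway, which is the asymmetric behaviour a mismatched mask produces.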

CIDR was introduced in 1993 in RFC 1519, replacing the older fixed split of class A (8 bit) / B (16 bit) / C (24 bit). Being able to slice the address space at any bit boundary slashed address-space waste in one stroke.

04

NAT — how private IPs reach the outside world #

Inside your home, every phone and laptop carries a 192.168.x.x address, but out to the Internet they all share a single public IP — the one on your router. As packets traverse the router, it rewrites "source IP + port" to its own public IP + a dynamic port — that's NAT (Network Address Translation, RFC 1631). The reverse translation on the response side gets the reply back to the right inside host.

NAT in action (PC making HTTPS to example.com)

    # inside → router
    src=192.168.1.10:54321  dst=93.184.216.34:443
    # router records the mapping in its NAT table and rewrites
    src=203.0.113.7:60123   dst=93.184.216.34:443
    # response comes back the other way
    src=93.184.216.34:443   dst=203.0.113.7:60123
      → NAT table lookup →
    src=93.184.216.34:443   dst=192.168.1.10:54321

▸ NAT is useful but the side effects are real

Being able to share one public IP among hundreds of devices is the single biggest reason IPv4 has lasted this long. The flip side is that "the outside cannot directly reach an inside host," which gets in the way of peer-to-peer traffic. Workarounds include STUN / TURN / ICE (the backbone of video calls and P2P file sharing) and static port forwarding for server use cases. IPv6, in contrast, has enough address space that NAT was deliberately left out of the design.
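The translation table behind the trace above, as an added Python model that is not part of the original article. The class name Napt and its methods are hypothetical, the starting port is chosen to match the trace, and the model is simplified: it does not track the remote endpoint or expire entries.

```python
import itertools

class Napt:
    """Minimal port-translating NAT: one public IP plus a two-way mapping table."""

    def __init__(self, public_ip, first_port=60123):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, src, dst):
        """Rewrite an inside -> outside packet, creating the mapping on first use."""
        if src not in self.out_map:
            port = next(self._ports)
            self.out_map[src] = port
            self.in_map[port] = src
        return (self.public_ip, self.out_map[src]), dst

    def inbound(self, src, dst):
        """Rewrite a packet arriving from outside.

        Returns (src, inside_endpoint), or None when no mapping exists,
        which is why an outside host cannot open a connection to an inside one.
        """
        ip, port = dst
        if ip != self.public_ip or port not in self.in_map:
            return None
        return src, self.in_map[port]

if __name__ == "__main__":
    nat = Napt("203.0.113.7")
    pc, server = ("192.168.1.10", 54321), ("93.184.216.34", 443)
    print("out:", nat.outbound(pc, server))
    print("reply:", nat.inbound(server, ("203.0.113.7", 60123)))
    # Constructed unsolicited packet to a port nobody mapped.
    print("unsolicited:", nat.inbound(("198.51.100.9", 4444), ("203.0.113.7", 60999)))
```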

05

Routing — how a packet finds its destination #

Every host and router carries a routing table that answers "for this destination range, send out this interface to this gateway" — one hop at a time. When multiple entries match the same destination, the longest-prefix match (the more specific network) wins.

A Linux routing table

    $ ip route
    default via 192.168.1.1 dev eth0
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
    10.0.0.0/8 via 192.168.1.254 dev eth0
    # Example: dest 10.5.3.1 → matches 10.0.0.0/8 → forwarded via 192.168.1.254
    # Example: dest 8.8.8.8 → no specific match → falls through to default (= 192.168.1.1)

default (= 0.0.0.0/0) is the "send anything that didn't match here" default gateway. On a home network this chains PC → router → ISP → ... ever upward, each layer's default gateway pointing one step closer to the Internet core.
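Longest-prefix match over the routing table shown above, as an added Python example that is not part of the original article. The function name lookup and the extra 10.5.0.0/16 route in the demo are assumptions for illustration.

```python
import ipaddress

# The routes from the `ip route` output above: (prefix, gateway, device).
# A gateway of None means the network is directly connected.
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1",   "eth0"),   # shown as "default"
    ("192.168.1.0/24", None,            "eth0"),
    ("10.0.0.0/8",     "192.168.1.254", "eth0"),
]

def lookup(dest, routes=ROUTES):
    """Return the matching route with the longest prefix, or None if none match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        return None   # no default route either: destination unreachable
    net, gateway, dev = best
    # On a connected network the next hop is the destination itself.
    return {"prefix": str(net), "next_hop": gateway or dest, "dev": dev}

if __name__ == "__main__":
    for dest in ("10.5.3.1", "8.8.8.8", "192.168.1.77"):
        print(dest, "->", lookup(dest))
    # Hypothetical more specific route: it overrides 10.0.0.0/8 for 10.5.x.x only.
    extra = ROUTES + [("10.5.0.0/16", "192.168.1.253", "eth0")]
    print("10.5.3.1 ->", lookup("10.5.3.1", extra))
    print("10.9.9.9 ->", lookup("10.9.9.9", extra))
```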

▸ TTL and how traceroute works

TTL (Hop Limit in IPv6) in the IP header is decremented by 1 at every router that forwards the packet — it's the safety belt that prevents routing loops from running away. A router that decrements TTL to 0 drops the packet and returns an ICMP Time Exceeded to the original source. traceroute abuses this cleverly: it sends packets with TTL 1, 2, 3... in turn, collects the source IPs of the resulting Time Exceeded messages, and reconstructs the path — a brilliant inversion of an IP behaviour.

Where routing information comes from #

For a corporate LAN, a few ip route add commands or the Router option in DHCP is plenty. The Internet at large, however, is held together by routers exchanging route information with each other via routing protocols:

  • OSPF / IS-IS — intra-organisation (IGP). Link-state designs that compute Dijkstra shortest paths.
  • BGP — inter-organisation (EGP). The world's AS (Autonomous System) entities advertise routes to each other, building today's global table of over a million routes. It is the protocol that holds the Internet together.

06

The IPv4 header fields worth knowing #

An IPv4 packet is a fixed 20-byte header + data. You don't need to memorise every field — the five below are the ones you actually meet in tcpdump and in troubleshooting.

Field | Role | Why you care
Source / Destination IP | sender / receiver | Reading direction and counterparty
TTL | decremented per hop, dropped at 0 | traceroute, loop prevention, OS fingerprinting (initial 64 for Linux / 128 for Windows)
Protocol | 1=ICMP / 6=TCP / 17=UDP / 47=GRE / 50=ESP | tcpdump proto filters, FW rule keys
Total Length | header + payload combined (up to 65,535) | Fragmentation, MTU-exceeded detection
DF / MF / Fragment Offset | fragmentation control | PMTUD sets DF=1; when too big, ICMP "Fragmentation Needed" tells the sender to shrink

▸ MTU and fragmentation

The largest IP packet a link can carry is its MTU (1500 bytes on Ethernet). Anything bigger has to be split, but the modern design avoids in-path fragmentation: the sender learns the smallest MTU along the path with Path MTU Discovery (PMTUD) and never exceeds it. A common symptom of broken PMTUD is "over the VPN web pages open, but large file transfers stall" — almost always because ICMP is being filtered and the PMTUD signal can't get back to the sender.
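The fields from the table above, decoded from a raw header. This is an added Python example, not code from the original article; the sample bytes are constructed (checksum left at zero and not verified), and the TTL guess is only the 64 / 128 heuristic from the table.

```python
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Constructed sample: 192.168.1.10 -> 93.184.216.34, TCP, TTL 64, DF set,
# total length 60. The checksum field is zero and is not checked here.
SAMPLE = bytes.fromhex("4500003c1c46400040060000c0a8010a5db8d822")

def parse_ipv4_header(raw):
    """Decode the troubleshooting-relevant fields of an IPv4 header."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(raw) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "header_len": header_len,          # IHL is counted in 32-bit words
        "total_length": total_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # counted in 8-byte units
    }

def guess_initial_ttl(observed):
    """Heuristic from the table: nearest initial TTL at or above the observed one.

    Returns (initial_ttl, os_hint, hops_travelled), or None if above 128.
    """
    for initial, hint in ((64, "Linux"), (128, "Windows")):
        if observed <= initial:
            return initial, hint, initial - observed
    return None

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
    print(guess_initial_ttl(52))    # a Linux-style TTL seen 12 hops away
```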

07

IPv6 — the bare minimum in the 128-bit era #

An IPv6 address is 128 bits = 16 bytes, written as eight 4-digit hex groups separated by colons, for example 2001:0db8:85a3:0000:0000:8a2e:0370:7334. Since that's long, there are two abbreviation rules:

  • Leading zeros in each group can be dropped — 2001:db8:85a3:0:0:8a2e:370:7334
  • A run of all-zero groups can be replaced with :: (only once) — 2001:db8:85a3::8a2e:370:7334

In practice you'll see four kinds:

Range | Purpose | IPv4 equivalent
2000::/3 | Global Unicast (publicly routable) | Global IPv4
fe80::/10 | Link-local (single link only) | Like 169.254.x.x, auto-assigned by SLAAC
fc00::/7 | Unique local (intra-org) | RFC 1918 private addresses
::1 | Loopback | 127.0.0.1

The header is simplified to a fixed 40 bytes, dropping IPv4's Header Checksum, Identification, and Options. In-flight fragmentation by intermediate routers is forbidden; error detection is left to Ethernet below and TCP/UDP above. Variable extensions are pushed out into a chain of "extension headers" linked via the Next Header field.

▸ SLAAC — addresses appear without DHCP

In IPv6, when a host joins a link it sends a Router Solicitation to an ICMPv6 multicast address, and the router replies with a Router Advertisement announcing "this link's prefix is 2001:db8:abcd::/64". The host combines that prefix with either an ID derived from its MAC or a random one, and produces its full 128-bit address by itself — that's SLAAC (Stateless Address Autoconfiguration). It plays the role of DHCP in IPv4, but the network side keeps no state.

In real-world deployments, Dual-Stack (where every host and router carries both IPv4 and IPv6 and picks based on destination) is by far the most common posture. For an IPv6-only client that needs to talk to an IPv4-only server, the bridge is NAT64 / DNS64.

08

Practical commands #

The seven commands you'll reach for first in any network investigation. On Linux, iproute2's ip is the modern replacement for ifconfig.

ip — addresses / links / routes

    $ ip -br addr                                  # compact one-line view per interface
    $ ip addr add 192.168.1.50/24 dev eth0         # assign an address to eth0
    $ ip link set eth0 up                          # bring the interface up
    $ ip route                                     # routing table
    $ ip route add 10.0.0.0/8 via 192.168.1.254    # add a static route
    $ ip neigh                                     # ARP / NDP table

ping / traceroute / mtr — reachability and path

    $ ping -c 4 example.com      # ICMP reachability + RTT
    $ traceroute example.com     # list every hop's IP
    $ mtr example.com            # traceroute + continuous ping

ss — open ports and active connections (the netstat replacement)

    $ ss -tunlp                  # listening ports + owning processes
    $ ss -an state established   # only established connections

nmap — sweep a subnet and discover hosts

    $ nmap -sn 192.168.1.0/24            # ping sweep (host discovery only)
    $ nmap -sS -p 1-1000 192.168.1.50    # TCP SYN scan of ports 1-1000 on one host
    $ nmap -6 2001:db8::1                # IPv6 target

tcpdump / whois — packet capture and registration info

    $ sudo tcpdump -i eth0 host 192.168.1.50    # traffic to or from one host
    $ sudo tcpdump -i eth0 'tcp port 80'        # only TCP port 80
    $ whois 8.8.8.8                             # registered owner → Google LLC

On Windows the equivalents are ipconfig / route print / tracert / netstat -ano / Test-NetConnection (PowerShell).

09

Security around IP #

IP is a thin layer that just carries "addresses"; it has no built-in authentication or encryption. That has made the IP layer a permanent target for attacks, defended by higher-level protocols and by mitigations along the path.

IP Spoofing — forging the source #

UDP does not establish a connection, so the source IP can be trivially forged. The canonical abuse is amplification DDoS: the attacker forges the victim's IP as the source and queries servers that "return a large response to a small query" — DNS, NTP, memcached — so the giant responses pile into the victim. The fundamental defence belongs to ISPs: implement BCP 38 (RFC 2827, source address validation) to enforce that packets leaving an AS carry source IPs from within that AS's allocated range.
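What a BCP 38 egress check decides, as an added Python example that is not from the original article. The allocated prefixes and flow records are constructed from documentation ranges, and the function names are assumptions.

```python
import ipaddress

# Constructed example: prefixes allocated to the local AS (documentation ranges).
ALLOCATED = [ipaddress.ip_network(p)
             for p in ("203.0.113.0/24", "2001:db8:abcd::/48")]

# Constructed flow records seen on the AS's outbound edge: (src, dst, proto, dport).
FLOWS = [
    ("203.0.113.7",       "93.184.216.34", "tcp", 443),  # normal NATed client
    ("198.51.100.9",      "192.0.2.53",    "udp", 53),   # source outside our space
    ("192.168.1.10",      "192.0.2.53",    "udp", 123),  # RFC 1918 leak, never NATed
    ("2001:db8:abcd::10", "2001:db8:1::5", "udp", 53),   # our own IPv6 prefix
]

def egress_verdict(src, allocated=ALLOCATED):
    """BCP 38 rule for a packet leaving the AS: forward only our own sources."""
    addr = ipaddress.ip_address(src)
    for net in allocated:
        if addr.version == net.version and addr in net:
            return "forward"
    return "drop"

def audit(flows, allocated=ALLOCATED):
    """Return the flows an egress filter would drop, for review or alerting."""
    return [f for f in flows if egress_verdict(f[0], allocated) == "drop"]

if __name__ == "__main__":
    for flow in audit(FLOWS):
        print("would drop:", flow)
```

Any hit from audit on a real edge means either a misconfigured host (the RFC 1918 leak) or forged sources leaving the network, and both are worth an alert.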

DDoS — saturating bandwidth, state, or application #

Flooding a service with traffic comes in layers, from the IP layer up to the application:

  • Volumetric — fill the pipe (UDP flood / ICMP flood / amplification)
  • Protocol — exhaust TCP / UDP state (SYN flood)
  • Application — overwhelm the app with HTTP requests (Slowloris and friends)

No single appliance solves DDoS. The practical approach combines upstream-ISP scrubbing, DDoS protection from Cloudflare / Akamai and friends, and Anycast for geographically distributing the absorption capacity.

IP-based access control — firewalls #

"Allow only specific IPs or subnets" is still a meaningful first layer of defense. Both home routers and corporate firewalls implement essentially the same filtering: combinations of source, destination, and port.

iptables — restrict SSH to the internal LAN

    # iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
    # iptables -A INPUT -p tcp --dport 22 -j DROP
    # 22/tcp only from inside; drop everything else

IPsec — encryption at the IP layer #

IPsec (RFC 4301-) encrypts and authenticates IP packets themselves and is the de facto standard for VPNs. Transport mode encrypts only the payload; tunnel mode wraps the whole original packet inside a new IP header. In practice it's built out of three pieces:

  • ESP — encryption + authentication (this is the one that's actually used)
  • AH — authentication only (effectively deprecated today)
  • IKE — key exchange (IKEv2 is the modern choice)

▸ IP is unglamorous, but it is the bedrock

Without a feel for "which packet takes which path and how it arrives," neither network troubleshooting nor security design works at the fundamental level. Holding addresses and subnets (§02-03) / NAT (§04) / routing (§05) / TTL and fragmentation (§06) together as one connected picture lifts your resolution on everyday problems — pings that don't return, paths that take the long way around, traffic blocked at a firewall — by one full level.
