Introduction to the Internet Protocol
The IP layer in TCP/IP determines where packets of data are to be routed based on their destination IP addresses. IP uses packets to carry information through the network. A packet is a self-contained, independent entity that contains data and sufficient information to be routed from the source to the destination without reliance on previous packets.
IP has these characteristics:
- IP operates at Layer 3 of the OSI model (network layer), and Layer 2 of the TCP/IP stack (Internet layer).
- IP is a connectionless protocol in which a one-way datagram is sent to the destination without advance notification to the destination device. The destination device receives the data and does not return any status information to the sending device.
- IP uses hierarchical addressing in which the network ID resembles a street and the host ID resembles a house or office building on that street.
- IP provides service on a best-effort basis and does not guarantee packet delivery. A packet can be misdirected, duplicated, or lost on the way to its destination.
IP does not provide any special features that recover corrupted packets. If these services are required, they must be provided by higher layers in the protocol stack.
Attackers may manipulate the fields in the IP header to carry out their attacks, so it is important for an analyst to understand the different fields of the IP header. The IPv4 header fields are:
- Version: A 4-bit field that identifies the IP version being used. The version is 4, referred to as IPv4.
- IP Header length: A 4-bit field containing the length of the IP header. The minimum length of an IP header is 20 bytes.
- Type of service: The 8-bit ToS field traditionally uses 3 bits for IP Precedence. The newer redefinition of the ToS field uses a 6-bit DSCP field and a 2-bit ECN field to identify the level of service a packet receives in the network.
- Total length: Specifies the length of the IP packet that includes the IP header and the user data. The length field is 2 bytes, so the maximum size of an IP packet is 65,535 bytes.
- Identifier, flags, and fragment offset: As an IP packet moves through the Internet, it might need to cross a route that cannot handle the size of the packet. The packet will be divided, or fragmented, into smaller packets and reassembled later. These fields are used to fragment and reassemble packets.
- Time to live: It is possible for an IP packet to roam aimlessly around the Internet. If there is a routing problem or a routing loop, then you don’t want packets to be forwarded forever. A routing loop is when a packet is continually routed through the same routers over and over. The TTL field is initially set to a number and decremented by every router that is passed through. When TTL reaches 0, the packet is discarded.
- Protocol: In the layered protocol model, the Protocol field indicates the layer that determines which application the data is from or which application the data is for. This field does not identify the application itself; it identifies the protocol that sits above the IP layer, and that protocol is used for application identification. For example, protocol number 1 = ICMP, 6 = TCP, 17 = UDP.
- Header checksum: A value that is calculated based on the contents of the IP header. Used to determine if any errors have been introduced during transmission.
- Source IP address: 32-bit IP address of the sender.
- Destination IP address: 32-bit IP address of the intended recipient.
- Options and padding: A field that varies in length from 0 to a multiple of 32 bits. If the option values are not a multiple of 32 bits, 0s are added or padded to ensure that this field contains a multiple of 32 bits.