IP was designed as a Layer 3 connectionless protocol. It provides the necessary functions to deliver a packet from a source host to a destination host over an interconnected system of networks. The protocol was not designed to track and manage the flow of packets. These functions, if required, are performed primarily by TCP at Layer 4.
IP makes no effort to validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. In addition, threat actors can tamper with the other fields in the IP header to carry out their attacks. Therefore, it is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers.
The IPv4 Packet Header
The fields in the IPv4 packet header are shown in the figure.
The figure shows five rows of fields. Above the rows are four uniform sections labelled byte 1, byte 2, byte 3, and byte 4.
Down the side of the rows, there is a line with arrows at both ends running from top to bottom labelled 20 bytes. The top row has 4 major blocks. The first block is labelled version and its size is half of byte 1.
The next block is the internet header length, which takes the rest of byte 1. Byte 2 is taken up by differentiated services (DS), which is subdivided into DSCP and ECN. Bytes 3 and 4 have a block labelled total length. The second row has three sections: identification, which runs across bytes 1 and 2; a flag, which uses up three-quarters of byte 3; and fragment offset, which takes the rest.
Row 3 has 3 major sections: time to live, which takes up byte 1; protocol, which takes up byte 2; and header checksum, which takes bytes 3 and 4. Row 4 is labelled source IP address and runs across the 4 bytes. Row 5 is labelled destination IP address and runs across the 4 bytes.
IPv4 Packet Header
The table describes the IPv4 header fields.
| IPv4 Header Field | Description |
| --- | --- |
| Version | Contains a 4-bit binary value set to 0100 that identifies this as an IPv4 packet. |
| Internet Header Length | A 4-bit field containing the length of the IP header. The minimum length of an IP header is 20 bytes. |
| Differentiated Services or DiffServ (DS) | Formerly called the Type of Service (ToS) field, the DS field is an 8-bit field used to determine the priority of each packet. The six most significant bits of the DiffServ field are the Differentiated Services Code Point (DSCP). The last two bits are the Explicit Congestion Notification (ECN) bits. |
| Total Length | Specifies the length of the IP packet, including the IP header and the user data. The total length field is 2 bytes, so the maximum size of an IP packet is 65,535 bytes; however, packets are much smaller in practice. |
| Identification, Flag, and Fragment Offset | As an IP packet moves through the internet, it might need to cross a route that cannot handle the size of the packet. The packet will be divided, or fragmented, into smaller packets and reassembled later. These fields are used to fragment and reassemble packets. |
| Time-to-Live (TTL) | Contains an 8-bit binary value that is used to limit the lifetime of a packet. The packet sender sets the initial TTL value, and it is decreased by one each time the packet is processed by a router. If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address. |
| Protocol | Identifies the next-level protocol. This 8-bit binary value indicates the data payload type that the packet is carrying, which enables the network layer to pass the data to the appropriate upper-layer protocol. Common values include ICMP (1), TCP (6), and UDP (17). |
| Header Checksum | A value that is calculated based on the contents of the IP header. Used to determine if any errors have been introduced during transmission. |
| Source IPv4 Address | Contains a 32-bit binary value that represents the source IPv4 address of the packet. The source IPv4 address is always a unicast address. |
| Destination IPv4 Address | Contains a 32-bit binary value that represents the destination IPv4 address of the packet. |
| Options and Padding | This is a field that varies in length from 0 to a multiple of 32 bits. If the option values are not a multiple of 32 bits, 0s are added or padded to ensure that this field contains a multiple of 32 bits. |
The IPv6 Packet Header
There are eight fields in the IPv6 packet header, as shown in the figure.
The figure shows four rows of fields. Above the rows are four uniform sections labelled byte 1, byte 2, byte 3, and byte 4. Down the side of the rows, there is a line with arrows at both ends running from top to bottom labelled 40 bytes. The top row has 4 major blocks.
The first block is labelled version and its size is half of byte 1. The next block is the traffic class, which takes the rest of byte 1 and half of byte 2. The last block is labelled flow label and takes half of byte 2 and all of bytes 3 and 4.
The second row has three sections: payload length, which runs across bytes 1 and 2; next header, which uses byte 3; and hop limit, which uses byte 4. The third row is labelled source IP address and runs across the 4 bytes. The fourth row is labelled destination IP address and runs across the 4 bytes.
IPv6 Packet Header
The table describes the IPv6 header fields.
| IPv6 Header Field | Description |
| --- | --- |
| Version | This field contains a 4-bit binary value set to 0110 that identifies this as an IPv6 packet. |
| Traffic Class | This 8-bit field is equivalent to the IPv4 Differentiated Services (DS) field. |
| Flow Label | This 20-bit field suggests that all packets with the same flow label receive the same type of handling by routers. |
| Payload Length | This 16-bit field indicates the length of the data portion or payload of the IPv6 packet. |
| Next Header | This 8-bit field is equivalent to the IPv4 Protocol field. It indicates the data payload type that the packet is carrying, enabling the network layer to pass the data to the appropriate upper-layer protocol. |
| Hop Limit | This 8-bit field replaces the IPv4 TTL field. This value is decremented by a value of 1 by each router that forwards the packet. When the counter reaches 0, the packet is discarded, and an ICMPv6 Time Exceeded message is forwarded to the sending host, indicating that the packet did not reach its destination because the hop limit was exceeded. |
| Source IPv6 Address | This 128-bit field identifies the IPv6 address of the sending host. |
| Destination IPv6 Address | This 128-bit field identifies the IPv6 address of the receiving host. |
An IPv6 packet may also contain extension headers (EH) that provide optional network layer information. Extension headers are optional and are placed between the IPv6 header and the payload. EHs are used for fragmentation, security, mobility support, and more. Unlike IPv4, routers do not fragment routed IPv6 packets.
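An added example, not from the original article, that decodes the 40-byte fixed header and follows the Next Header chain through extension headers to find where the upper-layer payload starts. The packet is constructed with documentation addresses; the function names and the set of extension headers handled are assumptions of this example.

```python
import ipaddress
import struct

# Extension headers walked here; ESP (50) and AH (51) use other layouts,
# so the walk stops there and reports them as the upper layer.
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing",
               44: "Fragment", 60: "Destination Options"}

def parse_ipv6(packet: bytes) -> dict:
    if len(packet) < 40:
        raise ValueError("shorter than the 40-byte fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack(
        "!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 0110")
    chain, offset = [], 40
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        following, ext_len = packet[offset], packet[offset + 1]
        # Fragment header is fixed at 8 bytes; the others are (ext_len + 1) * 8
        size = 8 if next_header == 44 else (ext_len + 1) * 8
        chain.append(EXT_HEADERS[next_header])
        next_header, offset = following, offset + size
    if offset > len(packet):
        raise ValueError("extension header length exceeds the packet")
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "extension_headers": chain,
        "upper_layer": next_header,         # same numbering as IPv4 Protocol
        "upper_layer_offset": offset,
    }

def build_sample() -> bytes:
    """Constructed packet: Hop-by-Hop and Fragment headers before 8 bytes of UDP."""
    fixed = struct.pack("!IHBB", (6 << 28) | (0xB8 << 20) | 0x12345, 24, 0, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hop_by_hop = bytes([44, 0, 1, 4, 0, 0, 0, 0])   # next=Fragment, PadN option
    fragment = bytes([17, 0, 0, 0]) + struct.pack("!I", 0xABCD)  # next=UDP
    return fixed + src + dst + hop_by_hop + fragment + bytes(8)

if __name__ == "__main__":
    print(parse_ipv6(build_sample()))
```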
Fact Check Policy
CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others.