IP - Internet Protocol

The Internet Protocol (IP) is a fundamental protocol in the suite of Internet protocols used for routing and addressing packets of data so that they can travel across networks and reach their intended destinations. IP operates at the Network Layer (Layer 3) of the OSI model. The protocol defines the structure of the packets and provides mechanisms for addressing, encapsulation, fragmentation, and reassembly of data packets.


IP plays a critical role in internet communication by enabling data to be routed from the source to the destination across multiple networks. This involves several key functions:


IP assigns unique addresses to each device on the network, ensuring that data packets are delivered to the correct destination.

Packet Routing:

Routing Packets: IP determines the best path for data packets to travel across interconnected networks. Routers, which operate at the network layer, use IP addresses to forward packets to their destination.

Fragmentation and Reassembly:

Handling Large Packets: When data packets are too large to be transmitted over a network segment, IP fragments them into smaller packets. These fragments are reassembled at the destination to recreate the original packet.


Encapsulating Data: IP encapsulates data from higher-layer protocols (such as TCP or UDP) into IP packets, which include headers containing essential routing information.


Connecting Networks: IP enables the interconnection of diverse network technologies. This allows for seamless communication between different types of networks and devices.

Protocol Header Anatomy

The IP protocol header anatomy:

   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |Version|  IHL  |Type of Service|          Total Length         |
   |         Identification        |Flags|      Fragment Offset    |
   |  Time to Live |    Protocol   |         Header Checksum       |
   |                       Source Address                          |
   |                    Destination Address                        |
   |                    Options                    |    Padding    |

Explanation of the IP Header Fields

  • Version (4 bits): Indicates the version of the IP protocol. There are two main versions of IP in use today: IPv4, which uses 32-bit addresses, and IPv6, which uses 128-bit addresses to accommodate the need for a larger address space (eg. IoT).

  • IHL (Internet Header Length) (4 bits): Specifies the length of the IP header in 32-bit words. The minimum value is 5 (indicating 20 bytes), and maximum value is 15 (indicating 60 bytes).

  • Type of Service (8 bits): This is used to specify the quality of service desired. It includes fields for precedence, delay, throughput, and reliability.

  • Total Length (16 bits): Specifies the total length of the IP packet (header and data included) in bytes. The minimum length is 20 bytes, and the maximum is 65,535 bytes.

  • Identification (16 bits): Used to uniquely identify the group of fragments of a single IP datagram.

  • Flags (3 bits): Contains control flags such as:

    • Reserved bit (RB): Must be zero.
    • Don't Fragment (DF): If set, the packet cannot be fragmented.
    • More Fragments (MF): If set, there are more fragments. If zero, this is the last fragment.
  • Fragment Offset (13 bits): Indicates the position of the fragment in the original datagram. Measured in units of 8 bytes.

  • Time to Live (TTL) (8 bits): Indicates the maximum time the packet is allowed to remain in the network. Each router that processes the packet decreases the TTL by one. When TTL reaches zero, the packet is discarded.

  • Protocol (8 bits): Indicates the protocol used in the data portion of the IP datagram. Examples include ICMP (1), TCP (6), and UDP (17).

  • Header Checksum (16 bits): Used for error-checking the header. If a checksum mismatch is found, the packet is discarded.

  • Source Address (32 bits): Specifies the IP address of the sender.

  • Destination Address (32 bits): Specifies the IP address of the receiver.

  • Options (variable): Optional field used for network testing, debugging, and security. Options may vary in length.

  • Padding (variable): Used to ensure that the header length is a multiple of 32 bits. Padding is added at the end of the Options field.

IP Assignment

IP addresses are assigned to devices connected to a network by various methods, depending on the type and scope of the network. Here are the main ways IP addresses are assigned:

Dynamic IP Assignment (DHCP):

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automatically assign IP addresses to devices on a network. It reduces the need for manual configuration. Read more here

Static IP Addressing :

A static IP address is manually assigned to a device by a network administrator. This method is commonly used for servers, printers, and other devices that need a consistent IP address.

How It Works:

  • Manual Configuration: The network administrator assigns a specific IP address to the device and configures it directly on the device.
  • Configuration Details: The administrator also configures the subnet mask, default gateway, and DNS servers.
Static IP Configuration
    IP Address: <assigned IP>
    Subnet Mask: <subnet mask>
    Default Gateway: <gateway IP>
    DNS Servers: <DNS IPs>

Automatic Private IP Addressing (APIPA):

APIPA is used when a device fails to obtain an IP address from a DHCP server. It assigns an IP address automatically from a predefined range ( to

How It Works:

  • Fallback Mechanism: When DHCP is unavailable, the device assigns itself an IP address from the APIPA range.
  • Local Communication: APIPA allows the device to communicate with other devices on the same network segment that also use APIPA addresses.
APIPA Assignment
    IP Address Range: to
    Usage: Local communication when DHCP fails

Public IP Address Assignment by Internet Service Providers (ISPs) :

Internet Service Providers (ISPs) assign public IP addresses to their customers for internet connectivity. These IP addresses can be dynamic or static.

How It Works:

  • Dynamic Public IPs: Assigned via DHCP by the ISP. The public IP may change periodically.
  • Static Public IPs: Assigned manually by the ISP. The public IP remains constant.
ISP IP Assignment
    Dynamic Public IP: Assigned via DHCP
    Static Public IP: Manually assigned by ISP

The IP Address

IP addresses are unique identifiers assigned to devices connected to a network. They are crucial for routing data packets to their correct destinations. Let's discuss the two types now:

IPv4 Address


  • 32-bit Address: IPv4 addresses are 32 bits long,
  • Dotted Decimal Notation: They are typically written as four decimal numbers separated by dots, e.g.,

Component Breakdown:

  • Network Portion: The first part of the address identifies the network.
  • Host Portion: The remaining part identifies the specific device (host) on that network.


  • Subnet Mask: Defines which portion of the address is the network part and which is the host part. Written in dotted decimal or CIDR notation (e.g., or /24).
  • CIDR Notation: Represents the IP address along with the subnet mask, e.g.,


Class A: to (large networks)
Class B: to (medium-sized networks)
Class C: to (small networks)
Class D: to (multicast)
Class E: to (reserved for future use)

Private Addresses & Reserved Ranges: Used within private networks and not routable on the public internet. to to to


IPv4 Address:
    Network Portion: 192.168.1
    Host Portion: 1
    Subnet Mask: (/24)

IPv6 Address


  • 128-bit Address: IPv6 addresses are 128 bits long.
  • Hexadecimal Notation: They are written as eight groups of four hexadecimal digits, separated by colons, e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

Component Breakdown:

  • Global Routing Prefix: The first part, which indicates the network.
  • Subnet ID: Identifies a specific subnet within the network.
  • Interface ID: Identifies the specific interface of a host within the subnet.


  • Zero Compression: Consecutive sections of zeros can be compressed to ::, e.g., 2001:0db8:85a3::8a2e:0370:7334.
  • Leading Zeros: Leading zeros in each group can be omitted, e.g., 2001:db8:85a3::8a2e:370:7334.

Types of Addresses:

  • Unicast: Identifies a single interface.
  • Multicast: Identifies a group of interfaces, packets are delivered to all interfaces in the group.
  • Anycast: Assigned to multiple interfaces, packets are delivered to the nearest one.

Special Addresses:

  • Loopback: ::1 (equivalent to in IPv4).
  • Link-local: fe80::/10 range, used for communication within a single network segment.


IPv6 Address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
    Global Routing Prefix: 2001:0db8:85a3
    Subnet ID: 0000:0000
    Interface ID: 8a2e:0370:7334

The Protocol Sequence

IP Packet Structure creation An IP packet consists of two main parts: the header and the payload. The header contains essential information for routing and delivery, while the payload contains the actual data being transmitted.

IP Header Fields (IPv4)

  • Version: Specifies the IP protocol version (4 for IPv4).
  • Header Length: Indicates the length of the IP header.
  • Type of Service (ToS): Specifies the priority and quality of service for the packet.
  • Total Length: The entire packet length, including header and data.
  • Identification: Used for uniquely identifying fragments of an original IP packet.
  • Flags: Control flags, including the "Don't Fragment" (DF) flag and the "More Fragments" (MF) flag.
  • Fragment Offset: Indicates the position of a fragment in the original packet.
  • Time to Live (TTL): Limits the packet's lifetime, preventing it from circulating indefinitely.
    -- TL;DR : The TTL field ensures packets do not circulate indefinitely.
    -- Explanation : Each IP packet has a TTL (Time to Live) value that decreases by one each time the packet is forwarded by a router. If the TTL reaches zero, the packet is discarded. This mechanism prevents packets from looping endlessly in the network.
    TTL and Packet Lifecycle
        Initial TTL: <initial value>
        TTL Decrement: <decrease per hop>
        Packet Discarded: <when TTL reaches zero>
  • Protocol: Specifies the next-level protocol (e.g., TCP, UDP) encapsulated in the payload.
  • Header Checksum: Used for error-checking of the header.
    • TL;DR : The header checksum field is used for error-checking of the IP header.
    • Explanation : The header checksum helps ensure the integrity of the IP header. If a router detects a corrupted header, it discards the packet.
    Error Checking
        Header Checksum: <checksum value>
        Integrity Check: <process to verify header>
        Packet Discard: <if checksum fails>
  • Source IP Address: The IP address of the sender.
  • Destination IP Address: The IP address of the recipient.
  • Options: Optional fields for additional functionality (not commonly used).
IP Header (IPv4)
    Version: 4
    Header Length: <length>
    Type of Service: <priority>
    Total Length: <total length>
    Identification: <id>
    Flags: <flags>
    Fragment Offset: <offset>
    Time to Live: <TTL>
    Protocol: <protocol>
    Header Checksum: <checksum>
    Source IP Address: <source address>
    Destination IP Address: <destination address>
    Options: <optional fields>

IP Packet Transmission

  1. Encapsulation:
    TL;DR: Data from higher-level protocols (e.g., TCP, UDP) is encapsulated into an IP packet.
    Explanation: The IP protocol takes the data segment from the transport layer (such as a TCP segment or a UDP datagram), adds an IP header to it, and creates an IP packet. This encapsulation process includes adding all the necessary header information for routing and delivery.
    IP Header: <header fields>
    Payload: <higher-layer data>
  1. Addressing and Routing:
    TL;DR: IP addresses are used to route packets from the source to the destination.
    Explanation: Each IP packet contains the source and destination IP addresses. Routers use these addresses to forward the packet along the best path to its destination. Routing decisions are made based on routing tables and protocols.
Addressing and Routing
    Source IP Address: <source address>
    Destination IP Address: <destination address>
    Route: <path determined by routers>
  1. Fragmentation and Reassembly:
    TL;DR: Large IP packets are fragmented for transmission and reassembled at the destination.
    Explanation: If an IP packet is too large to be transmitted over a network segment, it is broken down into smaller fragments. Each fragment is sent as an individual IP packet with specific flags and offset values. The receiving end reassembles the fragments back into the original packet.
    Original Packet: <large packet>
        - Fragment 1: <fragment details>
        - Fragment 2: <fragment details>
        - ...
    Fragments Received: <list of fragments>
    Reassembled Packet: <original packet>

Technical Specifications

  • RFC 791: Internet Protocol (IPv4) Specification - This document specifies the original IPv4 protocol, detailing the structure and operations of IPv4 packets.

  • RFC 8200: Internet Protocol, Version 6 (IPv6) Specification - This document specifies the IPv6 protocol, which includes enhancements over IPv4 such as a larger address space and improved security features.

  • IETF IP Working Group: This page provides information about the working group that developed the IP protocol and related documents. It includes links to relevant RFCs and other technical documents.

Privacy, Anonymity, and Hacking Concerns

A protocol is a structured set of rules and procedures designed to facilitate standardized interactions and operations within technological systems. When implemented in the technological landscape, protocols inherently display an attack surface, mostly due to the underlying technology used, predictable and repeatable nature of protocols — characteristics upon which some level of vulnerabilities can be exploited to whatever endeavours. The below list some of the IP protocol exploitations witnessed over the years.

Concerns on Privacy, Anonymity, and Hacking Concerns

IP addresses tracking and logging is frequently used to analyse online user activities, revealing browsing habits, patterns, location, and more. Know that IP addresses are very easily mapped to geographic locations, exposing user physical locations. Governments and private coorporations alike (eg. Internet Service Providers (ISPs), Google In, Meta, etc) monitor IP traffic to surveil individuals and gather massive quantities of data (notably even when not using their services), to run profiling, to monitizing this data, to share this data with third parties (eg. repackaged for sale) or being subject to breaches, all cases infringing on privacy rights.

Where populations during periods of peace show low interest in protecting their privacy (the collective focus seems to shifts away from security, where the urgency to protect personal data diminishes where no immediate perceived threat to security or stability (The Centre for Internet & Society / National Academies Press)), these capabilities entail major concerns when used in surveillance warfare. Intelligence, Surveillance, and Reconnaissance (ISR) systems, which include IP tracking as a low hanging fruits, play a critical role in gathering and analyzing data to support decision-making in combat and security contexts. These technologies enable the monitoring of Person-of-interests, groups-of-interests (eg. collective dissidents), as means of identification of potential targets, and real-time situational awareness. All of which are essential for effective military and repression operations. Note that such the value of such mapping does not reside only in real-time analytics, but also in database, captured over time, in period of peace, where the integration of artificial intelligence and machine learning into these systems over massive datasets has further improved accuracy and efficient profiling.

Regarding hacks, one would propose that it is rather easy to run IP spoofing by forging the source IP address in packets to disguise some hacker identity or impersonate X device, a technique often used in denial-of-service (DoS) attacks). Attacker also frequently intercepts and alters communication between two parties to redirect traffic (Man in the Middle), or exploit weaknesses in the IP protocol to bypass IP addressing authentication system used by various providers. Read about IP Spoofing, IP Denial, IP MitM attacks.

Some of the most controversial and potentially difficult to bypass abuse of the protocol workings is the IP address blocking performed by network administrators as to enforce censorship. For more, read about IP denial here.


Congratulation is you read this to the en! We hope this article brings a little clarity over the protocol anatomy and its various use cases.