August 8, 2010

Internet Protocol Suite: Internet Layer Protocols

IGMP architecture example
The Internet Layer is a group of internetworking methods in the TCP/IP protocol suite which is the foundation of the Internet (RFC 1122). It is the group of methods, protocols, and specifications which are used to transport datagrams (packets) from the originating host across network boundaries, if necessary, to the destination host specified by a network address (IP address) which is defined for this purpose by the Internet Protocol (IP). The Internet Layer derives its name from its function of forming an "internet" (uncapitalized), or facilitating "internetworking", which is the concept of connecting multiple networks with each other through gateways.

Internet Layer protocols use IP-based packets. The Internet Layer does not include the protocols that have the limited scope of communicating with other local ("on-link") network nodes for the purpose of maintaining link states between the local nodes, such as the local network topology, and that usually use protocols that are based on the framing of packets specific to the link types. Such protocols belong to the Link Layer.

A particularly crucial aspect in the Internet Layer is the Robustness Principle: "Be liberal in what you accept, and conservative in what you send" (RFC 1122), as a misbehaving host can deny Internet service to many other users.

Internet Layer functions
The Internet Layer has three basic functions: For outgoing packets, select the "next hop" host (gateway) and transmit the packet to this host by passing it to the appropriate Link Layer drivers; for incoming packets, capture packets and pass the packet payload up to the appropriate Transport Layer module, if appropriate. In addition it provides error detection and diagnostic capability.

In Version 4 of the Internet Protocol (IPv4), during both transmit and receive operations, IP is capable of automatic or intentional fragmentation or defragmentation of packets, based, for example, on the maximum transmission unit (MTU) of link elements. However, this feature has been dropped in IPv6, as the communications end points, the hosts, now have to perform path MTU discovery and assure that end-to-end transmissions don't exceed the minimum discovered.

In its operation, the Internet Layer is not responsible for reliable transmission. It provides only an unreliable service, and "best effort" delivery. This means that the network makes no guarantees about packets' proper arrival. This was an important design principle and change from the previous protocols used on the early ARPANET. Since packet delivery across diverse networks is inherently an unreliable and failure-prone operation, the burden of providing reliability was placed with the end points of a communication path, i.e., the hosts, rather than on the network. This is one of the reasons for the resiliency of the Internet against individual link failures and its proven scalability.

The function of providing reliability of service is the duty of higher level protocols, such as the Transmission Control Protocol (TCP) in the Transport Layer.

Integrity of packets is guaranteed only in IPv4 (not in IPv6) through checksums computed for IP packets.

Internet Layer protocols

The core protocols in the Internet Layer are:

  • Internet Protocol (IP), implemented in two versions, IPv4 and IPv6.

  • Internet Control Message Protocol (ICMP), primarily used for error and diagnostic functions, different implementations exist for IPv4 and IPv6.

  • Internet Group Management Protocol (IGMP), used by IPv4 hosts and adjacent multicast routers to establish multicast group memberships.

  • Internet Protocol Security (IPsec), which authenticates and encrypts IP packets.

The Internet Protocol (IP) is a protocol used for communicating data across a packet-switched inter-network using the Internet Protocol Suite, also referred to as TCP/IP.

IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering distinguished protocol datagrams (packets) from the source host to the destination host solely based on their addresses. For this purpose the Internet Protocol defines addressing methods and structures for datagram encapsulation. The first major version of addressing structure, now referred to as Internet Protocol Version 4 (IPv4) is still the dominant protocol of the Internet, although the successor, Internet Protocol Version 6 (IPv6) is being deployed actively worldwide.


IP encapsulation
Data from an upper layer protocol is encapsulated as packets/datagrams (the terms are basically synonymous in IP). Circuit setup is not needed before a host may send packets to another host that it has previously not communicated with (a characteristic of packet-switched networks), thus IP is a connectionless protocol. This is in contrast to Public Switched Telephone Networks that require the setup of a circuit before a phone call may go through (connection-oriented protocol).

Services provided by IP
Because of the abstraction provided by encapsulation, IP can be used over a heterogeneous network, i.e., a network connecting computers may consist of a combination of Ethernet, ATM, FDDI, Wi-Fi, token ring, or others. Each link layer implementation may have its own method of addressing (or possibly the complete lack of it), with a corresponding need to resolve IP addresses to data link addresses. This address resolution is handled by the Address Resolution Protocol (ARP) for IPv4 and Neighbor Discovery Protocol (NDP) for IPv6.
 
Internet Protocol version 4 (IPv4) is the fourth revision in the development of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet, and is still by far the most widely deployed Internet Layer protocol.

It is described in IETF publication RFC 791 (September 1981) which rendered obsolete RFC 760 (January 1980). The United States Department of Defense also standardized it as MIL-STD-1777.

IPv4 is a data-oriented protocol to be used on a packet switched internetwork (e.g., Ethernet). It is a best effort delivery protocol in that it does not guarantee delivery, nor does it assure proper sequencing, or avoid duplicate delivery. These aspects are addressed by an upper layer protocol (e.g. TCP, and partly by UDP). IPv4 does, however, provide data integrity protection through the use of packet checksums.

Addressing
IPv4 uses 32-bit (four-byte) addresses, which limits the address space to 4,294,967,296 (2^32) possible unique addresses. However, some are reserved for special purposes such as private networks (~18 million addresses) or multicast addresses (~16 million addresses). This reduces the number of addresses that can be allocated as public Internet addresses. As the pool of available addresses is consumed, an IPv4 address shortage appears to be inevitable; however, network address translation (NAT) has significantly delayed this inevitability.

This limitation has helped stimulate the push towards IPv6, which is currently in the early stages of deployment and the only contender to replace IPv4.

Address resolution
Hosts on the Internet are usually known not by IP addresses, but by names (e.g., www.wikipedia.org, www.whitehouse.gov, www.freebsd.org, www.berkeley.edu). The routing of IP packets across the Internet is not directed by such names, but by the numeric IP addresses assigned to such domain names. This requires translating (or resolving) domain names to addresses.

The Domain Name System (DNS) provides such a system for converting names to addresses and addresses to names. Much like CIDR addressing, the DNS naming is also hierarchical and allows for sub-delegation of name spaces to other DNS servers.

The domain name system is often described in analogy to the telephone system directory information systems in which subscriber names are translated to telephone numbers.

Internet Protocol version 6 (IPv6) is the next-generation Internet Protocol version designated as the successor to version 4, IPv4, the first implementation used in the Internet and still in dominant use currently. It is an Internet Layer protocol for packet-switched inter-network. The main driving force for the redesign of Internet Protocol was the foreseeable IPv4 address exhaustion. IPv6 was defined in December 1998 by the Internet Engineering Task Force (IETF) with the publication of an Internet standard specification, RFC 2460.

In December 2008, despite marking its 10th anniversary as a Standards Track protocol, IPv6 was only in its infancy in terms of general worldwide deployment. A 2008 study by Google indicated that penetration was still less than one percent of Internet-enabled hosts in any country. The leaders were Russia (0.76%), France (0.65%), Ukraine (0.64%), Norway (0.49%), and the United States (0.45%). Although Asia led in terms of absolute deployment numbers, the relative penetration was smaller (e.g., China: 0.24%). IPv6 has been implemented on all major operating systems in use in commercial, business, and home consumer environments. According to the study, Mac OS X led in IPv6 penetration of 2.44%, followed by Linux (0.93%) and Windows Vista (0.32%).

IPv6 has a much larger address space than IPv4. This results from the use of a 128-bit address, whereas IPv4 uses only 32 bits. The new address space thus supports 2^128 (about 3.4×10^38) addresses. This expansion provides flexibility in allocating addresses and routing traffic and eliminates the primary need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.

IPv6 also implements new features that simplify aspects of address assignment (stateless address auto-configuration) and network renumbering (prefix and router announcements) when changing Internet connectivity providers. The IPv6 subnet size has been standardized by fixing the size of the host identifier portion of an address to 64 bits to facilitate an automatic mechanism for forming the host identifier from Link Layer media addressing information (MAC address).

Network security is integrated into the design of the IPv6 architecture. Internet Protocol Security (IPsec) was originally developed for IPv6, but found widespread optional deployment first in IPv4 (into which it was back-engineered). The IPv6 specifications mandate IPsec implementation as a fundamental interoperability requirement.

The general requirements for implementing IPv6 on a network host are specified in RFC 4294.

Origins
The first publicly used version of the Internet Protocol, Version 4 (IPv4), provides an addressing capability of about 4 billion addresses (2^32). This was deemed sufficient in the early design stages of the Internet when the explosive growth and worldwide penetration of networks was not anticipated.

During the first decade of operation of the TCP/IP-based Internet, by the late 1980s, it became apparent that methods had to be developed to conserve address space. In the early 1990s, even after the introduction of classless network redesign, it became clear that this would not suffice to prevent IPv4 address exhaustion and that further changes to the Internet infrastructure were needed. By the beginning of 1992, several proposed systems were being circulated, and by the end of 1992, the IETF announced a call for white papers (RFC 1550) and the creation of the "IP Next Generation" (IPng) area of working groups.

The Internet Engineering Task Force adopted IPng on July 25, 1994, with the formation of several IPng working groups. By 1996, a series of RFCs were released defining Internet Protocol Version 6 (IPv6), starting with RFC 2460.

Incidentally, the IPng architects could not use version number 5 as a successor to IPv4, because it had been assigned to an experimental flow-oriented streaming protocol (Internet Stream Protocol), similar to IPv4, intended to support video and audio.

IPv4 exhaustion
Estimates of the time frame until complete exhaustion of IPv4 addresses used to vary widely. In 2003, Paul Wilson (director of APNIC) stated that, based on then-current rates of deployment, the available space would last for one or two decades. In September 2005, a report by Cisco Systems suggested that the pool of available addresses would dry up in as little as 4 to 5 years. As of May 2009, a daily updated report projected that the IANA pool of unallocated addresses would be exhausted in June 2011, with the various Regional Internet Registries using up their allocations from IANA in March 2012. There is now consensus among Regional Internet Registries that final milestones of the exhaustion process will be passed in 2010 or 2011 at the latest, and a policy process has started for the end-game and post-exhaustion era.

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached.

ICMP relies on IP to perform its tasks, and it is an integral part of IP. It differs in purpose from transport protocols such as TCP and UDP in that it is typically not used to send and receive data between end systems. It is usually not used directly by user network applications, with some notable exceptions being the ping tool and traceroute.

ICMP for Internet Protocol version 4 (IPv4) is also known as ICMPv4. IPv6 has a similar protocol, ICMPv6.

Internet Control Message Protocol is part of the Internet Protocol Suite as defined in RFC 792. ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes.

ICMP messages are constructed at the IP layer, usually from a normal IP datagram that has generated an ICMP response. IP encapsulates the appropriate ICMP message with a new IP header (to get the ICMP message back to the original sending host) and transmits the resulting datagram in the usual manner.

For example, every machine (such as an intermediate router) that forwards an IP datagram has to decrement the time to live (TTL) field of the IP header by one; if the TTL reaches 0, an ICMP Time to live exceeded in transit message is sent to the source of the datagram.

Each ICMP message is encapsulated directly within a single IP datagram, and thus, like UDP, ICMP is unreliable.

Although ICMP messages are contained within standard IP datagrams, ICMP messages are usually processed as a special case, distinguished from normal IP processing, rather than processed as a normal sub-protocol of IP. In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application that generated the original IP packet, the one that prompted the sending of the ICMP message.

Many commonly-used network utilities are based on ICMP messages. The traceroute command is implemented by transmitting UDP datagrams with specially set IP TTL header fields, and looking for ICMP Time to live exceeded in transit (above) and "Destination unreachable" messages generated in response. The related ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.
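As an added example (not code from the original article), the following Python ties together two points above: the IPv4 header checksum that gives IPv4 its integrity protection, and the way a router builds an ICMP "Time to live exceeded in transit" message that traceroute relies on. It models one router hop: verify the header checksum, decrement the TTL and recompute the checksum, or, when the TTL expires, build the ICMP error back to the original source quoting the offending header plus eight payload bytes. The addresses and the probe datagram are constructed sample data.

```python
import socket
import struct

IPPROTO_ICMP = 1
ICMP_TIME_EXCEEDED = 11      # RFC 792 "Time Exceeded" message type
CODE_TTL_EXCEEDED = 0        # code 0: time to live exceeded in transit


def inet_checksum(data):
    """RFC 1071 ones'-complement sum of 16-bit words (zero-padded if the length is odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,   # version 4, IHL 5, TOS 0, total length
                      0x1234, 0x4000,              # identification, DF set, fragment offset 0
                      ttl, proto, 0,               # TTL, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def ipv4_header_ok(datagram):
    """A correct header checksums to zero. Only the header is covered, never the payload."""
    ihl = (datagram[0] & 0x0F) * 4
    return len(datagram) >= ihl >= 20 and inet_checksum(datagram[:ihl]) == 0


def icmp_time_exceeded(router_ip, original):
    """ICMP Time Exceeded as a router builds it: a fresh IP header addressed back to the
    original source, the ICMP header, then the offending header plus 8 bytes of its payload."""
    ihl = (original[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED, 0, 0)
    icmp += original[:ihl + 8]               # RFC 792: quote header + first 64 bits of data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_of_original = socket.inet_ntoa(original[12:16])
    return build_ipv4_header(router_ip, src_of_original, IPPROTO_ICMP, 64, len(icmp)) + icmp


def forward(datagram, router_ip):
    """One router hop: ("forward", copy with TTL-1 and a recomputed checksum), ("icmp", Time
    Exceeded datagram) when the TTL would hit 0, or ("drop", None) for a corrupted header."""
    if not ipv4_header_ok(datagram):
        return ("drop", None)                # a bad checksum is discarded silently, not answered
    if datagram[8] <= 1:
        return ("icmp", icmp_time_exceeded(router_ip, datagram))
    ihl = (datagram[0] & 0x0F) * 4
    hdr = bytearray(datagram[:ihl])
    hdr[8] -= 1                              # decrement TTL ...
    hdr[10:12] = b"\x00\x00"                 # ... and recompute the header checksum
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return ("forward", bytes(hdr) + datagram[ihl:])


# Constructed traceroute-style probe: UDP (protocol 17) to a high port, TTL 2, 4 data bytes.
PROBE = build_ipv4_header("192.0.2.10", "198.51.100.7", 17, 2, 12) + \
    bytes.fromhex("829a829b000c0000") + b"ABCD"
```

Calling forward(PROBE, "203.0.113.1") returns the forwarded copy with TTL 1; passing that copy through a second hop returns the Time Exceeded datagram addressed back to 192.0.2.10 with the second router as its source.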
 
Internet Control Message Protocol Version 6 (ICMPv6) or ICMP for IPv6 is a new version of ICMP. ICMPv6 is defined in RFC 4443. ICMPv6 operates in the Internet Layer of the TCP/IP model and performs error reporting for the Internet Protocol, as well as some other diagnostic functions (such as "ping").

ICMPv6 is an integral part of the IPv6 architecture that must be completely supported by all IPv6 implementations and nodes.

Message source address determination
A node that sends an ICMPv6 message has to determine both the Source and Destination IPv6 Addresses in the IPv6 header before calculating the checksum. If the node has more than one unicast address, it must choose the Source Address of the message as follows:

  • If the message is a response to a message sent to one of the node's unicast addresses, the Source Address of the reply MUST be that same address.

  • If the message is a response to a message sent to any other address, such as

    • a multicast group address,

    • an anycast address implemented by the node, or

    • a unicast address that does not belong to the node,

    the Source Address of the ICMPv6 packet MUST be a unicast address belonging to the node. The address SHOULD be chosen according to the rules that would be used to select the source address for any other packet originated by the node, given the destination address of the packet. However, it MAY be selected in an alternative way if this would lead to a more informative choice of address reachable from the destination of the ICMPv6 packet.

ICMPv6 message transmission
A node that forwards an ICMP message has to determine both the source and the destination IPv6 addresses for the ICMPv6 message. Particular care must be put into the choice of the source address. If a node has more than one unicast address, it must choose the source address of the message as follows:

  • If the message is a response to a message sent to one of the node's unicast addresses, the Source Address of the reply must be that same address.

  • If the message is a response to a message sent to a multicast or anycast group to which the node belongs, the Source Address of the reply must be a unicast address belonging to the interface on which the multicast or anycast packet was received.

  • If the message is a response to a message sent to an address that does not belong to the node, the Source Address should be the unicast address belonging to the node that is most helpful in diagnosing the error (for example, the unicast address belonging to the interface on which the packet forwarding failed).

  • In other cases, the node's routing tables must be examined to determine which interface will be used to transmit the message to its destination, and the unicast address belonging to that interface must be used as the Source Address of the message.

When an ICMPv6 node receives a packet, it must undertake actions that depend on the type of message. The ICMPv6 protocol must limit the number of error messages sent to the same destination to avoid network overloading. For example, if a node continues to forward erroneous packets, ICMP will signal the error to the first packet and then do so periodically, with a fixed minimum period or with a fixed network maximum load. An ICMP error message must never be sent in response to another ICMP error message.
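The source-selection rules and the error-handling rules just described, as an added Python example that is not part of the original article: icmpv6_source_address applies the four rules in order, and Icmpv6ErrorLimiter enforces the per-destination rate limit and the rule that an ICMPv6 error is never sent in reply to another ICMPv6 error. The sample node, its addresses (from the 2001:db8::/32 documentation prefix) and the Next Header value 58 for ICMPv6 are assumptions of this example, not taken from the text.

```python
import ipaddress
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network
ICMPV6_NEXT_HEADER = 58         # IPv6 Next Header value for ICMPv6 (assumed, not on the page)


@dataclass
class Interface:
    name: str
    unicast: list                                 # unicast addresses assigned to the interface
    groups: list = field(default_factory=list)    # multicast/anycast addresses it listens on


@dataclass
class Node:
    interfaces: list
    routes: dict                                  # prefix -> outgoing interface name

    def iface(self, name):
        return next(i for i in self.interfaces if i.name == name)

    def owns_unicast(self, addr):
        return any(addr in i.unicast for i in self.interfaces)

    def route(self, dst):                         # longest-prefix match
        best = max((p for p in self.routes if dst in p), key=lambda p: p.prefixlen)
        return self.routes[best]


def icmpv6_source_address(node, msg_dst, original_dst=None, rx_iface=None, failed_iface=None):
    """Apply the four rules in order. original_dst, rx_iface and failed_iface describe the
    packet being answered; all are None for a message the node originates itself."""
    if original_dst is not None:
        if node.owns_unicast(original_dst):        # rule 1: answer from the addressed unicast
            return original_dst
        if rx_iface and original_dst in node.iface(rx_iface).groups:
            return node.iface(rx_iface).unicast[0] # rule 2: group -> receiving interface
        if failed_iface:                           # rule 3: interface where forwarding failed
            return node.iface(failed_iface).unicast[0]
    return node.iface(node.route(msg_dst)).unicast[0]  # rule 4: route lookup decides


class Icmpv6ErrorLimiter:
    """Per-destination token bucket: at most `burst` errors, refilled one per `min_period`
    seconds, and never an error in reply to an ICMPv6 error message (types below 128)."""
    def __init__(self, min_period=1.0, burst=10):
        self.min_period, self.burst, self.buckets = min_period, burst, {}

    def allow(self, dst, next_header, icmp_type, now):
        if next_header == ICMPV6_NEXT_HEADER and icmp_type < 128:
            return False                           # offending packet is itself an ICMPv6 error
        tokens, last = self.buckets.get(dst, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) / self.min_period)
        ok = tokens >= 1
        self.buckets[dst] = (tokens - 1 if ok else tokens, now)
        return ok


# Constructed sample router: a LAN interface (also a member of all-nodes ff02::1) and an uplink.
SAMPLE_NODE = Node(
    [Interface("eth0", [IP("2001:db8:1::1")], [IP("ff02::1")]),
     Interface("eth1", [IP("2001:db8:2::1")])],
    {NET("2001:db8:1::/64"): "eth0", NET("::/0"): "eth1"})
```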

The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships.

It is an integral part of the IP multicast specification, operating above the network layer, though it doesn't actually act as a transport protocol. It is analogous to ICMP for unicast connections. IGMP can be used for online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications. IGMP does allow some attacks, and firewalls commonly allow the user to disable it if not needed.

IGMP is only needed for IPv4 networks, as multicast is handled differently in IPv6 networks.

Host and router implementations
The IGMP protocol is implemented as a host side and a router side. A host side reports its membership of a group to its local router, and a router side listens to reports from hosts and periodically sends out queries. The FreeBSD, Linux and Windows operating systems support IGMP on the host side. For Linux, IGMPv3 was added in the 2.5 kernel series. For FreeBSD, IGMPv3 was added in version 8.0.

For the router side implementation, the Linux case uses a daemon such as mrouted to act as an IGMP router. There are also entire routing suites (such as XORP), which turn an ordinary computer into a full-fledged multicast router.

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

IPsec is a dual mode, end-to-end, security scheme operating at the Internet Layer of the Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be used for protecting any application traffic across the Internet. Applications need not be specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must typically be incorporated into the design of applications.

IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Administration (NSA).

IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments addressing various components and extensions, including the official capitalization style of the term.