IP Packet Structure
Internet Protocol
IP - Internet Protocol is the network layer communications protocol in the Internet protocol suite for relaying datagrams or segments across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
IP has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers. For this purpose, IP defines packet structures that encapsulate the data to be delivered. It also defines addressing methods that are used to label the datagram with source and destination information.
The first major version of IP, Internet Protocol version 4 (IPv4), is the dominant protocol of the Internet. Its successor is Internet Protocol version 6 (IPv6), which has been in increasing deployment on the public Internet since around 2006.
Internet Protocol version 4
IPv4 - Internet Protocol version 4 is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks.
IPv4 is a connectionless protocol, and operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the TCP - Transmission Control Protocol.
An IP packet consists of a header section and a data section.
IPv4 packet header
Notes to IPv4 packet header
- ToS - The Type of Service field was obsoleted by RFC 2474 (updated by RFC 3168 and RFC 3260) and is now used for Differentiated Services Code Point (DSCP) and Explicit Congestion Notification (ECN).
- IHL - Internet Header Length is 4 bits long and specifies the header length in increments of 32 bits (DWORD). The IHL field can hold values from 0 (binary 0000) to 15 (binary 1111), so the longest possible IP header is 480 bits, which is 60 bytes. The shortest header size is 5 DWORDs (20 bytes), where the IHL field has the value 5 (binary 0101). This is because the required fields in the IPv4 header occupy a minimum of 20 bytes.
- Flags field is composed of 3 smaller fields: Reserved (must be 0), Don’t fragment bit (DF) and More fragments bit (MF).
Summary
Description | Value | Explanation |
---|---|---|
Shortest IPv4 header size | 20 bytes | IHL - the minimum value for this field is 5, which indicates a length of 5 × 32 bits = 160 bits = 20 bytes |
Longest IPv4 header size | 60 bytes | IHL as a 4-bit field, the maximum value is 15; 15 × 32 bits = 480 bits = 60 bytes |
Maximum IPv4 payload size without fragmentation | 1,480 bytes | Maximum Ethernet frame size at 1,500 bytes minus IPv4 header at 20 bytes |
Maximum legal IPv4 payload size | 65,515 bytes | Maximum IPv4 packet size at 65,535 bytes (0xFFFF) minus IPv4 header at 20 bytes |
IPv4 packet header fields
- Version
- The first header field in an IP packet is the four-bit version field. For IPv4, this is always equal to 4.
- Internet Header Length (IHL)
- The IPv4 header is variable in size due to the optional 14th field (options). The IHL field contains the size of the IPv4 header; it has 4 bits that specify the number of 32-bit words in the header. The minimum value for this field is 5, which indicates a length of 5 × 32 bits = 160 bits = 20 bytes. As a 4-bit field, the maximum value is 15; this means that the maximum size of the IPv4 header is 15 × 32 bits = 480 bits = 60 bytes.
- Differentiated Services Code Point (DSCP)
- Originally defined as the Type of Service (ToS) field, which is now obsolete, this field specifies differentiated services (DiffServ). Real-time data streaming makes use of the DSCP field. An example is Voice over IP (VoIP), which is used for interactive voice services.
- Explicit Congestion Notification (ECN)
- This field allows end-to-end notification of network congestion without dropping packets. ECN is an optional feature available when both endpoints support it and effective when also supported by the underlying network.
- Total Length
- This 16-bit field defines the entire packet size in bytes, including header and data. The minimum size is 20 bytes (header without data) and the maximum is 65,535 bytes. All hosts are required to be able to reassemble datagrams of size up to 576 bytes, but most modern hosts handle much larger packets. Links may impose further restrictions on the packet size, in which case datagrams must be fragmented. Fragmentation in IPv4 is performed in either the sending host or in routers. Reassembly is performed at the receiving host.
- Identification
- This field is an identification field and is primarily used for uniquely identifying the group of fragments of a single IP datagram. Some experimental work has suggested using the ID field for other purposes, such as for adding packet-tracing information to help trace datagrams with spoofed source addresses, but any such use is now prohibited.
- Flags
- A three-bit field follows and is used to control or identify fragments. They are (in order, from most significant to least significant):
- bit 0: is reserved and always set to 0.
- bit 1: represents the Don’t Fragment (DF) flag, which indicates that this packet should not be fragmented
- bit 2: represents the More Fragments (MF) flag, which is set on all fragmented packets except the last one
If the DF flag is set, and fragmentation is required to route the packet, then the packet is dropped. This can be used when sending packets to a host that does not have resources to perform reassembly of fragments. It can also be used for path MTU discovery, either automatically by the host IP software, or manually using diagnostic tools such as ping or traceroute.
For unfragmented packets, the MF flag is cleared. For fragmented packets, all fragments except the last have the MF flag set. The last fragment has a non-zero Fragment Offset field, differentiating it from an unfragmented packet.
- Fragment offset
- This field specifies the offset of a particular fragment relative to the beginning of the original unfragmented IP datagram. The fragmentation offset value for the first fragment is always 0. The field is 13 bits wide, so the offset can range from 0 to 8191 (from (2^0 – 1) to (2^13 – 1)). Offsets are specified in units of 8 bytes, which is why fragment length must be a multiple of 8. The 13-bit field therefore allows a maximum offset of (2^13 – 1) × 8 = 65,528 bytes, which, with the header length included (65,528 + 20 = 65,548 bytes), supports fragmentation of packets exceeding the maximum IP length of 65,535 bytes.
- Time to live (TTL)
- This field is used as a hop count: when the datagram arrives at a router, the router decrements the TTL field by one. When the TTL field hits zero, the router discards the packet and typically sends an ICMP time exceeded message to the sender.
- Protocol
- This field defines the protocol used in the data portion of the IP datagram. IANA maintains a list of IP protocol numbers.
- Some of the common payload protocols include:
Protocol Number | Protocol Name | Abbreviation |
---|---|---|
1 | Internet Control Message Protocol | ICMP |
2 | Internet Group Management Protocol | IGMP |
6 | Transmission Control Protocol | TCP |
17 | User Datagram Protocol | UDP |
50 | Encapsulating Security Payload | ESP |
51 | Authentication Header | AH |
132 | Stream Control Transmission Protocol | SCTP |
- Header checksum
- The 16-bit IPv4 header checksum field is used for error checking of the header. When a packet arrives at a router or its destination, the network device calculates the checksum of the header including the checksum field. A value of 0xFFFF (65535) is expected. If a different result is obtained, the device discards the packet. Errors in the data portion of the packet are handled separately by the encapsulated protocol. Both UDP and TCP have separate checksums that apply to their data.
- Source address
- This 32-bit field is the IPv4 address of the sender of the packet. It may be changed in transit by network address translation (NAT).
- Destination address
- This 32-bit field is the IPv4 address of the receiver of the packet. It may be affected by NAT.
- Options
- The options field is not often used. Packets containing some options may be considered as dangerous by some routers and be blocked. The value in the IHL field must include sufficient extra 32-bit words to hold all options and any padding needed to ensure that the header contains an integral number of 32-bit words. If IHL is greater than 5 (i.e., it is from 6 to 15) it means that the options field is present and must be considered.
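The field layout above can be turned into a strict header parser that rejects anything violating the stated constraints (version, IHL bounds, Total Length consistency, reserved flag bit, checksum). This is an added example, not code from the original page; the function names and the sample packet are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Protocol numbers taken from the table on this page.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH", 132: "SCTP"}

def header_sum(header: bytes) -> int:
    """16-bit ones' complement sum of the header, checksum field included."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_header(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; raise ValueError on any violation."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, ds, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    if ihl < 5:                             # 4-bit field, so 15 (60 bytes) is the implicit cap
        raise ValueError(f"IHL {ihl} is below the minimum of 5")
    header_len = ihl * 4
    if not header_len <= total_len <= len(packet):
        raise ValueError("Total Length is inconsistent with IHL or captured bytes")
    if flags_frag & 0x8000:
        raise ValueError("reserved flag bit is set")
    if header_sum(packet[:header_len]) != 0xFFFF:
        raise ValueError("header checksum mismatch")
    return {
        "ihl": ihl, "header_len": header_len, "dscp": ds >> 2, "ecn": ds & 0x3,
        "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": packet[20:header_len],   # empty unless IHL > 5
    }

# Constructed sample: a 20-byte header (DF set, UDP, TTL 64) plus 95 zero bytes of payload.
SAMPLE = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7") + bytes(95)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
```

Changing any single header byte of the sample, or truncating the capture below the Total Length, makes the parser raise instead of returning partially trusted fields.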
L2 Fragmentation
Layer 2 (represented by Ethernet 2 Frame) does not do any fragmentation. It is up to Layer 3 to pass data to Layer 2 in a packet/frame size that will already match Layer 2's MTU. In fact, the reason Layer 3 does fragmentation in the first place is because of the limitations of the Layer 2 protocol.
IP doesn't care if the packet size is 1500 bytes or 9999 bytes; it just knows what its underlying Layer 2 protocol can handle. The Total Length (packet length) field in the IP header is a 16-bit value, which means IP can create a packet as big as 65535 (2^16 – 1 = 65535) bytes if necessary, but only if the underlying Layer 2 fabric can support it.
Now specifically speaking for "Layer 2 protocols" like CDP, STP, VTP, (etc...), those by design send very small sized frames that should never need to be broken up into smaller frames.
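The fragmentation rules described on this page (DF/MF flags, offsets in 8-byte units, sizing to the Layer 2 MTU) can be worked through in code, together with the check a receiver should apply before reassembly, since the 13-bit offset can describe data beyond the 65,535-byte limit. This is an added example, not code from the original page; the function names and the tuple layout are assumptions made for illustration.

```python
MAX_PACKET = 65535  # largest value of the 16-bit Total Length field

def fragment(payload_len: int, mtu: int, header_len: int = 20, df: bool = False):
    """Return (offset in 8-byte units, data bytes, MF flag) for each fragment."""
    if header_len + payload_len <= mtu:
        return [(0, payload_len, False)]            # fits: unfragmented, MF cleared
    if df:
        raise ValueError("DF is set and the packet exceeds the MTU: packet is dropped")
    chunk = (mtu - header_len) // 8 * 8             # data per fragment, multiple of 8
    if chunk <= 0:
        raise ValueError("MTU leaves no room for fragment data")
    frags, pos = [], 0
    while pos < payload_len:
        size = min(chunk, payload_len - pos)
        frags.append((pos // 8, size, pos + size < payload_len))
        pos += size
    return frags

def check_reassembly(frags, header_len: int = 20) -> int:
    """Validate a fragment set before reassembly; return the payload size."""
    expected = 0
    ordered = sorted(frags)
    for i, (offset, size, mf) in enumerate(ordered):
        start = offset * 8
        last = i == len(ordered) - 1
        if mf == last:
            raise ValueError("MF must be set on every fragment except the last")
        if mf and size % 8:
            raise ValueError("non-final fragment length is not a multiple of 8")
        if start != expected:
            raise ValueError(f"gap or overlap at byte offset {start}")
        expected = start + size
        if header_len + expected > MAX_PACKET:
            raise ValueError("reassembled datagram would exceed 65,535 bytes")
    return expected

if __name__ == "__main__":
    # Constructed case: 4,000 bytes of payload over a 1,500-byte Ethernet MTU.
    frags = fragment(4000, 1500)
    print(frags, check_reassembly(frags))
```

A fragment set that uses the maximum offset of 8191 is rejected by `check_reassembly`, because 65,528 bytes of offset plus the 20-byte header already exceed 65,535.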