
Big Picture
Network addressing is how devices on a network are identified and located so they can communicate with each other. A device has two main addresses: the Media Access Control (MAC) address, which is strictly installed in the network interface card (hardware), and the IP address, which is dynamic and used for routing across networks and the internet. Both addresses are required to transmit data from one device to the other, and how that process happens is something I used to struggle to understand. This article will hopefully shed some light on this subject and provide some insight on how these addresses are assigned and operate.
Layer 3 – Network Layer
This layer defines the individual nodes on a network and handles how packets are routed between them to reach a destination; this is called Logical Addressing or Routing. The Network Layer ensures packets are routed from source to destination across different subnets that may have incompatible addressing schemes, with data transmitted through multiple network nodes (routers) along the way. Since direct communication isn’t always possible between different subnets, packets are forwarded from router to router without reaching higher protocol layers, each time being assigned a new intermediate destination until reaching the final recipient. Here are the most common protocols at this layer:
IPv4 / IPv6: Internet Protocol versions that provide logical addressing and packet structure for identifying and routing data between devices across networks. IPv4 uses 32-bit addresses (like 192.168.1.1) while IPv6 uses 128-bit addresses (like 2001:0db8::1) to accommodate more devices.
IPsec: Internet Protocol Security provides encryption, authentication, and data integrity for IP communications by securing packets at the network layer. Used for VPNs and secure site-to-site connections.
ICMP: Internet Control Message Protocol sends error messages and operational information (like “destination unreachable”) and is used by tools like ping and traceroute. Helps diagnose network connectivity issues.
IGMP: Internet Group Management Protocol manages multicast group memberships, allowing routers to discover which hosts want to receive multicast traffic. Used for streaming video, IPTV, and group communications.
RIP: Routing Information Protocol is a distance-vector routing protocol that uses hop count as a metric to determine the best path between networks. Simple but limited to 15 hops maximum, making it suitable only for small networks.
OSPF: Open Shortest Path First is a link-state routing protocol that uses cost metrics and Dijkstra’s algorithm to calculate the fastest path through a network. More efficient and scalable than RIP, commonly used in large enterprise networks.
IP Addresses
Each host has a Media Access Control (MAC) address that describes the specific device. It also has an IPv4/IPv6 address that helps with addressing via the internet. IPv4 addresses are 32-bit binary numbers written as 4 octets (bytes of 8 bits each), each ranging from 0-255, and each network interface, such as a NIC or router, is assigned a unique IP address.
IP Address Classes: Originally divided into Classes A-E with different network/host splits:
- Class A: 1.0.0.0 – 127.255.255.255 (/8) – 16+ million IPs per network
- Class B: 128.0.0.0 – 191.255.255.255 (/16) – 65,534 IPs per network
- Class C: 192.0.0.0 – 223.255.255.255 (/24) – 254 IPs per network
- Class D: Multicast (224.0.0.0 – 239.255.255.255)
- Class E: Reserved (240.0.0.0 – 255.255.255.255)
Subnet Masks: Define which bits represent the network versus host portions. Written as either full notation (255.255.255.0) or CIDR suffix (/24), where the number indicates how many bits are set to 1.
Special Addresses:
- Network Address: First IP in subnet (identifies the network itself)
- Broadcast Address: Last IP in subnet (sends to all devices)
- Default Gateway: Usually first or last usable IP (router connecting networks)
Binary Conversion: Each octet’s 8 bits have positional values (128, 64, 32, 16, 8, 4, 2, 1). Sum the values where bits equal 1 to get the decimal number.
Example: 11000000 = 2^7 + 2^6 = 128 + 64 = 192
CIDR (Classless Inter-Domain Routing): Modern replacement for rigid class system. The suffix (like /24) indicates how many bits belong to the network portion, allowing flexible subnet sizing. 192.168.10.39/24 means the first 24 bits are network, last 8 bits are host addresses.
Subnetting
This is when you’re taking one big IP address range and splitting it into smaller networks. Think of it like dividing a building into separate departments with labeled doors.
Understanding Host Bits vs Network Bits
Every IP address has two parts:
- Network bits (locked/fixed) – identify which subnet you’re in
- Host bits (flexible) – identify individual devices within that subnet
The subnet mask tells you which is which:
- Where mask = 1 → Network bit (can’t change)
- Where mask = 0 → Host bit (can change)
Example: 192.168.12.160/26
IP Address: 192.168.12.160
Binary: 11000000.10101000.00001100.10|100000
Subnet Mask: 255.255.255.192 (/26)
Binary: 11111111.11111111.11111111.11|000000
The vertical bar (|) separates the network bits from the host bits (recall that an address is made of 32 bits total).
Network bits (26 bits): 11000000.10101000.00001100.10 ← LOCKED, can’t change.
Host bits (6 bits): 100000 ← FLEXIBLE, we can change these.
Finding Network Address: Set Host Bits to 0
Take the host portion and make all bits = 0
Original IP: 192.168.12.10|100000 (160 in decimal)
Set to 0: 192.168.12.10|000000 (128 in decimal)
Breaking down that last octet:
Original: 10100000 = 128 + 32 = 160
Network: 10000000 = 128 + 0 = 128
Network Address = 192.168.12.128 ← This is the subnet’s “name”
Finding Broadcast Address: Set Host Bits to 1
Take the host portion and make all bits = 1
Original IP: 192.168.12.10|100000 (160 in decimal)
Set to 1: 192.168.12.10|111111 (191 in decimal)
Breaking down that last octet:
Original: 10100000 = 128 + 32 = 160
Broadcast: 10111111 = 128 + 32 + 16 + 8 + 4 + 2 + 1 = 191
Broadcast Address = 192.168.12.191 ← This address is used to send to everyone in the subnet
Finding Usable Host Range
Now that we know:
- Network: 192.168.12.128 (reserved – first address)
- Broadcast: 192.168.12.191 (reserved – last address)
Everything in between is usable:
- First usable host: 192.168.12.129
- Last usable host: 192.168.12.190
- Total usable: 62 addresses
This works because setting all host bits to 0 gives you the lowest possible number, and setting all host bits to 1 gives you the highest possible number.
Dividing Into 4 Smaller Subnets
Now maybe we want to take the network address 192.168.12.128/26 and divide it into four smaller subnets.
We had 6 host bits. Now we “borrow” 2 of them for the network:
- Before /26: 26 network bits, 6 host bits
- After /28: 28 network bits, 4 host bits
/26: 11111111.11111111.11111111.11|000000 (6 host bits = 64 addresses)
/28: 11111111.11111111.11111111.1111|0000 (4 host bits = 16 addresses)
Now each subnet has only 4 host bits, which gives 2^4 = 16 addresses each.
The 4 New Subnets:
| Subnet | Binary (last octet) | Network | Broadcast | Usable Range |
| 1 | 1000 0000 to 1000 1111 | .128 | .143 | .129 – .142 |
| 2 | 1001 0000 to 1001 1111 | .144 | .159 | .145 – .158 |
| 3 | 1010 0000 to 1010 1111 | .160 | .175 | .161 – .174 |
| 4 | 1011 0000 to 1011 1111 | .176 | .191 | .177 – .190 |
The first 4 bits change (network) and the last 4 bits cycle through 0000-1111 (hosts)
Bottom line is that we’re just flipping the flexible bits (host bits) all the way down (000…) or all the way up (111…) to find the boundaries of our subnet.
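The same "set host bits to 0, set host bits to 1" procedure written as 32-bit integer operations. This is an added example, not code from the original article; the function names are hypothetical, and it generalizes the walkthrough to any prefix from /0 to /30.

```python
def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def describe(cidr):
    """Network, broadcast and usable range for 'a.b.c.d/prefix'."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 30:
        raise ValueError("this example covers /0 to /30 only")
    host_mask = (1 << (32 - prefix)) - 1   # 1s where the subnet mask is 0
    net_mask = 0xFFFFFFFF ^ host_mask      # 1s where the subnet mask is 1
    network = ip_to_int(ip) & net_mask     # host bits forced to 0
    broadcast = network | host_mask        # host bits forced to 1
    return {
        "mask": int_to_ip(net_mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable": broadcast - network - 1,
    }

def split(cidr, new_prefix):
    """Borrow host bits: list the child subnets of cidr at new_prefix."""
    old_prefix = int(cidr.split("/")[1])
    if not old_prefix < new_prefix <= 30:
        raise ValueError("new prefix must be longer than the old one, max /30")
    start = ip_to_int(describe(cidr)["network"])
    step = 1 << (32 - new_prefix)          # addresses per child subnet
    count = 1 << (new_prefix - old_prefix) # 2 borrowed bits -> 4 children
    return [f"{int_to_ip(start + i * step)}/{new_prefix}" for i in range(count)]

if __name__ == "__main__":
    print(describe("192.168.12.160/26"))
    for child in split("192.168.12.128/26", 28):
        print(child, describe(child))
```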
MAC Addressing
Recall that MAC addresses are configured by a manufacturer but can be changed (spoofed) by malicious actors. This means that they technically belong at Layer 2 (Physical layer) of the OSI model as they pertain to hardware. They are in a 48-bit format of 6 octets in hexadecimal format that represent the physical network interface card of a device on a network. Some example formats would be: DE:AD:BE:EF:13:37, DE-AD-BE-EF-13-37, DEAD.BEEF.1337.
Understanding Hexadecimal Notation
The hexadecimal system makes binary representation more readable and understandable for humans. The decimal system can show 10 states (0-9) with a single character, and the binary system can show 2 states (0 or 1). In contrast, the hexadecimal system can represent 16 states (0-F) with a single character.
The relationship between decimal, hexadecimal, and binary works as follows: decimal 1 equals hex 1 equals binary 0001. Decimal 2 equals hex 2 equals binary 0010. This pattern continues through decimal 9 equals hex 9 equals binary 1001. Then decimal 10 equals hex A equals binary 1010, decimal 11 equals hex B equals binary 1011, continuing up to decimal 15 equals hex F equals binary 1111.
To illustrate how this applies to IP addressing, consider an IPv4 address like 192.168.12.160. In the first octet, the decimal 192 converts to binary 1100 0000 and hexadecimal C0. The second octet, decimal 168, converts to binary 1010 1000 and hexadecimal A8. The third octet, decimal 12, converts to binary 0000 1100 and hexadecimal 0C. The fourth octet, decimal 160, converts to binary 1010 0000 and hexadecimal A0. The complete IPv4 address in hexadecimal would be C0A80CA0.
MAC Address Structure
First 3 bytes (24 bits) = OUI (Organizationally Unique Identifier): identifies the manufacturer and is assigned by IEEE.
Last 3 bytes (24 bits) = NIC (Network Interface Controller): assigned by the manufacturer and makes each address unique.
Standards Using MAC Addresses
There are standards for assigning MAC addresses depending on the type of NIC interface that a device has: Ethernet (IEEE 802.3), Bluetooth (IEEE 802.15), and WLAN/WiFi (IEEE 802.11).
Special MAC Address Types
In network communication there are three main types of MAC address transmission methods. Unicast is the normal mode where a packet reaches one specific host. You can identify unicast addresses because the last bit of the first octet is 0. Multicast allows a packet to be sent to multiple hosts simultaneously, and hosts decide whether to accept or deny it based on their configurations. Multicast addresses have the last bit of the first octet set to 1. Broadcast sends packets to all hosts on the local network and is represented by an address with all bits set to 1 (FF:FF:FF:FF:FF:FF), and protocols like ARP and DHCP use broadcast to discover devices or request network configuration.
Second-to-Last Bit in First Octet
The second-to-last bit in the first octet of a MAC address identifies whether it’s globally or locally administered. When this bit is 0, it’s a Global OUI (Organizationally Unique Identifier) officially assigned by IEEE to the manufacturer, but when the bit is 1, it’s a Locally Administered address that was manually configured and doesn’t come from the IEEE database. Some reserved local address ranges include 02:00:00:00:00:00, 06:00:00:00:00:00, 0A:00:00:00:00:00, and 0E:00:00:00:00:00.
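To make the two flag bits of the first octet concrete, the sketch below normalizes the three notations shown earlier and reports the OUI, the transmission type and the global/local bit. It is an added example, not code from the original article; the function names and the inventory entries are constructed for illustration.

```python
import re

def parse_mac(text):
    """Accept DE:AD:BE:EF:13:37, DE-AD-BE-EF-13-37 or DEAD.BEEF.1337 -> 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    mac = parse_mac(text)
    first = mac[0]
    if mac == b"\xff" * 6:
        cast = "broadcast"                 # all 48 bits set to 1
    elif first & 0x01:
        cast = "multicast"                 # last bit of first octet is 1
    else:
        cast = "unicast"                   # last bit of first octet is 0
    return {
        "normalized": ":".join(f"{b:02X}" for b in mac),
        "oui": mac[:3].hex().upper(),      # first 3 bytes
        "nic": mac[3:].hex().upper(),      # last 3 bytes
        "cast": cast,
        # second-to-last bit of first octet: 1 = locally administered
        "locally_administered": bool(first & 0x02),
    }

def flag_for_review(inventory):
    """Return entries whose address is locally administered or not unicast."""
    flagged = []
    for host, mac in inventory:
        info = classify(mac)
        if info["locally_administered"] or info["cast"] != "unicast":
            flagged.append((host, info["normalized"]))
    return flagged

# Constructed inventory; host names and the first address are made up.
INVENTORY = [
    ("printer", "00-1A-2B-3C-4D-5E"),
    ("laptop", "DEAD.BEEF.1337"),
    ("vm-7", "02:00:00:00:00:00"),
]

if __name__ == "__main__":
    for host, mac in flag_for_review(INVENTORY):
        print(host, mac)
```

Note that the article's sample address DE:AD:BE:EF:13:37 has the local bit set (0xDE = 1101 1110), so it is flagged: an address like that did not come from a vendor's OUI.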
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) resolves Layer 3 IP addresses to Layer 2 MAC addresses, enabling communication between devices on a LAN more efficiently than using IP addresses alone. It essentially ties the IP address to the MAC address to make sure the right device gets the right packet. ARP works in two steps: first, an ARP Request is broadcast to all devices asking “Who has IP 10.129.12.101? Tell 10.129.12.100,” and then the target device sends an ARP Reply unicast directly back saying “10.129.12.101 is at AA:AA:AA:AA:AA:AA” with both its IP and MAC address.
MAC Address Security Threats
There are several MAC address security threats you should know about. MAC spoofing involves changing a device’s MAC address to match another device to gain unauthorized network access by impersonating a legitimate device. MAC flooding attacks send thousands of packets with different MAC addresses to overflow a switch’s MAC address table, causing it to stop functioning correctly. MAC address filtering bypass exploits networks that only allow specific MAC addresses by spoofing an approved MAC to gain access. ARP spoofing (also called ARP poisoning) sends falsified ARP messages to associate the attacker’s MAC address with a victim’s IP address, allowing the attacker to intercept traffic in a Man-in-the-Middle attack. For example, an attacker might send a message that “10.129.12.255 (gateway) is at CC:CC:CC:CC:CC:CC” so the victim believes the attacker is the gateway and sends all traffic through them, and tools like Ettercap and Cain & Abel can automate this.
Because of these vulnerabilities, you should never rely on MAC addresses alone for security. Instead, implement network segmentation, strong authentication protocols, firewalls, Intrusion Detection Systems (IDS), secure protocols like IPsec and SSL/TLS, and ARP spoofing detection tools to properly protect your network.
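What an ARP spoofing detection tool checks can be shown over a few ARP replies: it remembers each IP-to-MAC binding and alerts when a later reply contradicts it. This is an added example, not code from the original article; the log lines are constructed in the article's "is at" wording, and the BB:... gateway MAC and the 10.129.12.66 host are made-up values.

```python
import re

REPLY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}) is at ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def detect(lines, pinned=None):
    """Return one alert per ARP reply that contradicts known bindings.

    pinned: optional {ip: mac} of bindings known to be correct
    (for example the default gateway).
    """
    pinned = {ip: mac.upper() for ip, mac in (pinned or {}).items()}
    learned = {}   # ip  -> first MAC seen answering for it
    claimed = {}   # mac -> set of IPs it has answered for
    alerts = []
    for number, line in enumerate(lines, 1):
        match = REPLY.search(line)
        if not match:
            continue
        ip, mac = match.group(1), match.group(2).upper()
        reasons = []
        if ip in pinned and pinned[ip] != mac:
            reasons.append("contradicts pinned binding")
        if ip in learned and learned[ip] != mac:
            reasons.append("binding changed")
        claimed.setdefault(mac, set()).add(ip)
        if len(claimed[mac]) > 1:
            reasons.append("one MAC answers for several IPs")
        learned.setdefault(ip, mac)   # keep the first binding as baseline
        if reasons:
            alerts.append({"line": number, "ip": ip, "mac": mac,
                           "reasons": reasons})
    return alerts

# Constructed sample: line 4 is the falsified gateway reply from the text.
SAMPLE_LOG = [
    "10.129.12.255 is at BB:BB:BB:BB:BB:BB",
    "10.129.12.101 is at AA:AA:AA:AA:AA:AA",
    "10.129.12.66 is at CC:CC:CC:CC:CC:CC",
    "10.129.12.255 is at CC:CC:CC:CC:CC:CC",
    "10.129.12.101 is at aa:aa:aa:aa:aa:aa",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A changed binding is a lead rather than a verdict, since DHCP reassignment or a replaced NIC produces the same signal; pinning the gateway's binding removes that ambiguity for the address that matters most.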
IPv6
IPv6 represents the next evolution in internet protocol addressing, serving as the successor to IPv4. While IPv4 addresses are 32 bits long, IPv6 addresses extend to 128 bits. The prefix in an IPv6 address identifies both the host and network portions of the address. The Internet Assigned Numbers Authority (IANA) maintains responsibility for assigning both IPv4 and IPv6 addresses along with their associated network portions.
In the long term, IPv6 is expected to completely replace IPv4, which still dominates internet traffic today. However, both protocols can coexist simultaneously through a configuration known as Dual Stack, allowing networks to support both addressing schemes during the transition period.
The End-to-End Principle
IPv6 consistently follows the end-to-end principle, providing publicly accessible IP addresses for any end device without requiring Network Address Translation (NAT). This architectural decision means that a single interface can have multiple IPv6 addresses, and special IPv6 addresses exist to which multiple interfaces can be assigned.
Key Advantages Over IPv4
The protocol offers a larger address space, enabling address self-configuration through SLAAC (Stateless Address Autoconfiguration). Each interface can support multiple IPv6 addresses, and routing becomes faster overall. End-to-end encryption through IPsec is built into the protocol, and data packets can reach sizes up to 4 gigabytes.
IPv6 Address Types
IPv6 defines three distinct types of addresses, each serving different communication needs. Unicast addresses are assigned to a single interface. Anycast addresses can be assigned to multiple interfaces, but only one of them receives the packet. Multicast addresses are assigned to multiple interfaces, and all of them receive the same packet.
An important distinction from IPv4 is that IPv6 eliminates the broadcast address entirely. Instead, IPv6 relies on multicast addresses to support discovery and communication with multiple nodes.
IPv6 Address Structure
An IPv6 address totals 16 bytes in length. Due to this extended length, IPv6 addresses are represented in hexadecimal notation. The 128 bits are divided into 8 blocks, with each block containing 16 bits or 4 hexadecimal numbers. All four hex numbers in each block are grouped together and separated by colons (:) instead of the dots (.) used in IPv4.
To simplify notation, leading zeros within blocks can be omitted, and consecutive blocks of at least 4 zeros can be replaced with two colons (::). For example, the full IPv6 address fe80:0000:0000:0000:dd80:b1a9:6687:2d3b/64 can be shortened to fe80::dd80:b1a9:6687:2d3b/64.
Network Prefix and Interface Identifier
Every IPv6 address consists of two fundamental parts: the Network Prefix (network part) and the Interface Identifier, also called the Suffix (host part).
The Network Prefix identifies the network, subnet, or address range. The Interface Identifier is formed from the 48-bit MAC address of the interface and is converted to a 64-bit address in the process. The default prefix length is /64, though other typical prefixes include /32, /48, and /56. When organizations request their own networks from providers, they typically receive a shorter prefix (such as /56) rather than /64.
Additional IPv6 Address Example with Breakdown
Consider the IPv6 address 2001:0db8:85a3:0000:0000:8a2e:0370:7334/64, which can be shortened to 2001:db8:85a3::8a2e:370:7334/64.
Network Prefix: The network prefix consists of the first 64 bits: 2001:0db8:85a3:0000 (or 2001:db8:85a3:0 in shortened form). This portion identifies the specific network and subnet to which the address belongs. The /64 notation indicates that the first 64 bits represent the network portion of the address.
Interface Identifier: The interface identifier consists of the remaining 64 bits: 0000:0000:8a2e:0370:7334 (or ::8a2e:370:7334 in shortened form). This portion uniquely identifies the specific host or interface within that network. The interface identifier is typically derived from the device’s MAC address through a process called EUI-64, though it can also be randomly generated or manually configured.
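The EUI-64 conversion mentioned above, and its reverse, fit in a few lines. This is an added example, not code from the original article: function names are hypothetical, the MAC 00:1a:2b:3c:4d:5e is a constructed value, and the reverse check is a heuristic (a random identifier can contain ff:fe by chance).

```python
import ipaddress

def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface identifier (8 bytes)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the global/local bit of the first octet, then insert ff:fe
    # between the OUI half and the NIC half.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix, mac):
    """Combine a /64 network prefix with the EUI-64 identifier of mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def mac_from_address(address):
    """Return the MAC embedded in an EUI-64 style address, else None."""
    iid = ipaddress.IPv6Address(address).packed[8:]   # last 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None                                   # not EUI-64 shaped
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

if __name__ == "__main__":
    addr = slaac_address("2001:db8:85a3::/64", "00:1a:2b:3c:4d:5e")
    print(addr)                          # str() output follows RFC 5952 style
    print(mac_from_address(str(addr)))   # the hardware address is recoverable
    # The two sample addresses from the article are not EUI-64 derived:
    print(mac_from_address("fe80::dd80:b1a9:6687:2d3b"))
    print(mac_from_address("2001:db8:85a3::8a2e:370:7334"))
```

The reverse function shows why randomly generated identifiers exist: an EUI-64 address carries the device's hardware address wherever it goes, which lets an observer link the same device across networks.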
IPv6 Notation Standards
RFC 5952 established the official standards for IPv6 address notation to ensure consistency. All alphabetical characters must always be written in lowercase. All leading zeros within a block are always omitted. One or more consecutive blocks of 4 zeros (hex) can be shortened to two colons (::). However, this shortening to two colons (::) may only be performed once, starting from the left.
