User Tools

Site Tools


Internet Protocol IPv4

Internet Protocol (IP) provides support at the network layer of the OSI model. IP provides for:

  • Addressing
  • Type of service specification
  • Fragmentation and re-assembly
  • Security

All transport protocol data packets such as UDP or TCP packets are encapsulated in IP data packets to be carried from one host to another. IP is a connection-less unreliable service, meaning there is no guarantee that the data will reach the intended host. The datagrams may be damaged upon arrival, out of order, or not arrive at all. IP is defined by rfc791. Therefore the layers above IP such as TCP are responsible for being sure correct data is delivered.

IPv4 still routes most Internet traffic today, despite the ongoing deployment of a successor protocol, IPv6.

Version 4 bits The IP protocol version, currently 4 or 6.
Header length 4 bits The number of 32 bit words in the header.
Type of service (TOS)8 bits Only 4 bits are used which are minimize delay, maximize throughput, maximize reliability, and minimize monetary cost. Only one of these bits can be on. If all bits are off, the service is normal. Some networks allow a set precedences to control priority of messages.
Bits 0-2Precedence.
Bit 3A value of 0 means normal delay. A value of 1 means low delay.
Bit 4Sets throughput. A value of 0 means normal and a 1 means high throughput.
Bit 5A value of 0 means normal reliability and a 1 means high reliability.
Bits 6-7Reserved for future use.
Total length 16 bitsTotal length of the IP data message in bytes.
Identification 16 bitsUniquely identifies each datagram. This is used to re-assemble the datagram. Each fragment of the datagram contains this same unique number
Flags 3 bitsOne bit is the more fragments bit.
Bit 0Reserved
Bit 1The fragment bit. A value of 0 means the packet may be fragmented while a 1 means it cannot be fragmented. If this value is set and the packet needs further fragmentation, an ICMP error message is generated.
Bit 2One bit is the more fragments bit
Fragment offset 13 bitsThe offset in 8 byte units of this fragment from the beginning of the original datagram.
Time to live (TTL) 8 bits Limits the number of routers the datagram can pass through. Usually set to 32 or 64. Every time the datagram passes through a router this value is decremented by a value of one or more. This is to keep the datagram from circulating in an {!infinite loop:One that never terminates (that is, the machine spins or buzzes forever and goes catatonic). There is a standard joke that has been made about each generation's exemplar of the ultra-fast machine: “The Cray-3 is so fast it can execute an infinite loop in under 2 seconds!”}} forever.
Protocol 8 bitsIdentifies which protocol is encapsulated in the next data area. This is may be one or more of TCP(6), UDP(17), ICMP(1), IGMP(2), or OSPF(89). A list of these protocols and their associated numbers may be found in the /etc/protocols file on Unix or Linux systems.
Header checksum 16 bitsFor the IP header, not including the options and data.
Source IP address 32 bitsThe IP address of the card sending the data.
Destination IP address 32 bitsThe IP address of the network card the data is intended for.
Options Security and handling restrictions; Record route - Each router records its IP address; Time stamp - Each router records its IP address and time; Loose source routing - Specifies a set of IP addresses the datagram must go through; Strict source routing - The datagram can go through only the IP addresses specified.
Data Encapsulated hardware data such as ethernet data.

The message order of bits transmitted is 0-7, then 8-15, in network byte order. Fragmentation is handled at the IP network layer and the messages are reassembled when they reach their final destination. If one fragment of a datagram is lost, the entire datagram must be retransmitted. This is why fragmentation is avoided by TCP. The data on the last line is ethernet data, or data depending on the type of physical network.

Type of service specification

rfc791 defined a field within the IP header called the Type Of Service (TOS) byte. This field is used to specify the quality of service desired for the datagram and is a mix of factors. These factors include fields such as Precedence, Speed, Throughput and Reliability. In normal conversations you would not use any such special alternatives, so the Type of Service byte typically would be set to zero. With the advent of multimedia transmission and emergence of protocols such as Session Initiation Protocol (SIP), this field is coming into use.

The IP Type of Service Byte:

Bits 0-2Precedence
Bit 3Delay (0 = Normal Delay, 1 = Low Delay)
Bit 4Throughput (0 = Normal Throughput, 1 = High Throughput)
Bit 5Reliability (0 = Normal Reliability, 1 = High Reliability)
Bits 6-7Reserved for future use

The three bit Precedence field is defined as follows:

Precedence bitsDefinition
111Network Control
110Internetwork Control
100Flash Override

Session Initiation Protocol (SIP)

This protocol is an application-layer control protocol used for creating, modifying and terminating sessions with one or more participants. Some examples of such activities include Internet multimedia conferences, Internet telephone calls and multimedia distribution. SIP is intended to support communications using Multicast, a mesh of Unicast relations, or a combination of both.

Fragmentation and reassembly

There are a number of deferring network transmission architectures, with each having a physical limit of the number of data bytes that may be contained within a given frame. This physical limit is described in numerous specifications and is referred to as the Maximum Transmission Unit (MTU) of the network. As a block of data is prepared for transmission, the sending or forwarding device examines the MTU for the network the data is to be sent or forwarded across. If the size of the block of data is less then the MTU for that network, the data is transmitted in accordance with the rules for that particular network.

There are two situations in which MTU becomes important:

  • The size of the block of data being transmitted is greater than the MTU.
  • Data must traverse across multiple network architectures, each with a different MTU.

IPv4 Fragmentation Fields

The three fields concerned with IP Fragmentation are:

Field NameFunctionOffset LocationAlias
Identification16-bit field containing a unique number used to identify the frame and any associated fragments for reassembly. 18-19 Identification Field
Flags3-bit field containing the flags that specify the function of the frame in terms of whether fragmentation has been employed, additional fragments are coming, or this is the final fragment. 20 Fragmentation Flags
Fragmentation Offset13-bit field indicating the position of a particular fragment's data in relation to the first byte of data (offset 0). 20-21 Fragment Offset


With increasing interconnection and complexity of networks, fragments from multiple blocks of data might travel along different paths to the destination, possibly arriving out of sequence in relation to one another. That is, a fragment from block number one might arrive intermixed with the data stream for block number 2 or vice versa. The function of the Fragment Offset Field is to identify the relative position of each fragment, and it is the Identification Field that serves to allow the receiving device to sort out which fragments comprise what block of data. Each fragment from a particular data stream will have the same Identification Field, uniquely identifying which block it belongs to. If one or more fragments are lost, the buffer of the device performing the reassembly process will time out and discard all of the fragments. In the event of such a time out, the data will then have to be retransmitted by the sending device.


Bit IndicatorDefinition
x0xMay fragment
x1xDo not fragment
xx0Last fragment
xx1More fragments

When a receiving station processes each frame, one of the operations it performs is to review the Flags field. Depending on the value indicated by this field, several possible actions are then initiated, including:

  • xx1 More Fragments - Indicates that there are additional IP Fragments that comprise the data associated with that specific Identification Field. The receiving device will allocate buffer resources for reassembly and pass all frames containing that unique Identification Field to the buffer.
  • xx0 Last Fragment - Indicates that this fragment is the final frame for the data block identified by the Identification Field. The receiving device will now attempt to reassemble the fragments in the order specified by the Fragment Offset field.

Fragment Offset

Because it is possible that the fragments that comprise a block of data might travel along different paths to the destination, it is possible they might arrive out of sequence. While the Identification Field serves to mark which IP fragments belong to which block of data, it is the Fragment Offset Field, sometimes referred to as the Fragmentation Offset Field, that tells the receiving device which order to reassemble them in.

During the IP Fragmentation Reassembly process, if a particular fragment is found to be missing, as indicated by the Fragmentation Offset Count, the buffer will enter a wait state until either the missing piece(s) are received or a time out occurs. In the event of such a time out, the buffer simply discards the fragments.

IP Fragmentation

  1. The device attempting to transmit the block of data will first examine the Flag field to see if the field is set to the value of x0x or x1x. If the value is equal to x1x this indicates that the data may not be fragmented, forcing the transmitting device to discard that data. Depending on the specific configuration of the device, an Internet Control Message Protocol (ICMP) Destination Unreachable → Fragmentation required and Do Not Fragment Bit Set message may be generated.
  2. Assuming the Flag Field is set to x0x, the device computes the number of fragments required to transmit the amount of data in by dividing the amount of data by the MTU. This will result in X number of frames with all but the final frame being equal to the MTU for that network.
  3. It will then create the required number of IP packets and copies the IP header into each of these packets so that each packet will have the same identifying information, including the Identification Field.
  4. The Flag Field in the first packet, and all subsequent packets except the final packet, will be set to More Fragments. The Flag Field of the final packets will be set to Last Fragment.
  5. The Fragment Offset Field will be set for each packet to record the relative position of the data contained within that packet.
  6. The packets will then be transmitted according to the rules for that network architecture.

IP Fragment Reassembly

  1. The device receiving the data detects the Flag Field set to More Fragments.
  2. It will then examine all incoming packets for the same Identification Field contained in the packet.
  3. It will store all of these identified fragments in a buffer in the sequence specified by the Fragment Offset Field.
  4. Once the final fragment, as indicated by the Flag Field, is set to Last Fragment, the device will attempt to reassemble that data in offset order.
  5. If reassembly is successful, the packet is then sent to the ULP in accordance with the rules for that device.
  6. If reassembly is unsuccessful, perhaps due to one or more lost fragments, the device will eventually time out and all of the fragments will be discarded.
  7. The transmitting device will than have to attempt to retransmit the data in accordance with its own procedures.

Across networks

Imagine a block of data originating on a 16Mb Token Ring network (MTU = 17914B) that is connected to another 16Mb Token Ring network (MTU = 17914B) via an Ethernet network (MTU = 1500B). The data block met the MTU restriction for a 16Mb Token Ring Network, but the Router connecting the Token Ring to the Ethernet Network is faced with having to forward this large block onto a network with a smaller MTU. It will simply follow the rules for IP Fragmentation as if was transmitting the frame itself except that the Identification Field will be that of the original frame.

Once the data reaches the router on the other end of the Ethernet network, it will perform reassembly of the fragments exactly as previously described and pass the reassembled block of data onto the network with the new MTU.


IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (Time to Live, checksum), traffic prioritization (Type of Service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, Fragment Offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames.

IP fragmentation exploits

IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.

Denial of Service (DoS)

The IPv4 Fragmentation and Reassembly can be used to trigger a Denial of Service Attack (DOS). The receiving device will attempt reassembly following receipt of a frame containing a Flag field set to xx1, indicating more fragments are to follow. Receipt of such a frame causes the receiving device to allocate buffer resources for reassembly. If a device is flooded with separate frames, each with the Flag field set to xx1, but each has the Identification Field set to a different value, the device would attempt to allocate resources to each separate fragment in preparation for reassembly and would quickly exhaust its available resources while waiting for buffer time-outs to occur. To defend against such DOS attempts, many network security features include specific rules implemented at the Firewall that change the time-out value for how long they will hold incoming fragments before discarding them.

en/hacking/network/protocols/ipv4.txt · Last modified: 2020/07/09 19:58 by Digital Dot