IP: Datagram Forwarding, Subnetting, ARP, and DHCP
IP provides connectionless, best-effort packet delivery. Routers forward packets based on destination IP and longest-prefix match in their forwarding tables. Subnetting divides network addresses using a mask. ARP resolves IP to MAC address on the local link. DHCP automates IP assignment via a 4-step DORA exchange.
IP header key fields
0       4       8              16                            32
┌───────┬───────┬───────────────┬───────────────────────────────┐
│  Ver  │ HLEN  │      TOS      │         Total Length          │
├───────┴───────┴───────────────┼──────┬────────────────────────┤
│        Identification         │Flags │    Fragment Offset     │
├───────────────┬───────────────┼──────┴────────────────────────┤
│      TTL      │   Protocol    │        Header Checksum        │
├───────────────┴───────────────┴───────────────────────────────┤
│                        Source Address                         │
├───────────────────────────────────────────────────────────────┤
│                      Destination Address                      │
└───────────────────────────────────────────────────────────────┘
| Field | Size | Purpose |
|---|---|---|
| Version | 4 bits | IPv4 = 4, IPv6 = 6 |
| HLEN | 4 bits | Header length in 32-bit words (min 5 = 20 bytes) |
| TTL | 8 bits | Decremented at each hop; packet dropped at 0 |
| Protocol | 8 bits | TCP=6, UDP=17, ICMP=1 |
| Source/Dest | 32 bits each | IPv4 addresses |
| DF flag | 1 bit | Don't Fragment; if set, router drops oversized packet and sends ICMP Fragmentation Needed |
Datagram forwarding
Every packet contains a destination IP. Routers forward based on longest-prefix match:
Forwarding table (with CIDR):
┌─────────────────┬─────────────┐
│ Prefix          │ Next Hop    │
├─────────────────┼─────────────┤
│ 192.168.1.0/24  │ Interface 0 │
│ 192.168.2.0/24  │ Interface 1 │
│ 10.0.0.0/8      │ Router R2   │
│ 0.0.0.0/0       │ Default GW  │
└─────────────────┴─────────────┘
Packet to 192.168.1.50:
AND with /24 mask → 192.168.1.0 → match Interface 0 ✓
Packet to 10.5.5.5:
AND with /8 mask → 10.0.0.0 → match Router R2 ✓
Packet to 8.8.8.8:
No specific match → default 0.0.0.0/0 → Default GW ✓
Subnetting
A network number originally identified exactly one physical network. Subnetting lets one network number span multiple physical networks using a subnet mask:
Network: 128.96.34.0/25 (subnet mask 255.255.255.128)
Host portion = last 7 bits → 128 addresses per subnet
Subnet 1: 128.96.34.0 - 128.96.34.127 (mask 255.255.255.128)
Subnet 2: 128.96.34.128 - 128.96.34.255 (mask 255.255.255.128)
Forwarding table with subnets:
┌─────────────────┬─────────────────┬─────────────┐
│ SubnetNumber    │ SubnetMask      │ Next Hop    │
├─────────────────┼─────────────────┼─────────────┤
│ 128.96.34.0     │ 255.255.255.128 │ Interface 0 │
│ 128.96.34.128   │ 255.255.255.128 │ Interface 1 │
│ 128.96.33.0     │ 255.255.255.0   │ Router R2   │
└─────────────────┴─────────────────┴─────────────┘
Router logic: destination AND SubnetMask == SubnetNumber → use that entry. Apply all masks and use the most specific (longest) match.
CIDR aggregates routes — a /20 prefix covers 16 /24 networks, replacing 16 routing table entries with one.
Without CIDR, every class C network (256 addresses) needed a separate routing table entry. The internet's routing tables would grow proportionally with the number of allocated networks. CIDR allows arbitrary prefix lengths and route aggregation: an ISP with 192.4.16.0/20 can advertise one prefix covering 192.4.16.0 through 192.4.31.255 — 16 class C networks in one entry. This kept internet routing tables manageable as IPv4 allocation grew.
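The forwarding logic from the two tables above (CIDR prefixes and SubnetNumber/SubnetMask pairs are the same test written two ways) and the /20-covers-16-/24s aggregation, as an added Python example that is not part of the original page. It uses the standard-library ipaddress module; the tables are the ones shown in the text, re-entered here as constructed data.

```python
import ipaddress

# Constructed tables mirroring the two forwarding tables in the text:
# CIDR form (prefix, next hop) ...
FORWARDING_TABLE = [
    ("192.168.1.0/24", "Interface 0"),
    ("192.168.2.0/24", "Interface 1"),
    ("10.0.0.0/8", "Router R2"),
    ("0.0.0.0/0", "Default GW"),
]
# ... and SubnetNumber/SubnetMask form (number, dotted mask, next hop).
SUBNET_TABLE = [
    ("128.96.34.0", "255.255.255.128", "Interface 0"),
    ("128.96.34.128", "255.255.255.128", "Interface 1"),
    ("128.96.33.0", "255.255.255.0", "Router R2"),
]


def parse_table(entries):
    """Normalise either table style into (IPv4Network, next_hop) pairs.
    ipaddress accepts 'number/dotted-mask' as well as 'number/prefixlen';
    strict=True rejects an entry whose host bits are not all zero."""
    routes = []
    for entry in entries:
        if len(entry) == 2:
            prefix, hop = entry
        else:
            number, mask, hop = entry
            prefix = f"{number}/{mask}"
        routes.append((ipaddress.ip_network(prefix, strict=True), hop))
    return routes


def lookup(routes, dst):
    """Longest-prefix match. For every entry: (dst AND SubnetMask) == SubnetNumber?
    Among the entries that match, the longest prefix wins, so 0.0.0.0/0 only
    ever wins when nothing more specific does."""
    addr = int(ipaddress.ip_address(dst))
    best = None
    for net, hop in routes:
        if (addr & int(net.netmask)) == int(net.network_address):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop)
    return best  # None: no entry matched (table has no default route)


def aggregate(prefixes):
    """Route aggregation: collapse a list of prefixes into the fewest covering
    prefixes, e.g. sixteen consecutive /24s into one /20."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    cidr = parse_table(FORWARDING_TABLE)
    for dst in ("192.168.1.50", "10.5.5.5", "8.8.8.8"):
        net, hop = lookup(cidr, dst)
        print(f"{dst:>13} -> {net} -> {hop}")
    subnets = parse_table(SUBNET_TABLE)
    print("128.96.34.139 ->", lookup(subnets, "128.96.34.139"))
    print(aggregate([f"192.4.{third}.0/24" for third in range(16, 32)]))
```

The AND-and-compare in lookup is exactly the router logic described above; `addr in net` would perform the same test, but spelling it out shows why a /8 and a /24 can both match and why the prefix length decides.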
Prerequisites
- Binary arithmetic
- IPv4 addressing
- Routing tables
Key Points
- /N means the top N bits are the network part. /24 = 256 addresses, /16 = 65536 addresses.
- Longest prefix match: more specific routes take precedence. 10.1.2.0/24 beats 10.0.0.0/8 for 10.1.2.5.
- Private ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — not routed on the public internet.
- Default route 0.0.0.0/0 matches everything and is used as the gateway of last resort.
ARP: resolving IP to MAC
IP knows where to send a packet (destination IP) but the local link needs a MAC address to deliver a frame. ARP broadcasts a query on the local network:
ARP request (broadcast):
"Who has 192.168.1.10? Tell 192.168.1.5"
ARP reply (unicast):
"192.168.1.10 is at aa:bb:cc:dd:ee:ff"
The querier caches the IP→MAC mapping. The ARP cache has a TTL (typically 20 minutes on Linux). Stale entries are evicted; hosts that change IP or NIC will get re-queried.
ARP only works within a subnet — routers don't forward ARP broadcasts. When sending to a different subnet, the host ARPs for its default gateway's MAC, which then routes the packet.
DHCP: automatic IP assignment
DHCP assigns IP addresses dynamically using a 4-step DORA exchange:
Client                                    DHCP Server
  │                                            │
  │──── DISCOVER (broadcast) ─────────────────▶│  "Any DHCP servers?"
  │                                            │
  │◀─── OFFER (broadcast/unicast) ─────────────│  "Here's 192.168.1.50, lease 24h"
  │                                            │
  │──── REQUEST (broadcast) ──────────────────▶│  "I accept 192.168.1.50"
  │                                            │
  │◀─── ACK (broadcast/unicast) ───────────────│  "Confirmed, lease until [time]"
The initial DISCOVER is sent to 255.255.255.255 (broadcast) because the client has no IP yet. The server's OFFER includes: assigned IP, subnet mask, lease duration, default gateway, and DNS servers. The client broadcasts the REQUEST (not unicasts) so other DHCP servers on the segment know which offer was accepted.
After lease expiry (or at 50% of lease time), the client unicasts a RENEW request to the same server. At 87.5% of lease time without renewal, it broadcasts a REBIND to any available server.
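What the OFFER from the exchange above carries on the wire, and the 50% / 87.5% lease timers, as an added Python example that is not part of the original page. The message layout (236-byte BOOTP header, magic cookie, TLV options) follows RFC 2131/2132; the sample OFFER is constructed here, with 192.0.2.53 as a made-up second DNS server and the transaction id chosen arbitrarily.

```python
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header
MAGIC = b"\x63\x82\x53\x63"                  # marks the start of the options area
BOOTREPLY = 2
FLAG_BROADCAST = 0x8000                      # client asks the server to broadcast its reply
# RFC 2132 option codes used here
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_SERVERID, OPT_END = 1, 3, 6, 51, 53, 54, 255
MSG_OFFER = 2


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, yiaddr, chaddr, mask, router, dns, lease, server, broadcast):
    """Serialise a DHCPOFFER (constructed sample; a real server fills in more)."""
    header = struct.pack(BOOTP_FMT, BOOTREPLY, 1, 6, 0, xid, 0,
                         FLAG_BROADCAST if broadcast else 0,
                         b"\0" * 4, _packed(yiaddr), _packed(server), b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSGTYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SUBNET, 4]) + _packed(mask)
    opts += bytes([OPT_ROUTER, 4]) + _packed(router)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(_packed(d) for d in dns)
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_SERVERID, 4]) + _packed(server)
    return header + MAGIC + opts + bytes([OPT_END])


def parse_options(data):
    """Walk the TLV option area: code, length, value. 0 is a pad byte, 255 ends."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_offer(pkt, expected_xid):
    """Decode a DHCPOFFER the way a client would, checking the transaction id
    so a reply to someone else's DISCOVER is not accepted."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    op, xid, flags, yiaddr = fields[0], fields[4], fields[6], fields[8]
    if op != BOOTREPLY or xid != expected_xid:
        raise ValueError("not a reply to our DISCOVER")
    opts = parse_options(pkt[240:])
    if opts.get(OPT_MSGTYPE) != bytes([MSG_OFFER]):
        raise ValueError("not a DHCPOFFER")
    dns = opts.get(OPT_DNS, b"")
    return {
        "ip": str(ipaddress.IPv4Address(yiaddr)),
        "mask": str(ipaddress.IPv4Address(opts[OPT_SUBNET])),
        "gateway": str(ipaddress.IPv4Address(opts[OPT_ROUTER])),
        "dns": [str(ipaddress.IPv4Address(dns[i:i + 4])) for i in range(0, len(dns), 4)],
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0],
        "server": str(ipaddress.IPv4Address(opts[OPT_SERVERID])),
        "sent_as_broadcast": bool(flags & FLAG_BROADCAST),
    }


def lease_timers(lease):
    """T1 (unicast RENEW to the same server) at 50% of the lease and
    T2 (broadcast REBIND to any server) at 87.5%, in seconds."""
    return lease // 2, lease * 7 // 8


# Constructed sample: the OFFER from the exchange above (24h lease on 192.168.1.50).
SAMPLE_XID = 0x3903F326
SAMPLE_OFFER = build_offer(SAMPLE_XID, "192.168.1.50", bytes.fromhex("001122334455"),
                           "255.255.255.0", "192.168.1.1", ["192.168.1.1", "192.0.2.53"],
                           24 * 3600, "192.168.1.1", broadcast=True)

if __name__ == "__main__":
    offer = parse_offer(SAMPLE_OFFER, SAMPLE_XID)
    print(offer)
    print("renew at %ds, rebind at %ds" % lease_timers(offer["lease"]))
```

The broadcast flag in the header is what decides the "broadcast/unicast" choice in the diagram: a client that cannot yet receive unicast sets it, and the server then broadcasts the OFFER and ACK.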
ARP cache poisoning and why ARP is unauthenticated
ARP has no authentication — any host can broadcast a gratuitous ARP claiming any IP:MAC mapping. A malicious host sends unsolicited ARP replies claiming "10.0.0.1 is at my MAC" and all hosts on the segment update their caches. Traffic intended for the gateway now goes to the attacker (ARP poisoning / ARP spoofing).
Defenses:
- Dynamic ARP Inspection (DAI): Switch validates ARP packets against a DHCP snooping binding table (IP-MAC-port mappings from observed DHCP exchanges). Packets with mismatched IPs are dropped.
- Static ARP entries: Pin critical hosts (gateways, DNS servers) with arp -s. Won't be overwritten by gratuitous ARPs.
- IPv6 uses NDP (Neighbor Discovery Protocol) instead of ARP, with SEND (Secure Neighbor Discovery) using cryptographic signatures for validation.
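An ARP decoder plus the two defensive checks described above (DAI-style validation against a binding table, and static entries that later replies cannot overwrite), with the on-subnet/off-subnet decision from the ARP section, as an added Python example that is not part of the original page. The binding table and the three sample replies are constructed here; the MAC addresses and 10.0.0.x hosts are made up.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Ethernet/IPv4 ARP payload (28 bytes): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an ARP payload; used here only to construct the sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       ipaddress.IPv4Address(sender_ip).packed,
                       bytes.fromhex(target_mac.replace(":", "")),
                       ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(oper, _mac(sha), str(ipaddress.IPv4Address(spa)),
                     _mac(tha), str(ipaddress.IPv4Address(tpa)))


class ArpMonitor:
    """A passive ARP cache with the two defenses from the text:
    - DAI-style validation: a reply whose sender IP is bound (via DHCP snooping)
      to a different MAC is dropped and logged;
    - static (arp -s style) entries that a later reply never overwrites.
    Any other change of an already-cached mapping is logged as suspicious."""

    def __init__(self, bindings, static=None):
        self.bindings = dict(bindings)     # ip -> mac learned from DHCP exchanges
        self.static = dict(static or {})   # ip -> mac pinned by the operator
        self.cache = dict(self.static)     # ip -> mac currently believed
        self.alerts = []

    def observe(self, payload):
        """Feed one ARP payload; returns True if the cache accepted it."""
        pkt = parse_arp(payload)
        bound = self.bindings.get(pkt.sender_ip)
        if bound is not None and bound != pkt.sender_mac:
            self.alerts.append(f"DROP {pkt.sender_ip} claimed by {pkt.sender_mac}, binding table says {bound}")
            return False
        if pkt.sender_ip in self.static:
            if self.static[pkt.sender_ip] != pkt.sender_mac:
                self.alerts.append(f"IGNORE {pkt.sender_ip} is static ({self.static[pkt.sender_ip]})")
                return False
            return True
        old = self.cache.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append(f"CHANGE {pkt.sender_ip} moved {old} -> {pkt.sender_mac}")
        self.cache[pkt.sender_ip] = pkt.sender_mac
        return True


def arp_target(host_ip, prefixlen, gateway, dst):
    """Which address a host ARPs for: the destination itself if it is on the
    local subnet, otherwise the default gateway."""
    local = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    return dst if ipaddress.ip_address(dst) in local else gateway


# Constructed sample data: bindings seen via DHCP and three replies heard on the segment.
SAMPLE_BINDINGS = {"10.0.0.1": "00:11:22:33:44:55", "10.0.0.7": "66:77:88:99:aa:bb"}
SAMPLE_REPLIES = [
    build_arp(ARP_REPLY, "00:11:22:33:44:55", "10.0.0.1", "66:77:88:99:aa:bb", "10.0.0.7"),  # genuine gateway
    build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.7"),  # conflicting claim for the gateway IP
    build_arp(ARP_REPLY, "00:aa:00:aa:00:aa", "10.0.0.9", "66:77:88:99:aa:bb", "10.0.0.7"),  # host not in the binding table
]

if __name__ == "__main__":
    mon = ArpMonitor(SAMPLE_BINDINGS)
    for reply in SAMPLE_REPLIES:
        print(parse_arp(reply), "accepted" if mon.observe(reply) else "dropped")
    print(mon.alerts)
    print("off-subnet ARP target:", arp_target("192.168.1.5", 24, "192.168.1.1", "192.168.2.10"))
```

The monitor is deliberately conservative about hosts absent from the binding table: it caches them but logs any later change, which is the signal an operator wants from a segment where DHCP snooping does not cover every port.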
A host with IP 192.168.1.5 wants to send a packet to 192.168.2.10. The host's subnet mask is /24. What does the host ARP for?
Difficulty: medium
192.168.1.5/24 is on the 192.168.1.0/24 subnet. 192.168.2.10 is on a different subnet. The host has a default gateway of 192.168.1.1.
A. 192.168.2.10 — ARP for the destination IP directly
Incorrect. ARP only works within the local subnet — broadcasts don't cross routers. 192.168.2.10 is on a different /24 subnet and won't receive the ARP broadcast.
B. 192.168.1.1 (the default gateway) — the host ARPs for the gateway's MAC, then sends the packet to the gateway for routing
Correct! The host compares the destination (192.168.2.10) with its own subnet (192.168.1.0/24) and determines the destination is off-subnet. Off-subnet packets must go through the default gateway. The host ARPs for the gateway's MAC address (192.168.1.1), builds an Ethernet frame with the gateway's MAC as destination, but the IP packet inside has destination 192.168.2.10. The gateway receives the frame, looks at the IP destination, and routes the packet toward 192.168.2.10 on the correct interface.
C. 255.255.255.255 — broadcast ARP to find any host that knows the route
Incorrect. ARP queries are broadcast to find a specific IP's MAC address. Broadcast address 255.255.255.255 is used by DHCP for different purposes. ARP broadcasts are to all hosts on the local segment, not to a specific broadcast address.
D. Neither — the host sends the packet directly using the destination IP without ARP
Incorrect. IP packets must be encapsulated in link-layer frames to be transmitted. The frame requires a destination MAC address. ARP is how the host finds the MAC for the next hop.
Hint: When a destination is off-subnet, where does the packet go first? What MAC address does the host need to build the Ethernet frame?