Overview
If Ethernet frames are the local delivery mechanism — the equivalent of a courier navigating within a single building — then IP addresses are the global postal system. An Ethernet MAC address gets a frame from one port to another on the same network segment. An IP address gets a packet across the entire planet, through any number of intermediate routers, to a specific destination that may be thousands of miles away.
The Internet Protocol, version 4, is defined in RFC 791 and has been the foundational addressing scheme of the internet since 1981. It assigns every networked interface a 32-bit address — a number that, when interpreted correctly, tells routers exactly which network the device belongs to and where to send traffic destined for it.
Understanding IPv4 addressing is not optional background knowledge. It is the prerequisite for understanding routing, subnetting, NAT, DHCP, DNS, and essentially everything that happens at and above Layer 3. The concepts are simple at their core — a 32-bit number divided into two parts — but the implications of those concepts permeate every aspect of network design and operation.
A 32-Bit Number
An IPv4 address is a 32-bit binary number. It has 2³² possible values: 4,294,967,296 unique addresses in total. Humans do not read binary comfortably, so IPv4 addresses are expressed in dotted decimal notation: the 32 bits are divided into four 8-bit groups (called octets), each converted to its decimal equivalent and separated by dots.
Binary: 11000000 10101000 00000001 01100100
Decimal: 192.168.1.100
Each octet can have a value between 0 and 255 (because 2⁸ = 256 possible values per octet). So the range of all IPv4 addresses runs from 0.0.0.0 to 255.255.255.255.
This notation is convenient for humans but can obscure what is actually happening. When a router makes a forwarding decision, it is not comparing dotted decimal strings — it is performing bitwise AND operations on 32-bit integers at wire speed. Remembering that an IP address is fundamentally a number, not a label, is key to understanding how routing and subnetting work.
Network and Host — The Two-Part Address
Every IPv4 address is divided into two logical parts: the network portion and the host portion. The network portion identifies which network the address belongs to. The host portion identifies the specific device within that network.
Think of it like a mailing address: the city and street name identify the neighborhood (network), and the house number identifies the specific building (host). Two addresses can have the same street (same network) with different house numbers (different hosts), and they can reach each other directly without a router. But to reach an address on a different street, you need to go through a router.
The question is: where exactly is the dividing line between the network and host portions? That is what the subnet mask answers.
Subnet Masks and CIDR Notation
The subnet mask is a 32-bit number that, when written in binary, consists of a contiguous block of 1s followed by a contiguous block of 0s. The 1s mark the bits that belong to the network portion; the 0s mark the bits that belong to the host portion.
IP address: 192.168.1.100 → 11000000.10101000.00000001.01100100
Subnet mask: 255.255.255.0 → 11111111.11111111.11111111.00000000
|____ network (24 bits) ___|_ host _|
In this example, the first 24 bits are the network portion and the last 8 bits are the host portion. The network is 192.168.1.0 and this particular device is host number 100 within that network.
CIDR notation (Classless Inter-Domain Routing, defined in RFC 4632) expresses this more compactly by appending a slash and the number of 1-bits in the subnet mask to the IP address: 192.168.1.100/24. The /24 tells you immediately that 24 bits belong to the network and 8 bits belong to the host. CIDR notation is the modern standard and is used everywhere — routing tables, firewall rules, DHCP scope configurations, cloud security groups.
Common subnet sizes and their implications:
| CIDR | Subnet Mask | Host Bits | Usable Hosts | Common Use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 24 | 16,777,214 | Large ISP allocations, Class A legacy |
| /16 | 255.255.0.0 | 16 | 65,534 | Large enterprise networks |
| /24 | 255.255.255.0 | 8 | 254 | Standard LAN segment |
| /25 | 255.255.255.128 | 7 | 126 | Split /24 for two segments |
| /26 | 255.255.255.192 | 6 | 62 | Small team or device group |
| /30 | 255.255.255.252 | 2 | 2 | Point-to-point router links |
| /31 | 255.255.255.254 | 1 | 2 | Point-to-point (RFC 3021, no broadcast) |
| /32 | 255.255.255.255 | 0 | 1 | Single host route (loopback, VPNs) |
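Usable hosts = 2^(host bits) − 2. The two subtracted addresses are reserved: the network address (all host bits zero) and the broadcast address (all host bits one). The /31 and /32 rows are the exceptions: a /31 point-to-point link has no network or broadcast address, so both of its addresses are usable, and a /32 names a single host.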
Network Address and Broadcast Address
Within any subnet, two addresses are reserved and cannot be assigned to devices:
Network address — all host bits set to 0. This identifies the subnet itself, not any individual device. 192.168.1.0/24 is the network address for the 192.168.1.0 subnet. It appears in routing tables and is used to identify the subnet in documentation, but no device has this address as its own.
Broadcast address — all host bits set to 1. Packets sent to this address are delivered to every device in the subnet. For 192.168.1.0/24, the broadcast address is 192.168.1.255. Protocols like ARP, DHCP DISCOVER, and various routing protocols use directed broadcasts.
Everything in between — 192.168.1.1 through 192.168.1.254 in a /24 — is available for assignment to devices.
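The mask, network address, broadcast address and usable range from the last two sections, computed with integer bit operations rather than string handling. This is an added example, not part of the original page; the names `subnet_info` and `dotted` are hypothetical, and the /31 and /32 branches follow the corresponding rows of the table above.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def dotted(value: int) -> str:
    """Render a 32-bit integer in dotted decimal."""
    return str(ipaddress.IPv4Address(value))

def subnet_info(cidr: str) -> dict:
    """Split an address such as 192.168.1.100/24 into its subnet facts."""
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    addr = int(ipaddress.IPv4Address(addr_text))  # dotted decimal -> integer

    host_bits = 32 - prefix
    mask = (ALL_ONES << host_bits) & ALL_ONES     # 1s for network, 0s for host
    network = addr & mask                         # all host bits cleared
    broadcast = network | (~mask & ALL_ONES)      # all host bits set

    if prefix == 32:      # single host route: one address, nothing reserved
        first, last, usable = network, network, 1
    elif prefix == 31:    # RFC 3021 point-to-point: both addresses usable
        first, last, usable = network, broadcast, 2
    else:                 # network and broadcast addresses are reserved
        first, last, usable = network + 1, broadcast - 1, 2 ** host_bits - 2

    return {
        "mask": dotted(mask),
        "network": dotted(network),
        "broadcast": dotted(broadcast) if prefix < 31 else None,
        "first_host": dotted(first),
        "last_host": dotted(last),
        "usable_hosts": usable,
        "host_number": addr & ~mask & ALL_ONES,   # host bits only
    }

if __name__ == "__main__":
    for example in ("192.168.1.100/24", "192.168.1.100/26", "10.0.0.5/31"):
        print(example, subnet_info(example))
```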
The IPv4 Header
Every IP packet begins with a header that carries the source and destination addresses, along with other fields the network infrastructure needs to route and deliver the packet correctly.
IPv4 Header — minimum 20 bytes, no options
| Field | Size | Notes |
|---|---|---|
| Version | 4 bits | Always 4 for IPv4 |
| IHL | 4 bits | Internet Header Length in 32-bit words. Minimum 5 (= 20 bytes, no options) |
| DSCP / ECN | 1 byte | Quality of Service marking (Differentiated Services Code Point) |
| Total Length | 2 bytes | Total packet size including header and payload, in bytes |
| Identification | 2 bytes | Used to reassemble fragmented packets |
| Flags | 3 bits | DF (Don’t Fragment), MF (More Fragments) |
| Fragment Offset | 13 bits | Position of this fragment within the original packet |
| TTL | 1 byte | Time To Live — decremented by each router. Packet discarded when it hits 0 |
| Protocol | 1 byte | Layer 4 protocol: 6 = TCP, 17 = UDP, 1 = ICMP |
| Header Checksum | 2 bytes | CRC over the header only (not the payload) |
| Source IP | 4 bytes | Sender’s IP address |
| Destination IP | 4 bytes | Recipient’s IP address |
| Options | 0–40 B | Optional, rarely used in modern networks |
TTL — The Packet’s Expiry Date
The Time To Live field deserves special attention. Despite its name, TTL does not measure time — it counts hops. Every router that forwards a packet decrements the TTL by one. When TTL reaches zero, the router discards the packet and sends an ICMP Time Exceeded message back to the source.
TTL exists to prevent routing loops from flooding the network forever. If a misconfiguration causes two routers to send traffic back and forth to each other indefinitely, TTL ensures that each packet eventually dies rather than circulating until the network collapses. Linux and macOS set TTL to 64 by default; Windows uses 128. These default values are visible in Wireshark captures and can help identify the OS of a device in a packet capture.
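A parser for the fixed 20-byte header laid out in the table above, followed by the TTL-based OS hint this section describes. This is an added example, not part of the original page; the function names and the sample packet bytes are constructed for illustration, and only the two default TTLs named in the text (64 and 128) are considered.

```python
import ipaddress
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}            # values from the header table
DEFAULT_TTLS = ((64, "Linux/macOS"), (128, "Windows"))  # defaults named in the text

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header, rejecting malformed input."""
    if len(raw) < 20:
        raise ValueError("shorter than the minimum 20-byte header")
    (ver_ihl, dscp_ecn, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    if ihl < 5 or len(raw) < ihl * 4:
        raise ValueError(f"bad IHL {ihl} for {len(raw)} bytes of data")
    if total_length < ihl * 4:
        raise ValueError("Total Length is smaller than the header itself")
    return {
        "header_bytes": ihl * 4,
        "total_length": total_length,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),         # Don't Fragment
        "mf": bool(flags_frag & 0x2000),         # More Fragments
        "fragment_offset": flags_frag & 0x1FFF,  # low 13 bits
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

def guess_initial_ttl(observed: int):
    """Return (initial TTL, hops travelled, OS hint), or None above 128."""
    for initial, hint in DEFAULT_TTLS:
        if observed <= initial:
            return initial, initial - observed, hint
    return None

# Constructed sample: 192.168.1.100 -> 10.1.2.50, TCP, DF set, TTL 118.
# The checksum field is left as zero; this parser does not verify it.
SAMPLE = bytes.fromhex("45000028 1c464000 76060000 c0a80164 0a010232")

if __name__ == "__main__":
    header = parse_ipv4_header(SAMPLE)
    print(header, guess_initial_ttl(header["ttl"]))
```

The TTL result is a hint, not an identification: the default is a host setting that can be changed, and the hop count is only as good as the guessed starting value.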
Special and Reserved Address Ranges
Not all IPv4 addresses are available for assignment to general devices. Several ranges are reserved by IANA for specific purposes:
| Range | Purpose | RFC |
|---|---|---|
| 10.0.0.0/8 | Private network (Class A) | RFC 1918 |
| 172.16.0.0/12 | Private network (Class B range) | RFC 1918 |
| 192.168.0.0/16 | Private network (Class C range) | RFC 1918 |
| 127.0.0.0/8 | Loopback — local host only | RFC 5735 |
| 169.254.0.0/16 | APIPA — link-local, no DHCP | RFC 3927 |
| 0.0.0.0/8 | "This network" — source only | RFC 1122 |
| 255.255.255.255 | Limited broadcast | RFC 919 |
| 224.0.0.0/4 | Multicast | RFC 5771 |
Private Addresses and NAT
The RFC 1918 private ranges (10.x.x.x, 172.16–31.x.x, 192.168.x.x) are not routed on the public internet. Routers at the internet boundary are configured to drop packets with private source or destination addresses. This means every device using a private address that needs internet access must go through Network Address Translation (NAT) — a mechanism that substitutes the private source address with a public one before the packet leaves the network.
The existence of RFC 1918 private ranges is also why the 4.3 billion IPv4 addresses have not run out as quickly as the math would suggest: millions of devices share a handful of public addresses through NAT. But it does mean that two completely separate networks can use the same private address range internally, which creates complications when those networks need to be connected.
Loopback
The entire 127.0.0.0/8 range is reserved for loopback. Traffic sent to any address in this range is handled entirely within the local network stack — it never reaches the physical network interface. 127.0.0.1 is the conventional loopback address, used universally to refer to “this machine.” If you can ping 127.0.0.1 but not the machine’s own interface address, the problem is in the physical network stack or the interface configuration, not in the IP stack itself.
APIPA
When a device is configured to use DHCP and no DHCP server responds, Windows (and some Linux configurations) will assign the device an address in the 169.254.0.0/16 range — an Automatic Private IP Address (APIPA). Devices with APIPA addresses can communicate with other APIPA-addressed devices on the same segment but cannot reach any router or internet resource. Seeing a 169.254.x.x address on a device is an immediate indicator that DHCP has failed.
How Routers Use IP Addresses
A router’s job is to forward packets toward their destination. It does this by consulting its routing table — a list of known network prefixes and the next-hop or interface through which they are reachable.
When a packet arrives, the router performs a longest prefix match on the destination IP address:
- Extract the destination IP from the packet header
- Compare it against every entry in the routing table using bitwise AND with each entry’s subnet mask
- Select the entry whose network prefix is the longest (most specific) match
- Forward the packet toward the next-hop specified in that entry
For example, if the routing table contains both 10.0.0.0/8 and 10.1.2.0/24, a packet destined for 10.1.2.50 matches both entries. The router selects 10.1.2.0/24 because it is the more specific match — 24 bits match rather than just 8. This longest-prefix-match rule is fundamental to how IP routing scales and allows specific routes to override more general ones.
A default route (0.0.0.0/0) is the catch-all: it matches every destination address and is used when no more specific route exists. Every device with internet access has a default route pointing toward a gateway that can reach the broader internet.
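The lookup steps above written as a linear scan over a small table, using the 10.0.0.0/8 and 10.1.2.0/24 entries from the example plus a default route. This is an added example, not part of the original page; the next-hop addresses and the names `build_table` and `lookup` are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, next hop). Next hops are hypothetical.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),    # default route
    ("10.0.0.0/8", "10.255.0.1"),
    ("10.1.2.0/24", "10.1.2.1"),
]

def build_table(routes):
    """Pre-compute integer network and mask for every prefix."""
    table = []
    for cidr, next_hop in routes:
        net = ipaddress.IPv4Network(cidr)  # raises if host bits are set
        table.append((int(net.network_address), int(net.netmask),
                      net.prefixlen, cidr, next_hop))
    return table

def lookup(table, destination: str):
    """Return (matching prefix, next hop) for the longest match, or None."""
    dst = int(ipaddress.IPv4Address(destination))
    best = None
    for network, mask, prefixlen, cidr, next_hop in table:
        # An entry matches when the destination's network bits equal the prefix.
        if (dst & mask) == network and (best is None or prefixlen > best[0]):
            best = (prefixlen, cidr, next_hop)
    return None if best is None else (best[1], best[2])

if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("10.1.2.50", "10.9.9.9", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
```

Without the 0.0.0.0/0 entry, a destination that matches no prefix returns `None`, which corresponds to a router having no route for the packet.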
Classful Addressing — Historical Context
In the early days of IP (before CIDR was invented in 1993), address space was allocated in fixed-size classes:
| Class | First Octet Range | Default Mask | Network Bits | Notes |
|---|---|---|---|---|
| A | 1–126 | /8 | 8 | Very large organizations |
| B | 128–191 | /16 | 16 | Large organizations |
| C | 192–223 | /24 | 24 | Small organizations |
| D | 224–239 | — | — | Multicast |
| E | 240–255 | — | — | Reserved |
This system was catastrophically wasteful. An organization that needed 300 addresses had to take a full Class B (/16 = 65,536 addresses) because a Class C (/24 = 256 addresses) was too small. Thousands of Class B allocations were handed out to universities and corporations, each consuming 65,534 addresses when they needed only a fraction. CIDR replaced classful addressing by allowing subnet masks of any length, enabling the network to allocate exactly the address space actually needed.
The term “Class A, B, C” still appears in documentation and conversation (and in some certification exam materials) but it describes a historical allocation model, not a technical feature of modern IP. All modern networking uses CIDR.
Key Concepts
The subnet mask is not optional
The subnet mask is as important as the IP address itself. Without it, a device cannot determine whether a destination address is on its local segment (reachable directly via Layer 2) or on a remote network (requiring a router). A misconfigured subnet mask is one of the most common causes of connectivity failures that are otherwise inexplicable — the device might be able to reach some hosts but not others, depending on where their addresses fall relative to the incorrectly configured network boundary.
The default gateway must be on the same subnet
The default gateway address must be within the same subnet as the device’s own IP address. If it is not, the device cannot send the initial ARP request to resolve the gateway’s MAC address, and the gateway is unreachable. This is a frequent misconfiguration: correct IP address and subnet mask, but a gateway address that belongs to a different network.
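A check for the two misconfigurations described above: a wrong subnet mask that changes which destinations the host treats as local, and a gateway outside the host's own subnet. This is an added example, not part of the original page; the function names and the addresses in the scenario are constructed for illustration.

```python
import ipaddress

def to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def is_on_link(address: str, mask: str, destination: str) -> bool:
    """The host's send decision: True = ARP for the destination directly,
    False = hand the packet to the default gateway."""
    m = to_int(mask)
    return (to_int(address) & m) == (to_int(destination) & m)

def check_host_config(address: str, mask: str, gateway: str) -> list:
    """Return a list of problems found in an address/mask/gateway triple."""
    a, m, g = to_int(address), to_int(mask), to_int(gateway)
    host_part = ~m & 0xFFFFFFFF
    if host_part & (host_part + 1):   # a valid mask inverts to 2^k - 1
        return [f"mask {mask} is not contiguous 1s followed by 0s"]
    problems = []
    network, broadcast = a & m, (a & m) | host_part
    if host_part > 1 and a in (network, broadcast):   # skip /31 and /32
        problems.append(f"{address} is the network or broadcast address")
    if (g & m) != network:
        problems.append(f"gateway {gateway} is outside the host's subnet")
    elif g == a:
        problems.append("gateway is the host's own address")
    return problems

if __name__ == "__main__":
    # Constructed scenario: the segment is really 192.168.1.0/24.
    print(check_host_config("192.168.1.100", "255.255.255.0", "192.168.1.1"))
    print(check_host_config("192.168.1.100", "255.255.255.0", "192.168.2.1"))
    # With the mask mistyped as 255.255.0.0 the host treats 192.168.2.10 as
    # local and never uses the router, while 10.1.2.50 still goes via the gateway.
    for dst in ("192.168.1.20", "192.168.2.10", "10.1.2.50"):
        print(dst, is_on_link("192.168.1.100", "255.255.0.0", dst))
```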
IP addresses identify interfaces, not devices
A router has multiple interfaces, each with its own IP address — one per connected network. A server with two NICs has two IP addresses. A virtual machine host running multiple VMs may have dozens. When someone says “the server’s IP address,” they really mean “the IP address of the interface you are connecting to.” Devices do not have a single IP address; interfaces do.