IPv4 — Addressing, Subnets, Fragmentation

32-bit addresses, classless inter-domain routing (CIDR), subnet masks, fragmentation, the IPv4 header.

Building Block Foundational
9 min read
ipv4 network-layer cidr subnetting

What it is#

IPv4 (Internet Protocol version 4) is the addressing-and-forwarding contract that lets any computer on the Internet send a datagram to any other. It defines a 32-bit address space, a 20-byte (minimum) header, a best-effort delivery model with no guarantees of reliability, ordering, or duplicate suppression, and a set of rules for fragmentation when datagrams exceed a link’s maximum transmission unit (MTU).

Every device on a TCP/IP network has at least one IPv4 address. Routers use those addresses (and the routing table populated by OSPF or BGP) to forward datagrams hop by hop until they reach the destination’s link. The protocol is intentionally minimal — most of the complexity of the Internet lives in the layers above (TCP, application protocols) or in the control plane (routing protocols, ARP, DHCP).

IPv4 has been “running out of addresses” since the early 1990s. NAT, private address space (RFC 1918), and the migration to IPv6 are the three responses. Yet IPv4 still carries the majority of Internet traffic and will for years to come.

When to use it#

IPv4 is the default. Almost everything that talks to the Internet speaks IPv4 (often alongside IPv6, in a dual-stack configuration). You don’t usually “choose” IPv4 — you choose where you sit relative to it:

  • Public IPv4 addresses for anything externally reachable: web servers, DNS authoritatives, mail servers, SSH bastions. These are in scarce supply and cost money.
  • Private IPv4 (RFC 1918) for internal networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Connect outward via NAT.
  • Loopback (127.0.0.0/8) for in-host communication.
  • Link-local (169.254.0.0/16) when DHCP fails and the host self-assigns.
  • Multicast (224.0.0.0/4) for one-to-many delivery on cooperating networks. Used by OSPF, mDNS / Bonjour, and IPTV.

Use IPv6 in preference when you control the network (datacenter fabrics, mobile carriers), when you need huge address space without NAT, or when public IPv4 is too expensive to lease. Cellular networks and large clouds have aggressively moved to IPv6 internally.

How it works#

Addresses#

A 32-bit IPv4 address is written in dotted-decimal: four 8-bit octets separated by dots. 192.0.2.42 is 0xC000022A. The address space has 2^32 ≈ 4.3 billion addresses — too few for the modern Internet, which is why we have NAT and IPv6.

The address is split into a network portion (prefix) and a host portion. Originally this split was at class boundaries (Class A = /8, Class B = /16, Class C = /24). Classful addressing wasted space — a company with 5,000 hosts needed a /16 (65k addresses) since a /24 (256) wasn’t enough. CIDR replaced this in 1993.

CIDR — Classless Inter-Domain Routing#

CIDR writes addresses with an explicit prefix length: 192.0.2.0/24 means “the first 24 bits identify the network; the remaining 8 bits identify the host”. The prefix length is the subnet mask in compact form (/24 is 255.255.255.0).

Prefix  Mask             Host bits  Hosts (excluding network + broadcast)
/8      255.0.0.0        24         16,777,214
/16     255.255.0.0      16         65,534
/20     255.255.240.0    12         4,094
/24     255.255.255.0    8          254
/28     255.255.255.240  4          14
/30     255.255.255.252  2          2
/31     255.255.255.254  1          2 (point-to-point only, RFC 3021)

Smaller prefix length means bigger subnet. /8 covers 2^24 ≈ 16M addresses; /24 covers 256 (254 usable). The two “lost” addresses per subnet are the network address (all host bits 0) and the broadcast address (all host bits 1).

Subnet masks and “is this host on my subnet?”#

Given a destination IP, a host decides whether to send directly on the LAN or to its default gateway by applying the local subnet mask:

dst_network = dst_ip AND mask
my_network = my_ip AND mask
if dst_network == my_network → ARP for dst, send on LAN
else → ARP for gateway, send via gateway

This is the single most-tested concept in entry-level networking interviews.
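The CIDR table and the on-link decision above, worked on raw 32-bit integers so every masking step is visible. This is an added example, not code from the original page; the helper names are my own, and the /31 and /32 host counts follow RFC 3021 and host-route convention.

```python
# Added example (not from the original page): CIDR arithmetic and the
# "is this host on my subnet?" decision, done on 32-bit integers by hand
# rather than through the ipaddress module, so each step is visible.

def ip_to_int(dotted: str) -> int:
    """'192.0.2.42' -> 0xC000022A. Rejects malformed octets."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in {dotted!r}")
        value = (value << 8) | int(p)
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, mask and usable-host count for 'a.b.c.d/n'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    if host_bits >= 2:
        usable = 2 ** host_bits - 2      # minus network + broadcast addresses
    elif host_bits == 1:
        usable = 2                        # /31 point-to-point link (RFC 3021)
    else:
        usable = 1                        # /32 host route
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "mask": int_to_ip(mask), "usable_hosts": usable}

def same_subnet(my_ip: str, prefix: int, dst_ip: str) -> bool:
    """True: ARP for dst and send on the LAN. False: send via the gateway."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(my_ip) & mask) == (ip_to_int(dst_ip) & mask)
```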

The IPv4 header#

20 bytes minimum, up to 60 with options (options are rare in practice).

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |   DSCP/ECN    |         Total Length          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Identification         |Flags|     Fragment Offset     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live  |   Protocol    |        Header Checksum        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source IP Address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination IP Address                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options (0 to 40 bytes)                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields that matter:

  • Version — always 4 for IPv4.
  • IHL — internet header length, in 32-bit words. 5 (= 20 bytes) when there are no options.
  • DSCP / ECN — differentiated services (QoS marking) and explicit congestion notification.
  • Total Length — total datagram size in bytes (header + payload). Max 65,535.
  • Identification, Flags, Fragment Offset — used for fragmentation (next section).
  • TTL — time-to-live. Decremented by every router; when it hits 0, the router drops the datagram and sends ICMP Time Exceeded. The basis for traceroute.
  • Protocol — next-layer protocol number. 6 = TCP, 17 = UDP, 1 = ICMP, 41 = IPv6-in-IPv4.
  • Header Checksum — covers header only, not payload. Recomputed by every router (since TTL changes).
  • Source / destination IP — 32 bits each.
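An added example (not from the original page) that builds a constructed 20-byte header, parses the fields listed above, and verifies the header checksum the way a receiving stack does. Function names are my own; no IP options are handled.

```python
# Added example (not from the original page): pack, parse and checksum a
# fixed-length IPv4 header with struct. Assumes no options (IHL == 5).
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed fields; raise ValueError on anything malformed."""
    if len(data) < 20:
        raise ValueError("truncated: need at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    hlen = ihl * 4
    if hlen < 20 or len(data) < hlen:
        raise ValueError(f"bad IHL {ihl}")
    if ipv4_checksum(data[:hlen]) != 0:      # sum over a valid header folds to 0
        raise ValueError("header checksum mismatch")
    return {
        "ihl_bytes": hlen, "dscp": tos >> 2, "ecn": tos & 0x3,
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234,
                      df=True, mf=False, frag_offset=0) -> bytes:
    """Constructed sample header (no options) with the checksum filled in."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset // 8)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```

Flipping a single byte (the TTL, say) makes the parser reject the header, which is exactly why every router that decrements TTL must recompute this field.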

Fragmentation#

IPv4 datagrams can be up to 65,535 bytes, but link MTUs are usually 1500 (Ethernet), sometimes smaller. If a datagram exceeds the outgoing link MTU and the Don’t Fragment (DF) flag is clear, the router splits it into fragments. Each fragment carries the same Identification field, a Fragment Offset (in 8-byte units), and the More Fragments (MF) flag. The destination reassembles using the offsets.

Fragmentation is mostly a relic. Modern hosts do Path MTU Discovery (PMTUD) — they set DF, watch for ICMP Fragmentation Needed responses, and shrink their segments. Firewalls that block ICMP break PMTUD silently. IPv6 forbids router-level fragmentation entirely (only the source can fragment).
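The fragmentation and reassembly bookkeeping described above, as an added example that is not part of the original page. Fragments are modelled as dicts rather than raw headers, offsets are kept in bytes (the on-wire field carries offset // 8), and the reassembler is strict: it rejects holes, overlaps and a missing final fragment.

```python
# Added example (not from the original page): split a payload to fit an MTU
# and put it back together, mirroring the Identification / MF / Fragment Offset
# rules. Assumes a 20-byte header with no options.
HEADER_LEN = 20
SAMPLE_PAYLOAD = bytes(range(256)) * 12      # constructed 3072-byte payload

def fragment(ident: int, payload: bytes, mtu: int, df: bool = False) -> list:
    """Return the fragments of one datagram; every offset is a multiple of 8."""
    if HEADER_LEN + len(payload) <= mtu:
        return [{"id": ident, "offset": 0, "mf": False, "data": payload}]
    if df:
        # A router would drop the datagram and send ICMP Fragmentation Needed.
        raise ValueError("DF set and datagram exceeds MTU")
    chunk = (mtu - HEADER_LEN) // 8 * 8      # largest 8-byte multiple that fits
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    frags = []
    for off in range(0, len(payload), chunk):
        frags.append({"id": ident, "offset": off,
                      "mf": off + chunk < len(payload),   # more to come?
                      "data": payload[off:off + chunk]})
    return frags

def reassemble(frags: list) -> bytes:
    """Rebuild the payload; raise ValueError if the set is incomplete or inconsistent."""
    if not frags:
        raise ValueError("no fragments")
    ident = frags[0]["id"]
    if any(f["id"] != ident for f in frags):
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f["offset"])   # arrival order is irrelevant
    expected, out = 0, bytearray()
    for f in ordered:
        if f["offset"] != expected:          # gap (lost fragment) or overlap
            raise ValueError(f"hole or overlap at byte {expected}")
        out += f["data"]
        expected += len(f["data"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment missing (MF still set)")
    return bytes(out)
```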

Routing and forwarding#

Every router has a routing table. When a datagram arrives, the router does a longest-prefix-match lookup on the destination IP. The most specific matching prefix wins — 203.0.113.0/24 beats 203.0.113.0/16 for an address 203.0.113.42. The default route 0.0.0.0/0 matches anything; it’s the route of last resort.

Routing tables are populated by routing protocols (OSPF inside an AS, BGP between ASes) or static configuration. The IP layer itself does no path computation — it just looks up and forwards.
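Longest-prefix match over a small constructed routing table using the documentation prefixes from the text, as an added example (not code from the original page). Note that the text's 203.0.113.0/16 masks down to 203.0.0.0/16, which the example makes explicit.

```python
# Added example (not from the original page): a minimal forwarding table that
# keeps routes sorted most-specific first, so the first hit is the longest match.

def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(v: int) -> str:
    return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_of(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF

class RoutingTable:
    def __init__(self):
        self._routes = []                      # (network_int, prefix_len, next_hop)

    def add(self, cidr: str, next_hop: str):
        addr, plen = cidr.split("/")
        plen = int(plen)
        net = ip_to_int(addr) & mask_of(plen)  # 203.0.113.0/16 is really 203.0.0.0/16
        self._routes.append((net, plen, next_hop))
        self._routes.sort(key=lambda r: r[1], reverse=True)

    def lookup(self, dst: str):
        """(matched prefix, next hop), or None when nothing matches (no default route)."""
        d = ip_to_int(dst)
        for net, plen, nh in self._routes:
            if d & mask_of(plen) == net:
                return f"{int_to_ip(net)}/{plen}", nh
        return None

def demo_table() -> RoutingTable:
    """Constructed table: a default route plus three nested prefixes."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "default-gw")          # route of last resort
    rt.add("203.0.113.0/16", "gw-a")
    rt.add("203.0.113.0/24", "gw-b")
    rt.add("203.0.113.40/29", "gw-c")
    return rt
```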

Variants#

  • Private (RFC 1918) address space. 10.0.0.0/8 (largest, datacenter favourite), 172.16.0.0/12 (less common, Docker default range), 192.168.0.0/16 (home routers). Not routable on the public Internet; usually paired with NAT.
  • Carrier-Grade NAT (RFC 6598). 100.64.0.0/10 — the shared address space ISPs use behind their own NAT. You’ll see it on cellular networks.
  • Multicast (224.0.0.0/4). One sender, multiple receivers on cooperating networks. Used inside datacenters for control protocols; rarely traverses the public Internet.
  • Anycast. Same IP advertised from multiple locations via BGP; the network routes you to the closest. The backbone of CDNs and global DNS (8.8.8.8, 1.1.1.1).
  • CGNAT and Carrier-NAT. Many ISPs no longer give residential customers a public IPv4 — they sit behind a shared one. Breaks listening services without IPv6 or port forwarding.
  • /31 point-to-point links. RFC 3021 — drops the network/broadcast convention so a 2-address subnet has 2 usable hosts. Routers between two boxes use these.

Trade-offs#

  • IPv4. Strengths: universal, 30+ years of tooling, every middlebox understands it, NAT-friendly. Weaknesses: address space is exhausted; public addresses cost money; NAT breaks end-to-end semantics and complicates listening services.
  • IPv6. Strengths: ~3.4 × 10^38 addresses (effectively unlimited), no NAT needed, simpler header (no checksum, no router fragmentation), built-in autoconfig (SLAAC). Weaknesses: adoption is uneven; some middleboxes still mis-handle IPv6; engineers find the address syntax harder.

Other trade-offs:

  • Public vs private. Public IPs are reachable but auditable. Private IPs are free and abundant but require NAT to reach the outside.
  • Header checksum. IPv4 has one (slow — must be recomputed at every hop). IPv6 dropped it (relies on lower-layer CRCs and upper-layer checksums).
  • Fragmentation in the network. IPv4 lets routers fragment; IPv6 does not. Source fragmentation pushes responsibility to the sender, simplifies routers, hurts naïve UDP-over-IP applications that exceed MTU.
  • TTL exhaustion. The TTL field caps the network’s diameter at 255 hops. Modern Internet paths are usually 10–20 hops; the field also defends against routing loops.

How many IPv4 addresses does the world actually have left?#

IANA exhausted the central pool in 2011. The five Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC) ran their final allocation rules between 2011 and 2019. Today, organisations get IPv4 mainly via the secondary market — /24 blocks trade for tens of thousands of US dollars. Cloud providers also recycle addresses aggressively. The structural answer is IPv6; the operational answer is CGNAT plus dual-stack.

Common pitfalls#

  • Confusing the subnet mask with the network address. 255.255.255.0 (mask) versus 192.168.1.0 (network). Both have four dotted octets — different meanings.
  • Forgetting the network and broadcast addresses are unusable for hosts. /24 has 254 usable, not 256. /30 has 2, not 4.
  • Believing fragmentation is benign. It is not. Reassembly is fragile (loss of any fragment retransmits the whole datagram), firewalls drop fragments without the first-fragment header, and PMTUD failure is silent.
  • Trusting source IP for authentication. Spoofing inbound TCP requires guessing initial sequence numbers (hard) but spoofing UDP source IPs is trivial. Don’t authenticate by IP alone for anything that matters.
  • Mis-sized subnets. A /28 (14 usable) is too small for a server fleet. A /16 (65k) wastes routing-table space on a small VLAN. Right-size up front; renumbering hurts.
  • Picking overlapping private ranges. Two sites both using 192.168.1.0/24 cannot trivially be VPN’d together. Pick non-default RFC 1918 ranges (10.X.Y.0/24 with site-unique X).
  • Reading the host part of an address as a number. 192.168.1.5 plus 192.168.1.10 is not arithmetic on hosts: the network portion is fixed and the host portion is just an index within it.
  • Ignoring DSCP / TOS in production. Some carriers honour DSCP and prioritise traffic; some strip it; some abuse it. Don’t rely on it being preserved end-to-end.