What Is the Network Layer?
Forwarding vs routing, the control plane vs the data plane — what turns 'a wire between two hosts' into 'the Internet'.
Summary
The network layer is the one that turns “a wire between two hosts” into “the Internet.” Its single job is to move a packet from a source IP to a destination IP, hop by hop, across an arbitrary number of intermediate routers, using only the addresses in the packet’s header. Everything above (TCP, HTTP, your app) and everything below (Ethernet, fibre, Wi-Fi) takes this service for granted.
Two distinctions are load-bearing for understanding the layer:
- Forwarding vs routing. Forwarding is what a router does per packet — look up the destination in a table, send the packet out the right interface. Routing is the control protocol that builds the table in the first place. Forwarding runs in microseconds at line rate; routing runs over seconds-to-minutes as topology changes propagate.
- Data plane vs control plane. The data plane is the packet-pushing path — ASICs, line cards, the forwarding table. The control plane is the brain — running BGP, OSPF, IS-IS, populating the table, handling exceptions. Modern routers separate these cleanly; SDN takes the split further by moving the control plane to a remote controller.
IP — the layer’s canonical protocol — offers a single, deliberately weak contract: best-effort delivery of independent datagrams. No reliability, no ordering, no flow control, no congestion control. Anything stronger is layered above.
Why it matters
Every other layer’s behaviour is shaped by the network layer’s contract:
- TCP exists because IP loses packets. Retransmission, sequence numbers, congestion control — all are TCP’s response to IP’s “best effort.” If IP were reliable, TCP would be unnecessary.
- Latency and jitter are network-layer phenomena. A packet’s RTT is dominated by the propagation delay across the path the routing protocol selected. CDN POPs and Anycast are network-layer interventions.
- Outages are usually network-layer events. “BGP withdrew the route,” “the route flap drained traffic,” “the firewall is dropping packets” — all L3 stories. App-layer outages are loud; network-layer outages are wide.
The deeper reason engineers care: the network layer is where the Internet’s trust model lives. The data plane forwards what it’s told to forward. The control plane (BGP especially) decides what to tell. Misconfigurations and hijacks at the control plane cascade through the data plane — the Facebook 2021 outage, the Pakistan-YouTube 2008 hijack, the Rostelecom 2017 incident — all were control-plane events that took down data-plane reachability for millions.
How it works
The two functions
Every router does exactly two things — and the cleanest mental model is to think of them as separate machines that happen to sit in the same box.
```text
      control plane                        data plane
  +----------------+                 +------------------+
  | BGP / OSPF /   |                 | per-packet       |
  | IS-IS / static |  populates -->  | forwarding       |
  | routes         |                 | (lookup, TTL     |
  +----------------+                 |  decrement,      |
          ^                          |  send out IF)    |
          |                          +------------------+
   topology changes,                          ^
   peer updates                               |
                                         packets in
```
Forwarding is per-packet, fast, local. A packet arrives on interface eth0 with destination 203.0.113.42. The router looks up 203.0.113.42 in its forwarding information base (FIB), finds the longest prefix match (say 203.0.113.0/24 → next hop 192.0.2.1 via eth3), decrements the TTL, recomputes the IP header checksum, and shoves the packet out eth3. On modern hardware this is a single ASIC lookup in microseconds.
Routing is the protocol that populated the FIB. The router runs OSPF/IS-IS inside its own AS (interior gateway protocols) and BGP between ASes (the exterior gateway protocol). These protocols exchange topology updates with peers, run a path-selection algorithm, and write the best paths into the routing information base (RIB). Best paths from the RIB are then installed into the FIB used by the data plane.
The control plane is slow, expensive, and CPU-bound. The data plane is fast, cheap, and ASIC-bound. The split is the whole reason routers can forward at terabits per second while still running protocol logic in the background.
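The per-packet header work described above (verify the header checksum, decrement TTL, drop at zero, rewrite the checksum), as an added Python example that is not part of the original page. It builds a sample 20-byte IPv4 header with the article's own addresses; the identification and length fields are arbitrary constructed values.

```python
import ipaddress
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    with the checksum field itself (bytes 10-11) counted as zero."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum.
    Total length (40) and identification (0x1234) are arbitrary sample values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, proto,
                      0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def router_hop(header: bytes):
    """The header work of one data-plane hop: verify the checksum, decrement
    TTL, drop (ICMP Time Exceeded) if it reaches zero, otherwise rewrite the
    checksum. Returns (new_header_or_None, outcome)."""
    if int.from_bytes(header[10:12], "big") != ipv4_checksum(header):
        return None, "bad checksum"            # corrupted header: discarded
    ttl = header[8] - 1
    if ttl <= 0:
        return None, "time exceeded"           # dropped, ICMP back to source
    new = header[:8] + bytes([ttl]) + header[9:]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:], "forwarded"
```

Because only the TTL byte changes, the rewritten checksum differs from the old one by exactly 0x0100, which is why hardware can update it incrementally instead of re-summing the header.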
Best-effort delivery and what that really means
IP guarantees almost nothing. Datagrams may:
- Be dropped. Queue overflow at a congested router, TTL hitting zero, ACL deny rules.
- Be reordered. Different packets in the same flow may take different paths if ECMP or load balancing kicks in.
- Be duplicated. Misconfigured tunnels or buggy retransmissions can produce duplicates.
- Be corrupted. The IP header checksum catches header errors but not payload errors; payload integrity is L4’s job (UDP/TCP checksums).
- Arrive after very long delays. A packet can sit in a queue or on a satellite hop long enough for upper layers to assume it’s lost.
A datagram is independent — it carries its own destination, and routers do not maintain state per flow at the IP layer. (Stateful middleboxes, NAT, and firewalls do — but they violate IP’s pure layering. Everything in those boxes is a workaround for L3 not knowing what a “connection” is.)
Delivery models — unicast, multicast, broadcast, anycast
IP supports four delivery models, though only two are commonly used on the public Internet:
- Unicast — one source, one destination. The default. 99.9%+ of Internet traffic.
- Broadcast — one source, every host on a network segment. Limited to a LAN; routers do not forward broadcasts. ARP and DHCP use it. Has no IPv6 equivalent.
- Multicast — one source, a group of subscribed destinations. Works locally (IPTV, mDNS, OSPF hello packets) but never gained traction on the public Internet — too hard to manage subscription state across ASes.
- Anycast — one IP advertised from many physical sites; BGP picks the topologically closest one. Used by DNS root servers, public resolvers (8.8.8.8, 1.1.1.1), CDN points-of-presence. Looks like unicast from the host’s perspective, but the destination is wherever BGP currently routes.
The TTL hack
Every IP packet carries a TTL (time-to-live) — initially 64 or 128 — decremented at every router hop. When it hits zero, the router drops the packet and sends an ICMP “Time Exceeded” message back to the source. This is what stops routing loops from melting the network and is also what traceroute exploits: send packets with TTL=1, then 2, then 3, and watch the ICMP errors come back from each hop.
A worked example
A packet from 198.51.100.7 to 203.0.113.42:
- Host writes an IP header with source, destination, and the TCP segment as payload. Hands it to the kernel.
- First-hop router receives the packet on its LAN interface. Looks up 203.0.113.42 in its FIB → next hop is its upstream ISP.
- ISP edge router receives it. Looks up 203.0.113.42 — finds a BGP-learned prefix 203.0.113.0/24 advertised by AS 64500 via three intermediate ASes. Forwards to the chosen next-hop AS.
- Five or six AS hops later, the packet enters the destination AS’s edge.
- Destination-AS interior routers use OSPF to forward the packet to the router closest to 203.0.113.42.
- Last-hop router uses ARP (or NDP for IPv6) to resolve the destination MAC, frames the packet, and sends it on the final link.
- Destination host strips the Ethernet frame, hands the IP datagram to its IP stack, which sees its own address and passes the payload up to TCP.
At every hop the IP header is the only thing examined. The transport-layer payload is opaque.
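The longest-prefix-match lookup from "The two functions", the TTL hack, and the walk-through above, combined into one added Python simulation that is not the page's own code. The three-router topology, its addresses and its FIB contents are constructed assumptions; r2 and r3 deliberately default to each other so the same code also shows TTL stopping a routing loop.

```python
import ipaddress

# Constructed topology, not the page's code: three routers between the host
# 198.51.100.7 and the server 203.0.113.42. A FIB maps prefix -> next-hop router
# name; "deliver" means the destination is directly attached. r2 and r3 default
# to each other on purpose: a destination with no real route loops until TTL expires.
ROUTERS = {
    "r1": {"addr": "198.51.100.1", "fib": {"198.51.100.0/24": "deliver", "0.0.0.0/0": "r2"}},
    "r2": {"addr": "192.0.2.1",
           "fib": {"198.51.100.0/24": "r1", "203.0.113.0/24": "r3", "0.0.0.0/0": "r3"}},
    "r3": {"addr": "203.0.113.1", "fib": {"203.0.113.0/24": "deliver", "0.0.0.0/0": "r2"}},
}

def longest_prefix_match(fib, dst):
    """Data-plane lookup: the most specific prefix containing dst wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def forward(first_hop, dst, ttl):
    """Push one datagram hop by hop. Each router decrements TTL first; zero means
    drop + ICMP Time Exceeded. Returns (status, responder address, router path)."""
    hop, path = first_hop, []
    while True:
        router = ROUTERS[hop]
        path.append(hop)
        ttl -= 1
        if ttl <= 0:
            return ("time_exceeded", router["addr"], path)
        match = longest_prefix_match(router["fib"], dst)
        if match is None:
            return ("unreachable", router["addr"], path)   # no route at all
        next_hop = match[1]
        if next_hop == "deliver":
            return ("delivered", dst, path)
        hop = next_hop

def traceroute(first_hop, dst, max_ttl=8):
    """The TTL trick: probe with TTL=1, 2, 3, ... and record who answered."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        status, responder, _ = forward(first_hop, dst, ttl)
        hops.append((ttl, status, responder))
        if status != "time_exceeded":
            break
    return hops
```

`forward("r1", "8.8.8.8", 64)` bounces between r2 and r3 until the TTL expires after 64 hops, which is exactly the loop-containment the TTL exists for.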
Variants and trade-offs
Other axes worth knowing:
- IPv4 vs IPv6. Same layer, same contract, different address sizes (32 vs 128 bits) and a tightened header (no header checksum in v6, no fragmentation by routers, simpler options). Networks typically run dual-stack, and hosts pick which one to use.
- Stateless vs stateful middleboxes. Pure routers are stateless. NAT, firewalls, and load balancers track flow state — convenient for operators but a violation of L3’s purity that causes failure modes (NAT timeouts dropping long-lived connections, asymmetric routing breaking stateful firewalls).
- Hop-by-hop vs source routing. Standard IP is hop-by-hop — each router decides the next hop. Source routing (IP_OPTIONS in v4, the routing extension header in v6) lets the source specify the path. Mostly blocked on the public Internet — security risk.
- MPLS overlay. Carriers run MPLS on top of IP to get traffic engineering, fast reroute, and L2/L3 VPNs. From the customer’s perspective it looks like IP; inside the carrier, packets carry MPLS labels and are switched on labels rather than longest-prefix-matched on addresses.
When this is asked in interviews
The opener is often “what does a router do?” — the strong answer separates forwarding (per-packet, data plane) from routing (control protocol, control plane) immediately.
Common follow-ups:
- “What’s the difference between a router and a switch?” — Router operates at L3, forwards by IP, builds tables from a routing protocol. Switch operates at L2, forwards by MAC, builds tables from observed traffic. “Layer 3 switch” is a router with switching ASICs.
- “What does IP guarantee?” — Best-effort delivery of independent datagrams. May drop, reorder, duplicate, corrupt. Anything stronger is L4+.
- “What’s the difference between unicast, multicast, broadcast, and anycast?” — Unicast = one-to-one. Multicast = one-to-group. Broadcast = one-to-LAN. Anycast = one-IP-many-locations, BGP picks closest.
- “What happens when a packet’s TTL hits zero?” — Router drops it, returns an ICMP Time Exceeded. Traceroute uses this.
- “Walk me from your laptop to a remote server at the network layer.” — DNS resolves the name to an IP, ARP/NDP resolves the gateway MAC, the packet leaves with destination IP, each router does longest-prefix match in its FIB, eventually arrives at the destination’s last-hop router which ARPs and delivers on the local segment.
In SRE / networking loops, expect the question to drift into BGP, routing convergence, and incident scenarios (“how would you detect a route hijack?”). In product loops, it usually stays at “what layer owns this concern?” — and the right answer reframes around forwarding vs routing.
Related concepts