Getting a packet from your device to a server on the other side of the world involves multiple layers of addressing and routing decisions. This page explains how those mechanisms work — and where they can be exploited.

Packet switching

The internet does not hold open a dedicated circuit between sender and receiver. Instead, it uses packet switching: data is broken into independent packets, each carrying source and destination addresses. Packets travel independently, may take different routes, and are reassembled in order by the receiver. This design is resilient — if a router fails, packets route around it — but it also means your data can transit through many different organizations and jurisdictions. A packet from Iceland to the US might pass through routers in several European countries. Each hop is a potential point of interception or analysis.
The IP protocol offers best-effort delivery only. It guarantees none of the following: delivery, in-order arrival, timely delivery, bandwidth, or security. Higher-layer protocols like TCP add reliability on top of IP’s best-effort foundation.

IP addressing

Every device on a network is identified by an IP address at Layer 3. IPv4 uses 32-bit addresses written in dotted-decimal notation (e.g., 192.168.1.1); IPv6 uses 128-bit addresses to accommodate the growing number of connected devices.

Subnets and CIDR notation

IP addresses are divided into a network portion and a host portion. CIDR (Classless Inter-Domain Routing) notation uses a slash to show how many bits belong to the network. For example, 198.0.1.130/24 means the first 24 bits (198.0.1) identify the network, and the last 8 bits (130) identify the host within it.

Reserved IPv4 ranges

Some address ranges are reserved and are not routable on the public internet:
  Range                 Purpose
  127.0.0.0/8           Loopback (localhost)
  10.0.0.0/8            Private network
  172.16.0.0/12         Private network
  192.168.0.0/16        Private network
  255.255.255.255/32    Limited broadcast
These private ranges are why your home devices have addresses like 192.168.1.x — they are not directly reachable from the internet without NAT.
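The split of an address into network and host bits, and the reserved-range table above, as an added Python example (not code from the original page). It uses the standard library's ipaddress module; the log-line format and the sample addresses are constructed for the example, and the "non-routable source" check is the kind of sanity test a defender runs on traffic seen on an internet-facing interface:

```python
import ipaddress

# Reserved IPv4 ranges from the table above (not routable on the public internet).
RESERVED_RANGES = {
    "127.0.0.0/8": "Loopback (localhost)",
    "10.0.0.0/8": "Private network",
    "172.16.0.0/12": "Private network",
    "192.168.0.0/16": "Private network",
    "255.255.255.255/32": "Limited broadcast",
}


def split_cidr(cidr):
    """Split an address in CIDR form into (network address, host number, prefix length).

    For 198.0.1.130/24 the first 24 bits are the network (198.0.1.0) and the
    remaining 8 bits give host number 130 within that network.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    host_bits = net.max_prefixlen - net.prefixlen
    host_number = int(iface.ip) & ((1 << host_bits) - 1)
    return str(net.network_address), host_number, net.prefixlen


def classify(addr):
    """Return (range, purpose) for an address in a reserved range, else (None, 'public')."""
    ip = ipaddress.ip_address(addr)
    for cidr, purpose in RESERVED_RANGES.items():
        if ip in ipaddress.ip_network(cidr):
            return cidr, purpose
    return None, "public"


def flag_non_routable_sources(log_lines):
    """Defender's check: a packet arriving from the internet with a reserved source
    address cannot come from a genuine internet host, so it is either a
    misconfiguration or a spoofed source. Returns the offending source addresses."""
    flagged = []
    for line in log_lines:
        src = line.split()[0]  # constructed log format: "<src_ip> -> <dst_ip>:<port>"
        cidr, _ = classify(src)
        if cidr is not None:
            flagged.append(src)
    return flagged


# Constructed sample log lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    "203.0.113.9 -> 198.51.100.20:443",
    "10.0.5.7 -> 198.51.100.20:22",
    "192.168.1.44 -> 198.51.100.20:80",
    "198.51.100.77 -> 198.51.100.20:443",
]

if __name__ == "__main__":
    print(split_cidr("198.0.1.130/24"))           # ('198.0.1.0', 130, 24)
    print(classify("172.31.255.1"))               # ('172.16.0.0/12', 'Private network')
    print(flag_non_routable_sources(SAMPLE_LOG))  # ['10.0.5.7', '192.168.1.44']
```

Note that 172.31.255.1 is classified as private while 172.32.0.1 is not: the /12 mask covers 172.16.0.0 through 172.31.255.255, which is easy to get wrong when the check is written by hand instead of with a prefix comparison.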

MAC addresses

While IP addresses route packets between networks, MAC (Media Access Control) addresses handle delivery within a single network segment at Layer 2. A MAC address is a 48-bit hardware identifier assigned by the manufacturer to a network interface card (NIC), written as six hexadecimal pairs (e.g., 00:1A:2B:3C:4D:5E). When a packet arrives at a router destined for a device on the local network, ARP resolves the destination IP address to a MAC address so the frame can be delivered to the correct device on the LAN. MAC addresses do not cross router boundaries — each hop rewrites the frame’s MAC addresses while preserving the IP addresses.
MAC addresses can be spoofed in software on most operating systems. Do not rely on MAC address filtering alone as a security control — it provides only weak authentication.

NAT — Network Address Translation

IPv4 provides roughly 4.3 billion addresses, far fewer than the number of devices that need internet access. NAT solves this by letting multiple devices on a private network share a single public IP address. When a device on your LAN sends traffic to the internet, your router:
  1. Records the mapping of (private IP, private port) → (public IP, public port) in a NAT translation table.
  2. Replaces the source IP and port with the router’s public IP and a chosen port.
  3. When the response arrives, it reverses the translation and forwards the packet to the correct internal device.
From the internet’s perspective, all devices behind a NAT look like a single host.
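The three-step translation above, as an added Python simulation (not code from the original page) of a NAT translation table. The public IP, private addresses and port numbers are constructed values; the model allocates one public port per (private IP, private port) pair and drops inbound packets that match no existing mapping, which is the "natural firewall effect" described below:

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """One public IP shared by many private hosts (simplified port-based NAT)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next free public port
        # Step 1: the translation table, kept in both directions.
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_out(self, pkt):
        """Steps 1-2: record the mapping and rewrite the source IP and port."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound.get(key)
        if port is None:                 # first packet from this internal socket
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Step 3: reverse the translation for a reply, or drop it if unsolicited."""
        entry = self.inbound.get(pkt.dst_port)
        if entry is None:
            return None  # no mapping: unsolicited inbound traffic is dropped
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def attribute(self, public_port):
        """Forensics: which internal host was behind a given public port."""
        return self.inbound.get(public_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.5")  # constructed public IP
    out = nat.translate_out(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    print(out)                                                        # src 203.0.113.5:40000
    print(nat.translate_in(Packet("198.51.100.7", 443, "203.0.113.5", 40000)))  # back to .10:51000
    print(nat.translate_in(Packet("198.51.100.7", 443, "203.0.113.5", 40099)))  # None (dropped)
```

The attribute() method is why a NAT device's translation log matters for incident response: without the (public port, time) to internal-host mapping, every internal device looks like the single public address.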

NAT: tradeoffs

  • Natural firewall effect: Unsolicited inbound connections from the internet cannot reach devices behind a NAT unless port forwarding rules are configured.
  • Topology hiding: External entities cannot see your internal network structure.
  • IPv4 conservation: NAT is a key reason IPv4 has remained viable despite address exhaustion, and why the transition to IPv6 has been slow.
  • Breaks end-to-end connectivity: Applications that require direct peer-to-peer connections (VoIP, gaming, file sharing) may not work without workarounds like STUN (Session Traversal Utilities for NAT) or TURN (Traversal Using Relays around NAT).
  • Loss of attribution: Multiple internal devices appear as one external IP, complicating logging and forensic investigation.
  • Port limit: Only 65,535 port numbers are available, limiting simultaneous outbound connections from the NATed network.
NAT is not a security feature. It stops unsolicited inbound connections, but it does not encrypt traffic, does not protect against attacks originating from inside the network, and does not prevent malware from calling home once it is already running on an internal device.

Autonomous Systems and internet routing

The internet is not managed by a single organization. It is a federation of independently operated networks called Autonomous Systems (ASes). An Autonomous System (AS) is a collection of IP networks and routers under the control of a single organization — an ISP, a university, a large company — that presents a common routing policy to the internet. Each AS is assigned a unique Autonomous System Number (ASN) by regional internet registries. Routing works at two levels:
  • Interior Gateway Protocols (IGPs): Used within an AS. Protocols like OSPF (Open Shortest Path First) use Dijkstra’s algorithm to find shortest paths, with complete knowledge of the AS’s internal topology.
  • Exterior Gateway Protocols (EGPs): Used between ASes. BGP is the only EGP in widespread use on the internet today.
You can inspect routing on your own machine:
    traceroute google.com   # Linux/macOS — shows each hop to the destination
    tracert google.com      # Windows equivalent
    ip route                # Show local routing table (Linux)
    Get-NetRoute            # Show local routing table (Windows PowerShell)

BGP — Border Gateway Protocol

BGP is the routing protocol that holds the internet together. It allows ASes to advertise which IP prefixes they can reach and to learn routes from neighboring ASes. Key characteristics of BGP:
  • Policy-based, not shortest-path: Routes are chosen based on local criteria — peering agreements, cost, politics, route length — not necessarily the fastest path.
  • Manual configuration: Network administrators configure routing policies by hand, introducing the potential for human error.
  • Trust-based: BGP was designed in an era of trusted peers. It has no built-in mechanism to verify that an AS actually owns the prefix it is advertising.

Routing table mechanics

Every router maintains a routing table that maps destination IP prefixes to next-hop addresses. Building and using this table are separate processes.
Building the table:
  • Routers exchange prefix reachability information with neighbors.
  • BGP uses a path-vector algorithm (related to Bellman-Ford) because Dijkstra’s requires complete network knowledge, which is infeasible in the decentralized internet.
  • The result is a forwarding table with next-hop information for each known prefix.
Using the table:
  • When a packet arrives, the router looks up the destination IP using longest prefix match — the most specific matching prefix wins.
  • The packet is forwarded out the interface toward the next hop, or dropped if no match is found.

BGP hijacking

BGP’s trust model is its most significant security weakness.
BGP hijacking: If a malicious AS announces that it has a route to an IP prefix, neighboring ASes may accept and propagate that announcement. Because routers use longest prefix match, an attacker can announce a more specific (longer) prefix to steal traffic.
Example attack:
  • Legitimate AS announces 10.0.0.0/8.
  • Attacker announces 10.1.0.0/16 (a more specific sub-prefix).
  • Traffic destined for 10.1.x.x is routed to the attacker because /16 is more specific than /8.
Consequences: Traffic interception, data theft, traffic analysis, denial of service.
Real-world example: In 2008, Pakistan Telecom accidentally (or deliberately) announced a more specific route for YouTube’s IP address range. The announcement propagated globally, diverting a significant portion of worldwide YouTube traffic to Pakistan Telecom and taking YouTube offline for most users for several hours.
Mitigation — RPKI (Resource Public Key Infrastructure): RPKI cryptographically binds IP prefixes to their legitimate AS owners. Routers that support RPKI can reject route announcements that fail cryptographic verification, preventing hijacked prefixes from propagating.
Even if a BGP hijacker successfully diverts traffic to your bank’s IP prefix, TLS provides a second layer of defense. The attacker cannot present a valid TLS certificate for the bank’s domain without compromising a Certificate Authority — so your browser would display a certificate error, alerting you that something is wrong.
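Longest prefix match from the routing-table section, the /8 versus /16 example above, and the RPKI mitigation, as one added Python example (not code from the original page). The routing table and Route Origin Validation here are simplifications of what a real router does; the ROA list is constructed, and 64496 and 64511 are ASNs from the range reserved for documentation, standing in for the legitimate and the malicious AS:

```python
import ipaddress


class RoutingTable:
    """Prefix -> origin AS. Next-hop detail is omitted; the origin AS is what matters here."""

    def __init__(self):
        self.routes = {}  # ipaddress.IPv4Network -> origin ASN

    def add(self, prefix, origin_asn):
        self.routes[ipaddress.ip_network(prefix)] = origin_asn

    def lookup(self, addr):
        """Longest prefix match: the most specific route containing addr wins."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, asn in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, asn)
        return None if best is None else (str(best[0]), best[1])


# Constructed ROAs: (prefix, maxLength, authorized origin ASN). Real ROAs come from
# the RPKI repositories, not from a hard-coded list.
ROAS = [("10.0.0.0/8", 8, 64496)]


def rov(prefix, origin_asn, roas=ROAS):
    """Simplified Route Origin Validation: 'valid', 'invalid' or 'not-found'.

    An announcement is valid if some ROA covers the prefix, names the announcing
    AS, and allows a prefix at least this long (maxLength). A covered prefix with
    no matching ROA is invalid; an uncovered prefix is not-found.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if asn == origin_asn and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def install_if_valid(table, announced_prefix, origin_asn):
    """Policy of an RPKI-aware router: drop 'invalid' announcements, install the rest."""
    state = rov(announced_prefix, origin_asn)
    if state != "invalid":
        table.add(announced_prefix, origin_asn)
    return state


if __name__ == "__main__":
    # Without RPKI: the more specific /16 from the attacker wins for 10.1.x.x.
    naive = RoutingTable()
    naive.add("10.0.0.0/8", 64496)
    naive.add("10.1.0.0/16", 64511)
    print(naive.lookup("10.1.2.3"))   # ('10.1.0.0/16', 64511) - hijacked
    print(naive.lookup("10.2.2.3"))   # ('10.0.0.0/8', 64496)

    # With ROV: the /16 fails validation and is never installed.
    strict = RoutingTable()
    print(install_if_valid(strict, "10.0.0.0/8", 64496))   # valid
    print(install_if_valid(strict, "10.1.0.0/16", 64511))  # invalid
    print(strict.lookup("10.1.2.3"))  # ('10.0.0.0/8', 64496)
```

Two details worth noticing: a ROA with maxLength 8 rejects a /16 even from the legitimate AS, so operators who intend to announce sub-prefixes must set maxLength accordingly; and a prefix with no covering ROA is merely "not-found" and is still installed, which is why RPKI only protects prefixes whose holders have published ROAs.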

Route poisoning

Route poisoning is a technique used in distance-vector routing protocols to mark a route as unreachable by setting its metric to infinity, preventing routing loops. Attackers can exploit this mechanism to deliberately poison routing tables, causing traffic to be dropped or misdirected. Keeping routing software patched and deploying authentication for routing protocol sessions (e.g., MD5 or TCP-AO for BGP sessions) reduces this risk.

Diagnostic tools

Use these tools to observe routing and addressing on your own system:
  Command                              What it shows
  ping <host>                          Tests reachability and measures round-trip time
  traceroute <host> / tracert <host>   Maps each hop between you and the destination
  ip addr / Get-NetIPAddress           Shows IP and MAC addresses for all interfaces
  ip route / Get-NetRoute              Displays the local routing table
  ip neigh / Get-NetNeighbor           Displays the ARP cache
  dig <domain>                         Detailed DNS lookup including TTL and record type