IP Addressing
IP Addressing — IPv4, IPv6, and How Devices Are Identified
Every device on a network needs a way to be found. On the internet and on most modern networks, that job belongs to the IP (Internet Protocol) address. An IP address is a numerical label assigned to every device that connects to a network using the Internet Protocol. It serves two distinct purposes: identifying the host (which device is this?) and providing a location (how do we reach it?).
This file covers how IP addresses work, the two major versions in use today, special address ranges you will encounter constantly in security work, and why all of this matters when you are trying to understand or defend a network.
Why Every Device Needs an Address
Think of an IP address like a postal address. Without it, no one would know where to send packets, and no one would know where a packet came from. When your browser loads a web page, your computer sends packets to the web server's IP address. The server sends packets back to your IP address. Every step of that exchange depends on IP addresses being correctly assigned, read, and routed.
IP addresses are assigned at the network layer — Layer 3 in the OSI (Open Systems Interconnection) model, and the Internet Layer in the TCP/IP (Transmission Control Protocol / Internet Protocol) model. They exist above the physical wiring and below the application software that users interact with.
IPv4 — The Current Standard
IPv4 (Internet Protocol version 4) has been the dominant addressing scheme since the early days of the internet. It is still the most common version you will encounter inside corporate and home networks, even as IPv6 is being deployed alongside it.
Structure
An IPv4 address is 32 bits long. It is written as four decimal numbers separated by dots, like this:
192.168.1.100
Each of the four numbers is called an octet — eight bits — and can range from 0 to 255. Because the address is 32 bits, the total number of possible unique IPv4 addresses is 2^32, which equals approximately 4.3 billion addresses.
That sounds like a lot. It is not enough. More on that shortly.
Binary Representation — Essential for Understanding Subnetting
Every IPv4 address is ultimately a 32-bit binary number. Networking equipment does not read "192.168.1.100" — it reads:
11000000.10101000.00000001.01100100
Breaking it down octet by octet:
| Decimal | Binary |
|---|---|
| 192 | 11000000 |
| 168 | 10101000 |
| 1 | 00000001 |
| 100 | 01100100 |
To convert a decimal number to binary, you divide it repeatedly by 2 and read the remainders in reverse. For practical purposes in cybersecurity, you will want to memorize the binary values of the powers of 2: 128, 64, 32, 16, 8, 4, 2, 1. Each bit position in an octet corresponds to one of these values from left to right.
Understanding binary is not optional when you reach subnetting. A subnet mask is a binary pattern — 1s covering the network portion, 0s covering the host portion. You cannot correctly calculate subnets without understanding binary.
IPv4 Address Classes — Classful Addressing
Before modern routing, the internet used a system called classful addressing. The class of an address was determined by its first few bits, and that class determined how the address was split between the network portion and the host portion. Classful addressing has been replaced in practice by CIDR (Classless Inter-Domain Routing), but the class boundaries still appear in documentation, default subnet masks, and conversations with experienced network engineers. You need to know this.
Class A — 0.0.0.0 through 127.255.255.255
- The first bit of the address is always 0.
- The first octet identifies the network; the remaining three octets identify the host.
- CIDR notation: /8 prefix, meaning the first 8 bits are the network portion.
- Each Class A network can host up to 16,777,214 individual devices.
- Originally assigned to very large organizations and national networks. Only 128 Class A networks exist, so they were treated as scarce, valuable resources.
Class B — 128.0.0.0 through 191.255.255.255
- The first two bits are always 10.
- The first two octets identify the network; the last two identify the host.
- CIDR notation: /16 prefix.
- Each Class B network can host up to 65,534 devices.
- Originally assigned to large organizations such as universities and major corporations.
Class C — 192.0.0.0 through 223.255.255.255
- The first three bits are always 110.
- The first three octets identify the network; the last octet identifies the host.
- CIDR notation: /24 prefix.
- Each Class C network can host up to 254 devices (256 minus the network address and the broadcast address, which are reserved).
- The most common class. Home routers, small offices, and most internal network segments you will encounter use /24 networks in the 192.168.x.x range.
Class D — 224.0.0.0 through 239.255.255.255
- Reserved for multicast. Multicast means sending one packet to a group of receivers simultaneously, rather than one receiver (unicast) or all receivers (broadcast).
- Used by routing protocols (such as OSPF — Open Shortest Path First) and streaming applications.
- Not assigned to individual hosts.
Class E — 240.0.0.0 through 255.255.255.255
- Reserved and experimental. Not used in production networks.
- 255.255.255.255 within this range is the limited broadcast address (see Special Addresses below).
The Transition to CIDR
Classful addressing was wasteful. An organization needing 300 hosts had to receive a full Class B network (65,534 host addresses), leaving tens of thousands of addresses unused. CIDR was introduced in 1993 to allow networks of any size — /9, /17, /22, /27, whatever fits the actual need — rather than forcing everything into Class A, B, or C blocks. Despite this, you will still hear "Class C network" used informally to mean "a /24 network."
Special and Reserved IPv4 Ranges
Certain IPv4 address ranges are set aside for specific purposes. You will encounter these constantly.
Loopback — 127.0.0.0/8
Any address in the range 127.0.0.0 through 127.255.255.255 is a loopback address. Traffic sent to any address in this range stays on the local machine and never goes out to a network.
The address 127.0.0.1 is called "localhost." When you run a web server on your own computer and connect to http://localhost, you are using the loopback address. This is indispensable for testing services locally without network connectivity.
In security work, if you see a connection from 127.0.0.1, the traffic is originating from the same machine it is connecting to — not from a remote attacker. However, some malware routes traffic through localhost as part of proxy chains.
Private Address Ranges — RFC 1918
RFC 1918 defines three address blocks that are reserved for private networks. These addresses are not routed on the public internet — a router on the public internet that receives a packet with an RFC 1918 source or destination address will drop it.
| Range | CIDR Notation | Address Count | Original Class |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16,777,216 | Class A private |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1,048,576 | Class B private |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | Class C private |
Why private addresses exist: IPv4 has only approximately 4.3 billion possible addresses — far fewer than the number of devices connected to the internet. Private addresses allow organizations and homes to use the same address ranges internally without conflicting with each other or with the public internet. When a device inside a private network communicates with the internet, NAT (Network Address Translation) translates its private address to the organization's single public IP address (or one of a small pool of them) before the packet leaves the network.
The most familiar range to most people is 192.168.0.0/16. If your home router gives your laptop the address 192.168.1.45, that address works only inside your home network. From the internet, your home looks like one address — your ISP's (Internet Service Provider's) public IP.
In security work, knowing RFC 1918 ranges tells you immediately what kind of network you are looking at:
- If you see a 192.168.x.x or 10.x.x.x address in a log, you are looking at internal traffic.
- If an attacker gains access to an internal network, they will enumerate RFC 1918 ranges to discover additional targets — a technique called internal network scanning.
- RFC 1918 addresses appearing as the source in packets arriving from the internet is a red flag. Legitimate traffic should never arrive from these addresses, because they are not routable on the public internet. Seeing them may indicate IP spoofing or a misconfigured network device.
APIPA — 169.254.0.0/16
APIPA stands for Automatic Private IP Addressing. When a Windows or macOS device tries to obtain an IP address from a DHCP (Dynamic Host Configuration Protocol) server and fails — because the DHCP server is down or unreachable — the device assigns itself an address in the range 169.254.0.0 through 169.254.255.255.
These addresses allow devices on the same local segment to communicate with each other but not with the broader network or the internet.
If you see a device with an IP address in the 169.254.x.x range, the immediate diagnosis is: DHCP has failed for this device. This is a common starting point for network troubleshooting.
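The ranges above can be turned into a log triage check. This is an added example, not part of the original text: the log format, the interface names `wan0`/`lan0`, and the sample lines are constructed for illustration, and it covers IPv4 only.

```python
import ipaddress

# Special ranges described above, checked in order.
SPECIAL_RANGES = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("apipa", ipaddress.ip_network("169.254.0.0/16")),
]

# Constructed sample: key=value firewall log lines (format is an assumption).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z iface=wan0 src=198.51.100.7 dst=203.0.113.10 dport=443
2024-05-01T10:00:02Z iface=wan0 src=10.20.30.40 dst=203.0.113.10 dport=443
2024-05-01T10:00:03Z iface=lan0 src=192.168.1.45 dst=198.51.100.7 dport=443
2024-05-01T10:00:04Z iface=lan0 src=169.254.7.9 dst=192.168.1.1 dport=53
2024-05-01T10:00:05Z iface=wan0 src=172.31.255.254 dst=203.0.113.10 dport=22
2024-05-01T10:00:06Z iface=wan0 src=172.32.0.1 dst=203.0.113.10 dport=22
""".splitlines()


def classify(address: str) -> str:
    """Return the special-range label for an IPv4 address, or 'other'."""
    ip = ipaddress.ip_address(address)
    for label, network in SPECIAL_RANGES:
        if ip in network:
            return label
    return "other"


def audit(lines, wan_iface="wan0"):
    """Flag sources that should never appear where they were seen."""
    findings = []
    for line in lines:
        # The timestamp has no '=' and is skipped; the rest are key=value.
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        kind = classify(fields["src"])
        if fields["iface"] == wan_iface and kind != "other":
            # Non-routable source arriving from the internet side:
            # spoofing or a misconfigured device.
            findings.append((fields["src"], f"{kind} source on {wan_iface}"))
        elif kind == "apipa":
            # Self-assigned address on the inside: DHCP failed for this host.
            findings.append((fields["src"], "APIPA address, check DHCP"))
    return findings


if __name__ == "__main__":
    for src, reason in audit(SAMPLE_LOG):
        print(f"{src:16} {reason}")
```

Note the /12 boundary: 172.31.255.254 is private, while 172.32.0.1 falls outside 172.16.0.0/12 and is not flagged.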
Broadcast Addresses
- Limited broadcast: 255.255.255.255 — sends a packet to all devices on the local network segment. Routers do not forward this address.
- Directed broadcast — the address with all host bits set to 1 in any given subnet (e.g., 192.168.1.255 in a 192.168.1.0/24 network). Used to reach all hosts in a specific subnet. Historically exploited in the Smurf DDoS (Distributed Denial of Service) attack; modern routers block directed broadcasts by default.
Network Address
The address with all host bits set to 0 identifies the network itself rather than any specific host. For example, 192.168.1.0 in the 192.168.1.0/24 network is the network address. It cannot be assigned to a device.
Network vs. Host Portion
Every IPv4 address is divided into two logical parts:
- The network portion — identifies which network the device belongs to.
- The host portion — identifies the specific device within that network.
The subnet mask determines where the dividing line falls. A subnet mask of 255.255.255.0 (also written as /24) means the first 24 bits are the network portion and the last 8 bits are the host portion. Subnetting is covered in detail in the subnetting file, but understanding that this division exists is fundamental to reading any IP address meaningfully.
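The binary view from earlier and the network/host split described here come together in the mask arithmetic. The following is an added example (not from the original text) that works on the raw 32-bit value rather than a library, so each bit operation is visible; the function names are illustrative.

```python
def to_int(dotted: str) -> int:
    """Pack a dotted-quad string into a single 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet      # shift left one octet, append next
    return value


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Render the address as four 8-bit groups."""
    value = to_int(dotted)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def describe(address: str, prefix: int) -> dict:
    """Split an address into network and host portions for a /prefix mask."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # prefix 1s, then 0s
    addr = to_int(address)
    network = addr & mask                            # host bits forced to 0
    broadcast = network | (~mask & 0xFFFFFFFF)       # host bits forced to 1
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "host_part": addr & ~mask & 0xFFFFFFFF,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    print(to_binary("192.168.1.100"))
    for prefix in (24, 26, 16):
        print(f"/{prefix}", describe("192.168.1.100", prefix))
```

With a /26 mask the same address lands in 192.168.1.64 with broadcast 192.168.1.127, which shows why the network boundary cannot be read from the dotted decimal form alone.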
IPv6 — The Successor
IPv4's address exhaustion problem was recognized decades ago. IANA (Internet Assigned Numbers Authority), the organization responsible for global IP address allocation, exhausted its pool of unallocated IPv4 address blocks in February 2011. Regional registries exhausted their pools in subsequent years. The solution was developed long before this point: IPv6 (Internet Protocol version 6).
Why IPv6 Was Created
IPv6 was designed to solve the address exhaustion problem by providing a vastly larger address space, while also simplifying and improving the protocol itself.
IPv6 provides 2^128 possible addresses — approximately 340 undecillion addresses. That is 340 followed by 36 zeros. In practical terms, it is enough to assign a unique address to every grain of sand on Earth many times over, and then do it again for every planet in the observable universe. IPv6 address exhaustion is not a concern.
Structure
An IPv6 address is 128 bits long. It is written as eight groups of four hexadecimal digits separated by colons:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Hexadecimal (hex) uses 16 digits: 0–9 and a–f. Each hex digit represents 4 bits, so four hex digits represent 16 bits. Eight groups of 16 bits give you the full 128 bits.
Compression Rules
IPv6 addresses written in full are long and prone to transcription errors. Two compression rules make them shorter:
- Drop leading zeros within each group. The group 0db8 can be written as db8. The group 0000 can be written as 0.
- Replace one consecutive run of all-zero groups with ::. This can only be used once per address. The address above has two all-zero groups (0000:0000). Applying both rules:
Full: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Compressed: 2001:db8:85a3::8a2e:370:7334
When you expand a compressed address, you count the groups present, subtract from 8, and expand :: to that many all-zero groups.
IPv6 Special Addresses
| Address | Meaning |
|---|---|
| ::1 | Loopback — equivalent to 127.0.0.1 in IPv4 |
| fe80::/10 | Link-local addresses — auto-assigned, not routable beyond the local network segment |
| ff00::/8 | Multicast addresses |
| ::/0 | Default route — equivalent to 0.0.0.0/0 in IPv4 |
| 2001:db8::/32 | Documentation prefix — reserved for examples in RFCs and books (like this one) |
Link-local addresses (fe80::/10) are automatically generated by every IPv6-capable device from its MAC (Media Access Control) address when IPv6 is enabled. They are used for communication within a local network segment and are not forwarded by routers. If you inspect network interfaces on a modern operating system, you will see a link-local address even if IPv6 has not been configured by a network administrator.
IPv6 Improvements Over IPv4
IPv6 was not simply a larger IPv4. It brought several genuine improvements:
No NAT required. Because every device can have a globally unique public IPv6 address, NAT becomes unnecessary. This simplifies network design and resolves problems that NAT creates for protocols that embed IP addresses in their payloads (such as some VoIP — Voice over Internet Protocol — applications).
IPsec built into the standard. IPsec (IP Security) is a suite of protocols for authenticating and encrypting IP traffic. In IPv4, IPsec is an optional add-on. In IPv6, it was built into the specification from the start. (In practice, implementation is still not universal, but the design intent is there.)
Simplified header. IPv4's header has a variable number of fields and options that make parsing complex. IPv6 uses a fixed-length header with extension headers chained as needed. This allows routers to process packets more efficiently.
SLAAC — Stateless Address Autoconfiguration. IPv6 devices can generate their own addresses without a DHCP server. A device combines the /64 network prefix advertised by the local router with a host portion derived from its MAC address (or a randomly generated value). This self-configuration mechanism works automatically.
IPv6 Adoption
As of 2024, approximately 45 to 50 percent of global internet traffic uses IPv6. Most modern networks run dual-stack — both IPv4 and IPv6 simultaneously — rather than switching exclusively to one or the other. This means many devices have both an IPv4 and an IPv6 address at the same time, and use whichever is appropriate for a given connection.
Security Relevance
IP addressing is not just a networking concept — it is foundational to how attacks are planned, how reconnaissance is conducted, and how defenses are designed.
IP Spoofing
IP spoofing means forging the source IP address in a packet. Because IP itself has no mechanism to verify that the source address is genuine, an attacker can craft a packet claiming to come from any IP address. This is used in:
- DDoS amplification attacks. The attacker sends requests with the victim's IP as the source address to servers that generate large responses (DNS — Domain Name System amplification, NTP — Network Time Protocol amplification). The servers send their large responses to the victim, flooding it with traffic the victim never requested.
- Bypassing IP-based access controls. If a firewall or application only checks the source IP address without further authentication, spoofing can bypass that check in some circumstances (though responses will not return to the attacker unless additional conditions are met).
Network Scanning and Reconnaissance
IP address ranges are the input to every network scanner. An attacker who knows they are inside an organization's network will scan RFC 1918 ranges to discover what hosts are present, what operating systems they run, and what services are exposed. Knowing that 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are the private ranges that internal networks use tells you exactly where to scan.
In authorized penetration testing, this same knowledge is the starting point for internal network assessments.
OSINT from Public IP Space
Public IP addresses assigned to an organization can often be found through IANA's registry, WHOIS (Who Is) lookups, and regional internet registry databases. This gives attackers a map of an organization's public-facing address space before they send a single packet toward the target.
IPv6 Security Gaps
Organizations that enable IPv6 without corresponding security controls create attack paths that IPv4-only defenses cannot see. Firewalls, intrusion detection systems, and logging tools that are not IPv6-aware may pass IPv6 traffic without inspecting it at all. Attackers who tunnel traffic inside IPv6 packets or use IPv6 link-local addresses can sometimes evade detection entirely.
Running dual-stack means running two attack surfaces. Every security control that exists for IPv4 must have a corresponding control for IPv6. Many organizations have not done this work.
A specific technique called IPv6 rogue router advertisement involves an attacker sending fake IPv6 router advertisements on a local network segment. Devices that receive these advertisements may begin routing traffic through the attacker's machine, enabling a man-in-the-middle attack even on a network that has not deployed IPv6 intentionally — because IPv6 is enabled by default on most modern operating systems.
The Bottom Line
An IP address is a numerical label that identifies a device on a network and provides the information needed to route packets to it. IPv4 uses 32-bit addresses (approximately 4.3 billion total), organized into classes and divided into public, private, loopback, and special-purpose ranges. IPv6 uses 128-bit addresses (approximately 340 undecillion total) and was created to solve IPv4 address exhaustion. Most networks today run both versions simultaneously. From a security perspective, IP addresses are the foundation of reconnaissance, the basis of IP spoofing attacks, and a source of blind spots when IPv6 is deployed without proper controls.
Check Your Understanding
- A device on your network shows an IP address of 169.254.43.12. What does this tell you, and what would you check next?
- An attacker gains access to an internal corporate network. Without any other information, what IP address ranges would they likely scan first to find other internal devices, and why?
Something to Think About
- IPv6 eliminates NAT because every device can have a globally unique address. NAT has been criticized for breaking the end-to-end principle of the internet, but it has also been credited with providing a layer of obscurity for internal networks. If IPv6 removes NAT entirely, what new approaches would organizations need to adopt to achieve equivalent network boundary protection?
- IP spoofing has been known and exploitable for decades, yet IP itself still has no built-in source address verification. What practical and technical obstacles have prevented the widespread deployment of source address validation — and what does that say about the challenges of changing foundational internet protocols?
References
- Official Specification. RFC 791 — "Internet Protocol". IETF, September 1981. — Original IPv4 specification defining packet structure, addressing, and fragmentation.
- Official Specification. RFC 8200 — "Internet Protocol, Version 6 (IPv6) Specification". IETF, 2017. — Current IPv6 standard, defining the 128-bit address space and IPv6 packet structure.
- Official Specification. RFC 1918 — "Address Allocation for Private Internets". IETF, 1996. — Defines the three private IPv4 address ranges used inside virtually every organization's network.
- Official Registry. IANA — "IPv4 Address Space Registry". Internet Assigned Numbers Authority. — Authoritative registry of all IPv4 allocations by block.
- Official Guidance. CISA — "IPv6 Security Guidance". CISA. — Federal guidance on IPv6 deployment and the security gaps it can introduce when organizations enable IPv6 without corresponding security controls.