Network layer (IPv4, IPv6, and ICMP) packet headers

The network layer (layer 3) is the layer that coordinates the transmission of data to other networks (that is, outside of the user's own network). This is particularly important to the cybersecurity analyst because it is this layer that informs you whether the threat is internal or external, and therefore allows the operations center to focus its attention on preventing access or segmenting the network.

In this section, we will learn how to describe the fields in network layer packet headers and how they can betray an intrusion. Ensure that you know the difference between the addresses at layer 2 and the addresses at layer 3.

The network layer contains routing information – the addresses identify the device requesting the information, and the resource on which it is held. Where the MAC addresses at layer 2 describe how to get from one device to the next in the line, the IP addresses at layer 3 contain information for the original device and its ultimate target.

IPv4 is the dominant addressing scheme in use. It uses a 4-byte (32-bit) address, which is normally represented in dotted decimal format. The 4-byte address contains both the network identifier and the host address. These can be differentiated using the subnet mask. IPv4 has a limit of 4,294,967,296 unique addresses, although many of these are reserved for special purposes, including broadcasts, multicasts, test environments, and loopbacks. The anticipated 45 trillion networked sensors by 2040 clearly cannot be supported by this alone (even with the use of private addresses, networks, and port address translation).

IPv6 uses a 16-byte (128-bit) address that allows for several orders of magnitude more addresses (approximately 3 followed by 38 zeros).

Internet Control Message Protocol (ICMP) is used for network testing, and sits between the network layer and the transport layer. It is dependent on IPv4 or IPv6 for addressing, and must be encapsulated in an IP packet (as if it were a higher-level protocol). ICMP and IP are co-dependent; when IP is implemented, ICMP is implemented alongside it by design.
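
The following Python example is an addition to this section, not code from the original text. It decodes the fixed IPv4 header fields, uses the subnet mask to separate the network identifier from the host address, reads the protocol field that marks an encapsulated ICMP message, and labels each address as internal or external. The function names, the `LOCAL_NETWORKS` range, and the sample packet are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers carried in the IPv4 "protocol" field.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumed internal network for this example (not from the original text).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]
# Constructed sample header: version 4, IHL 5, TTL 64, protocol 1 (ICMP).
# The checksum field is left at 0 and is not verified here.
SAMPLE = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                     bytes([192, 168, 10, 23]), bytes([203, 0, 113, 7]))

def parse_ipv4_header(packet):
    """Decode the fixed 20-byte part of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20:
        raise ValueError("not a well-formed IPv4 header")
    return {"header_len": header_len, "total_len": total_len, "ttl": ttl,
            "protocol": PROTOCOLS.get(proto, str(proto)),
            "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst)}

def split_address(addr, mask):
    """Use the subnet mask to separate network identifier and host part."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    host = int(ipaddress.IPv4Address(addr)) & int(net.hostmask)
    return net.network_address, host

def origin(addr, local_networks=LOCAL_NETWORKS):
    """Label an address as reserved (loopback/multicast), internal or external."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if any(addr in net for net in local_networks):
        return "internal"
    return "external"

if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE)
    print(hdr["protocol"], hdr["src"], origin(hdr["src"]),
          "->", hdr["dst"], origin(hdr["dst"]))
    print(split_address(hdr["src"], "255.255.255.0"))
```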
