109.1 Fundamentals of Internet Protocols

Weight: 4

Goal: Demonstrate a proper understanding of TCP/IP network fundamentals.

This is a theory-heavy objective. There are very few commands to memorize — but a lot of concepts.

1. IP Addresses

An IP address uniquely identifies a network interface on a network. There are two versions in active use:

IPv4 — 32-bit addresses, written as four decimal numbers (0–255) separated by dots: 192.168.1.10.
IPv6 — 128-bit addresses, written as eight groups of four hex digits separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

IPv4 address classes (historical)

The old “classful” system divided the IPv4 space by the first octet:

Class	First octet range	Default mask	Typical use
A	1–126	/8 (255.0.0.0)	Very large networks
B	128–191	/16 (255.255.0.0)	Medium networks
C	192–223	/24 (255.255.255.0)	Small networks
D	224–239	—	Multicast
E	240–255	—	Reserved / experimental

Real networks today use CIDR (Classless Inter-Domain Routing) instead — any prefix length is allowed, not just /8, /16, /24. The classes are mostly historical, but the exam still expects you to recognize them.

Private (RFC 1918) IPv4 ranges

These ranges are never routed on the public internet. Use them on home/office LANs.

Range	Size
`10.0.0.0/8`	10.0.0.0 – 10.255.255.255
`172.16.0.0/12`	172.16.0.0 – 172.31.255.255
`192.168.0.0/16`	192.168.0.0 – 192.168.255.255

Special addresses

Address	Meaning
`127.0.0.1`	IPv4 loopback (`localhost`) — refers to the local machine.
`0.0.0.0`	“Any” / unspecified. Used as a wildcard for listening sockets and as a placeholder route.
`255.255.255.255`	Limited broadcast — to all hosts on the local subnet.
`169.254.0.0/16`	Link-local / APIPA — auto-assigned when no DHCP is available.

2. Subnets and Netmasks

A subnet mask divides an IP address into two parts:

Network portion — identifies the network.
Host portion — identifies a host within that network.

Two notations

192.168.1.10 / 255.255.255.0       # traditional dotted-decimal mask
192.168.1.10 / 24                   # CIDR notation

/24 means “the first 24 bits are network, the remaining 8 bits are host.”

Reading a /24 example

IP address      192.168.1.10
Netmask         255.255.255.0       (= /24)

Network address 192.168.1.0         (all host bits set to 0)
Broadcast       192.168.1.255       (all host bits set to 1)
Usable hosts    192.168.1.1 – 192.168.1.254     (254 hosts)

Common CIDR sizes

CIDR	Mask	Usable hosts
/30	255.255.255.252	2 (point-to-point links)
/29	255.255.255.248	6
/28	255.255.255.240	14
/24	255.255.255.0	254
/16	255.255.0.0	65 534

Formula: usable hosts = 2^(host_bits) − 2 (subtract network and broadcast).

Network, broadcast, and gateway

Network address — first address (host bits = 0). Identifies the subnet.
Broadcast address — last address (host bits = 1). A packet sent here reaches every host on the subnet.
Default gateway — the IP of the router that forwards packets out of this subnet. The local host sends here anything not destined for the local network.

3. IPv6 Basics

IPv6 was created because the IPv4 address space (~4 billion addresses) was running out.

Notation rules

Hex digits, 8 groups of 4, separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Leading zeros in a group may be dropped: 0db8 → db8.
A single run of zero groups may be replaced by :: — only once per address.

Same address shortened:

2001:0db8:85a3:0000:0000:8a2e:0370:7334
2001:db8:85a3::8a2e:370:7334

Key IPv6 addresses

Address	Meaning
`::1`	Loopback (equivalent to IPv4 `127.0.0.1`).
`::`	Unspecified address (equivalent to `0.0.0.0`).
`fe80::/10`	Link-local — auto-configured on every interface.
`2000::/3`	Global unicast — public, routable addresses.
`fc00::/7`	Unique local addresses — private (like RFC 1918).
`ff00::/8`	Multicast (IPv6 has no broadcast — multicast replaces it).

Differences from IPv4 to remember

No broadcast in IPv6 — only multicast.
No ARP — neighbor discovery is done with NDP (Neighbor Discovery Protocol) using ICMPv6.
Hosts can auto-configure their own addresses via SLAAC (Stateless Address Autoconfiguration) using router advertisements.

4. The TCP/IP Layers and the Big Three Protocols

TCP/IP is a stack of layered protocols. For the exam, focus on the transport layer.

┌────────────────────────────────────┐
│ Application (HTTP, SSH, DNS, SMTP) │
├────────────────────────────────────┤
│ Transport (TCP, UDP)               │
├────────────────────────────────────┤
│ Internet (IP, ICMP)                │
├────────────────────────────────────┤
│ Link (Ethernet, Wi-Fi)             │
└────────────────────────────────────┘

IP (Internet Protocol)

Connectionless, best-effort delivery of packets. Provides addressing and routing. Unreliable — packets may be lost, duplicated, or arrive out of order.

ICMP (Internet Control Message Protocol)

Used for diagnostics and error reporting at the IP layer, not for carrying user data. Examples:

Echo Request / Echo Reply → used by ping.
Destination Unreachable → returned when a host or port is not reachable.
Time Exceeded → returned by traceroute to discover the path.

TCP (Transmission Control Protocol)

Connection-oriented: a session is established before data flows (the three-way handshake: SYN → SYN-ACK → ACK).
Reliable: lost packets are retransmitted; order is restored.
Flow-controlled: prevents the sender from overwhelming the receiver.
Used by: HTTP, HTTPS, SSH, SMTP, FTP, IMAP, POP3 — anything that needs reliability.

UDP (User Datagram Protocol)

Connectionless: just send a packet, no setup.
Unreliable: no retransmission, no ordering.
Lightweight: low overhead, no handshake.
Used by: DNS, DHCP, NTP, SNMP, VoIP, streaming, online games — anything where speed matters more than guaranteed delivery.

TCP vs UDP at a glance

	TCP	UDP
Connection	Required (handshake)	None
Reliable	Yes	No
Ordered	Yes	No
Speed	Slower (overhead)	Faster
Use cases	Web, email, SSH	DNS, DHCP, NTP, streaming

5. Ports and Sockets

A port is a 16-bit number (1–65535) identifying a specific service on a host. The combination IP + port is called a socket.

Port ranges

Range	Name	Use
1–1023	Well-known / privileged	Standard services. Binding requires root on Linux.
1024–49151	Registered	Assigned by IANA but for ordinary applications.
49152–65535	Dynamic / ephemeral	Temporary ports clients use for outgoing connections.

Well-known ports for the exam

Service	Port	Protocol
FTP (data / control)	20 / 21	TCP
SSH	22	TCP
Telnet	23	TCP
SMTP	25	TCP
DNS	53	UDP (and TCP for large queries / zone transfers)
DHCP	67 (server), 68 (client)	UDP
TFTP	69	UDP
HTTP	80	TCP
POP3	110	TCP
NTP	123	UDP
IMAP	143	TCP
SNMP	161	UDP
LDAP	389	TCP
HTTPS	443	TCP
SMTPS	465	TCP
Syslog	514	UDP (TCP also possible)
SMTP submission	587	TCP
IMAPS	993	TCP
POP3S	995	TCP

`/etc/services`

This text file lists well-known service names paired with ports. Tools that show port numbers can translate them into names by looking here. Format:

ssh    22/tcp
http   80/tcp
dns    53/udp

6. DNS, DHCP, NAT — Short Definitions

These services keep coming up in this objective. Know what each does (details belong to later objectives, especially 109.4).

Service	Function
DNS (Domain Name System)	Translates names (`www.example.com`) to IP addresses, and vice versa. Uses port 53 (UDP for queries, TCP for zone transfers).
DHCP (Dynamic Host Configuration Protocol)	Automatically assigns IP address, netmask, gateway, and DNS servers to clients. UDP ports 67 (server) and 68 (client).
NAT (Network Address Translation)	A router rewrites packet headers so many private hosts can share one public IP. The standard way a home/office connects to the internet.

7. A Few Essential Diagnostic Commands

Detailed coverage of these commands is in 109.3. Here are the minimum essentials in case they come up in the context of this objective.

ping host                       # is the host reachable? (ICMP echo)
ping6 host                      # IPv6 version
traceroute host                 # path packets take, hop by hop
ip addr                         # show interface IP addresses
ip route                        # show the routing table (and default gateway)
ss -tuln                        # list listening TCP/UDP sockets

8. Quick Reference for the Exam

Numbers to memorize:

IPv4 = 32 bits, IPv6 = 128 bits.
Private IPv4 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Loopback: 127.0.0.1 (v4), ::1 (v6).
Well-known ports: see the table above.

Concepts:

TCP vs UDP differences.
The three-way handshake (SYN, SYN-ACK, ACK).
What ICMP is for (and that ping/traceroute use it).
Subnet mask, network address, broadcast address, default gateway.
CIDR notation.
The role of DNS, DHCP, and NAT.

Files:

/etc/services — service name to port mapping.

9. Likely Exam Questions (Self-Check)

How many bits are in an IPv4 address? How many in an IPv6 address? IPv4: 32 bits. IPv6: 128 bits.
List the three private IPv4 address ranges. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
What is the loopback address in IPv4 and IPv6? IPv4: 127.0.0.1. IPv6: ::1.
You have a network 192.168.1.0/24. What is the broadcast address, and how many usable hosts are there? Broadcast: 192.168.1.255. Usable hosts: 254 (2^8 − 2).
What is the main practical difference between TCP and UDP? TCP is connection-oriented, reliable, and ordered, at the cost of overhead. UDP is connectionless, unreliable, and lightweight.
What three packets make up the TCP three-way handshake? SYN → SYN-ACK → ACK.
Which protocol does ping use? ICMP (specifically Echo Request and Echo Reply).
What port and protocol does SSH use? TCP 22.
What port and protocol does DNS use? UDP 53 for most queries, TCP 53 for large responses and zone transfers.
What ports and protocol does DHCP use? UDP — port 67 on the server, port 68 on the client.
What port and protocol does HTTPS use? TCP 443.
What does /etc/services contain? A mapping of well-known service names to port numbers and protocols.
What is the difference between port 1023 and port 1024 in terms of who may bind to them on Linux? Ports 1–1023 are privileged — only root can bind to them. From 1024 upward, any user can bind.
What does NAT do, and why is it ubiquitous on home networks? Network Address Translation lets a router rewrite source/destination addresses so many devices on a private network can share a single public IP, conserving the limited IPv4 space.
What replaces ARP in IPv6? NDP (Neighbor Discovery Protocol), which uses ICMPv6.
What is SLAAC? Stateless Address Autoconfiguration — the IPv6 mechanism by which a host configures its own address from router advertisements without a DHCP server.
In CIDR notation, what does /24 mean, and what is the equivalent dotted-decimal mask? The first 24 bits are the network portion. Equivalent mask: 255.255.255.0.