link layer


This post is a draft. What is a draft?

The lowest layer in the Internet protocol suite, and the one that is nearest to the physical medium that connects hosts together. The link layer is mostly responsible for communication to and from the physical medium, and to provide services to the internet layer. As such, the link layer is a bit primitive regarding other layers, but it provides important functionalities such as dealing with transmission errors and regulating flow of data. The data link layer also encapsulates traffic into frames, containing a frame header, a data payload, and a frame trailer.

Standards such as Ethernet and Wi-Fi belong to the link layer, that is, MAC addresses are part of it. Ethernet switches typically operate at the link layer (although they are called layer 2 switches as they refer to the data link layer of the OSI model). Ethernet switches with IP routing (called layer 2+3 switches) also exist

The Internet protocol suite assumes that physical data transmission is taken care of, as RFC 1122 and RFC 1123 do not discuss physical data transmission and do not want to impose any standards for it. According to some authors, the link layer can be roughly compared to the OSI data link layer and physical layer combined. We will not enter into the debate for our course, as the link layer is perhaps the least interesting for us. What we will touch upon is MAC addresses and ARP.

Media Access Controller - MAC

The Media Access Controller (MAC) is responsible to controlling hardware that deals with interaction with the transmission medium. One of its functions is also to provide access to MAC addresses.

A MAC address is hard-coded into hardware, into network interfaces. It is a unique identifier, which is developed and imprinted at device creation time by manufactures. It works a bit like a barcode. Its official format (managed by IEEE under the therm EUI-48) is six groups of two hexadecimal digits separated by hyphens, but many network utilities will separate the hexadecimal groups with a colon.

You can see yours with recent GNU/Linux distributions using the ip a command. On macOS, this is shown with networksetup -listallhardwareports. A (randomly generated) MAC address has the form 01:82:1E:EB:F1:C2. Blocks of addresses (the first 3 octets) are assigned to manufacturers for a fee. My Apple MacBook Pro has MAC addresses that start with f0:18:98 for the Wi-Fi adapter and the Bluetooth adapter (a network adapter is also known as Network Interface Card, or NIC, in the hosting world), and with 82:9c:b0 for Ethernet adapters (via Thunderbolt). The second half of a MAC address does not have a particular meaning and can be decided by the manufacturer.

You might wonder such a numbering scheme would ever run out as with IPv4. Yes, it will. IEEE estimates that we will run out of MAC addresses expressed as EUI-48 around year 2080. There is a new standard, much like IPv6, that will make use of a bigger identifier.

A MAC address is used most commonly to allow hosts to identify themselves on a network, to the router, before they are assigned an address at a higher level, that is the IP address. MAC addresses also allow distinguishing unicast and multicast communication for frames.

When the least significant bit of an address’s first octet is 0 (for my in my Wi-Fi adapter that would be f0 hex → 11110000 bin, and for my Ethernet adapters that would be 82 hex → 10000010 bin) a frame is meant to reach only one receiving network adapter (unicast). If a switch does not know which port leads to a given MAC address, the switch will forward an unicast frame to all of its ports, executing an unicast flood. The node with the matching MAC address will accept the frame.

If the bit is set to 1, the frame will be sent once as with unicast, but network adapters can opt to accept it according to various other criteria (multicast). When the MAC address is set to FF:FF:FF:FF:FF:FF, we have all nodes accepted and forwarded, thus flooded, by all nodes (broadcast).

Address Resolution Protocol - ARP

ARP is for discovering link layer addresses (MAC address is the current default one) associated with a IPv4 address. IPv6 has a corresponding protocol at the link layer level, named Neighbor Discovery Protocol (NDP). The job of ARP is to map IP addresses onto the data link layer, when communication happens. It works as follows.

Suppose that, within a LAN like the one below, there are two hosts H1 and H2. H1 and H2 are connected via ethernet to a switch. The ethernet switch is connected to a router.

Example: Hosts H1 and H2 communicate via the link layer

Host H1 must send data to a host for which it only knows a name, Through the network DNS service, which is somewhere in the networks represented by the three dots, H1 obtains H2 IP address, The IP software on H1 is able to tell H1 that the IP address belongs to same network of H1. H1 still needs to find an “ethernet address”, or MAC address to send data to, through the switch. What H1 can do is to send a broadcast packet through ethernet, with destination FF:FF:FF:FF:FF:FF, which will get flooded by the switch to all other H2, H3, H4, H5, .., hosts of the network. The broadcasted packet will contain a request of the form “who owns”. H2, together will all other devices within the LAN, will receive the packet and respond to it with its ethernet address, or MAC address. H1 now has got what it was asking for, and can send data.

I do not use a commenting system anymore, but I would be glad to read your feedback. Feel free to contact me.