I was reading an answer from another post that I did not understand and I would like clarification on.

Your original assumptions are not entirely correct. What you call a router is two devices in one – a two-port router internally connected to a multiple-port Ethernet switch.

This means that the computers are directly connected at layer 2, and can send packets to each other without going through the router core – they're simply relayed between ports by the switch chip. (The router has its own port in the switch.)

So if you look at the packets using Wireshark, you'll see that they directly use each other's MAC addresses, while outside packets always have the router's MAC as the destination.

...

   ... each computer in a subnetwork is not connected to each other, but rather to a switch, which then can pass on packages1 to the correct destination. An Ethernet-frame does not contain the subnet-mask, as the switch already has this knowledge, and hence does not need it to do the correct switching.

That's again incorrect. Switches do not have this knowledge; their switching core works at layer 2 and does not know anything about IP – it forwards Ethernet frames purely based on the 'destination MAC address' field.
____________________
1 [Editorial note] Presumably this is meant to be “packets”.

Source https://superuser.com/a/1191145/337631

How could the paraphrased above be true? I have configured a fair bit of household grade network hardware and it does not appear to be this way in reality. In your router you have both IP and MAC filtering and routing options. Also, when using VM software, your physical network card goes into promiscuous mode, where it receives packets sent to multiple IP addresses and passes the correct ones to the VM and to the real (host) machine. Surely IP version four would function even if the MAC address was somehow withheld.

4
  • So this question is unclear, and maybe off-topic. Which part of the question is a quote and where are you quoting from? If you start the quotes with a > they will be marked as quotes. Can you please edit your post to make the quotes clear and reference the post you are discussing? Commented Mar 27, 2017 at 3:40
  • You understand that every IP packet is carried inside an Ethernet frame (with a MAC address), right? Layer 2 gets you across your local network; Layer 3 allows you to move from one local network to another. So every packet has both a source/dest IP address and a source/dest MAC address. Commented Mar 27, 2017 at 4:05
  • 1
    The quote from the other post is more-or-less correct (most routers actually have virtual switches by bonding separate ports, but they appear as a switch, and could in fact be a switch). What the post is saying is that the so-called router is, in effect, a 5 port switch, with 1 of the ports internally connected to a 2 port router. The router part needs to know about MAC filtering and routing options to work as a router. What you are saying about VM software is only partially correct - (assuming it's not using NAT or a routed mode) it in fact creates a bridge, so it acts like a virtual switch.
    – davidgo
    Commented Mar 27, 2017 at 4:11
  • 1
    While IPv4 packets can be forwarded without a MAC address, Ethernet packets need one.
    – davidgo
    Commented Mar 27, 2017 at 4:11

3 Answers 3

4

How could the paraphrased above be true? I have configured a fair bit of household grade network hardware and it does not appear to be this way in reality. In your router you have both IP and MAC filtering and routing options.

That's not really surprising, nor is it a problem in any way.

First, although IP routers are described as "layer 3" devices, that doesn't mean they cannot interact with lower layers – they do usually see the whole packet, with both its Ethernet and IP headers, and a firewall rule could perfectly well match on either or both.

Second, I'm going to repeat that your household-grade network hardware tends to have multiple functionalities – the main CPU runs the OS and handles routing; the hardware switch handles layer-2 packet forwarding between the 'LAN' ports; and the Wi-Fi access point handles, well, Wi-Fi. It's entirely possible for the same OS to be able to configure both the routing core and the attached switching & Wi-Fi hardware.

(In fact I would bet that the MAC filtering option is specifically for the Wi-Fi access point – these can allow or deny layer-1 WLAN associations based on the station's MAC. Though I'm not sure whether that's usually enforced by the Wi-Fi AP chip itself, or by hostapd running on the main OS...)

Then there's what people call "layer-3 switches", which can act as switches or routers depending on needs – each individual port is reconfigurable, so you could have some ports switched (thus belonging to the same subnet), the rest routed, and the OS reconfigures the switch chip as necessary.

Also when using VM software your physical network card goes into promiscuous mode where it receives packets sent to multiple IP addresses and passes the correct ones to the VM and to the real machine.

Yes, that's not a problem either. There is nothing that would prevent a PC from becoming an IP router or a bridge, or a combination thereof. Most VM software can work in both modes – either bridge the VMs to LAN at layer 2, or create a separate subnet for them so that the PC acts as a router between the two.

(In this regard PCs can get really flexible – just yesterday I decommissioned a "brouter" that was set up as a bridge except when it came to IPv4 packets, which were routed instead...)

Surely IP version four would function even if the MAC address was somehow withheld.

Really, it's not IP that needs L2 addressing – it's the layer 2 itself that does.

Yes, it would certainly be possible to design a network which only cared about IP addresses and used those for switching as well. In fact, I think that's exactly how ATM networks worked – an ATM "switch" would essentially act as a self-configuring router, but also automatically learned which individual ATM addresses were behind each port (as a switch would).

But in practice IP was designed to not have hard dependencies on any particular sort of link layer, and as a result you can carry it over anything: Ethernet, FDDI, ARCnet, FireWire, carrier pigeons… Likewise, because most link layers had their own addressing and avoided any dependencies on IPv4, one didn't need to do anything to have the same switches support IPv6 (or for that matter IPX, or DECnet, or AppleTalk, or NetBEUI, …) all over the same Ethernet.

So the reason you have both kinds of addresses is that they were deliberately kept separate, and this allowed for great flexibility.

(Both IPv4 and IPv6 can also function over point-to-point links without needing any L2 addressing, since such links only have two directions anyway; two simple examples would be VPN and dial-up connections.)


Actually, while this has nothing to do with subnet masks, you could take a look at IPX and DECnet – both common LAN protocols in the early days before IP and Internet took over. IPX addresses had two parts, network and host, e.g. 618A1.0060086DD3EE, and the host part was always the same as the corresponding Ethernet MAC address. Meanwhile, DECnet did the opposite – it required changing the Ethernet MAC to a special address in which the DECnet node address was encoded. So on the one hand you didn't need ARP, but on the other hand you were pretty much required to use Ethernet or something compatible with it.

3
  • It's not April 1 just yet... I look that RFC up every year for a laugh. Commented Mar 27, 2017 at 18:32
  • @FrankThomas : I've actually read of some practical application of this (or something close to this). "Dave Costlow, owner of Rocky Mountain Adventures, estimated that last year, 91 percent of the time, his pigeons delivered film or memory sticks fast enough to print and display rafting pictures before clients, still dripping from their ride, walked back into the store." Not a joke: people "think it's a stunt." [...] "but we do increase our profits by having our photos ready."
    – TOOGAM
    Commented Mar 28, 2017 at 1:34
  • wow, someone put out an IPv6 version of the "A Standard for the Transmission of IP Datagrams on Avian Carriers" RFC. tools.ietf.org/html/rfc6214 Commented Mar 28, 2017 at 2:26
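The answer above says the two address layers are deliberately independent: a switch reads only the 14-byte Ethernet header, a router or host works with the IP header once the frame header is stripped, and the IP header has no field for a MAC at all. The following script is an added example (not code from the answer or from Super User) that builds and parses both headers with the standard `struct` module so the separation can be seen byte by byte. All MAC and IP addresses in it are constructed sample values; the only thing it borrows from the answer is the observation that a frame to a LAN peer carries the peer's MAC while a frame to a remote host carries the router's MAC, even though the IPv4 packet inside has the same format in both cases.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

def mac_bytes(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_ipv4_packet(src_ip: str, dst_ip: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload.
    Note what is absent: there is no field for any MAC address."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len,  # version 4 / IHL 5, DSCP+ECN, total length
        0, 0,                # identification, flags + fragment offset
        64, proto, 0,        # TTL, protocol (17 = UDP), checksum (left 0 in this demo)
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return header + payload

def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: 14-byte header, then whatever layer 3 the EtherType announces."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """The layer-2 view: the only fields a switch needs to forward the frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_text(dst), "src_mac": mac_text(src),
            "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(packet: bytes) -> dict:
    """The layer-3 view: what a host or router works with once the frame header is gone."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
            "src_ip": ".".join(str(b) for b in src),
            "dst_ip": ".".join(str(b) for b in dst),
            "payload": packet[ihl:total_len]}

def layer3_summary(frame: bytes) -> str:
    """Dispatch on EtherType: the same frame format carries IPv4, IPv6, ARP or anything else."""
    l2 = parse_frame(frame)
    if l2["ethertype"] == ETHERTYPE_IPV4:
        l3 = parse_ipv4(l2["payload"])
        return f"IPv4 {l3['src_ip']} -> {l3['dst_ip']} proto {l3['proto']}"
    if l2["ethertype"] == ETHERTYPE_IPV6:
        return "IPv6 (header not parsed in this example)"
    if l2["ethertype"] == ETHERTYPE_ARP:
        return "ARP"
    return f"EtherType 0x{l2['ethertype']:04x}"

# Constructed sample addresses (not from the page): two PCs and the router on one LAN.
PC_A_MAC, PC_B_MAC, ROUTER_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"

def sample_frames() -> dict:
    """A frame to a LAN peer and a frame to a remote host: same IPv4 format inside,
    but the destination MAC is the peer's in one case and the router's in the other."""
    local = build_frame(PC_B_MAC, PC_A_MAC, ETHERTYPE_IPV4,
                        build_ipv4_packet("192.168.1.10", "192.168.1.20", b"to peer"))
    remote = build_frame(ROUTER_MAC, PC_A_MAC, ETHERTYPE_IPV4,
                         build_ipv4_packet("192.168.1.10", "203.0.113.5", b"to internet"))
    return {"local": local, "remote": remote}

def ip_packet_mentions_mac(frame: bytes, mac: str) -> bool:
    """True only if the raw MAC bytes occur inside the layer-3 payload (they do not)."""
    return mac_bytes(mac) in parse_frame(frame)["payload"]

if __name__ == "__main__":
    for name, frame in sample_frames().items():
        l2 = parse_frame(frame)
        print(f"{name}: dst MAC {l2['dst_mac']}  |  {layer3_summary(frame)}")
```

Running it prints one line per frame: the "local" frame carries PC B's MAC and the "remote" frame carries the router's MAC, while `layer3_summary` shows a plain IPv4 packet in both. `ip_packet_mentions_mac` is the literal form of the answer's point: search the IP packet for the router's MAC bytes and nothing is found, because the address lives only in the frame header that the switch consumed.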
1

In your router you have both IP and Mac filtering and routing options.

Many home-grade routers have the ability to only let devices with certain MAC addresses access the wireless, but there isn't going to be anything about "MAC routing."

Here's a simple and crude block diagram of what is going on.

[Block diagram image not reproduced here.]

All of the little boxes that are network interfaces are Ethernet network interfaces. Incoming frames must be Ethernet.

Also when using VM software your physical network card goes into promiscuous mode where it receives packets sent to multiple IP addresses and passes the correct ones to the VM and to the real machine.

This is MAC forwarding, but not really routing. It's what a hardware switch does and it's possible and not uncommon for the function to be done in software. There is no real requirement that only 1 MAC respond behind a physical interface (this is indeed how a hub, not a switch, looks and works). The term routing as it applies in networking specifically means forwarding between 2 separate networks.

Surely IP version four would function even if the MAC address was somehow withheld.

IP does not care about the MAC address but the layer below might.

Specifically Ethernet, a layer 2 protocol, does care about the MAC address.

So keep in mind what you really have is not just a router, but an Ethernet router with a built-in 4-port Ethernet switch.

Ethernet requires MAC addresses. If the incoming layer 2 protocol is not Ethernet it will not make it through to the router at all because all the other interfaces are expecting Ethernet.

How could the paraphrased above be true?

An Ethernet MAC works under the following assumptions:

  • If something ships out a frame with a destination MAC address through an interface, it will reach that MAC.

  • The usual situation making this true is that all devices are A) on the same physical medium, or B) intermediated with a switch that just transparently learns destination MAC addresses so as to allow what is really a shared medium to be better utilized.

What if the destination system you want to reach is not on the same network? Then the two assumptions above fail and Ethernet by itself cannot any longer help you talk to your destination system. Ethernet only cares about systems on the same switch or medium.

You need routers and a "routing layer" above Ethernet and that's exactly what the Internetworking Protocol (IP) is for. IP addresses are explicitly global and do not care about the underlying layer by design - you are supposed to be able to reach any given IP address from anywhere in the world, firewall rules notwithstanding (private address ranges are a "hack" introduced later to mitigate shortages).
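The second bullet in this answer describes the switch's whole job: learn which port each source MAC is behind, forward by destination MAC, and flood when the destination is unknown. Below is an added example (not from the answer, and not the firmware of any real switch chip) that models exactly that behaviour in Python. The port numbers, MAC addresses and the sequence of frames are constructed; the `dst_ip` field is carried in each frame only to make the point that the switch never looks at it, so a frame bound for the Internet and a frame bound for a LAN neighbour are treated identically apart from their destination MAC.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Model of the switch chip inside a home router: it learns which port each source MAC
    lives on and forwards purely on destination MAC. The frame's IP payload is never read."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC -> port it was last seen on
        self.log = []                # (ingress port, destination MAC, egress ports)

    def handle(self, ingress_port, frame):
        src, dst = frame["src_mac"], frame["dst_mac"]
        # Learn: whoever sent this frame is reachable via the ingress port.
        self.mac_table[src] = ingress_port
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast or unknown unicast: flood out every port except the one it came in on.
            out = [p for p in self.ports if p != ingress_port]
        elif self.mac_table[dst] == ingress_port:
            # Destination already lives on the ingress segment (hub behind that port): filter it.
            out = []
        else:
            out = [self.mac_table[dst]]
        self.log.append((ingress_port, dst, out))
        return out

# Constructed sample LAN (not from the page): PC A on port 1, PC B on port 2,
# and the router core hanging off the switch's internal port 5.
PC_A, PC_B, ROUTER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"

def sample_traffic():
    """(ingress_port, frame) pairs. Only src_mac/dst_mac matter to the switch."""
    return [
        (1, {"src_mac": PC_A, "dst_mac": PC_B, "dst_ip": "192.168.1.20"}),    # B unknown -> flood
        (2, {"src_mac": PC_B, "dst_mac": PC_A, "dst_ip": "192.168.1.10"}),    # A known -> port 1
        (1, {"src_mac": PC_A, "dst_mac": PC_B, "dst_ip": "192.168.1.20"}),    # B known -> port 2
        (1, {"src_mac": PC_A, "dst_mac": ROUTER, "dst_ip": "203.0.113.5"}),   # router unknown -> flood
        (5, {"src_mac": ROUTER, "dst_mac": PC_A, "dst_ip": "192.168.1.10"}),  # reply -> port 1
        (1, {"src_mac": PC_A, "dst_mac": ROUTER, "dst_ip": "203.0.113.5"}),   # router known -> port 5
    ]

def run(switch, traffic):
    """Feed frames through the switch and return the egress-port list for each one."""
    return [switch.handle(port, frame) for port, frame in traffic]

if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3, 4, 5])
    for (port, frame), out in zip(sample_traffic(), run(sw, sample_traffic())):
        print(f"port {port}: {frame['src_mac']} -> {frame['dst_mac']} forwarded to {out}")
    print("MAC table:", sw.mac_table)
```

Two things worth noticing in the output. First, the frame to the router's MAC (destination IP on the Internet) and the frame to PC B's MAC (destination IP on the LAN) are handled by the same three-line decision, which is why the switch needs no subnet mask. Second, until a destination has been learned the frame is flooded to every other port, so other hosts on the switch briefly see traffic not meant for them; a switch is a forwarding optimisation, not an isolation boundary, and real switches also age entries out of a bounded table, which this model omits.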

0

Since I do mention layers, I will start by introducing that quickly. The bottom 4 layers of the OSI model are:

  • 4 - Transport - typically working with (TCP or UDP) port numbers
  • 3 - Network - typically working with IP addresses
  • 2 - Data Link - typically working with MAC-48 addresses
  • 1 - Physical - typically working with electrical signals (e.g., is media available or busy?) - often handled by hardware so much that software doesn't need to interact much with this layer

Surely IP version four would function even if the MAC address was somehow withheld.

No, the MAC-48 address cannot be withheld.

So, typically what happens is that the computer sending the information makes an IP packet. (Could be IPv4 or IPv6; it doesn't affect the process being described here.) The IP packet specifies the destination device's IP address. This device could be local (e.g., a printer on the network), or remote (located halfway around the world).

The computer then creates a frame, which may be Ethernet (for wired connections) or Wi-Fi (for Wireless connections). The frame requires a destination MAC-48 address. So, the computer checks to see what destination MAC-48 address to use. It uses a "routing table" to figure out what destination MAC-48 address to use. If the destination IP address is on the same subnet, the computer will use a Layer 3 to Layer 2 conversion process (ARP with IPv4, NDP for IPv6) to find the destination MAC-48 address of the device (e.g., the printer). If the destination IP address is something remote, the computer will use the same sort of Layer 3 to Layer 2 conversion process to find the destination MAC-48 address of the gateway device (typically called a "default gateway", unless you have a more elaborate setup that has a more specific gateway, which some multi-site businesses may use).

Just as the IP packet contains some information you wish to communicate, which is called the "payload", frames also have a section called a "payload". The computer makes a frame which uses the IP packet as the payload. So the resulting frame contains the IP packet.

Then, the computer sends the frame to whatever it is connected to. We commonly call that a "switch". But, for this example, let's assume you're actually connected to a router.

Now, the router could perform "firewall"-like functions, by:

  • blocking a MAC-48 address ("MAC Filtering"), or
  • looking within the frame, and looking in the IP packet, and blocking a certain IP address ("IP address Filtering"), or
  • looking within the frame, and finding an IP packet, and looking in the IP packet, and finding a TCP segment or a UDP datagram, and looking in that segment/datagram to find a "port number", and filtering based on the port

Let's just assume that there are no firewalling functions that will cause problems.

The destination device will look at the destination MAC address. If a device receives a frame containing a destination MAC-48 address which the device isn't using, then the device will just ignore that frame unless the device acts like a "bridge". (A "switch" is essentially basically just a "multi-port bridge" with more than 2 ports; devices are not typically marketed/sold with the name "bridge" anymore unless the device is converting between different types of physical media. Instead, multi-port devices are typically called "switches" and 2-port devices might be "extenders".) If a device is a bridge, then it simply passes along the frame.

If a device receives a frame with a destination MAC-48 address that matches what the device uses, then the device processes the frame. Basically, the device determines, "I will accept this", extracts the payload (which is the IP packet), and loses track of the rest of the bits of the frame. At this point, the device stops looking at the details of the "Layer 2" frame, and is just paying attention to the details of the "Layer 3" packet.

  • If the layer 3 packet specifies the destination IP address of the device looking at the packet, then that device processes the packet (typically by noticing the packet is TCP, UDP, or ICMP; if TCP or UDP then the port number is checked to see what software program should receive the data).
  • If the layer 3 packet specifies a different destination IP address:
    • If the device is configured as a router, the device will route the packet. That basically means looking at the router's routing table, figuring out the next destination, and making a new frame containing the MAC-48 address of the next device.
    • Otherwise, the packet is typically ignored.
      • If the packet isn't ignored, then the device is not really following the normal expectations, so the device is operating in what we call "promiscuous mode". (Your computer, which is running a "virtual machine", does this so that your computer will pass the traffic to the virtual machine.)

So, the section of circuitry/software which handles an incoming IP packet doesn't ever get to see the IP packet until after the frame is processed. This is why the MAC-48 address is required; that is the basic way devices tend to communicate with other devices on a local network. If you don't have frames, then you don't have communication, and so the destination never receives the IP packet. (That is why this next quoted sentence just doesn't make a lot of sense for people who know how each of these steps work.)

Surely IP version four would function even if the MAC address was somehow withheld.

IP packets do not contain MAC-48 addresses. (Well, of course, they could contain a MAC-48 address as part of their payload, but that isn't part of the structure of an IP packet.) By the time a device is paying attention to the details of an IP packet, that device probably doesn't need any of the Layer 2 details (like the MAC-48 address) anymore, and so the device may have already forgotten those details.

1
  • Thanks for this answer. It actually incredibly clarified things for me. I was looking at this all wrong. Commented Mar 28, 2017 at 3:53
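The answer above walks through a procedure in two halves: the sender consults its routing table to decide whether the destination MAC should be the peer's (resolved by ARP/NDP) or the default gateway's, and the receiver checks the destination MAC first, only then unwraps the IP packet and decides between "deliver", "route" and "ignore", with promiscuous mode relaxing the first check but not the second. The script below is an added example, not code from the answer, that encodes both halves as small Python classes. The network (one PC, one printer, a router with a LAN and a WAN side, an ISP next hop) and all addresses are constructed; the `arp_cache` dictionary stands in for the ARP/NDP exchange the answer mentions rather than performing it.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str          # stand-in for the IP packet carried as the frame's payload

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None: directly connected, so resolve the destination itself

@dataclass
class Node:
    mac: str
    ips: set
    routes: list
    arp_cache: dict = field(default_factory=dict)  # IP -> MAC; stands in for ARP/NDP
    is_router: bool = False
    promiscuous: bool = False

    def lookup(self, dst_ip):
        """Longest-prefix match over the routing table (None if nothing matches)."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def next_hop_mac(self, dst_ip):
        """Layer 3 to layer 2: the MAC of the destination itself, or of the gateway."""
        route = self.lookup(dst_ip)
        if route is None:
            return None
        target = dst_ip if route.gateway is None else route.gateway
        return self.arp_cache.get(target)

    def frame_for(self, dst_ip):
        """The sender's job: wrap the packet in a frame addressed to the right next hop."""
        mac = self.next_hop_mac(dst_ip)
        if mac is None:
            raise LookupError(f"no route or no ARP entry for {dst_ip}")
        return Frame(dst_mac=mac, src_mac=self.mac, dst_ip=dst_ip)

    def receive(self, frame):
        """The receiver's job, in the order the answer gives: layer 2 first, then layer 3."""
        if frame.dst_mac not in (self.mac, BROADCAST) and not self.promiscuous:
            return ("drop", "frame is addressed to another MAC")
        # From here on only the IP packet matters; the frame header is discarded.
        if frame.dst_ip in self.ips:
            return ("deliver", "destination IP is ours")
        if self.is_router:
            mac = self.next_hop_mac(frame.dst_ip)
            if mac is None:
                return ("drop", "no route")
            return ("route", f"re-frame with destination MAC {mac}")
        return ("drop", "destination IP is not ours and this node is not a router")

# Constructed sample network (not from the page): one LAN behind a home router.
PC_MAC, PRINTER_MAC, ROUTER_LAN_MAC, ISP_MAC = (
    "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01", "02:00:00:00:00:ff")
LAN = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def build_lan():
    pc = Node(PC_MAC, {"192.168.1.10"},
              [Route(LAN, None), Route(DEFAULT, "192.168.1.1")],
              arp_cache={"192.168.1.20": PRINTER_MAC, "192.168.1.1": ROUTER_LAN_MAC})
    printer = Node(PRINTER_MAC, {"192.168.1.20"}, [Route(LAN, None)])
    router = Node(ROUTER_LAN_MAC, {"192.168.1.1", "198.51.100.7"},
                  [Route(LAN, None), Route(DEFAULT, "198.51.100.1")],
                  arp_cache={"198.51.100.1": ISP_MAC}, is_router=True)
    return pc, printer, router

if __name__ == "__main__":
    pc, printer, router = build_lan()
    for dst in ("192.168.1.20", "203.0.113.5"):
        f = pc.frame_for(dst)
        print(f"to {dst}: dst MAC {f.dst_mac}; printer -> {printer.receive(f)}; router -> {router.receive(f)}")
```

The output shows the two cases side by side: for the printer's IP the PC frames the packet with the printer's MAC and the printer delivers it; for the remote IP the PC frames it with the router's MAC, the printer discards it at layer 2 without ever reading the IP header, and the router accepts it, finds the default route and re-frames it towards the ISP. Flip `printer.promiscuous` to `True` and the printer now accepts that frame at layer 2, but still drops it at layer 3 because the destination IP is not its own and it is not configured to route, which is the distinction the answer draws between a VM host bridging traffic and an actual router.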
