MAC addresses are useful only to local networks and shouldn’t be required beyond this point; however, because they identify a device, and often its user, nonlocal network nodes can sometimes request and store MAC addresses.


According to Edward Snowden, the NSA monitors MAC addresses of electronic devices to track the movements of everyone in a city.

Free Wifi hotspots can track users the same way.

Some operating systems have started to randomize the MAC address to prevent hardware addresses from being too easily linked to real-world identities.


To communicate with other nodes on the network, in addition to the MAC address, you need a network address. To obtain a network address, your device needs to talk to the router.

Once physically connected, your device’s network card gets assigned to a network address through the Dynamic Host Configuration Protocol (DHCP).


Through copper wire, it transmits as electrical signals.

Through the air, it takes the form of radio waves.

Through glass fiber, it is sent as light signals.


When devices talk to each other, they need a language that they both understand. We call this language a protocol, a system of rules with a particular syntax that defines how devices throughout the internet talk to each other and what to do when errors occur.


When a private network connects to the internet and sends out packets via a router, the router uses a technique called Network Address Translation (NAT) to rewrite the packet’s address tags.

When using NAT, the router keeps all the information about who sent which packets in its memory. When the network receives a reply from the internet, the router rewrites the incoming packet’s tags and sends the packets to the private address that its memory says is supposed to receive them. If the router turns off, all this information is lost.


IPv6 has another advantage over IPv4. Whenever a device connects to a home router that speaks IPv6, instead of receiving just one private address rewritten by NAT that isn’t reachable from the outside world, the device receives a whole bunch of addresses that are all publicly reachable. This makes it possible for devices to provide services and to actively participate in the internet.


When a router allocates IP addresses to connected devices, it gets the addresses from a unique pool of possible public IPv4 and IPv6 addresses handled by the Internet Assigned Numbers Authority (IANA).

The IANA gives out ranges of IP addresses to regional internet registries (RIR).

The RIRs then give out the IP ranges to local internet registries (LIR).

LIR either give out the ranges to further subcontractors or are themselves internet service providers (ISP).

Finally, ISPs assign each of the routers it operates a public IP address.

It’s worth noting that an IP address may be assigned statically, so that it’s always the same for a certain device, or dynamically, so that it changes regularly. We use static IP addresses mostly for servers: they should always be reachable under the same address.


The internet isn’t actually one big, unified network. Instead, it’s a network made out of tens of thousands of smaller networks called autonomous systems (AS) belonging to universities, ISPs, or telecommunications companies.

ASs are so named because they’re administered independently from each other. There are currently about 97K such ASs.

If the internet is a map of the world, ASs are like villages, cities, or countries on the map. They’re relatively well interconnected, in ways similar to street networks. Some routes on the map are bigger and therefore faster to travel on; other routes require you to pay to use them.


The protocol that makes this interconnection possible is the Border Gateway Protocol (BGP), the de facto routing standard on the internet.

With BGP, each AS controls its own map of the internet and references routes and distances to other networks from its own point of view. Very few BGP servers have a complete global map of all possible routes through the internet.


The TLS trust mechanism is weak: CAs can get compromised or forced to issue false certificates, and client applications might be tricked into accepting them.


To secure communication, we can use cryptography. Generally there are 2 cryptographic techniques: signing and encryption.


The private key is unique. Only its owner can use it for signing and decrypting data, and it must therefore be kept secret.

The owner can copy the public key and give it to those who need to send them encrypted data or messages.


In some applications using asymmetric cryptography, the receiver is also required to use a passphrase on top of using the private key. This ensures that nobody else can use the private key even if they found it somewhere.


Several countries have legal restrictions on the domestic use of encryption. More common still are restrictions on the export or import of encryption technologies.


Remember that networks can deliver packets as long as the packets have correct packet headers, regardless of the packets’ contents. The network itself is content agnostic: it doesn’t care about content, as long as the packets are routable. This is what we call network neutrality.


DNS blocking affects all protocols that rely on DNS, such as HTTP(S), FTP, POP, and SSH.


Membership in internet governance organizations consists largely of employees of big companies. As members of these organizations, the employees work to standardize their companies’ work product and thereby give it legitimacy. By these means, their companies gain a competitive edge.


On paper, every individual may attend and participate remotely in the writing of RFCs and standards, but in practice flying to each of the meeting and paying the entrance fee of $875 isn’t within the reach of people who aren’t sponsored by a company. This skews the creation of IETF standards toward the interests of big companies that can afford to attend IETF meetings.