Computer systems connected to networks identify themselves to the other communication partners by using addresses. A computer system connected to the Internet, which communicates with other computers via IP (Internet Protocol), uses an IP address for this purpose. If the Ethernet is used as a transport medium, then a MAC address (Media Access Control) is used for the Ethernet packets. Similar addressing schemes apply, for example, to a wireless local area network (WLAN or Wireless LAN).
In addition, incoming and outgoing connections must be unambiguously identified. This is accomplished in the Internet protocol by using so-called “Port” numbers. Respective address and port pairs at each of the transmitter and the receiver define a connection.
The address data, for example the MAC and IP addresses, are defined in part by the hardware (for example the MAC address of network hardware), or must be set at the computer, or are requested from a server at the start of a session by the computer itself (for example DHCP (=Dynamic Host Configuration Protocol) for an IP address).
Processing of data packets and/or connections in the respective environment is described by the OSI layer model (OSI=Open Systems Interconnection) in layers 2 (Data Link Layer) and 3 (Network Layer). Data packets and connections are routed across physical media, whereby the data are transported via a medium as stipulated for the Data Link Layer (for example, Ethernet frames over Ethernet cables). The data exchange between different computers is controlled in the Network Layer, for example by using IP packets.
Layer 2: Bridges and Switches
Data packets are sent from one computer to another computer. The devices in layer 2 may influence the transport of the data packets. These devices are typically bridges and switches, which control the distribution of the data packets to the individual cable connections. Devices of layer 2 transport the data packets without modifying the data packets. No new separate data packets are generated.
The addressing scheme for the data packets in layer 2 depends on the transport medium. In an Ethernet, MAC addresses are used for addressing. The payload, for example an IP packet, is embedded in an Ethernet frame.
Layer 3 Router
Routers evaluate the address information of layer 3, for example the IP addresses. The data packets are transmitted to other routers or to the destination computer based on the addresses and routing information. In this process, new data packets of layer 2 are generated to enable transport of the data over the intermediate lines.
Data packets can be modified in a router by disassembling large data packets to produce several small data packets, which are later reassembled again (fragmentation).
NAT-Router
Routers may optionally modify the IP connection data (address and port) and thus hide the true identity of a computer. This approach is used with NAT (Network Address Translation), which reduces the number of IP addresses that need to be assigned, or can also hide an internal network structure.
VPN-Router
If a VPN (Virtual Private Network) is set up from two remote sub-networks, then the data packets are modified (encrypted) on the intermediate transport path, for example, to prevent unauthorized monitoring. When the data arrive at their destination, their original form is restored. During transport, the data typically appear with the addresses of both VPN routers (ESP protocol, ESP=Encapsulating Security Payload).
Proxy
A proxy receives connections and sets up new connections. This technique is frequently used with firewalls and NAT routers. A proxy has full control over the data flow. “Transparent proxy” arrangements are known, whereby the term “transparent” is used to indicate that no special proxy protocol is employed. Instead, the data flow is intercepted and processed on the proxy computer without the awareness of the client computer.