What is the Network Layer? Functions and protocols of OSI Layer 3

Have you ever wondered how a data packet from a computer in Hanoi finds its way to a server in Europe, passing through dozens of different routers, and still arrives at the right destination? This is the job of the Network Layer, the third layer in the OSI model. This article provides a comprehensive analysis of what the Network Layer is, the core functions it performs, the protocols operating at this layer, and how it relates to enterprise infrastructure security.

1. What is the Network Layer?

The Network Layer is the third layer in the seven-layer OSI (Open Systems Interconnection) model. It is responsible for logical addressing, routing, and forwarding packets between different networks, ensuring that data is transmitted from the source device to the destination device even when the two devices reside on completely separate networks.

Within the layered architecture of the OSI model, the Network Layer sits between the Transport Layer (Layer 4) above and the Data Link Layer (Layer 2) below. The Network Layer receives requests from the Transport Layer, handles routing and addressing, then passes packets down to the Data Link Layer for transmission over the physical medium.

The key distinguishing point: the Data Link Layer only handles data transmission between two adjacent nodes within the same network segment, using MAC addresses. The Network Layer solves the end-to-end communication problem across an entire internetwork, using IP addresses to identify devices on a global scale.

Illustration of the 7-layer OSI model (with the Network Layer at the third layer)

2. Core functions of the Network Layer

The main functions of the Network Layer include:

  • Logical Addressing: Assigns a unique IP address (IPv4/IPv6) to each device on the network. This mechanism enables precise identification and communication between devices across multiple different networks.
  • Packetization: Receives segments from the Transport Layer, then encapsulates them into packets by adding an IP Header containing source/destination information, TTL, and other control fields.
  • Host-to-Host Delivery: Provides a mechanism for delivering packets from the source device to the destination device across multiple intermediate networks (best-effort delivery).
  • Forwarding: Moves packets from the input interface to the appropriate output interface on a router, based on the destination IP address in the packet header.
  • Routing: Uses routing algorithms and protocols (such as OSPF, BGP, and RIP) to determine the optimal path for packets traversing multiple intermediate networks.
  • Fragmentation and Reassembly: When a packet size exceeds the MTU of the transmission medium, the network layer fragments the packet into smaller pieces for transmission. At the destination device, these fragments are reassembled back into the original packet.
  • Subnetting: Divides a large network into smaller subnets to manage IP addresses efficiently, reduce broadcast domain size, and optimize network traffic.
  • Network Address Translation (NAT): Maps private (internal) IP addresses to public IP addresses when communicating with the Internet. This function conserves IPv4 address space and enhances internal network security.
The Network Layer is responsible for routing and forwarding packets

3. How the Network Layer works

Data is processed and transported at the network layer through the following sequence of steps:

  • Address assignment: Each device on the network is assigned a unique logical address called an IP address (IPv4 or IPv6).
  • Data encapsulation: Data passed down from the Transport Layer is encapsulated into packets, with an IP Header attached containing the source IP address, destination IP address, TTL, and other control information.
  • Analysis and routing: Routers analyze the destination IP address of packets to determine the best available path based on the routing table.
  • Hop-by-hop movement: Packets traverse the network hop by hop, being continually forwarded through routers until they reach the destination device.
  • Packet fragmentation: If a packet size exceeds the MTU (Maximum Transmission Unit) limit of the transmission medium, the network layer splits it into smaller pieces called fragments.
  • Reassembly at destination: Once the fragments reach the destination system, they are collected and reassembled into the original packet before being passed up to the next layer.
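
The encapsulation, fragmentation and reassembly steps above, as an added Python example that is not part of the original article. The function names, the 68-byte MTU and the documentation addresses are assumptions chosen for illustration; the reassembler refuses gaps and overlapping fragments, which is the check a destination needs before passing data up the stack.

```python
import struct

def checksum(hdr):
    """RFC 1071 one's-complement sum over the header's 16-bit words."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_packet(src, dst, ident, payload, ttl=64, proto=17, mf=0, offset=0):
    """Packetization: prepend a 20-byte IPv4 header (no options) to payload."""
    fields = [0x45, 0, 20 + len(payload), ident,
              (mf << 13) | (offset // 8),          # MF flag + offset in 8-byte units
              ttl, proto, 0,                       # checksum filled in below
              bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def fragment(src, dst, ident, payload, mtu):
    """Split payload to fit the MTU; every non-final fragment is a multiple of 8 bytes."""
    chunk = (mtu - 20) // 8 * 8
    return [build_packet(src, dst, ident, payload[o:o + chunk],
                         mf=int(o + chunk < len(payload)), offset=o)
            for o in range(0, len(payload), chunk)]

def reassemble(packets):
    """Destination side: check each header, order by offset, refuse gaps and overlaps."""
    parts = []
    for p in packets:
        if checksum(p[:20]) != 0:
            raise ValueError("bad header checksum")
        total_len, _ident, ff = struct.unpack("!HHH", p[2:8])
        parts.append(((ff & 0x1FFF) * 8, (ff >> 13) & 1, p[20:total_len]))
    parts.sort()
    data = b""
    for off, _mf, body in parts:
        if off != len(data):
            raise ValueError("missing or overlapping fragment")
        data += body
    if not parts or parts[-1][1]:
        raise ValueError("final fragment missing")
    return data

# Constructed sample: 100-byte payload, 68-byte MTU, documentation addresses.
SAMPLE = bytes(range(100))
FRAGS = fragment("192.0.2.10", "198.51.100.7", 0x1234, SAMPLE, mtu=68)
```
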

4. Network Layer protocols

To ensure the above operational steps run smoothly, the network layer uses the following set of protocols and mechanisms:

  • IP (Internet Protocol, IPv4/IPv6): The core protocol of the network layer, responsible for providing logical addressing and delivering packets on a best-effort basis across multiple networks.
  • ICMP (Internet Control Message Protocol): A protocol dedicated to sending error reports and network diagnostic messages (Ping, Traceroute, Destination Unreachable, etc.).
  • ARP (Address Resolution Protocol): Maps logical IP addresses to physical MAC addresses within the same LAN (generally considered a support protocol bridging Layer 2 and Layer 3).
  • RARP (Reverse Address Resolution Protocol): The reverse of ARP; helps a device find its own IP address from its MAC address (now obsolete, replaced by BOOTP/DHCP).
  • NAT (Network Address Translation): A mechanism that translates private IP addresses to public IP addresses, conserving IPv4 address space and enhancing internal network security.
  • IPSec (Internet Protocol Security): A suite of protocols providing security for IP connections through encryption, authentication, and data integrity.
  • MPLS (Multiprotocol Label Switching): A packet-forwarding technique based on labels rather than IP routing table lookups, improving speed and supporting better QoS.
Network Layer protocols

5. Common threats to the Network Layer

The Network Layer is directly exposed to the Internet and is therefore a target for many types of cyberattacks. Understanding threats at Layer 3 is the first step toward building an effective defense strategy:

  • IP Spoofing: Attackers modify the source IP address information in the IP Header to remain anonymous or impersonate a trusted device on the internal network. This is the foundational technique used to launch reflection and amplification DDoS attacks.
  • Network/Volumetric DDoS: Sends a massive volume of junk packets at routing nodes (routers, gateways) or servers in order to exhaust bandwidth and device processing capacity. Typical DDoS attack types include ICMP Flood, UDP Flood, and IP Fragmentation attacks. Note: SYN Flood is also often grouped here, although it technically exploits a TCP protocol vulnerability at Layer 4.
  • Route Hijacking (BGP Hijacking): Attackers deliberately advertise bogus IP prefixes to the global BGP routing system. This causes Internet traffic to be misdirected through the attacker's systems, creating the risk of service disruption (DoS) or man-in-the-middle eavesdropping and impersonation attacks.

6. Effective protection measures at the Network Layer

To protect the Network Layer, the following measures can be applied:

  • Layer 3 Firewalls and Access Control Lists (ACLs): Use firewalls and static ACL rules on Layer 3 routers/switches to filter data flows based on source/destination IP addresses and protocol types right at the network gateway.
  • Unicast Reverse Path Forwarding (uRPF): An anti-IP-spoofing mechanism that checks the source IP address of each received packet against the current routing table. If the packet arrives on an interface that is inconsistent with the route back to that source, it is immediately dropped.
  • BGP Security (RPKI and BGPsec): Deploys public key infrastructure to validate ownership of IP address ranges (Route Origin Authorization), effectively preventing forged BGP routes.
  • DDoS Mitigation and Scrubbing Center: Uses services from specialized providers to act as a filter. Attack traffic is absorbed and scrubbed before legitimate packets are forwarded to the actual infrastructure.
  • Zero Trust Architecture (Network Segmentation): Breaks the network into small, isolated zones (micro-segmentation) using technologies such as VLAN or VXLAN at Layer 3, enforcing the principle of "never trust, always verify" for all packets traversing the network, including those from the internal network.
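
The uRPF check from the list above, as an added Python example that is not part of the original article. The routing table, interface names and the loose mode (which goes beyond the strict behaviour the article describes) are assumptions of this example; here strict mode honours the default route and loose mode ignores it.

```python
import ipaddress

# Constructed routing table: (prefix, interface). Prefixes and names are illustrative.
ROUTES = [
    ("0.0.0.0/0", "wan0"),
    ("10.0.0.0/8", "core0"),
    ("10.20.0.0/16", "lan1"),
    ("10.20.30.0/24", "lan2"),
]
TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]

def lookup(addr, include_default=True):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifc in TABLE:
        if ip in net and (include_default or net.prefixlen > 0):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifc)
    return best

def urpf(src, in_ifc, mode="strict"):
    """Return True to accept the packet, False to drop it.

    strict: the best route back to src must point out of the arrival interface.
    loose:  any non-default route to src is enough (assumption of this example).
    """
    if mode == "loose":
        return lookup(src, include_default=False) is not None
    route = lookup(src)
    return route is not None and route[1] == in_ifc

# Constructed packets: (source address, arrival interface).
PACKETS = [
    ("10.20.30.5", "lan2"),    # arrives where the route back points
    ("10.20.30.5", "wan0"),    # internal source seen on the Internet side
    ("10.20.30.5", "lan1"),    # asymmetric path: strict drops, loose accepts
    ("203.0.113.9", "wan0"),   # Internet source covered only by the default route
]
STRICT = [urpf(s, i) for s, i in PACKETS]
LOOSE = [urpf(s, i, mode="loose") for s, i in PACKETS]
```

The third packet shows the operational caveat: strict mode drops legitimate traffic when routing is asymmetric, so it belongs on edges where the return path is known.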
Network Layer security measures users should be aware of

7. VNIS: A comprehensive web/app/API security and acceleration solution for enterprises

VNIS (VNETWORK Internet Security) is VNETWORK's web/app/API security and acceleration platform, designed to help enterprises proactively defend against cybersecurity threats. VNIS protects systems in real time against multi-layer DDoS attacks (Layer 3/4/7), malicious bots, and common exploitation vulnerabilities. VNIS applies AI to detect and block anomalous behavior early while maintaining performance and end-user experience.

7.1 Two-layer protection model

Layer 1 — Infrastructure-tier protection: VNIS combines AI Smart Load Balancing and Multi-CDN to handle DDoS attacks at the network layer. AI automatically analyzes access behavior, distributes traffic appropriately, and eliminates anomalous traffic sources before they overload the system.

Layer 2 - WAAP (Web Application and API Protection): VNIS deploys AI-powered WAAP to block Layer 7 DDoS, malicious bots, and common security vulnerabilities listed in the OWASP Top 10. This layer protects the processing logic of web/app/APIs directly, where attacks are often deep and difficult to detect.

VNIS — Web/App/API security solution

7.2 Key features

  • Real-time detection and mitigation of multi-layer DDoS (Layer 3/4/7)
  • AI-integrated WAAP with continuously updated security rule sets
  • Global Multi-CDN maintaining speed and stability even under attack
  • Protection of hundreds of thousands of websites, applications, and APIs worldwide
  • SOC team monitoring 24/7

8. Summary

The Network Layer (Layer 3) is the third layer in the OSI model, playing a pivotal role in logical addressing, routing, and delivering packets between different networks. Through its best-effort delivery and hop-by-hop forwarding mechanisms, the network layer serves as the traffic control center that enables data to flow seamlessly from any location to anywhere else in the world. However, it is also the most frequently attacked layer, with threats such as IP Spoofing, DDoS, and BGP Hijacking. A thorough understanding of the Network Layer not only strengthens foundational networking knowledge but also serves as an essential basis for building a secure and efficient network infrastructure for enterprises. If your organization is looking for a solution to protect network infrastructure against Layer 3 threats, contact VNETWORK to receive consultation on deploying VNIS tailored to your scale and specific requirements.

 

FAQ about the Network Layer

1. What is the Network Layer?

The Network Layer is the third layer in the OSI model, responsible for logical addressing (IP), routing, and delivering packets between different networks, enabling data to travel from source to destination across multiple intermediate networks.

2. What are the main functions of the Network Layer?

Core functions include logical addressing, packet encapsulation, routing and forwarding, fragmentation and reassembly, NAT, and support for best-effort delivery.

3. What is the difference between the Network Layer (Layer 3) and the Data Link Layer (Layer 2)?

The Data Link Layer handles data transmission only within the same local network segment using MAC addresses, while the Network Layer is responsible for communication between different networks using IP addresses and routing through routers.

4. What are the key protocols operating at the Network Layer?

The main protocols include IP (IPv4/IPv6), ICMP, IPSec, and MPLS. Supporting mechanisms such as NAT and ARP (bridging Layer 2 and Layer 3) are also used.

5. Why is the Network Layer a common attack target?

Because the Network Layer is directly exposed to the Internet and handles packet routing, it is easily exploited through techniques such as IP Spoofing, volumetric DDoS, and BGP Hijacking.
