
OSI Layer 3: Core Functions, Protocols, and Security Best Practices

    What Is OSI Layer 3 (The Network Layer)?

    Layer 3, the Network Layer in the OSI model, is responsible for logical addressing (like IP addresses) and routing packets across different networks to enable end-to-end communication. Key functions include determining the best path for data using routing algorithms, encapsulating data into packets with source and destination IP addresses, and forwarding them via network devices like routers.

    Key functions of OSI Layer 3 include:

    • Logical addressing: Assigns logical addresses, such as IP addresses (IPv4 or IPv6), which are used to identify networks and hosts. 
    • Routing: Determines the best path for data packets to travel from the source network to the destination network. 
    • Forwarding: Directs packets to the correct next hop based on their destination IP address. 
    • Encapsulation: Wraps Layer 3 packets with a header containing source and destination IP addresses, creating an “envelope” around the data. 
    • Internetworking: Connects different types of networks to allow communication between them, forming larger networks like the internet.
    • Fragmentation and reassembly: Enables communication between networks by breaking down and rebuilding data packets.

    This is part of a series of articles about OSI layers.

    The Role of Layer 3 in the OSI Model 

    The network layer acts as the bridge between the data link layer (Layer 2) and the transport layer (Layer 4), translating local link-level communication into network-wide data delivery. While Layer 2 handles communication within a single network segment using physical addresses (MAC addresses), Layer 3 introduces logical addresses, such as IP addresses, that enable data to move across different networks. 

    This separation between physical and logical addressing makes it possible to interconnect heterogeneous network types (Ethernet, Wi-Fi, or cellular) into a unified communication system. Layer 3 also manages routing, which determines the optimal path for packets to travel through intermediate devices like routers. 

    These routers use routing tables and algorithms (e.g., OSPF, BGP, RIP) to make decisions dynamically, adapting to network changes and failures. Additionally, the network layer provides fragmentation and reassembly of packets when data must traverse networks with varying maximum transmission units (MTUs).

    By abstracting the physical network details, Layer 3 enables scalable internetworking, fault isolation, and efficient data transport. It ensures that higher layers can focus on application logic and session management without needing to handle the complexities of physical connectivity or routing.

    Core Functions of the Network Layer 

    Logical Addressing and IP Allocation

    Logical addressing at Layer 3 provides a method for identifying every device on a network uniquely. This is implemented primarily through the use of internet protocol (IP) addresses, which function differently from physical (MAC) addresses used at Layer 2. IP allocation can be static or dynamic, allowing network administrators to assign addresses manually or via automatic protocols like DHCP. 

    Dynamic allocation methods (such as DHCP for IPv4 or SLAAC for IPv6) play a key role in efficient administration and support network growth. Efficient management of logical addresses prevents conflicts, supports hierarchical network models, and optimizes routing efficiency. These addressing schemes help segment networks into subnets, align with organizational structure, and enable effective routing, security segmentation, and troubleshooting.

    Routing and Path Determination

    Routing is the mechanism by which Layer 3 devices, typically routers, select paths for data to travel from source to destination across interconnected networks. Routers maintain routing tables and use protocols (such as OSPF or BGP) to learn about network topologies and decide the best available paths. Path determination considers metrics like hop count, bandwidth, latency, and administrative policies to optimize network efficiency and reliability.

    A primary advantage of routing at Layer 3 is its ability to accommodate complex, hierarchical network structures, supporting the scalability and resilience of enterprise and global networks. Routing protocols can dynamically adjust to link failures, congestion, or topology changes, ensuring continued connectivity and optimal performance. This adaptability differentiates Layer 3 from lower layers, which are limited to single segments and static communication paths.

    Packet Forwarding and Encapsulation

    Packet forwarding is the process by which Layer 3 devices look at packet headers, primarily the destination IP address, to make forwarding decisions and send packets toward their intended destination. Routers and Layer 3 switches pick the best next hop based on routing tables and then pass the packets to Layer 2 for physical transmission. 

    Encapsulation at Layer 3 refers to wrapping transport-layer segments (like TCP or UDP segments) within a Layer 3 header, usually an IP header. This encapsulation process adds necessary addressing and control information needed for successful delivery and allows each networking layer to operate independently. Encapsulation supports interoperability between various Layer 2 technologies such as Ethernet, Wi-Fi, and Frame Relay.

    Internetworking

    Internetworking enables communication between disparate networks, regardless of their underlying physical media or link-layer protocols. By using logical addressing (IP addresses), the network layer abstracts away the hardware-specific details of local networks, allowing data to move across heterogeneous environments. Routers operate at this layer to connect different network segments, enabling packet delivery across LANs, WANs, and cloud infrastructures.

    This capability forms the foundation of the internet, which is essentially a massive internetwork of interconnected systems. Through routing protocols and standardized IP addressing, Layer 3 ensures that devices on different networks, using different technologies, can exchange data reliably. It also supports key enterprise functions like multi-site connectivity, hybrid cloud integration, and scalable network design.

    Fragmentation and Reassembly

    Fragmentation is a mechanism where Layer 3 breaks down large packets into smaller fragments to accommodate the maximum transmission unit (MTU) of the underlying network. Not all network links support large packets, so routers or the originating device may fragment packets as needed. Each fragment is encapsulated with its own header, allowing the receiving device to identify and reassemble the original packet correctly. 

    Reassembly occurs at the receiving endpoint, where all fragments belonging to the same original packet are combined in proper order. If fragments are lost or arrive out of sequence, proper reassembly mechanisms in the protocol help maintain data integrity. This function is critical for communications across diverse internetworks, where packet size limitations can vary widely due to technology differences or policy configurations.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you effectively manage and mitigate insider threats:

    Deploy policy-based routing for fine-grained traffic steering: Go beyond destination-based routing by using policy-based routing (PBR) to make forwarding decisions based on source address, application type, or user identity. This is invaluable for enforcing business policies like directing specific traffic through security appliances or isolating high-risk flows.

    Harden routing protocols with authentication and route filtering: Always enable authentication (e.g., MD5 for OSPF or TCP-AO for BGP) and implement prefix filters or route maps to prevent route injection attacks. This ensures only trusted peers can advertise or influence routing decisions.

    Use route summarization aggressively to reduce control plane load: Summarize routes at network aggregation points to shrink routing tables and increase stability. This reduces churn from flapping routes and helps protect the network control plane during failure scenarios.

    Implement Reverse Path Forwarding (uRPF) to combat IP spoofing: Unicast Reverse Path Forwarding (uRPF) checks that a packet’s source IP address has a valid return path, mitigating spoofed traffic and forming a baseline defense against many DDoS and scanning attacks.

    Perform control plane policing (CoPP) to protect routers from overload: Rate-limit and prioritize traffic destined for the router’s control plane (like BGP updates or ICMP replies). This prevents service degradation during floods or misconfigurations, preserving router stability.
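    To make the forwarding and uRPF ideas concrete, here is a small Python model of a router's forwarding table doing longest-prefix-match lookups (the Packet Forwarding function above) and strict/loose uRPF source validation (from the tips). It is an added example, not code from the article or from Exabeam; the FIB entries, interface names, and sample packets are constructed.

```python
import ipaddress

# Constructed forwarding table (FIB): (prefix, next_hop, egress_interface).
# None as next hop means the prefix is directly connected. Not taken from the article.
FIB = [
    ("0.0.0.0/0", "203.0.113.1", "wan0"),      # default route toward the ISP
    ("10.0.0.0/8", "10.1.0.1", "core0"),       # summary route toward the core
    ("10.20.0.0/16", "10.20.0.1", "lan0"),     # site aggregate
    ("10.20.30.0/24", None, "lan1"),           # directly connected segment
]

def lookup(fib, addr_str):
    """Longest-prefix match: the most specific prefix containing the address wins."""
    addr = ipaddress.ip_address(addr_str)
    best = None
    for prefix, next_hop, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def forward(fib, dst):
    """Forwarding decision for a packet to dst: (next_hop, egress_interface), or None."""
    hit = lookup(fib, dst)
    if hit is None:
        return None
    _net, next_hop, iface = hit
    # On a directly connected prefix the destination itself is the next hop (ARP/NDP resolves it).
    return (next_hop if next_hop is not None else dst, iface)

def urpf_check(fib, src, ingress_iface, strict=True):
    """Unicast RPF source validation.
    loose: accept if any non-default route leads back to src.
    strict: additionally require that route to leave via the interface the packet arrived on.
    Treating the default route as no evidence mirrors common router defaults (assumption here)."""
    hit = lookup(fib, src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    return hit[2] == ingress_iface if strict else True

def filter_packets(fib, packets):
    """Classify constructed (src, dst, ingress_iface) tuples; returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst, iface in packets:
        if urpf_check(fib, src, iface):
            forwarded.append((src, dst, forward(fib, dst)))
        else:
            dropped.append((src, dst, iface))
    return forwarded, dropped

# Constructed traffic: one legitimate flow, one packet whose source claims to be inside
# but arrives from the WAN, and one source with only the default route behind it.
SAMPLE = [
    ("10.20.30.7", "198.51.100.5", "lan1"),
    ("10.20.30.7", "10.20.5.1", "wan0"),
    ("192.0.2.9", "10.20.30.7", "wan0"),
]
```

    Strict mode discards legitimate traffic wherever routing is asymmetric, which is why loose mode is commonly used on upstream-facing interfaces.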

    Key Layer 3 Protocols Explained 

    Internet Protocol (IPv4 and IPv6)

    The internet protocol (IP) is the core protocol at Layer 3, responsible for logical addressing and routing packets between devices across networks. IPv4, the most widely used IP version, provides a 32-bit address structure, supporting roughly 4.3 billion unique addresses. 

    However, due to address exhaustion and growing connectivity needs, IPv6 was introduced with a 128-bit address space, enabling nearly limitless unique addresses and addressing modern network requirements. 

    IPv6 also brings enhancements like simplified headers, improved support for mobile networks, better multicasting capabilities, and native security features through IPsec integration. Both IPv4 and IPv6 support basic Layer 3 functions, such as fragmentation, routing, and addressing, but IPv6’s improvements provide better performance for the expanding internet.

    ICMP and Diagnostic Messaging

    The internet control message protocol (ICMP) complements the main internet protocol by providing diagnostic and error-reporting capabilities at Layer 3. ICMP communicates issues such as unreachable hosts, network congestion, or time-to-live (TTL) expiration, allowing devices and network administrators to diagnose and rectify problems in real time. 

    ICMP is vital for tools like ping and traceroute, which test connectivity between networked devices and trace packet traversal across the network path. While ICMP is essential for network troubleshooting and operational transparency, it is also targeted by certain network-based attacks, so proper filtering and monitoring of ICMP traffic are important. 

    ARP and Neighbor Discovery

    The address resolution protocol (ARP) is used in IPv4 networks to map a Layer 3 IP address to a Layer 2 MAC address, enabling local network communication. When a device needs to send a packet to another device on the same subnet, but only knows its IP address, ARP helps discover the physical (MAC) address required for frame delivery. 

    ARP requests and responses are exchanged locally, ensuring correct association between an IP address and a device’s hardware address. In IPv6 networks, neighbor discovery protocol (NDP) replaces ARP and performs similar functions, including address resolution, neighbor unreachability detection, and router discovery. NDP employs ICMPv6 messages and offers additional features like stateless address autoconfiguration. 

    OSPF, BGP, and Other Routing Protocols

    Open shortest path first (OSPF) and border gateway protocol (BGP) are two foundational Layer 3 routing protocols. OSPF is used primarily within a single organization, providing fast convergence, hierarchical routing, and support for large, complex enterprise networks. OSPF dynamically calculates the shortest path for data based on link costs and network topology changes, reducing downtime and improving reliability. 

    On a larger scale, border gateway protocol (BGP) is the protocol that makes Internet-wide routing possible, exchanging routing information between autonomous systems and supporting policy-based decision-making. BGP handles massive routing tables, supports load balancing, and manages inter-domain traffic, making it indispensable for Internet Service Providers and large enterprises. 

    Other notable protocols include RIP, EIGRP, and IS-IS, each suited to different types of environments and operational needs.

    Security Threats and Vulnerabilities at Layer 3

    Routing Attacks

    Layer 3 networks are vulnerable to a range of routing-based attacks. Attackers can exploit dynamic routing protocols by injecting false routing updates, causing traffic black-holing, route flapping, or rerouting sensitive traffic through malicious intermediate systems for interception. 

    These attacks leverage weak authentication or trust models inherent in some routing protocols (such as early versions of RIP or unsecured BGP sessions), undermining the reliability and integrity of network path selection. Successful routing attacks may result in denial of service, data interception, or widespread network instability. 

    Ping-Based Attacks

    Ping-based attacks exploit ICMP echo requests (commonly called “pings”) to disrupt network resources or gather intelligence about network topology. An attacker may initiate a “ping flood” by sending a large number of ICMP echo requests to overwhelm a target, consuming bandwidth and computational resources. 

    Another variant, called a “smurf attack,” amplifies the traffic by reflecting ICMP requests off misconfigured network devices, multiplying their impact. While ICMP is an invaluable tool for diagnostics, excessive or malicious use can degrade network performance and make devices unavailable to legitimate users.

    DDoS Attacks

    Distributed denial of service (DDoS) attacks at Layer 3 typically involve overwhelming a network’s infrastructure, such as routers or firewalls, by flooding them with massive volumes of bogus traffic, often leveraging spoofed IP packets. 

    These assaults can knock entire services offline, disrupt connectivity, or exhaust network resources, impacting both targeted victims and collateral users. Layer 3 DDoS attacks frequently exploit the absence of source verification and the stateless nature of IP forwarding. 

    IP Fragmentation Attacks

    IP fragmentation attacks manipulate the packet fragmentation and reassembly process to evade security controls or exhaust system resources. Attackers may craft overlapping, malformed, or excessively fragmented packets, causing end systems or security appliances to expend significant resources or misinterpret the reconstructed data stream. 

    Some legacy firewalls may fail to properly inspect fragmented traffic, allowing malicious payloads to bypass detection. Defense against IP fragmentation attacks involves enforcing minimum fragment sizes, validating fragment consistency, and ensuring security devices are capable of deep packet inspection and proper reassembly processing. 
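    The reassembly rules from Fragmentation and Reassembly above, and the overlap and tiny-fragment checks this section recommends, as an added Python example (not code from the article): it parses real IPv4 fragment headers and refuses to reassemble anything inconsistent. The packet contents and identification value are constructed test data.

```python
import struct
MF_FLAG = 0x2000        # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF    # 13-bit fragment offset, in 8-byte units

def parse_ipv4(raw):
    """Parse an IPv4 header; return (identification, more_fragments, offset_bytes, payload)."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    ver_ihl, total_len, ident, flags_frag = raw[0], *struct.unpack("!HHH", raw[2:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("malformed header")
    mf = bool(flags_frag & MF_FLAG)
    return ident, mf, (flags_frag & OFFSET_MASK) * 8, raw[ihl:total_len]

def make_fragment(ident, offset, mf, payload):
    """Build a constructed IPv4 fragment (checksum left zero; test data only)."""
    flags_frag = (MF_FLAG if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def reassemble(fragments, min_nonfinal=16):
    """Reassemble fragments of one datagram, refusing anything ambiguous rather than guessing.
    Rejects overlaps, gaps, undersized non-final fragments (tiny-fragment evasion) and a missing
    or misplaced final fragment. Exact duplicates are rejected too; a real stack tolerates them."""
    parsed = [parse_ipv4(f) for f in fragments]
    if len({p[0] for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    parsed.sort(key=lambda p: p[2])           # fragments may arrive in any order
    expected, total, out = 0, None, bytearray()
    for _ident, mf, offset, payload in parsed:
        if mf and (len(payload) < min_nonfinal or len(payload) % 8):
            raise ValueError(f"bad non-final fragment length at offset {offset}")
        if offset < expected:
            raise ValueError(f"overlapping fragment at offset {offset}")
        if offset > expected:
            raise ValueError(f"gap before offset {offset}")
        out += payload
        expected = offset + len(payload)
        if not mf:
            total = expected
    if total is None or total != expected:
        raise ValueError("final fragment missing or not last")
    return bytes(out)

def check(fragments):
    """Return ('ok', data) or ('drop', reason) so a monitor can log the verdict."""
    try:
        return ("ok", reassemble(fragments))
    except ValueError as e:
        return ("drop", str(e))

PAYLOAD = bytes(range(40))   # constructed 40-byte datagram payload, split below
def good_fragments():
    return [make_fragment(0x1234, 0, True, PAYLOAD[:24]),
            make_fragment(0x1234, 24, False, PAYLOAD[24:])]

def overlapping_fragments():
    # the middle fragment re-covers bytes 16..31 already delivered by the first one
    return [make_fragment(0x1234, 0, True, PAYLOAD[:24]),
            make_fragment(0x1234, 16, True, PAYLOAD[16:32]),
            make_fragment(0x1234, 32, False, PAYLOAD[32:])]
```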

    Best Practices for Securing OSI Layer 3

    Here are some of the ways that organizations can improve their Layer 3 setup.

    1. Maintain Hierarchical Addressing Schemes

    Hierarchical addressing simplifies routing by structuring IP addresses to reflect the physical or logical topology of the network. This organization supports route summarization, where multiple contiguous IP addresses can be represented by a single summary route, reducing the size and complexity of routing tables. For large enterprise or ISP networks, this improves routing scalability and speeds up convergence during topology changes.

    A well-planned hierarchical address scheme also improves troubleshooting and access control. For example, grouping addresses by department, region, or function enables more granular application of firewall rules and access control lists (ACLs). It also allows easier identification of traffic sources during incident response or performance analysis.
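    An added Python example (not from the article) of the route summarization described above: it computes the exact summary for a set of subnets and, for a single covering prefix, reports the address space the summary would advertise without any real subnet behind it. The subnet plan is constructed.

```python
import ipaddress

def exact_summary(prefixes):
    """Collapse adjacent or nested prefixes into the fewest prefixes that cover exactly
    the same address space (no extra addresses advertised)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def single_summary(prefixes):
    """Smallest single prefix covering all inputs, plus the address space it advertises
    that none of the inputs actually uses. Assumes one address family."""
    nets = list(ipaddress.collapse_addresses([ipaddress.ip_network(p) for p in prefixes]))
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    # carve each real prefix out of the summary; whatever is left is over-summarization
    remaining = [summary]
    for n in nets:
        pieces = []
        for piece in remaining:
            pieces.extend(piece.address_exclude(n) if n.subnet_of(piece) else [piece])
        remaining = pieces
    return str(summary), [str(r) for r in sorted(remaining)]

# Constructed site plan: three department /24s inside what is meant to be a /22 block.
SITE_PREFIXES = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24"]

def summarize_site(prefixes=SITE_PREFIXES):
    """Report the table reduction and the unused space a single summary would attract."""
    exact = exact_summary(prefixes)
    summary, unused = single_summary(prefixes)
    return {"routes_before": len(prefixes), "exact": exact,
            "summary": summary, "unused_in_summary": unused}
```

    Where a single summary is advertised despite such unused space, a discard (null) route for the summary on the advertising router keeps traffic to the unused space from being forwarded toward the default route and looping.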

    2. Use Redundancy and Dynamic Routing Protocols

    Deploying redundant network paths and devices helps ensure high availability and fault tolerance at Layer 3. This includes using multiple routers, redundant uplinks, and dynamic routing protocols that can detect failures and reroute traffic. Protocols like OSPF and BGP provide fast convergence and route recalculation when links or nodes go down, maintaining uninterrupted communication.

    Redundancy should be combined with careful route design to prevent loops and suboptimal routing. Administrative distances, route metrics, and fallback paths must be configured correctly to avoid instability or black-holing. Regular testing of failover scenarios ensures that redundancy mechanisms work as expected during real outages.

    3. Implement Strong ACL and Firewall Policies

    Access control lists (ACLs) and firewalls are essential tools for controlling Layer 3 traffic flow based on IP addresses, protocols, and port numbers. Carefully crafted ACLs limit traffic to what is necessary for business operations, reducing the attack surface and minimizing the risk of unauthorized access or lateral movement within the network.

    ACLs should be applied at the network perimeter and within internal segments to enforce segmentation and zero trust principles. In addition to static rules, dynamic policies based on identity, context, or time of day can further refine access control. All changes to ACLs and firewall policies should follow a controlled process with proper validation and auditing.

    4. Monitoring, Logging, and Anomaly Detection

    Continuous monitoring of Layer 3 activity provides visibility into network health, performance, and security. Logs from routers, firewalls, and intrusion detection systems (IDS) can be aggregated and analyzed to detect anomalies such as unexpected traffic patterns, route changes, or access violations. Tools like NetFlow or IPFIX can help track traffic flows and identify irregular behaviors.

    Anomaly detection systems, especially those using machine learning, can flag subtle deviations that may indicate threats like DDoS attacks or compromised hosts. Layer 3 logs are also essential for incident investigation and compliance. To be effective, logging systems must be scalable, timestamp-synchronized, and protected from tampering.

    5. Document and Monitor IP Allocations

    Maintaining up-to-date documentation of IP address allocations helps avoid conflicts, supports incident response, and aids in troubleshooting. IP address management (IPAM) tools can automate the tracking of address assignments, lease expirations, and subnet utilization, providing visibility into current and historical usage.

    Active monitoring of IP address usage can also detect unauthorized devices, rogue DHCP servers, or address spoofing attempts. Regular audits ensure that IP allocations remain aligned with organizational policies, and help reclaim unused address space. Accurate documentation is especially important in networks using both IPv4 and IPv6, where manual tracking becomes error-prone at scale.

    Network Security with Exabeam

    A security operations platform strengthens network security, specifically focusing on OSI Layer 3, the network layer. The platform gathers and analyzes various data sources, including logical addresses, routing table updates, and packet forwarding events. This comprehensive data collection offers insight into how data packets are routed across different networks, including logical addressing, path determination, and fragmentation. By establishing baselines for typical Layer 3 operations, the platform can pinpoint deviations that may signal a security breach or an attack vector.

    When suspicious events emerge, such as uncharacteristic routing updates, ping-based attacks, DDoS traffic surges, or IP fragmentation anomalies, the platform integrates these findings with broader security intelligence. This integration helps contextualize Layer 3 anomalies within the larger threat environment, enabling security teams to understand the potential ramifications and source of an attack. The system’s capability to monitor routing behavior and packet flows across layers assists in linking malicious Layer 3 actions to particular networks or devices.

    Through advanced analytics and behavioral modeling, the platform facilitates the discovery of intricate Layer 3 attacks that might bypass conventional signature-based defenses. The objective is to provide security teams with practical insights to effectively investigate and react to threats. This strategy cultivates a more resilient security stance by addressing vulnerabilities and malicious activities specifically targeting the fundamental network routing and addressing mechanisms.
