Basics Story

Chapter #6 – Internet and Wi-Fi

internet architecture, world wide web, Wi-Fi standards, physical layer, security

6.0  Prologue

The internet is not a single network but a federation of thousands of independently operated networks exchanging reachability information through BGP and routing packets on a best-effort basis. Wi-Fi is the dominant last-hop medium connecting end devices to that infrastructure. Understanding both — how traffic crosses a global backbone and how it crosses the final ten meters wirelessly — is prerequisite knowledge for writing software that behaves correctly under real network conditions.

6.1  Internet Architecture

The internet is a mesh of autonomous systems (ASes) — independently managed networks, each a set of IP prefixes under a single routing policy, operated by ISPs, cloud providers, universities, and enterprises. Each AS holds a globally unique ASN (autonomous system number) and exchanges routing information with its neighbors via BGP (covered in Chapter 3). ISPs are stratified by connectivity:
  • Tier 1: A small number of carriers (AT&T, Lumen, Telia, NTT) that peer globally with each other at no cost. They own submarine cables and land-based fiber backbones spanning continents and connect to every destination on the internet without paying transit fees.
  • Tier 2: Regional ISPs that peer freely with some networks but purchase transit from Tier 1 carriers to reach the rest of the internet.
  • Tier 3: Local access ISPs that buy all their transit from Tier 1 or Tier 2 providers and deliver last-mile connectivity to homes and businesses.
Peering vs. transit:
  • Peering — two networks exchange traffic between their respective customers at no cost. Both benefit from the direct path; neither pays the other.
  • Transit — one network pays another to carry its traffic to any destination on the internet. The paying network reaches the world; the transit provider earns revenue.
IXPs (Internet Exchange Points) are physical switching facilities where hundreds of networks connect to peer directly over a shared fabric. Major IXPs (DE-CIX Frankfurt, AMS-IX Amsterdam, Equinix IX) exchange several terabits per second, dramatically reducing the latency and cost of inter-network traffic compared to routing through transit providers. CDNs (Content Delivery Networks) cache content at hundreds of edge locations (Points of Presence, PoPs) distributed worldwide. When a client requests a resource, the CDN's authoritative DNS server answers the lookup for the site's hostname with the IP address of the nearest PoP rather than that of the origin server. Cloudflare, Akamai, and AWS CloudFront collectively serve a large fraction of global web traffic. CDNs reduce round-trip latency, absorb traffic spikes, and mitigate DDoS attacks by distributing load across many edge nodes.

6.2  Packets and Flow Control

Packet types: internet traffic is carried in discrete packets; the type depends on which protocol layer produced it.
Name         | Protocol         | Purpose | Header overhead
-------------+------------------+---------+----------------
IP datagram  | IPv4 / IPv6      | Carries all higher-layer data across routers; each router reads the destination address and forwards independently. | 20 B (IPv4 min) / 40 B (IPv6)
TCP segment  | TCP (inside IP)  | Reliable, ordered byte stream; carries sequence/ack numbers, flags, and a window field for flow control. | 20 B min (+ IP header)
UDP datagram | UDP (inside IP)  | Unreliable, unordered delivery; no retransmission. Used for DNS, QUIC, video streaming, and real-time games. | 8 B (+ IP header)
ICMP message | ICMP (inside IP) | Control and error reporting: Echo Request/Reply (ping), Destination Unreachable, Time Exceeded (traceroute). | 8 B (+ IP header)
Flow control prevents a fast sender from overwhelming a slow receiver. TCP implements it through the receive window: the receiver advertises in every ACK how many bytes of free buffer space it has. The sender must not have more unacknowledged bytes in flight than the advertised window. As the receiver drains its buffer and sends ACKs, the window grows; if the application stops reading, the window shrinks to zero and the sender pauses. This is a receiver-driven mechanism — it protects a single endpoint.

Congestion control protects the network itself. TCP infers congestion from packet loss or, with ECN (Explicit Congestion Notification), from router-marked packets, and reduces its sending rate accordingly:
  • Slow start: the sender begins with a congestion window (cwnd) of 1–10 segments and doubles it each round-trip until reaching the slow-start threshold or detecting loss. Despite the name, growth is exponential.
  • Congestion avoidance: above the threshold, cwnd grows by one segment per RTT (additive increase). On loss, it is halved (multiplicative decrease) — the AIMD (Additive Increase Multiplicative Decrease) algorithm that keeps TCP flows stable and fair when sharing a link.
  • Fast retransmit / fast recovery: three duplicate ACKs signal a dropped segment without waiting for a timeout. The sender retransmits immediately and enters fast recovery, halving cwnd rather than resetting to 1, so throughput recovers quickly.
  • ECN (Explicit Congestion Notification): a router near capacity marks IP packets instead of dropping them; the receiver reflects the mark back to the sender, which reduces rate before a drop occurs. Requires support in the router, sender OS, and receiver OS.
The effective throughput of a TCP connection is bounded by min(rwnd, cwnd) bytes per RTT, where rwnd is the receive window and cwnd is the congestion window. A high-latency link (large RTT) suppresses throughput even when both endpoints have spare capacity, which is why newer congestion-control algorithms such as BBR, and transports such as QUIC that can deploy them without kernel changes, were developed to make better use of high-bandwidth, high-latency paths.
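As an added illustration of slow start, AIMD and fast recovery (example code written for this chapter, not part of the original text): a deterministic simulation in which loss events are scripted per round rather than driven by real ACKs. The names simulate_cwnd and throughput_bound are my own, and cwnd is counted in whole segments.

```python
# Added example: toy model of TCP slow start, AIMD congestion avoidance and
# fast recovery. Loss events are scripted per RTT round so the run is
# deterministic; real TCP reacts to ACK feedback. Names are my own.

def simulate_cwnd(rounds, loss_rounds, init_cwnd=10, ssthresh=64):
    """Return cwnd (in segments) at the start of each RTT round.

    loss_rounds maps round index -> "dupack" (three duplicate ACKs: fast
    retransmit + fast recovery, cwnd halved) or "timeout" (RTO expiry:
    cwnd reset to 1, slow start restarts toward half the old window).
    """
    cwnd = init_cwnd
    history = []
    for r in range(rounds):
        history.append(cwnd)
        event = loss_rounds.get(r)
        if event == "timeout":
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1                          # back to slow start
        elif event == "dupack":
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh                   # halve, but skip slow start
        elif cwnd < ssthresh:
            cwnd = min(cwnd * 2, ssthresh)    # slow start: doubles per RTT
        else:
            cwnd += 1                         # additive increase: +1 per RTT
    return history


def throughput_bound(rwnd_bytes, cwnd_segments, mss=1460, rtt_s=0.1):
    """Upper bound in bytes/s: min(rwnd, cwnd) delivered once per RTT."""
    window = min(rwnd_bytes, cwnd_segments * mss)
    return window / rtt_s


if __name__ == "__main__":
    print(simulate_cwnd(8, {5: "dupack"}))   # exponential, then +1, then halved
    print(throughput_bound(65535, 100))      # 64 KiB rwnd caps a 100-segment cwnd
```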

6.3  The World Wide Web

The web is an application layer built on the internet, defined by three technologies:
  • URL (Uniform Resource Locator): identifies a resource by scheme (https), host (example.com), path (/articles/42), and optional query string or fragment.
  • HTTP (HyperText Transfer Protocol): request/response protocol for fetching and submitting resources (covered in Chapter 3).
  • HTML: markup language that describes document structure; the browser parses it into a DOM (Document Object Model) for rendering and scripting.
Sequence of events for a browser loading https://example.com/page:
  1. Browser resolves example.com via DNS to an IP address.
  2. Browser opens a TCP connection; TLS handshake establishes session keys.
  3. Browser sends GET /page HTTP/2 with headers (Host, Accept, cookies).
  4. Server returns a response: status line, headers, and an HTML body.
  5. Browser parses the HTML, discovers sub-resources (CSS, JS, images), and fetches them in parallel over the existing HTTP/2 connection.
  6. Browser constructs the render tree, lays out and paints the page, then runs JavaScript event loops.
REST APIs expose server-side resources over HTTP using standard methods:
Method | Semantics                                   | Idempotent?
-------+---------------------------------------------+----------------
GET    | Retrieve a resource; must not modify state. | Yes
POST   | Create a new resource or trigger an action. | No
PUT    | Replace a resource entirely.                | Yes
PATCH  | Apply a partial update to a resource.       | No (by default)
DELETE | Remove a resource.                          | Yes
HTTP status codes communicate outcome. Key families: 2xx success (200 OK, 201 Created, 204 No Content), 3xx redirect (301 Moved Permanently, 302 Found, 304 Not Modified), 4xx client error (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests), 5xx server error (500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable).

6.4  Internet Security

The internet was designed for openness and interoperability, not security. Every layer — from the physical to the application — is a potential attack surface. Security is achieved by layering defenses at each level, because no single mechanism protects against every threat class. Common attack categories:
  • Eavesdropping / packet sniffing: an attacker with access to a network path captures unencrypted traffic. Defense: TLS everywhere; never transmit credentials or sensitive data over plain HTTP.
  • Man-in-the-middle (MITM): the attacker sits between client and server, relaying and optionally modifying traffic. Enabled by ARP spoofing on a LAN, a rogue access point, or BGP hijacking at internet scale. Defense: TLS with certificate validation; HSTS (HTTP Strict Transport Security) prevents downgrade to plain HTTP.
  • Denial-of-Service (DoS) / Distributed DoS (DDoS): floods a target with traffic to exhaust its bandwidth, CPU, or connection-table capacity. Amplification attacks use protocols with asymmetric request/response size (DNS, NTP, SSDP) to multiply small attacker bandwidth into massive volume. Defense: rate limiting, traffic scrubbing services (Cloudflare, AWS Shield), anycast routing to distribute load across many ingress points.
  • DNS poisoning / spoofing: fraudulent DNS responses redirect users to malicious servers while the address bar shows the legitimate hostname. Defense: DNSSEC (cryptographically signed DNS records); DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt the query between the client and its resolver so it cannot be observed or tampered with on that leg.
  • BGP hijacking: a malicious or misconfigured AS announces more-specific prefixes for IP space it does not own, attracting traffic intended for the legitimate owner. Defense: RPKI (Resource Public Key Infrastructure) lets prefix owners publish cryptographically signed route origin authorizations that routers can validate.
  • Injection attacks (SQL, command, LDAP): user-supplied input is interpreted as code rather than data. An unsanitized SQL query can expose or destroy a database; a command injection can execute arbitrary shell commands. Defense: parameterized queries / prepared statements; never build queries by string-concatenating user input.
  • Cross-Site Scripting (XSS): malicious script is injected into pages served by a trusted site and executes in victims’ browsers, stealing session cookies or credentials. Defense: output encoding at render time; Content Security Policy (CSP) header restricts which script sources the browser will execute.
  • Cross-Site Request Forgery (CSRF): a victim’s authenticated session is exploited by a third-party page that silently issues state-changing requests to a trusted site on the victim’s behalf. Defense: CSRF tokens (server-issued random values validated on every mutating request); SameSite=Strict or Lax cookie attribute.
  • Phishing / social engineering: attackers impersonate trusted entities to trick users into revealing credentials or installing malware. Defense: multi-factor authentication (MFA); FIDO2/WebAuthn hardware security keys are phishing-resistant because they bind the credential to the origin URL.
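The BGP hijacking bullet says routers can validate route origin authorizations; as an added example (not from the chapter), this is the RFC 6811 origin-validation check in Python. The ROAs and announcements are constructed sample data using documentation prefixes and private ASNs, and the function names are my own.

```python
# Added example: RPKI route origin validation (RFC 6811). A router compares
# each BGP announcement (prefix, origin AS) against the ROAs it has fetched.
# ROAs and announcements below are constructed; names are my own.
import ipaddress

# Each ROA: (authorized prefix, maxLength, origin ASN). maxLength bounds how
# specific an announcement may be, which is what catches more-specific hijacks.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    ann = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if ann.version != roa.version or not ann.subnet_of(roa):
            continue                      # this ROA says nothing about ann
        covered = True                    # at least one ROA covers the prefix
        if asn == origin_asn and ann.prefixlen <= max_len:
            return "valid"                # right origin, not too specific
    # Covered but no ROA matched: wrong origin AS, or prefix beyond maxLength
    return "invalid" if covered else "not-found"


def classify(announcements, roas=ROAS):
    """Map (prefix, origin) -> state; 'invalid' is what ROV-enabled routers
    drop or depreference, which is how a hijack is stopped at the edge."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    sample = [("203.0.113.0/24", 64500),   # legitimate
              ("203.0.113.0/25", 64666),   # more-specific from the wrong AS
              ("192.0.2.0/24", 64500)]     # no ROA at all
    for key, state in classify(sample).items():
        print(key, state)
```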
Defense-in-depth layers:
  • Transport security (TLS 1.3): authenticates the server via certificate, negotiates ephemeral keys for forward secrecy, and encrypts all application data. HSTS preload lists enforce TLS even on first contact.
  • Firewalls: stateful packet inspection filters by source/destination IP, port, and connection state. Next-generation firewalls add deep packet inspection and application-layer awareness.
  • Intrusion Detection / Prevention (IDS/IPS): monitor traffic for known attack signatures or anomalous behavior and alert (IDS) or block (IPS).
  • Web Application Firewalls (WAF): filter HTTP requests for common attack patterns (SQL injection, XSS, path traversal) before they reach application code.
  • Least privilege and network segmentation: services expose only the ports they require; database and admin tiers are isolated from public-facing segments so a breach in one zone does not propagate freely.
CWE Top 25 Most Dangerous Software Weaknesses: MITRE publishes a ranked list of software weaknesses most frequently exploited in real-world attacks. The 2025 list is led by out-of-bounds writes, cross-site scripting, SQL injection, use-after-free, and missing authorization — weaknesses at the application layer that are routinely exploited over the network. Directing defensive effort toward these weaknesses yields the highest reduction in exploitable attack surface. See: MITRE CWE Top 25 (2025).
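SQL injection appears both in the attack list above and in the CWE Top 25; as an added example (not from the chapter), here is the injection bullet's point in runnable form: a query built by string concatenation beside the parameterized version. The in-memory SQLite database and its two rows are constructed sample data, and the function names are my own.

```python
# Added example: the same lookup written unsafely (string concatenation) and
# safely (parameterized query). SQLite in memory stands in for a real DB;
# the table contents are constructed. Names are my own.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # The input is spliced into the statement text, so the database parser
    # treats whatever it contains as SQL rather than as a value.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # The statement is fixed; the driver binds the value separately, so the
    # input can only ever be compared as a string, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"            # the textbook tautology input
    print(find_user_vulnerable(db, crafted))   # every row is returned
    print(find_user_safe(db, crafted))         # nobody is literally named that
```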

6.5  Wi-Fi Standards

IEEE 802.11 is the standard family governing wireless LAN. Each generation extended throughput, range, or spectrum efficiency:
Brand    | Standard | Max Throughput | Bands           | Key Additions
---------+----------+----------------+-----------------+--------------------------------------------------
Wi-Fi 4  | 802.11n  | 600 Mbps       | 2.4 / 5 GHz     | MIMO, 40 MHz channel bonding
Wi-Fi 5  | 802.11ac | 3.5 Gbps       | 5 GHz only      | MU-MIMO (downlink), 80/160 MHz channels, 256-QAM
Wi-Fi 6  | 802.11ax | 9.6 Gbps       | 2.4 / 5 GHz     | OFDMA, BSS Coloring, Target Wake Time, 1024-QAM
Wi-Fi 6E | 802.11ax | 9.6 Gbps       | 2.4 / 5 / 6 GHz | 1.2 GHz of new unlicensed 6 GHz spectrum
Wi-Fi 7  | 802.11be | 46 Gbps        | 2.4 / 5 / 6 GHz | Multi-link operation, 320 MHz channels, 4096-QAM
Frequency bands:
  • 2.4 GHz: only 3 non-overlapping 20 MHz channels (1, 6, 11) within the 83.5 MHz allocation. Provides longer range and better wall penetration than 5 GHz but is congested in dense environments; Bluetooth and microwave ovens share the band.
  • 5 GHz: 25 non-overlapping 20 MHz channels available in the US. Shorter range than 2.4 GHz but far less congested and supports wider channel bonding (40/80/160 MHz).
  • 6 GHz (Wi-Fi 6E and 7): 59 non-overlapping 20 MHz channels; no legacy 802.11a/b/g/n/ac devices permitted. The cleanest available Wi-Fi spectrum.
CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) is the medium-access protocol used by all 802.11 variants. Before transmitting, a station listens to determine whether the channel is idle. If busy, it backs off for a random interval drawn from a contention window, then retries. Unlike Ethernet’s CSMA/CD, collisions cannot be detected over radio, so avoidance is essential. The hidden node problem — where two stations cannot hear each other but both reach the access point — is addressed by optional RTS/CTS handshaking.

6.6  Wi-Fi Physical Layer

OFDM (Orthogonal Frequency-Division Multiplexing) divides a channel into many narrow parallel subcarriers, each modulated at a low symbol rate. A 20 MHz 802.11g channel uses 52 data subcarriers. Parallel transmission makes OFDM highly resistant to multipath interference — where signals reflected off walls arrive at the receiver slightly delayed — because the symbol duration is long relative to the delay spread.

OFDMA (Wi-Fi 6+) extends OFDM by subdividing subcarriers into resource units (RUs) and assigning different RUs to different clients simultaneously. Where OFDM serves one client per transmission, OFDMA serves many, reducing latency in high-density environments such as stadiums, offices, and apartment buildings.

MIMO (Multiple Input Multiple Output) places multiple antennas at both transmitter and receiver to send independent spatial streams over the same channel, multiplying throughput. An access point described as 4×4:4 has 4 transmit antennas, 4 receive antennas, and supports 4 spatial streams; the throughput is up to four times that of a 1×1 link under the same conditions.

MU-MIMO (Multi-User MIMO) extends MIMO to serve several clients simultaneously. The access point uses beamforming to direct each spatial stream toward its target client by adjusting the phase relationship of signals across its antenna array. A sounding exchange between AP and client measures the channel matrix needed to compute the beamforming weights.

Channel bonding combines adjacent 20 MHz channels into 40, 80, or 160 MHz channels, doubling or quadrupling the raw data rate at the cost of reducing the number of usable non-overlapping channels. In the congested 2.4 GHz band, bonding beyond 20 MHz is impractical; in the 6 GHz band it is the primary throughput strategy.

6.7  Wi-Fi Security

Protocol       | Year | Cipher                     | Status
---------------+------+----------------------------+------------------------------------------------------------------
WEP            | 1999 | RC4, 40-bit key, 24-bit IV | Broken; key recoverable from ~50,000 packets. Do not use.
WPA (TKIP)     | 2003 | RC4 + per-packet keys      | Deprecated; emergency fix while 802.11i was finalized.
WPA2 (802.11i) | 2004 | AES-CCMP, 128-bit          | Widely deployed; vulnerable to KRACK (2017) on unpatched clients.
WPA3           | 2018 | AES-GCMP, SAE key exchange | Current standard; forward secrecy, PMF mandatory.
KRACK (Key Reinstallation Attack, 2017): a man-in-the-middle attacker can replay and retransmit WPA2 handshake messages to force nonce reuse in the session key, allowing decryption or forgery of traffic on unpatched clients. Patched in OS updates; WPA3’s SAE handshake is not vulnerable to this class of attack.

WPA3 Personal — SAE (Simultaneous Authentication of Equals): replaces the WPA2 PSK four-way handshake with a Dragonfly-based zero-knowledge proof. Each session negotiates a unique key even when the same passphrase is used, providing forward secrecy: an attacker who records encrypted traffic and later learns the passphrase still cannot decrypt what was captured.

WPA3 Enterprise: mandates a 192-bit security suite (GCMP-256, HMAC-SHA-384) for networks requiring higher assurance. Organizations also deploy 802.1X/EAP: each client authenticates to a RADIUS server with individual credentials (certificate or username/password via EAP-TLS or PEAP). The RADIUS server issues per-user, per-session encryption keys, so compromising one device does not expose traffic of other users.

Protected Management Frames (PMF / 802.11w) are mandatory in WPA3. They authenticate deauthentication and disassociation frames, preventing attackers from forcing clients off a network with forged management packets (deauth flood attacks).
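Why the nonce reuse that KRACK forces is fatal, as an added example that is not part of the chapter: a toy counter-mode cipher built on SHA-256 (not AES-CCMP) has the same property the real cipher depends on, that the keystream is a function of key and nonce only. The key, nonces and frame contents are constructed, and the function names are my own.

```python
# Added example: the two-time-pad failure behind "nonce reuse allows
# decryption". Toy counter mode built on SHA-256, not AES-CCMP; the key,
# nonces and plaintexts are constructed. Names are my own.
import hashlib

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed session key


def keystream(key, nonce, length):
    """Toy counter mode: keystream block i = SHA-256(key || nonce || i)."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return blocks[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def plaintext_from_nonce_reuse(c1, known_p1, c2):
    """If c1 and c2 share key and nonce, the keystream cancels:
    c1 XOR c2 == p1 XOR p2, so a predictable p1 exposes p2 outright.
    With distinct nonces the result is just noise."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo():
    reinstalled = (0).to_bytes(6, "big")     # nonce a KRACK victim resets to
    fresh = (1).to_bytes(6, "big")           # what a patched client would use next
    p1 = b"GET / HTTP/1.1\r\n"               # frame with predictable content
    p2 = b"cookie=secret123"                 # frame we would rather keep secret
    c1 = encrypt(KEY, reinstalled, p1)
    c2_reused = encrypt(KEY, reinstalled, p2)   # same key, same nonce: broken
    c2_fresh = encrypt(KEY, fresh, p2)          # nonce advanced: safe
    return (plaintext_from_nonce_reuse(c1, p1, c2_reused),
            plaintext_from_nonce_reuse(c1, p1, c2_fresh))


if __name__ == "__main__":
    leaked, noise = demo()
    print(leaked)                          # the second frame, in the clear
    print(noise == b"cookie=secret123")    # False: fresh nonce, nothing learned
```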

6.8  Epilogue

Wi-Fi and the internet together close the gap between running software and delivering it to users: packets travel across a federated backbone of autonomous systems and descend through ISP tiers, and the final hop is wireless. The next chapter examines the programming languages used to write software that runs across this infrastructure.

6.9  References

RFC 9110 – HTTP Semantics
How the Internet Works – Cloudflare Learning
Wi-Fi 6 Certification – Wi-Fi Alliance
Wi-Fi Security – Wi-Fi Alliance
KRACK Attacks – Vanhoef & Piessens
MITRE CWE Top 25 Most Dangerous Software Weaknesses (2025)