How the Internet Physically Works — Packets, Protocols, and the Infrastructure Beneath
Series: Information Infrastructure — The Physical Internet · Part 1 of 8
The Internet Is Not a Cloud
The cloud metaphor obscures the strategic reality. Every packet of data that crosses a border, every video stream that loads on a phone, every diplomatic cable that moves between embassies travels across a measurable physical substrate: fiber-optic glass, copper, routers in concrete buildings, antennas bolted to towers, and — for more than 99% of intercontinental traffic — submarine cables resting on the seabed (TeleGeography, 2023; Fact). The qualifier matters. That 99% figure applies to intercontinental traffic; a substantial share of global internet activity never crosses an ocean because content delivery networks cache it locally. But when data does need to move between continents, it almost certainly moves through a cable, not a satellite. Satellites carried 0.37% of US international capacity in the most recent precise FCC measurement (FCC, 2013; Fact), and no updated precision figure has been published since.
This article maps the logical architecture that runs on top of that physical substrate — packet switching, the TCP/IP stack, the Border Gateway Protocol, the Domain Name System, internet exchange points, and Tier-1 backbones. It traces where each layer creates a chokepoint, where each protocol assumes trust that adversarial geopolitics no longer extends, and where the geography of the internet collides with the geography of state power. Subsequent articles in this series will go deeper into Fiber Optic Transmission, submarine cable geopolitics, and Economic Chokepoints — Coercive Statecraft. This piece establishes the foundation.
How Data Moves — Packet Switching and the TCP/IP Stack
The internet’s foundational design choice was packet switching, a deliberate break from the circuit-switched architecture of the legacy telephone network (PSTN). In circuit switching, a dedicated end-to-end path is reserved before any data flows; the path remains allocated for the entire call. In packet switching, data is fragmented into discrete packets, each carrying its own source and destination address. Each packet travels independently. No path is pre-established. (Fact.)
This produces a specific operational pattern called store-and-forward. A router receives a complete packet, reads the destination address, consults its routing table to select the next hop, and transmits the packet onward. The router makes that decision independently of every other router on the path. Two packets in the same conversation can take different routes, arrive out of order, and be reassembled at the destination. The architecture is resilient — a router failure reroutes traffic automatically — but it is also stateless in a way that has profound security consequences. No router along a path has authoritative knowledge of where a packet is going or where it has been. It trusts the addresses written on the packet.
The packet’s journey is governed by a layered protocol stack. The TCP/IP four-layer model structures the work:
- Application Layer — HTTP, DNS, SMTP, and the protocols that applications speak directly.
- Transport Layer — TCP for reliable delivery (acknowledgments, retransmission of lost packets, ordered reassembly) or UDP for fast, stateless delivery used by DNS queries, video conferencing, and real-time gaming.
- Internet Layer — IP and ICMP. This is where addressing and routing live. Every packet carries an IP source and destination at this layer.
- Network Access Layer — Ethernet, Wi-Fi, and the physical transmission protocols that move bits over a specific medium.
The older OSI seven-layer model decomposes the same work more finely (Physical → Data Link → Network → Transport → Session → Presentation → Application) and remains the reference vocabulary for network engineers. The two models are interoperable; OSI Layer 3 corresponds to TCP/IP’s Internet Layer, OSI Layer 4 to TCP/IP’s Transport Layer. Routing happens at Layer 3. Reliability is enforced at Layer 4. (Fact.)
The analytical point: every packet on the global internet is, at its core, a structured envelope with a source address, a destination address, and a payload, moving hop-by-hop through routers that each make an independent forwarding decision. The next question is how those routers decide.
The Routing Brain — BGP, Autonomous Systems, and the Global Table
The internet is not one network. It is a network of approximately 77,900 active Autonomous Systems (ASes) as of January 2026, announcing roughly 1.05 million prefixes in the global IPv4 routing table (Geoff Huston / APNIC annual BGP review, January 2026; Fact). An Autonomous System is an administrative unit — a telecom operator, a large enterprise, a cloud provider, a university, a government network — that announces which blocks of IP address space it can reach.
The protocol that stitches these 77,900 networks into a coherent global internet is the Border Gateway Protocol (BGP). BGP is a path-vector protocol: each AS announces, to its neighbors, which prefixes it can reach and the AS-path required to reach them. Neighboring ASes pass that announcement to their neighbors, prepending their own AS number to the path. Over time, every router participating in BGP builds a view of every reachable prefix and at least one path to each.
When multiple paths to the same prefix exist — which is the normal case — BGP applies a priority hierarchy to select one:
- LOCAL_PREF — operator-set preference for outbound paths.
- AS-PATH length — shorter paths preferred (a proxy for proximity).
- MED (Multi-Exit Discriminator) — neighbor-signaled preference among multiple links between the same pair of ASes.
- Origin — IGP-learned routes preferred over EGP-learned routes.
The mechanics are unremarkable. The geopolitics are not. BGP was designed in the late 1980s for a research and academic network where every participant was trusted. Routing announcements are not cryptographically verified in most deployments. An AS that announces a prefix it does not own — whether by accident, by misconfiguration, or by intent — will frequently have that announcement propagated globally before any human notices. The protocol assumes good faith.
Resource Public Key Infrastructure (RPKI) is the partial fix. RPKI allows the legitimate holder of an IP prefix to publish a cryptographically signed Route Origin Authorization (ROA) declaring which AS is permitted to originate that prefix. Routers configured to perform Route Origin Validation (ROV) can then reject announcements that fail validation. As of 2024, approximately 40–50% of ASes had published ROAs for their address space (NIST / NIC.br RPKI monitoring; Fact). The majority of the global routing table remains unverified. RPKI also only addresses one class of attack — origin hijacks. It does not protect against AS-path manipulation, where an attacker inserts itself mid-path while leaving the origin AS correct.
BGP as a Geopolitical Vulnerability
Three confirmed incidents illustrate how the trust assumption fails in practice.
Pakistan Telecom, 24 February 2008. At 18:47 UTC, Pakistan Telecom (AS17557) advertised the prefix 208.65.153.0/24, a more-specific announcement than YouTube’s legitimate 208.65.152.0/22. The Pakistani government had ordered domestic ISPs to block YouTube; the engineers attempted to null-route the prefix internally but accidentally leaked the announcement to their upstream, PCCW Global, which propagated it without filtering. Because BGP prefers more-specific prefixes, the hijack absorbed global YouTube traffic within roughly 15 seconds. Service was disrupted globally until 21:01 UTC, when YouTube announced an even more-specific /25 to reclaim traffic and PCCW withdrew the leaked route. (RIPE NCC case study; Fact.) Pakistan Telecom remains the most thoroughly documented confirmed BGP hijack on the public record.
China Telecom, 8 April 2010. China Telecom announced routes for approximately 50,000 IP prefixes for 18 minutes, affecting traffic to US .gov and .mil domains among many others. The incident was politically amplified by a US-China Economic and Security Review Commission report that cited a figure of “15% of internet traffic” being diverted — a figure that has since been debunked. BGPmon’s contemporaneous forensic assessment found actual diverted traffic at roughly 0.015% of global traffic, orders of magnitude smaller than the headline. Intentionality is disputed; BGPmon assessed the event as more likely accidental than deliberate. The “15% of traffic” figure should not be cited; it remains in circulation only because the original USCC report continues to be quoted uncritically. (Citizen Lab 2012; BGPmon 2010; Fact on technical details, Assessment on intent.)
Rostelecom, 1 April 2020. Russian state operator Rostelecom announced approximately 8,000 prefixes belonging to Google, AWS, Facebook, Cloudflare, Amazon, and others. The leak propagated through Level 3 and Hurricane Electric, two major transit providers that did not filter. Networks that had implemented RPKI ROV — notably Telia and NTT — were unaffected. Forensic analysis attributed the event to a BGP optimizer misconfiguration rather than deliberate hijack. (ThousandEyes, MANRS forensic analysis; Fact on technical details, Assessment on intent.)
The pattern across all three is consistent. A single AS makes an erroneous or malicious announcement. Major Tier-1 transit providers propagate it without filtering. Global traffic is redirected within seconds. Networks that have deployed validation are protected; the majority that have not are not. (See BGP Routing for the technical deep-dive in this series.) The protocol’s trust model collapses under adversarial conditions, and adversarial conditions are now the operating environment.
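Route Origin Validation as described in the RPKI passage, applied to the two prefixes from the Pakistan Telecom incident. This is an added example, not code from the original article or from any router implementation. The ROA is hypothetical, and every AS number except AS17557 is a documentation-range placeholder.

```python
import ipaddress
from dataclasses import dataclass

# 17557 is Pakistan Telecom's AS number as given on the page. Every other ASN
# is a placeholder from the documentation range (RFC 5398), since the page
# gives no AS number for YouTube or for the transit networks.
PAKISTAN_TELECOM_AS = 17557
YOUTUBE_AS = 64500
TRANSIT_A, TRANSIT_B = 64510, 64511

@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the holder authorizes
    max_length: int   # longest prefix length the origin may announce
    asn: int          # the only AS permitted to originate it

@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple    # leftmost = nearest neighbor, rightmost = origin AS

def rov_state(ann, roas):
    """Route origin validation (RFC 6811): 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA says nothing about the prefix
        covered = True
        if roa.asn == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def origin_reached(dest_ip, table, roas=None):
    """Origin AS that receives traffic for dest_ip under longest-prefix match.
    With roas given, routes that validate as 'invalid' are rejected first.
    Tie-breaking between equal-length prefixes is out of scope here."""
    ip = ipaddress.ip_address(dest_ip)
    matches = []
    for ann in table:
        net = ipaddress.ip_network(ann.prefix)
        if ip not in net:
            continue
        if roas is not None and rov_state(ann, roas) == "invalid":
            continue
        matches.append((net.prefixlen, ann.as_path[-1]))
    return max(matches)[1] if matches else None

# Constructed sample data: a hypothetical ROA for the /22 and the two routes
# from the 2008 incident as a remote router would have seen them.
ROAS = [ROA("208.65.152.0/22", 22, YOUTUBE_AS)]
LEGITIMATE = Announcement("208.65.152.0/22", (TRANSIT_A, YOUTUBE_AS))
LEAKED = Announcement("208.65.153.0/24", (TRANSIT_B, PAKISTAN_TELECOM_AS))
# Origin is the authorized AS; ROV does not examine the ASes ahead of it.
ORIGIN_ONLY = Announcement("208.65.152.0/22", (TRANSIT_B, TRANSIT_A, YOUTUBE_AS))

if __name__ == "__main__":
    dest = "208.65.153.10"  # constructed address inside the leaked /24
    print("no ROV ->", origin_reached(dest, [LEGITIMATE, LEAKED]))
    print("ROV    ->", origin_reached(dest, [LEGITIMATE, LEAKED], ROAS))
```

Under this ROA a /25 from the authorized origin also validates as invalid, because max_length is 22; a holder that expects to announce more-specifics has to cover them in its ROAs.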
The DNS Layer — Naming and Governance
The Domain Name System translates human-readable domain names into IP addresses. Almost nothing on the internet works without it. A user typing intelligencenotes.com triggers a recursive lookup that begins, ultimately, at the root zone — the authoritative directory of every top-level domain.
The root zone is served by 13 named root server identities (A through M), operated by 12 independent operators (Verisign operates both A-root and J-root). Each identity is implemented through anycast — many physical servers across the world responding to the same IP address — for resilience and performance. As of December 2025 there were approximately 1,954 physical root server instances globally (Internet Society Pulse; Fact).
The governance pattern is consequential. US entities operate or contract the majority of root server identities: Verisign (A, J), Cogent (C), University of Maryland (D), NASA (E), ISC (F), US Department of Defense (G), and US Army Research Lab (H). Only a minority of identities are operated outside the United States. The anycast deployment is genuinely globally distributed — Beijing, Moscow, São Paulo, and Tehran all host root server instances — but the legal and contractual authority over the operators sits overwhelmingly in US jurisdiction. (Fact.)
This is the governance geometry that drives sustained interest in DNS sovereignty projects (see Digital Sovereignty). The technical performance of DNS is not the issue; the policy authority over which strings exist, which TLDs are added, and which zones could in principle be modified is the issue. ICANN’s stewardship of the IANA functions, the multistakeholder model, and the absence of any documented instance of the US government using root authority for coercive purposes are all genuine features of the current system. They are also features that depend on continued US restraint, which is a policy choice rather than a technical guarantee. (See DNS Infrastructure for the full mapping.)
Where Traffic Aggregates — IXPs and Tier-1 Backbones
Routers exchange traffic with each other in two settings: at internet exchange points (IXPs), where many networks meet in a neutral facility to peer directly, and across transit links, where one network pays another to carry its traffic.
The world’s largest IXPs by self-reported peak traffic (Fact, with methodology caveat):
| IXP | Peak Throughput | Date | Notes |
|---|---|---|---|
| IX.br (Brazil, network aggregate) | 40 Tbps aggregate; 22 Tbps São Paulo single site | April 2025 | Distributed network across multiple Brazilian cities |
| DE-CIX (global aggregate) | 25 Tbps global; 18.22 Tbps Frankfurt single site | November 2025 | Frankfurt is largest single-location peak globally |
| AMS-IX (Amsterdam) | 14.113 Tbps | December 2024 | Single-location |
| LINX (London, aggregate) | 10.841 Tbps | September 2024 | Distributed across London region |
| MSK-IX (Moscow) | 7.7 Tbps | February 2025 | Single largest Russian IXP |
The methodology caveat is important: IX.br and DE-CIX global figures aggregate traffic across distributed networks, while Frankfurt’s 18.22 Tbps is the single largest peak at any one physical location. PCH data indicates 163 countries host at least one IXP as of May 2026 (Fact), meaning IXPs are now globally distributed even where backbone ownership remains concentrated.
Above the IXP layer sit the Tier-1 backbone operators — networks that exchange traffic with every other Tier-1 on a settlement-free basis and therefore reach the entire global routing table without paying for transit. There is no certifying authority; Tier-1 status is defined functionally. The confirmed list (Fact) includes:
- AT&T (AS7018, United States)
- Cogent (AS174, United States)
- Lumen/CenturyLink (formerly Level 3, United States)
- Arelion / Telia Carrier (AS1299, Sweden) — assessed by Kentik (2023) as currently the best-connected backbone globally
- NTT Communications (AS2914, Japan)
- Verizon (AS701, United States)
- Tata Communications (AS6453, India)
- GTT (United States)
- Deutsche Telekom / T-Systems (AS3320, Germany)
- Sparkle (Telecom Italia, Italy)
- PCCW Global (Hong Kong)
Tier-1 status is not static. In February 2024, Cogent withdrew European peering from NTT, causing measurable latency increases for traffic between affected regions. (Fact.) The episode demonstrates that the settlement-free peering relationships underpinning Tier-1 status are commercial agreements that can be revoked, and that the resulting topology change is a real operational risk — not a theoretical one. The geographic and corporate distribution of Tier-1s is also notable: roughly half are headquartered in the United States, two in Europe, two in East Asia, one in India. The footprint of the United States in the backbone layer is structural, not incidental. China and Russia are not represented at Tier-1 level; their largest carriers (China Telecom, Rostelecom) reach the global table through transit and peering arrangements rather than settlement-free Tier-1 status. (Assessment: this asymmetry is one structural driver of both Chinese and Russian sovereign internet initiatives — covered in subsequent articles.)
The Cable Foundation
Everything above runs on physical infrastructure. More than 99% of intercontinental data traffic moves through submarine cables (TeleGeography 2023; Fact). Each cable is a bundle of fiber-optic strands encased in steel and polyethylene, lying on the seabed across roughly 1.4 million kilometers of route. Cables make landfall at a small number of landing stations per country — frequently fewer than ten. Those landing stations connect, through terrestrial fiber, to the IXPs and Tier-1 backbones described above.
The strategic geometry compresses dramatically at this layer. A handful of chokepoints — the Red Sea, the Strait of Malacca, the Luzon Strait, the English Channel approaches, the Suez Canal corridor — concentrate cable density to a degree that makes physical disruption a coherent strategic option. The 2024 Red Sea cable cuts (multiple cables severed in February 2024 during Houthi maritime operations against shipping in the Bab el-Mandeb) demonstrated that intercontinental connectivity between Europe, Africa, and Asia can be measurably degraded by attacks on a few kilometers of seabed. Repair vessels are scarce, repair queues are weeks long, and the maritime jurisdictions involved are contested. (See Fiber Optic Transmission and forthcoming articles in this series for the cable-specific analysis.)
The protocols described above — packet switching, BGP, DNS — assume that physical connectivity exists. They route around individual link failures gracefully. They do not route around the simultaneous loss of multiple cables across the same chokepoint, because in that case the alternative paths do not exist at any layer.
Strategic Implications
Five implications follow from the architecture mapped above.
1. The internet’s geography is more concentrated than its rhetoric. A protocol stack designed for decentralization has, over four decades of commercial deployment, produced a topology in which a small number of Tier-1 backbones, a small number of IXPs, a small number of cable chokepoints, and a small number of root-server operators carry a disproportionate share of global traffic and authority. The decentralization argument is true at the protocol layer and increasingly false at the operational layer.
2. BGP’s trust model is incompatible with adversarial geopolitics. The protocol assumes that announcements are accurate. The empirical record (Pakistan 2008, China 2010, Russia 2020, and dozens of less-documented incidents) shows that announcements are routinely inaccurate, that propagation is faster than detection, and that even partial RPKI deployment leaves the majority of the routing table unprotected. The structural fix — full RPKI ROV adoption — is technically available and politically slow.
3. DNS governance is a policy choice, not a technical guarantee. The root zone functions because the operators choose to cooperate and US authorities choose not to coerce. Both choices are durable but neither is irreversible. Sovereign-DNS projects in China, Russia, and increasingly in BRICS+ forums are responses to this geometry, not paranoid fantasies about it. (See China, Russia, Five Eyes Architecture.)
4. The Tier-1 peering layer is a commercial system with strategic consequences. The Cogent-NTT 2024 dispute demonstrated that settlement-free peering can be withdrawn between sessions, that the resulting performance degradation is measurable, and that no authority outside the parties themselves can compel resolution. This is fine in normal commercial conditions and dangerous in a crisis.
5. The physical substrate is the binding constraint. Every protocol described above assumes the existence of fiber. The 2024 Red Sea cuts, the recurring Baltic cable incidents, and the contested maritime chokepoints make clear that the physical layer is the layer where state and proxy actors have demonstrated both capability and intent to disrupt. The remainder of this series (Parts 2–8) will trace those physical vulnerabilities in detail. See SYNTHESIS for the series synthesis.
The cloud metaphor cost analysts a generation of clarity about where the internet actually lives. Recovering that clarity — packet by packet, AS by AS, cable by cable — is the analytical prerequisite for everything that follows under Cyber Warfare and hybrid-threats analysis.
Sources
Primary technical sources (High confidence):
- Geoff Huston / APNIC — BGP in 2026 — The BGP Table (annual review, January 2026). AS count and prefix count.
- TeleGeography — Submarine Cable Map and Annual Report (2023 confirmation of the >99% intercontinental figure).
- FCC — International Bureau Report (2013). Satellite share of US international capacity at 0.37%; most recent precision figure.
- Internet Society Pulse — Root server instance count, December 2025.
- Packet Clearing House (PCH) — IXP directory, May 2026. 163 countries with at least one IXP.
- Kentik — State of the Internet Backbone (2023). Arelion best-connected assessment.
BGP hijack incidents (High confidence on technical details):
- RIPE NCC — YouTube Hijacking: A RIPE NCC RIS Case Study (2008). Pakistan Telecom incident.
- Citizen Lab — China’s Cyberspace Authority and the 2010 BGP Incident (2012); BGPmon contemporaneous analysis (2010). China Telecom incident; “15% of traffic” figure debunked.
- ThousandEyes — Internet Report: Rostelecom BGP Leak (April 2020); MANRS forensic write-up. Rostelecom incident.
IXP traffic figures (Medium-High confidence — operator self-reported):
- IX.br (NIC.br) — Operator dashboards, April 2025.
- DE-CIX — Press release, November 2025 Frankfurt record.
- AMS-IX, LINX, MSK-IX — Operator-published peak statistics, dates as cited.
Tier-1 and peering (High confidence on identity; Medium on dynamics):
- Cogent–NTT February 2024 European peering dispute — Multiple industry trade press confirmations and BGP telemetry from RIPEstat and PeeringDB.
Methodology notes (Gap labels):
- Gap: No updated post-2013 precision figure for satellite share of intercontinental traffic. The >99% submarine cable figure is a confirmed lower bound, not a precise measurement.
- Gap: Global RPKI ROA coverage figures vary by measurement methodology and reporting body; the 40–50% range reflects 2024 NIST and NIC.br monitoring and may have shifted since.
- Caveat: IXP peak figures are operator self-reported and not independently audited. Distributed-network aggregates (IX.br, DE-CIX global) are not directly comparable to single-site peaks (Frankfurt, AMS-IX).
Series navigation: This is Part 1 of 8 in Information Infrastructure — The Physical Internet. Subsequent parts cover submarine cables, terrestrial fiber, satellite alternatives, IXPs and peering geography, DNS and root governance, sovereign internet initiatives, and the strategic chokepoint map.