Part I: Network Theory Chapter 2

The OSI Model & TCP/IP Stack

Understanding the layered architecture of network communication with real-world troubleshooting scenarios

The $440 Million Misunderstanding

On August 8, 2012, Knight Capital Group, one of America’s largest market makers, experienced a software deployment disaster that nearly destroyed the company. A technician forgot to copy updated trading software to one of eight servers. When the markets opened, that one misconfigured server began executing trades with an algorithm designed for testing—not live markets.

In 45 minutes, Knight Capital executed 4 million trades, buying and selling $7 billion worth of stocks they didn’t want. By the time someone noticed the anomaly, the company had lost $440 million.

What does this have to do with network layers? Everything.

The debugging process revealed a critical lesson: when troubleshooting complex systems, you need a systematic approach. Random guessing wastes precious time. Knight’s team initially suspected network issues, then application bugs, then database problems—jumping between layers without method. The layered network model we’ll explore in this chapter provides exactly this systematic approach.

When a network problem occurs, understanding whether it’s a physical cable issue (Layer 1), a switching problem (Layer 2), a routing misconfiguration (Layer 3), or an application bug (Layer 7) focuses your troubleshooting instantly. This chapter teaches you to think in layers—a skill that will make you a better network professional and a more effective security analyst.


Why Layers Matter

Imagine trying to mail a letter to someone in another country. You don’t personally carry the letter to its destination. Instead, you write your message, put it in an envelope with an address, and hand it to a postal service. The postal service handles the logistics—sorting, transportation, international customs, local delivery. At each stage, different specialists handle different aspects of getting your letter to its destination.

Computer networks work similarly. When you send data across a network, it passes through multiple layers of processing, each handling a specific aspect of communication. This layered approach makes networks manageable: each layer can focus on its job without worrying about the details of other layers.

The Power of Abstraction

A web developer doesn’t need to understand electrical signaling on copper cables, just as a hardware engineer doesn’t need to understand HTTP. Each specialist works at their layer, trusting that other layers will do their jobs.

Layer Focus            │ Specialist         │ Concern
───────────────────────┼────────────────────┼─────────────────────────────────────
Application protocols  │ Developer          │ “How do I format this API request?”
Transport reliability  │ Systems engineer   │ “Is TCP or UDP better here?”
Network routing        │ Network engineer   │ “Which path should packets take?”
Physical connectivity  │ Cabling technician │ “Is this fiber splice clean?”

The Two Dominant Models

Two models describe network layers:

  • OSI Model (7 layers): A theoretical framework developed by ISO, excellent for discussion and teaching
  • TCP/IP Model (4 layers): The practical implementation that powers the internet

Understanding both helps you reason about how data moves through networks and where vulnerabilities can arise.

PRO TIP

In job interviews and professional discussions, people often reference OSI layers: “This seems like a Layer 2 problem” or “That’s handled at Layer 7.” Speaking in these terms demonstrates expertise—even though the actual protocols are TCP/IP.


The OSI Reference Model

The Open Systems Interconnection (OSI) model was developed by the International Organization for Standardization (ISO) in the late 1970s and early 1980s. It divides network communication into seven distinct layers, each with specific responsibilities.

Each layer provides services to the layer above it and relies on services from the layer below. This separation of concerns allows different technologies to be mixed and matched: you can change your physical medium from copper to fiber without affecting how your web browser works.

OSI Model - The Seven Layers
    ═══════════════════════════════════════════════════════════

    Layer 7  │ Application   │ HTTP, DNS, SSH, SMTP
             │               │ User-facing network services
    ─────────┼───────────────┼─────────────────────────────────
    Layer 6  │ Presentation  │ SSL/TLS, JPEG, ASCII
             │               │ Data formatting and encryption
    ─────────┼───────────────┼─────────────────────────────────
    Layer 5  │ Session       │ NetBIOS, RPC
             │               │ Session management
    ─────────┼───────────────┼─────────────────────────────────
    Layer 4  │ Transport     │ TCP, UDP, QUIC
             │               │ End-to-end delivery, ports
    ─────────┼───────────────┼─────────────────────────────────
    Layer 3  │ Network       │ IP, ICMP, IPsec
             │               │ Logical addressing, routing
    ─────────┼───────────────┼─────────────────────────────────
    Layer 2  │ Data Link     │ Ethernet, WiFi, ARP
             │               │ Physical addressing, framing
    ─────────┼───────────────┼─────────────────────────────────
    Layer 1  │ Physical      │ Cables, signals, connectors
             │               │ Raw bit transmission
    ═══════════════════════════════════════════════════════════

Layer 1: Physical Layer

The Physical layer deals with the raw transmission of bits over a physical medium. It defines electrical voltages, cable specifications, connector types, and signal timing. When your NIC sends a “1” or “0,” the Physical layer determines what that actually means in terms of electrical current, light pulses, or radio waves.

Responsibilities:

  • Bit-by-bit transmission and reception
  • Physical medium specifications (cables, connectors)
  • Signaling methods (electrical, optical, wireless)
  • Encoding schemes (how bits are represented as signals)
  • Physical topology

Examples: Ethernet cables (Cat5e, Cat6, Cat6a, Cat8), fiber optic cables, wireless radio frequencies, USB, DSL

Devices: Hubs, repeaters, network cables, modems

At this layer, there’s no concept of addressing or data organization—just raw bits flowing between directly connected devices.

Security Note: Physical layer attacks include cable tapping, signal interception, and jamming. Physical security (controlling who can access network cables and equipment) is the first line of defense. Wireless networks are inherently more vulnerable at this layer since anyone within range can receive signals.

COMMON MISTAKE

Overlooking physical problems. Before diving into complex debugging, always verify: Is the cable plugged in? Is the link light on? A surprising number of “network outages” are caused by loose cables or failed ports.

Layer 2: Data Link Layer

The Data Link layer provides node-to-node data transfer on a local network segment. It organizes raw bits into structured units called frames, handles physical addressing using MAC addresses, detects (and sometimes corrects) transmission errors, and controls access to the shared physical medium.

This layer is often divided into two sublayers:

  • LLC (Logical Link Control): Interfaces with the Network layer, provides flow control and error handling
  • MAC (Media Access Control): Controls how devices gain access to the medium and permission to transmit

Responsibilities:

  • Framing (organizing bits into meaningful units)
  • Physical addressing (MAC addresses)
  • Error detection (CRC checksums)
  • Media access control (who can transmit when)
  • Flow control between adjacent nodes

Examples: Ethernet (IEEE 802.3), WiFi (IEEE 802.11), PPP (Point-to-Point Protocol)

Devices: Switches, bridges, network interface cards

Ethernet Frame Structure:
═══════════════════════════════════════════════════════════════════

┌──────────┬─────────┬─────────┬───────────┬──────────────────┬─────────┐
│ Preamble │ Dest    │ Source  │ EtherType │     Payload      │ FCS     │
│ 8 bytes  │ MAC     │ MAC     │ 2 bytes   │   46-1500 bytes  │ 4 bytes │
│          │ 6 bytes │ 6 bytes │           │                  │         │
└──────────┴─────────┴─────────┴───────────┴──────────────────┴─────────┘

Common EtherType Values:
0x0800 = IPv4    0x0806 = ARP    0x86DD = IPv6    0x8100 = VLAN Tag

Security Note: Many Layer 2 attacks exploit the trust inherent in local networks. ARP spoofing, MAC flooding, and VLAN hopping all target this layer. We’ll explore these attacks extensively in Part II, Chapter 2.

Layer 3: Network Layer

The Network layer enables data transfer between devices that may not be directly connected—they could be on different networks separated by many routers. This layer provides logical addressing (IP addresses) that identify devices globally, determines the path (routing) data should take through the network, and handles fragmentation when data is too large for a network segment.

While the Data Link layer gets frames from point A to point B on the same local network, the Network layer gets packets from any point to any other point, regardless of how many intermediate networks lie between them.

Responsibilities:

  • Logical addressing (IP addresses)
  • Routing (path determination)
  • Packet forwarding
  • Fragmentation and reassembly
  • Handling different network technologies

Examples: IP (Internet Protocol), ICMP (Internet Control Message Protocol), IPsec

Devices: Routers, Layer 3 switches

IPv4 Packet Structure (Simplified):
═══════════════════════════════════════════════════════════════════

┌─────────┬─────────┬─────────────┬───────────────────────────────┐
│ Version │   IHL   │   TOS/DSCP  │         Total Length          │
│ 4 bits  │ 4 bits  │   8 bits    │          16 bits              │
├─────────┴─────────┴─────────────┼───────┬───────────────────────┤
│      Identification             │ Flags │    Fragment Offset    │
│         16 bits                 │ 3 bits│       13 bits         │
├─────────┬──────────┬────────────┴───────┴───────────────────────┤
│   TTL   │  Protocol│            Header Checksum                 │
│ 8 bits  │  8 bits  │              16 bits                       │
├─────────┴──────────┴────────────────────────────────────────────┤
│                      Source IP Address (32 bits)                │
├─────────────────────────────────────────────────────────────────┤
│                   Destination IP Address (32 bits)              │
├─────────────────────────────────────────────────────────────────┤
│                        Options (if any)                         │
├─────────────────────────────────────────────────────────────────┤
│                           Data                                  │
└─────────────────────────────────────────────────────────────────┘

Security Note: IP spoofing (forging source IP addresses), ICMP attacks, and routing manipulation occur at this layer. The lack of built-in authentication in IP makes many attacks possible. See Part II, Chapter 3.

Layer 4: Transport Layer

The Transport layer provides end-to-end communication services between applications running on different hosts. While the Network layer handles getting packets to the right computer, the Transport layer ensures they get to the right application on that computer and handles reliability and flow control.

The two primary protocols at this layer are TCP (Transmission Control Protocol), which provides reliable, ordered delivery with error checking and flow control, and UDP (User Datagram Protocol), which provides fast, connectionless delivery without guarantees.

Responsibilities:

  • End-to-end message delivery
  • Port numbers (identifying applications)
  • Segmentation and reassembly
  • Flow control (preventing overwhelming receivers)
  • Error recovery (TCP)
  • Congestion control (TCP)

Examples: TCP, UDP, QUIC, SCTP

Transport Layer Addressing:
═══════════════════════════════════════════════════════════════════

    IP Address + Port Number = Socket

    ┌─────────────────────────────────────────────────────────────┐
    │  Your Computer                    Web Server                │
    │  192.168.1.100                    93.184.216.34             │
    │                                                             │
    │  ┌─────────────┐                  ┌─────────────┐           │
    │  │ Browser     │    ─────────►    │ Web Server  │           │
    │  │ Port: 52431 │                  │ Port: 443   │           │
    │  └─────────────┘    ◄─────────    └─────────────┘           │
    │                                                             │
    │  Socket: 192.168.1.100:52431      Socket: 93.184.216.34:443 │
    └─────────────────────────────────────────────────────────────┘

Security Note: TCP session hijacking, SYN floods, and port scanning are Transport layer attacks. The TCP three-way handshake, while elegant, has vulnerabilities that attackers exploit. See Part II, Chapter 4.

Layer 5: Session Layer

The Session layer manages sessions—ongoing conversations between applications. It establishes, maintains, and terminates these connections, handles synchronization and checkpointing (so long transfers can recover from interruption), and manages dialog control (full-duplex, half-duplex).

In practice, the Session layer’s functions are often incorporated into application protocols or the Transport layer. Pure Session layer protocols are rare in modern networking.

Responsibilities:

  • Session establishment, maintenance, termination
  • Synchronization and checkpointing
  • Dialog control

Examples: NetBIOS, RPC (Remote Procedure Call), various application-specific session handling

Layer 6: Presentation Layer

The Presentation layer handles data formatting, ensuring that data from one system’s application layer can be understood by another’s. It deals with translation between different data formats, encryption and decryption, and compression.

Like the Session layer, the Presentation layer’s functions are often handled within applications themselves in modern systems. TLS/SSL encryption, while sometimes conceptually placed here, actually operates between the Transport and Application layers.

Responsibilities:

  • Data format translation
  • Encryption/decryption
  • Compression/decompression
  • Character encoding (ASCII, Unicode, etc.)

Examples: SSL/TLS (though debated), JPEG, MPEG, ASCII/EBCDIC conversion, gzip compression

Layer 7: Application Layer

The Application layer is where network-aware applications and services operate. This layer provides the interface between the network and user applications. HTTP for web browsing, SMTP for email, DNS for name resolution—these are all Application layer protocols.

Note that the “application” here doesn’t mean software like your web browser itself. Rather, it refers to the network protocols that applications use. Your browser is software that uses the HTTP protocol (Application layer) to communicate with web servers.

Responsibilities:

  • Network services for applications
  • Resource sharing
  • Remote access
  • Network management

Examples: HTTP, HTTPS, FTP, SMTP, DNS, SSH, DHCP, SNMP

Security Note: Application layer attacks include SQL injection, cross-site scripting (XSS), and DNS poisoning. These exploit vulnerabilities in how applications handle data. Part II, Chapter 5 covers many of these attacks.

Remembering the Layers

A common mnemonic for the OSI layers (from bottom to top):

Please Do Not Throw Sausage Pizza Away

  • Physical
  • Data Link
  • Network
  • Transport
  • Session
  • Presentation
  • Application

Or from top to bottom: All People Seem To Need Data Processing


Data Encapsulation

When you send data over a network, it doesn’t travel as-is. Each layer adds its own header (and sometimes trailer) information, wrapping the data like nested envelopes. This process is called encapsulation.

Encapsulation Process:
═══════════════════════════════════════════════════════════════════

Application Layer:
┌─────────────────────────────────────────────────────────────────┐
│                         DATA                                    │
└─────────────────────────────────────────────────────────────────┘
                                │
                                ▼
Transport Layer:
┌──────────┬──────────────────────────────────────────────────────┐
│ TCP HDR  │                    DATA                              │
└──────────┴──────────────────────────────────────────────────────┘
                                │
                                ▼
Network Layer:
┌──────────┬──────────┬───────────────────────────────────────────┐
│  IP HDR  │ TCP HDR  │                  DATA                     │
└──────────┴──────────┴───────────────────────────────────────────┘
                                │
                                ▼
Data Link Layer:
┌──────────┬──────────┬──────────┬────────────────────────┬───────┐
│ ETH HDR  │  IP HDR  │ TCP HDR  │         DATA           │  FCS  │
└──────────┴──────────┴──────────┴────────────────────────┴───────┘
                                │
                                ▼
Physical Layer:
┌─────────────────────────────────────────────────────────────────┐
│   101010001101001010101010100010101011010101010101001010101...  │
└─────────────────────────────────────────────────────────────────┘

At the sending host:

  1. Your application creates data and passes it down
  2. Each layer adds its header, creating a new Protocol Data Unit (PDU)
  3. The Physical layer transmits the bits

At the receiving host:

  1. The Physical layer receives bits
  2. Each layer strips its header, reads its information, and passes the payload up
  3. The application receives the original data

Protocol Data Units (PDUs)

Each layer’s PDU has a specific name:

Layer        │ PDU Name                        │ Contains
─────────────┼─────────────────────────────────┼────────────────────────────────────
Application  │ Data/Message                    │ User data
Transport    │ Segment (TCP) / Datagram (UDP)  │ Transport header + data
Network      │ Packet                          │ Network header + segment
Data Link    │ Frame                           │ Data link header + packet + trailer
Physical     │ Bits                            │ Binary representation of frame

TRY IT YOURSELF

Capture packets with Wireshark and watch encapsulation in action:

# Install Wireshark (if not already installed)
# Start capture on your interface
# Visit a website
# Click on a packet and expand each layer

You’ll see each layer nested inside the one below it—exactly as the encapsulation diagram shows.

Security Note: Understanding encapsulation is crucial for security. Packet crafting tools like Scapy let you manually build packets layer by layer, allowing security professionals to test how systems handle malformed or unexpected packets.
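
The receiving-host steps above, written out as an added example (not part of the original chapter): it builds one constructed Ethernet/IPv4/TCP frame using the chapter's socket pair, then strips it layer by layer and rejects truncated or inconsistent headers. The MAC addresses, the payload and every function name are assumptions made for illustration.

```python
import ipaddress
import struct

# EtherType values listed in the chapter's Ethernet frame diagram.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "VLAN Tag"}
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


class MalformedPacket(ValueError):
    """A header is truncated or its fields contradict each other."""


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ethernet(frame: bytes):
    """Layer 2. Captured frames normally arrive without preamble and FCS."""
    if len(frame) < 14:
        raise MalformedPacket("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    header = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
              "type_name": ETHERTYPES.get(ethertype, "unknown")}
    return header, frame[14:]


def parse_ipv4(packet: bytes):
    """Layer 3. Validate every length field before using it as a slice bound."""
    if len(packet) < 20:
        raise MalformedPacket("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise MalformedPacket(f"version field is {version}, not 4")
    if ihl < 20 or ihl > len(packet):
        raise MalformedPacket("IHL points outside the captured bytes")
    if total_len < ihl or total_len > len(packet):
        raise MalformedPacket("Total Length disagrees with the captured bytes")
    if internet_checksum(packet[:ihl]) != 0:
        raise MalformedPacket("header checksum mismatch")
    header = {"src": str(ipaddress.IPv4Address(src)),
              "dst": str(ipaddress.IPv4Address(dst)),
              "ttl": ttl, "protocol": proto, "total_length": total_len}
    # Slicing at Total Length drops the padding Ethernet adds to short payloads.
    return header, packet[ihl:total_len]


def parse_tcp(segment: bytes):
    """Layer 4. The TCP checksum is not verified in this example."""
    if len(segment) < 20:
        raise MalformedPacket("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _cksum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise MalformedPacket("TCP data offset points outside the segment")
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    return {"sport": sport, "dport": dport, "flags": flags}, segment[data_offset:]


def decapsulate(frame: bytes):
    """Strip headers bottom-up, as the receiving host does."""
    eth, packet = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:
        raise MalformedPacket(f"not IPv4: EtherType {eth['ethertype']:#06x}")
    ip, segment = parse_ipv4(packet)
    if ip["protocol"] != 6:
        raise MalformedPacket(f"not TCP: protocol {ip['protocol']}")
    tcp, data = parse_tcp(segment)
    return eth, ip, tcp, data


def build_sample_frame() -> bytes:
    """Constructed sample: encapsulate b'DATA' top-down, as the sending host does."""
    data = b"DATA"
    tcp = struct.pack("!HHIIHHHH", 52431, 443, 1, 1, (5 << 12) | 0x18,
                      64240, 0, 0) + data
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
        ipaddress.IPv4Address("192.168.1.100").packed,
        ipaddress.IPv4Address("93.184.216.34").packed))
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    # Constructed locally administered MACs: destination first, then source.
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", 0x0800)
    # Pad to the 46-byte minimum payload (60 bytes on the wire before the FCS).
    return (eth + bytes(ip) + tcp).ljust(60, b"\x00")


if __name__ == "__main__":
    for layer in decapsulate(build_sample_frame()):
        print(layer)
```

Because the sample payload is shorter than 46 bytes, the frame carries two bytes of Ethernet padding; only the IPv4 Total Length field tells the receiver where the real data ends.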


The TCP/IP Model

While the OSI model is academically comprehensive, the actual internet runs on the TCP/IP model (also called the Internet Protocol Suite). Developed by the U.S. Department of Defense in the 1970s, TCP/IP predates the OSI model and has a more practical, implementation-focused design.

The TCP/IP model consolidates the seven OSI layers into four (or sometimes five) layers:

OSI Model vs TCP/IP Model:
═══════════════════════════════════════════════════════════════════

    OSI Model                          TCP/IP Model
    ─────────                          ────────────

    ┌───────────────────┐              ┌───────────────────┐
    │   Application     │              │                   │
    ├───────────────────┤              │    Application    │
    │   Presentation    │   ────────►  │                   │
    ├───────────────────┤              │                   │
    │   Session         │              └───────────────────┘
    └───────────────────┘
    ┌───────────────────┐              ┌───────────────────┐
    │   Transport       │   ────────►  │    Transport      │
    └───────────────────┘              └───────────────────┘
    ┌───────────────────┐              ┌───────────────────┐
    │   Network         │   ────────►  │    Internet       │
    └───────────────────┘              └───────────────────┘
    ┌───────────────────┐              ┌───────────────────┐
    │   Data Link       │              │   Network Access  │
    ├───────────────────┤   ────────►  │   (Link Layer)    │
    │   Physical        │              │                   │
    └───────────────────┘              └───────────────────┘

TCP/IP Layer Overview

Network Access Layer (Link Layer): Combines OSI Layers 1 and 2. Handles physical connectivity and local network frame delivery. TCP/IP is largely agnostic about what happens here—it works over Ethernet, WiFi, PPP, or any other link technology.

Internet Layer: Corresponds to OSI Layer 3. IP (Internet Protocol) is the cornerstone, handling logical addressing and routing. ICMP and routing protocols also operate here.

Transport Layer: Corresponds to OSI Layer 4. TCP, UDP, and the newer QUIC provide end-to-end communication. TCP offers reliability; UDP offers speed; QUIC offers both (we’ll explore QUIC in Chapter 5).

Application Layer: Combines OSI Layers 5, 6, and 7. All high-level protocols (HTTP, DNS, SSH, etc.) operate here. Session management, data formatting, and encryption are handled by individual protocols rather than separate layers.

Why TCP/IP “Won”

The TCP/IP model became dominant for several reasons:

  1. Practical origin: It was developed as a working implementation, not a theoretical framework
  2. Simple design: Fewer layers mean less complexity
  3. Flexibility: The Application layer consolidation allows protocols to implement exactly the features they need
  4. Government adoption: Its use in ARPANET (the internet’s predecessor) gave it an early advantage
  5. Open specifications: RFCs made the standards freely available

The OSI model remains valuable as a teaching and discussion framework—it’s more detailed and helps isolate specific functions. When troubleshooting, people often reference OSI layers: “This seems like a Layer 2 problem” is meaningful even though the actual protocols are TCP/IP.

THINK ABOUT IT

Why might a simpler 4-layer model be preferable for implementation, while a more detailed 7-layer model is better for education and discussion? Consider the trade-offs between specificity and practical usability.


Key Protocols by Layer

Here’s a quick reference mapping common protocols to both models:

Protocol       │ OSI Layer(s) │ TCP/IP Layer            │ Function
───────────────┼──────────────┼─────────────────────────┼────────────────────────────
Ethernet       │ 1, 2         │ Network Access          │ LAN connectivity
WiFi (802.11)  │ 1, 2         │ Network Access          │ Wireless LAN
ARP            │ 2            │ Network Access          │ IP to MAC resolution
IP (v4, v6)    │ 3            │ Internet                │ Logical addressing, routing
ICMP           │ 3            │ Internet                │ Diagnostics, error messages
TCP            │ 4            │ Transport               │ Reliable connections
UDP            │ 4            │ Transport               │ Fast, connectionless
QUIC           │ 4            │ Transport               │ Encrypted, multiplexed
HTTP/HTTPS     │ 5, 6, 7      │ Application             │ Web communication
HTTP/2         │ 5, 6, 7      │ Application             │ Multiplexed web
HTTP/3         │ 5, 6, 7      │ Application             │ QUIC-based web
DNS            │ 7            │ Application             │ Name resolution
TLS/SSL        │ 5, 6         │ Application (typically) │ Encryption
SMTP           │ 7            │ Application             │ Email transfer
SSH            │ 7            │ Application             │ Secure shell access
DHCP           │ 7            │ Application             │ Dynamic IP assignment

Practical Troubleshooting with Layers

The Layer-by-Layer Approach

When something doesn’t work, start at Layer 1 and work your way up:

Systematic Troubleshooting Flowchart:
═══════════════════════════════════════════════════════════════════

Layer 1: Physical
├── Is the cable connected?
├── Are the link lights on?
├── Is the wireless adapter enabled?
└── Try a different port/cable
    │
    ▼  Physical OK

Layer 2: Data Link
├── Is the NIC enabled? (ip link show)
├── Do you see traffic? (tcpdump)
├── Is the MAC address correct?
└── Try different switch port
    │
    ▼  Data Link OK

Layer 3: Network
├── Do you have an IP address? (ip addr)
├── Can you ping your gateway?
├── Can you ping external IPs (8.8.8.8)?
└── Check routing table (ip route)
    │
    ▼  Network OK

Layer 4: Transport
├── Is the service listening? (ss -tuln)
├── Is the port reachable? (nc -zv host port)
├── Are firewalls blocking traffic?
└── Check connection states
    │
    ▼  Transport OK

Layer 7: Application
├── Is DNS working? (dig example.com)
├── Does HTTP work? (curl http://...)
├── Check application logs
└── Test with known-working client

Real-World Troubleshooting Scenarios

Scenario 1: “The Internet is Down”

User reports they can’t access websites.

# Step 1: Layer 1 - Physical
$ ip link show
eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> ...
# No carrier = cable problem or switch issue

# After reconnecting cable:
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> ...
# Link is up, move to Layer 3

# Step 2: Layer 3 - Network
$ ip addr show eth0
inet 192.168.1.100/24 ...  # Good, we have an IP

$ ping 192.168.1.1  # Gateway
PING 192.168.1.1: 64 bytes from 192.168.1.1  # Gateway works

$ ping 8.8.8.8      # External IP
Request timeout  # Problem is beyond gateway

# Check ISP connectivity, modem, etc.

Scenario 2: “I Can’t Reach the Web Server”

Application reports connection failures to api.example.com.

# Step 1: Layer 3 - Can we reach the network?
$ ping api.example.com
64 bytes from 93.184.216.34: icmp_seq=1 ttl=56  # Reachable

# Step 2: Layer 4 - Is the port open?
$ nc -zv api.example.com 443
Connection to api.example.com 443 port [tcp/https] succeeded!

# Step 3: Layer 7 - Does the application protocol work?
$ curl -v https://api.example.com
* TLS handshake failed
* error:certificate has expired

# Problem found: SSL certificate expired (Layer 6/7 issue)
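
Scenario 2's layer walk as a script, added here as an example rather than taken from the original chapter. The names `probe` and `Finding` and the stage labels are illustrative; ICMP ping is left out because it needs raw-socket privileges, so a refused connection is treated as the sign that Layer 3 works.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Finding:
    stage: str   # "dns", "tcp-refused", "tcp", "tls-cert", "tls" or "ok"
    layer: str   # layer label in the chapter's terms
    detail: str


def probe(host: str, port: int = 443, timeout: float = 3.0, context=None) -> Finding:
    """Walk up the stack and stop at the first stage that fails."""
    # Name resolution. An IP literal passes straight through.
    try:
        family, socktype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return Finding("dns", "Layer 7 (DNS)", str(exc))

    # TCP three-way handshake: the same question `nc -zv host port` answers.
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except ConnectionRefusedError:
        # The remote stack answered with a reset, so routing (Layer 3) is fine.
        sock.close()
        return Finding("tcp-refused", "Layer 4 (Transport)",
                       "host reachable, nothing listening on the port")
    except OSError as exc:
        # No answer at all: routing problem, host down, or a filter dropping packets.
        sock.close()
        return Finding("tcp", "Layer 3/4 (Network or Transport)",
                       f"{type(exc).__name__}: {exc}")

    # TLS handshake with certificate and hostname verification, as curl does.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return Finding("ok", "all checked layers", tls.version() or "")
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate is reported here by the verifier.
        return Finding("tls-cert", "Layer 6/7 (TLS certificate)", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return Finding("tls", "Layer 6/7 (TLS handshake)",
                       f"{type(exc).__name__}: {exc}")
    finally:
        sock.close()


if __name__ == "__main__":
    print(probe("api.example.com", 443))
```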

Scenario 3: “Some Packets Are Being Dropped”

Intermittent connectivity issues.

# Layer 2: Check for errors
$ ip -s link show eth0
RX: bytes  packets  errors  dropped  overrun  mcast
    123456 1000     15      3        0        0
TX: bytes  packets  errors  dropped  carrier  collsns
    78901  800      0       0        0        0

# 15 RX errors suggest physical/cable issues
# Could be a bad cable, EMI, or a failing NIC

# Also check switch interface:
# show interface errors (on switch CLI)

PRO TIP

Document your troubleshooting steps as you go. This creates a log you can reference and shows others (or your future self) what you’ve already ruled out. Many organizations require this for change management.


Practical Example: Web Request Journey

Let’s trace what happens when you type β€œhttps://example.com” in your browser:

Complete Web Request Journey:
═══════════════════════════════════════════════════════════════════

Your Computer                          example.com Server
═══════════════                        ══════════════════

1. APPLICATION LAYER                   │
   Browser creates HTTP GET request    │
   "GET / HTTP/1.1"                    │
                                       │
2. DNS RESOLUTION (Application)        │
   Browser asks: "What IP is           │
   example.com?"                       │
   DNS returns: 93.184.216.34          │
                                       │
3. TRANSPORT LAYER                     │
   TCP 3-way handshake:                │
   ──────────────────────────►        SYN
   ◄──────────────────────────        SYN-ACK
   ──────────────────────────►        ACK
                                       │
4. TLS HANDSHAKE (Transport/App)       │
   Key exchange, certificate           │
   verification, cipher selection      │
                                       │
5. HTTP REQUEST (encrypted)            │
   ══════════════════════════►         │
                                       │
6. At each router hop:                 │
   NETWORK LAYER                       │
   ┌─────────────────────────┐         │
   │ Read destination IP     │         │
   │ Consult routing table   │         │
   │ Decrement TTL           │         │
   │ Forward to next hop     │         │
   └─────────────────────────┘         │
                                       │
7. At each hop's link:                 │
   DATA LINK LAYER                     │
   ┌─────────────────────────┐         │
   │ Reframe with new        │         │
   │ source/dest MAC for     │         │
   │ next segment            │         │
   └─────────────────────────┘         │
                                       │
8. PHYSICAL LAYER                      │
   ┌─────────────────────────┐         │
   │ Electrical signals,     │         │
   │ light pulses, or        │         │
   │ radio waves             │         │
   └─────────────────────────┘         │
                                       ▼
                                   Server receives
                                   Process reverses
                                   Response sent back

The Journey in Detail

  1. Application Layer: Your browser initiates an HTTPS request. First, DNS resolves "example.com" to an IP address (e.g., 93.184.216.34).

  2. Transport Layer: TCP establishes a connection to port 443 (HTTPS) via the three-way handshake. TLS then performs its handshake for encryption.

  3. Network Layer: IP addresses your packets (source is your IP, destination is 93.184.216.34). Your local routing table determines the first hop (your default gateway).

  4. Data Link Layer: Your NIC creates Ethernet frames. ARP resolves your gateway's IP to its MAC address. Frames are addressed MAC-to-MAC.

  5. Physical Layer: Your NIC converts frames to electrical signals (if wired) or radio waves (if WiFi).

  6. En route: Each router along the path reads the IP header (Layer 3), makes a routing decision, re-encapsulates the packet in a new frame (Layer 2) appropriate for the next hop, and transmits.

  7. At the server: The process reverses. The server's NIC receives the bits, reassembles the frame, extracts the packet, delivers the segment to the TCP stack, decrypts the TLS data, and hands the HTTP request to the web server application.

  8. Response: The web server creates an HTTP response, and the entire process happens in reverse to deliver the webpage to your browser.
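
The per-hop behaviour in steps 3, 4 and 6, shown as an added example that is not part of the original chapter: Python code that builds an Ethernet frame carrying an IPv4 header, then applies what one router does to it (validate, decrement TTL, recompute the header checksum, re-frame with new MAC addresses). The MAC addresses, the 192.0.2.10 source address, the payload bytes and all function names are constructed for illustration; IP options are assumed absent.

```python
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b""):
    """Ethernet II frame carrying a 20-byte IPv4 header (protocol 6 = TCP)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     ttl, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + payload

def route_hop(frame, egress_mac, next_hop_mac):
    """One router hop: Layer 3 header is edited, Layer 2 header is replaced."""
    ip = bytearray(frame[14:34])              # assumes IHL = 5 (no options)
    if frame[12:14] != b"\x08\x00" or checksum(bytes(ip)) != 0:
        raise ValueError("not IPv4 or bad header checksum: drop")
    if ip[8] <= 1:
        raise ValueError("TTL expired: drop and send ICMP Time Exceeded")
    ip[8] -= 1                                # decrement TTL
    ip[10:12] = b"\x00\x00"                   # zero checksum field, then refill
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return mac(next_hop_mac) + mac(egress_mac) + frame[12:14] + bytes(ip) + frame[34:]

def summarize(frame):
    ip = frame[14:34]
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst_mac": fmt(frame[0:6]), "src_mac": fmt(frame[6:12]), "ttl": ip[8],
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20]))}

# Constructed sample: host -> default gateway, then gateway -> next router.
HOST, GW_IN = "02:00:00:00:00:01", "02:00:00:00:00:aa"
GW_OUT, NEXT = "02:00:00:00:00:ab", "02:00:00:00:00:bb"
sent = build_frame(GW_IN, HOST, "192.0.2.10", "93.184.216.34", ttl=64,
                   payload=b"TCP segment (opaque to the router)")
forwarded = route_hop(sent, GW_OUT, NEXT)

if __name__ == "__main__":
    print(summarize(sent))
    print(summarize(forwarded))
```

Comparing the two summaries shows the IP addresses unchanged end to end while the MAC addresses and TTL change at the hop, which is why a capture taken on one segment never shows the original sender's MAC once the packet has crossed a router.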

TRY IT YOURSELF

Trace a request's path across the internet:

# See the routers between you and a destination
traceroute example.com     # Linux/macOS
tracert example.com        # Windows

# Each line is a router that processed your packet at Layer 3
# Notice how many hops it takes to reach common websites!

Modern Additions: Beyond the Classic Models

Where Does TLS Fit?

TLS/SSL is famously difficult to place in the OSI model. It provides:

  • Encryption (Presentation layer function)
  • Session management (Session layer function)
  • But operates on top of TCP (above Transport layer)

In practice, TLS sits between Layer 4 and Layer 7, creating a secure channel that application protocols use. This is sometimes called "Layer 6.5" or just acknowledged as a cross-layer protocol.

QUIC: Blurring the Lines

QUIC (Quick UDP Internet Connections), used by HTTP/3, challenges traditional layer boundaries:

Traditional Stack:          QUIC Stack:
─────────────────          ────────────
┌───────────────┐          ┌───────────────┐
│    HTTP/2     │          │    HTTP/3     │
├───────────────┤          ├───────────────┤
│     TLS       │          │     QUIC      │ ← Combines transport
├───────────────┤          │  (encryption  │   + encryption
│     TCP       │          │  + transport) │   in one layer
├───────────────┤          ├───────────────┤
│      IP       │          │     UDP       │
└───────────────┘          ├───────────────┤
                           │      IP       │
                           └───────────────┘

QUIC includes:

  • Transport functions: Reliability, congestion control, multiplexing
  • Security functions: Built-in TLS 1.3 encryption
  • Session functions: Connection migration, 0-RTT resumption

This integration improves performance but complicates the clean layer separation. We'll explore QUIC in depth in Chapter 5.

Service Mesh and Overlay Networks

Modern cloud architectures add additional layers:

Modern Cloud Network Stack:
═══════════════════════════════════════════════════════════════════

    ┌─────────────────────────────────────────────────────────────┐
    │  Service Mesh (Istio, Linkerd)                              │
    │  - Service discovery, load balancing, mTLS                  │
    ├─────────────────────────────────────────────────────────────┤
    │  Container Network (CNI)                                    │
    │  - Pod networking, network policies                         │
    ├─────────────────────────────────────────────────────────────┤
    │  Overlay Network (VXLAN, Geneve)                            │
    │  - Virtual networks over physical infrastructure            │
    ├─────────────────────────────────────────────────────────────┤
    │  Traditional TCP/IP Stack                                   │
    │  - IP, TCP/UDP, Ethernet                                    │
    └─────────────────────────────────────────────────────────────┘

These concepts are explored in Chapters 9 (Cloud Networking) and 10 (Container Networking).


Security Implications by Layer

Layer             Attack Examples                               Security Controls
────────────────  ────────────────────────────────────────────  ───────────────────────────────
1 - Physical      Cable tapping, jamming, theft                 Physical security, locked rooms
2 - Data Link     ARP spoofing, MAC flooding, VLAN hopping      Port security, DAI, 802.1X
3 - Network       IP spoofing, ICMP attacks, route hijacking    Firewalls, ACLs, RPKI
4 - Transport     SYN floods, session hijacking, port scanning  Stateful firewalls, SYN cookies
5 - Session       Session fixation, replay attacks              Secure session management
6 - Presentation  SSL stripping, encoding attacks               HSTS, proper TLS config
7 - Application   SQL injection, XSS, DNS poisoning             WAF, input validation, DNSSEC

When analyzing security, thinking in layers helps isolate vulnerabilities and design defense in depth.

THINK ABOUT IT

Why is "defense in depth" (security controls at multiple layers) important? What happens if you only secure one layer?


Key Takeaways

  1. The OSI model provides a seven-layer theoretical framework for understanding network communication

  2. The TCP/IP model is the practical four-layer model that powers the internet

  3. Encapsulation wraps data in successive headers as it descends through layers

  4. Each layer has specific responsibilities and vulnerabilities

  5. Protocols at each layer work together to enable end-to-end communication

  6. Troubleshooting with layers provides a systematic approach: start at Layer 1, work up

  7. Modern protocols like QUIC blur traditional layer boundaries for performance


Self-Assessment

  1. Comprehension: A packet reaches a router. The router reads the IP header but ignores the TCP header. Why?

  2. Application: You can ping a server's IP (8.8.8.8) but cannot access google.com. At which layer is the problem likely occurring?

  3. What if: If the Transport layer suddenly stopped working but the Network layer continued functioning, what would users experience?


Review Questions

  1. What problem does the layered network architecture solve?
  2. How does the OSI model differ from the TCP/IP model?
  3. What is encapsulation, and why is it important?
  4. At which layer does a router primarily operate? What about a switch?
  5. Why might a security professional need to understand all layers of the network stack?
  6. Where does TLS fit in the OSI model, and why is this question difficult to answer?

Key RFCs

  • RFC 1122 - Requirements for Internet Hosts: Communication Layers
  • RFC 1123 - Requirements for Internet Hosts: Application and Support
  • RFC 9000 - QUIC: A UDP-Based Multiplexed and Secure Transport