networking · level 1

The Layered Model

Link → IP → TCP → TLS → HTTP.

150 XP

The Layered Model

Every network conversation is a stack of agreements. When a browser fetches a page, it does not speak directly to iron on the floor of a data center — it speaks to a chain of abstractions, each one hiding the layer below. Understanding those layers is the first step to reasoning about why things go wrong.

Analogy

Sending data across the internet is like mailing a document through the international postal system. Your letter (HTTP) goes into a tamper-proof security envelope (TLS), which goes into a courier's branded pouch (TCP, which numbers and tracks every pouch so none get lost), which is bundled into a labelled crate with a destination city (IP), which is loaded onto whichever truck is going the next leg of the trip (Ethernet or Wi-Fi). At each border crossing the truck changes but the crate, pouch, envelope, and letter are untouched. When something goes wrong, the diagnosis is "which wrapper failed?" — was the truck never dispatched, or did the city label smudge, or did the security envelope fail to seal?

Five layers that cover the web

Layer Name What it owns
1 Link Moving bits between two machines on the same wire or radio cell. Ethernet frames, Wi-Fi, MAC addresses.
2 IP Moving packets between any two machines across many hops. IP addresses, routing, TTL.
3 TCP / UDP Multiplexing streams over one IP connection. Ports, flow control, reliability (TCP) or speed (UDP).
4 TLS Encrypting and authenticating a TCP stream. Certificates, symmetric keys negotiated per session.
5 HTTP Request/response semantics. Methods, headers, status codes, bodies.

The division is not academic. When a connection times out you ask: is DNS broken? Is the TCP handshake completing? Is TLS negotiating? Is the server returning 5xx? Each question maps to a different layer.

How packets nest

Encapsulation is the mechanical trick. Each layer wraps the layer above in its own header before handing it down:

┌─────────────────────────────────┐
│ Ethernet frame                  │
│  ┌──────────────────────────┐   │
│  │ IP packet                │   │
│  │  ┌───────────────────┐   │   │
│  │  │ TCP segment       │   │   │
│  │  │  ┌─────────────┐  │   │   │
│  │  │  │ TLS record  │  │   │   │
│  │  │  │  ┌────────┐ │  │   │   │
│  │  │  │  │  HTTP  │ │  │   │   │
│  │  │  │  └────────┘ │  │   │   │
│  │  │  └─────────────┘  │   │   │
│  │  └───────────────────┘   │   │
│  └──────────────────────────┘   │
└─────────────────────────────────┘

The receiver strips headers in reverse order. The Ethernet card strips the frame, the OS kernel strips the IP packet, the kernel TCP stack strips the TCP segment, the TLS library decrypts the record, and finally your code reads the HTTP body.

What each layer owns (and what it ignores)

Link does not know what an IP address is. It knows the MAC address of the next hop. Routers rewrite the Link header at every hop; the IP header travels end-to-end unchanged (except TTL).

IP does not know what a port is. It routes datagrams by address alone and does not care whether they arrive in order or at all.

TCP does not know what a hostname is. It connects to an IP and port. It re-orders segments, retransmits lost ones, and applies backpressure when the receiver is slow.

TLS does not know what HTTP is. It just encrypts bytes flowing through a TCP connection, verifying the server's certificate along the way.

HTTP does not know which IP address it is talking to. It sends text — method, path, headers, body — over whatever stream is underneath it.

Why the layering matters for debugging

Run curl -v https://example.com and read the output in layer order:

  1. DNS resolution → IP layer concern
  2. * Connected to example.com (1.2.3.4) port 443 → TCP layer complete
  3. * TLSv1.3 handshake → TLS layer complete
  4. > GET / HTTP/2 → HTTP layer sending
  5. < HTTP/2 200 → HTTP layer receiving

When something breaks, which step fails tells you which layer to investigate.

MTU and fragmentation

The Link layer imposes a maximum frame size — typically 1500 bytes on Ethernet. IP packets that exceed this are fragmented at the IP layer and reassembled at the destination. TCP knows about this and sizes its segments to avoid it: the maximum segment size (MSS) is negotiated during the handshake and is set below the path MTU.

Fragmentation is expensive and breaks some firewalls. Path MTU Discovery (PMTUD) probes the path to find the largest unfragmented packet size.

IPv4 vs IPv6

IP addresses come in two flavors. IPv4 addresses are 32 bits (four octets: 192.168.1.1). IPv6 addresses are 128 bits (eight groups of four hex digits: 2001:0db8::1). The internet is mid-transition. Most servers are dual-stack, listening on both. Clients prefer IPv6 when available via a mechanism called Happy Eyeballs.

A note on TLS at layer 4

Some diagrams put TLS between TCP and HTTP (as above). Others omit it or call it "session layer". The exact layer number does not matter — what matters is that TLS is a session-scoped encryption wrapper that requires TCP to be up before it can negotiate, and that HTTP sits on top of it.

TLS 1.3 eliminated the extra round trip that TLS 1.2 required. With TLS 1.3, the handshake is one round trip instead of two, and the server's certificate arrives in the same flight as the server's key material.