The OSI Reference Model — Seven Layers and How They Map to TCP/IP thumbnail

The OSI Reference Model — Seven Layers and How They Map to TCP/IP

⏱ approx. 18 min views 185 likes 0 LOG_DATE:2026-05-09
TOC

The ISO Basic Reference Model (a.k.a. the OSI Reference Model) is the 1984 international standard (ISO/IEC 7498) that organises network communication into seven layers. As an actual protocol stack it lost to TCP/IP, but it survives as the shared vocabulary for asking "which layer is this problem at?". This article covers the history, the role of each of the seven layers, encapsulation, the mapping to TCP/IP, and how the model is used in practice today.

01

A short history of the OSI Reference Model #

In the 1970s, IBM had SNA (1974), DEC had DECnet, and Burroughs / Honeywell / Univac all had their own protocols. Computers from different vendors essentially could not talk to each other. Building a multi-vendor environment meant standing up translation gateways for every pair.

In parallel, the US ARPANET had Vint Cerf and Bob Kahn publishing the initial TCP design in 1974 (RFC 675), and the two-layer separation that became TCP/IP was already taking shape.

1977 — ISO SC16 established
Led by Charles Bachman, the seven-layer model is drafted. Each layer is designed with a tidy relationship: it provides services upward and consumes services downward.
1984 — ISO 7498 published
Standardised after seven years of debate. ITU-T republished the same content as X.200. A theoretical model meticulously specifying "what communication ought to look like" is complete.
Late 1980s — OSI vs TCP/IP
The US government tried to mandate OSI adoption via GOSIP, but TCP/IP was already shipping with BSD UNIX 4.2 — free and simple.
1990s — Commercial Internet explodes
Cisco commercialising TCP/IP routers settled the question. By 1995 the US government had effectively withdrawn GOSIP. The OSI protocol family itself never gained traction.
Today — only the seven-layer model survived
Phrasing like "that's an L7 problem", "this is purely L2", "L3/L4 separation" is the norm — the implementation is TCP/IP but the conversation is in OSI terms.
▸ Why the OSI protocol family lost

The X.400 mail-stack spec — including ASN.1 BER — runs into literally thousands of pages. OSI was the "specify the beautiful design first, build it later" waterfall approach; TCP/IP was the "ship something that works and standardise as you go" agile approach. The lesson lines up exactly with the broader history of software development.

02

The seven-layer model at a glance #

The OSI Reference Model splits communication into seven layers. Higher layers are closer to the application; lower layers are closer to the hardware. Each layer consumes the service provided by the layer immediately below and provides a service to the layer immediately above.

L Layer name Role PDU Representative protocols
L7 Application What the user directly touches Data / Message HTTP, SMTP, DNS, SSH, FTP, IMAP
L6 Presentation Character encoding, encryption, compression Data TLS, ASCII, Unicode, JPEG, MIME
L5 Session Establishing, maintaining, and tearing down connections Data NetBIOS, RPC, SOCKS, SIP
L4 Transport End-to-end delivery Segment / Datagram TCP, UDP, QUIC, SCTP
L3 Network Addressing and routing Packet IPv4, IPv6, ICMP, OSPF, BGP
L2 Data Link Delivery between adjacent nodes Frame Ethernet, Wi-Fi, PPP, ARP
L1 Physical Electrical, optical, and radio signals Bit / Symbol Copper, fiber, radio, RJ-45
03

The lower four layers (L1–L4) in detail #

L1 — Physical Layer #

Sends and receives bits (0/1) as physical signals (voltage, light, radio). The world of cables, connectors, and bits.

  • Encoding for electricity, light, and radio (NRZ, Manchester, 4B/5B, PAM)
  • Connector shapes and pin layouts (RJ-45, SFP, USB-C)
  • Voltage, frequency, modulation, and clock synchronization

Representative specs: Ethernet PHY (10BASE-T through 10GBASE-SR), optical fibre (single / multimode), wireless (802.11 PHY, Bluetooth), RS-232, DSL, DOCSIS.

Typical failures: cable breaks, badly-seated connectors, dead SFPs, power noise. "Ping fails and the LED isn't even lit" lives here.

L2 — Data Link Layer #

Delivers frames correctly between two adjacent nodes — either within the same LAN segment or at the two ends of the same point-to-point link.

  • Framing (using a preamble to split the bit stream into meaningful units)
  • MAC addresses (6 bytes = 48 bits, globally unique)
  • Error detection (FCS / CRC)
  • Media access control (CSMA/CD, CSMA/CA, token passing)
  • VLAN tagging (802.1Q)

Internally L2 is split into the LLC sub-layer (802.2, connecting upper layers) and the MAC sub-layer (media access). Representative protocols: Ethernet (802.3), Wi-Fi (802.11), PPP, ARP (L2.5), STP, LACP.

Switches are the canonical L2 device. They forward frames to the appropriate port based on a MAC address table.

L3 — Network Layer #

Carries packets to a destination across different networks. The world of global-scale routing.

  • Logical addressing (IP addresses)
  • Path selection (routing table + protocol)
  • Fragmentation (when an MTU is exceeded)
  • Error reporting (ICMP)

Representative protocols: IPv4, IPv6, ICMP, IPsec, OSPF, IS-IS, BGP (inter-AS routing, the spine of the Internet). Routers are the canonical L3 device.

L4 — Transport Layer #

Provides logical end-host-to-end-host connections. L3 gets you to the right machine by IP address; L4 identifies which application (port) inside the machine should receive the data.

  • Port numbers (16 bits, 0–65535)
  • Connection management (TCP three-way handshake)
  • Retransmission, ordering, and flow control (TCP)
  • Congestion control (cwnd, BBR, CUBIC)

Representative protocols: TCP (reliable delivery — HTTP, SSH, SMTP), UDP (best-effort — DNS, VoIP), QUIC (the foundation under HTTP/3, with TLS 1.3 built in), SCTP, DCCP.

▸ Which layer does a firewall live at?

Traditional firewalls operate at L3+L4 (filtering by IP / port). An L7 firewall (WAF) inspects HTTP URLs, methods, and headers. Products marketed as "Next-Gen Firewalls" cut across L3–L7 in their analysis.

04

The upper three layers (L5–L7) in detail #

L5 — Session Layer #

Manages the "dialogue (session)" that spans multiple messages — establishing, maintaining, tearing down, and inserting sync points (checkpoints).

The session layer OSI originally envisaged (X.225) was a heavyweight mechanism that inserted sync points into long dialogues so they could be resumed after a failure, but in TCP/IP TCP at L4 and the application at L7 together cover session management, so L5 has very little independent presence.

Things commonly called L5 in TCP/IP context: NetBIOS Session Service, RPC, SOCKS proxies, SIP (VoIP signalling), PPTP, L2TP (VPN tunnels).

L6 — Presentation Layer #

Handles conversion of data "representation" — character encoding, encoding, compression, and encryption all live here.

  • Character encoding conversion (ASCII ↔ EBCDIC ↔ UTF-8)
  • Data serialisation (ASN.1 / BER / DER, JSON, XML)
  • Encryption (TLS / SSL)
  • Compression (gzip, deflate)
  • Media conversion (JPEG, MP3, MPEG)

In OSI terms TLS is classified as L6, but in TCP/IP implementations it's often described as a thin layer that "sits above TCP and below HTTP", living somewhere between L4 and L7.

L7 — Application Layer #

The layer closest to the user's applications. The concrete protocols here are designed around the purpose of the application. This is where the OSI ideal "upper layers need not know the details of lower layers" is most cleanly realised.

Representative protocols: HTTP / HTTPS / HTTP/2 / HTTP/3, SMTP / IMAP / POP3, DNS, SSH, FTP / SFTP, NTP, SNMP, MQTT.

05

Encapsulation and decapsulation #

Each time data is handed from an upper layer to a lower one, that layer's header is added. Eventually L1 emits it as a bit stream, and the receiver peels the layers back off in reverse order.

Sender-side encapsulation — headers stack up from top to bottom
# L7 Application: HTTP request [ HTTP Data ] # L4 TCP: src/dst ports added [ TCP hdr | HTTP Data ]Segment # L3 IP: src/dst IPs added [ IP hdr | TCP hdr | HTTP Data ]Packet # L2 Ethernet: src/dst MAC + FCS added [ Eth hdr | IP hdr | TCP hdr | HTTP Data | FCS ]Frame # L1 Physical: emitted as bits onto the wire 10101100 11001010 01110001 ...

Rough header sizes:

  • Ethernet: 14 bytes (header) + 4 bytes (FCS) = 18 bytes
  • IP: 20 bytes (IPv4) / 40 bytes (IPv6)
  • TCP: 20 bytes (no options) / up to 60 bytes
  • TLS: after the handshake, a 5-byte record header + AEAD tag
▸ The relationship between MTU and MSS

Since every payload always gets a stack of tens of bytes of headers, the application payload (MSS) you can send on an Ethernet MTU of 1500 is around 1460 bytes for TCP. Over VPN or PPPoE it shrinks further. The classic "only big files get stuck" symptom traces back to MTU mismatch.

06

Mapping to the TCP/IP model #

The TCP/IP model used in practice is most often described as a 4-layer or a 5-layer model, and they map onto OSI's seven layers as follows:

OSI layer TCP/IP 4-layer TCP/IP 5-layer (DoD) Representative protocols
L7 Application Application Application HTTP, SSH, DNS, SMTP
L6 Presentation (inside Application) Application TLS, MIME, JSON
L5 Session (inside Application) Application NetBIOS, SOCKS, SIP
L4 Transport Transport Transport TCP, UDP, QUIC
L3 Network Internet Network IPv4, IPv6, ICMP
L2 Data Link Link Data Link Ethernet, Wi-Fi, PPP
L1 Physical (inside Link) Physical Copper, fiber, radio

The conventional view in implementation: OSI L5/L6/L7 are merged into the Application layer in TCP/IP, and OSI L1/L2 are folded into the Link layer in the TCP/IP 4-layer model.

07

A shared language for triage #

Walking up from the bottom (bottom-up troubleshooting) when somebody reports "the site won't load" is the basic discipline of network operations.

Per-layer triage commands
# L1 — link check (cable / NIC / SFP) $ ip link show 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 # L2 — is ARP resolving? $ ip neigh show 192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE # L3 — does ping (ICMP) reach the destination IP? $ ping -c 3 8.8.8.8 $ traceroute 8.8.8.8 # L4 — is the port actually open? $ nc -vz example.com 443 Connection to example.com 443 port [tcp/https] succeeded! # L5-L7 — what's happening at the TLS / HTTP layer? $ curl -vI https://example.com $ openssl s_client -connect example.com:443
08

Security controls organised by layer #

Security thinking also uses "which layer do we defend at?" as a basic axis.

Layer Example attacks Example defences
L1 Cable wiretapping, EM emanation snooping Physical security, shielding
L2 MAC spoofing, ARP poisoning, VLAN hopping Port Security, DAI, 802.1X
L3 IP spoofing, DDoS, route hijacking uRPF, BCP 38, RPKI
L4 SYN flood, port scan SYN cookies, firewalls
L5-L7 TLS MITM, XSS, SQL injection, CSRF TLS, WAF, input validation
▸ Defence is layered by default

A single-layer control can be bypassed. Defence in depth — overlapping controls across multiple layers — is the iron rule. Run an L7 WAF, an L4 IDS, and L3 RPKI in parallel so that if one drops, the others still catch the attack.

Vendor products classified by layer #

  • L2 switches (pure MAC switches) vs L3 switches (with built-in routing)
  • L4 load balancers (TCP/UDP) vs L7 load balancers (inspect HTTP content, e.g. nginx, F5)
  • L4 firewalls vs L7 firewalls (WAF)
  • L7 proxies (HTTP proxies; SOCKS is L5)

Product selection conversations very often start with "which layer is it operating at?".

09

Summary #

The ISO Basic Reference Model is a rare creature: it lost as a real protocol stack, but won as a thinking framework. Implementations are TCP/IP territory, but whenever you need to argue "which layer is the problem at?" or "which layer should this control live at?" or "which layer should this functionality move to?", the OSI model gives everyone the same seven-level scale to talk on. That is its lasting value.

  • As the first doorway into learning networks
  • As the language for triage in operations
  • As the framework for stacking security defences
  • As an axis for comparing product capabilities

The OSI seven layers are the first concept you pick up and the last one you put down. Once you can move up and down between them, complex symptoms like "why is HTTPS slow?" or "why does ping work but HTTP doesn't?" stop being puzzling and become tractable.

𝕏 Post B! Hatena