OSI Reference Model Explained: 7 Layers and TCP/IP Mapping

LOG_DATE:2026-05-09

The OSI Reference Model (ISO 7-Layer Model) #

The ISO Basic Reference Model, more commonly the OSI Reference Model (Open Systems Interconnection Reference Model), is the conceptual model that breaks network communication into seven layers. It was standardized as ISO/IEC 7498 in 1984. Its grand goal was "computers from different vendors should be able to communicate using the same protocols", and ITU-T re-published the same content as X.200.

The TCP/IP stack (IP / TCP / HTTP) that actually powers the Internet was already in use in parallel with the OSI standardization effort, and the OSI protocol family proper went on to see almost no real-world deployment. Yet the OSI 7-layer model survived as a shared language for arguing "which layer is the problem in?" or "which layer should this functionality live at?", and remains foundational knowledge for every network engineer, security engineer, and incident responder.

1. History of the OSI reference model #

1.1 1970s — The era of proprietary protocols #

In the 1970s, the connection scheme between mainframes and terminals was completely vendor-specific. IBM's SNA (Systems Network Architecture, 1974), DEC's DECnet, and the protocols of Burroughs, Honeywell, and Univac were all proprietary, leaving machines from different vendors essentially unable to talk to each other. To stand up a multi-vendor environment, you had to build a translation gateway for every pairing.

In parallel, on the US ARPANET side, Vint Cerf and Bob Kahn published the proto-TCP design in 1974 (RFC 675), and the world was evolving toward the TCP/IP two-layer split. But that was still a research network at the time; commercial adoption was years away.

1.2 1977 — ISO/TC97/SC16 stands up #

In 1977, ISO (the International Organization for Standardization) created SC16 (Open Systems Interconnection), with a determination to design a vendor-neutral standard protocol suite. That same year, a 7-layer architecture was proposed, led by Charles Bachman. The "seven" was the result of long debate over how to modularize communication functions, and each layer was carefully designed to "provide service to the layer above" and "consume service from the layer below" in a clean tower.

1.3 1984 — ISO 7498 published #

After seven years of debate, ISO 7498 "Information processing systems — Open Systems Interconnection — Basic Reference Model" was published in 1984. ITU-T (then CCITT) recommended the same content as X.200. The OSI model became a remarkably complete theoretical framework defining "how communication ought to be done."

But defining a theoretical model and shipping working protocols are very different problems. Around the same time, OSI's own concrete protocols (X.400 mail, X.500 directory, CLNP at the network layer, TP4 at transport, …) were also being standardized, but they suffered from "the spec is too thick, the implementations too slow" and "vendors don't put real engineering effort into them."

1.4 Late 1980s — The "OSI vs TCP/IP" war #

In the late 1980s, the US government made OSI migration a national strategy, attempting through GOSIP (Government OSI Profile) to mandate OSI for federal agencies. Postal, telephone, and telegraph (PTT) administrations across Europe also pushed OSI. But meanwhile:

  • TCP/IP was already running (BSD UNIX 4.2 shipped a standard implementation; ARPANET cut over from NCP in 1983)
  • It was free (BSD source code)
  • It was simple, with short implementations

On top of that, Cisco and others started shipping commercial TCP/IP routers, and the explosion of the commercial Internet in the 1990s decisively tipped the balance to TCP/IP. In 1995 the US government effectively retired GOSIP.

1.5 1990s onward — "Only the OSI model survived" #

OSI's protocol stack wasn't adopted, but the OSI 7-layer model itself spread widely as the shared frame for talking about networks. "That's an L7 problem", "this completes at L2", "decouple it between L3 and L4" — even when the implementation is TCP/IP, the conversation is conducted in OSI vocabulary, and that's the standard to this day.

2. The seven-layer picture #

The OSI reference model splits the communication function into the following seven layers. Higher layers are closer to the application; lower layers are closer to the hardware. Each layer uses the service provided by the layer immediately below and provides service to the layer immediately above.

Figure: OSI 7-layer model — role and example protocols per layer. Higher = closer to application (humans) / Lower = closer to hardware (electrical signals).

  • L7 Application: application layer, what the user touches. HTTP / SMTP / DNS / SSH / FTP / IMAP / POP3 / SNMP / Telnet. PDU: Data / Message (app ↔ app)
  • L6 Presentation: presentation layer; encoding, encryption, compression. TLS / SSL / ASCII / Unicode / JPEG / MP3 / MIME / ASN.1. PDU: Data (representation conversion)
  • L5 Session: session layer; connection setup, keepalive, teardown. NetBIOS / RPC / SOCKS / NFS (parts) / SIP control. PDU: Data (dialog sync, checkpoints)
  • L4 Transport: transport layer; end-to-end delivery. TCP / UDP / QUIC / SCTP / DCCP. PDU: Segment / Datagram (identified by port)
  • L3 Network: network layer; addressing & routing. IP (v4/v6) / ICMP / IPsec / OSPF / BGP / IS-IS. PDU: Packet (identified by IP address)
  • L2 Data Link: data link layer; hop-to-hop delivery. Ethernet / Wi-Fi (802.11) / PPP / ARP / VLAN / MPLS. PDU: Frame (identified by MAC address)
  • L1 Physical: physical layer; electrical, optical, radio signals. copper / fiber / radio / RJ-45 / RS-232 / voltage levels. PDU: Bit / Symbol (physical medium)

PDU = Protocol Data Unit, the name of the "data unit" each layer works with.

3. Layer-by-layer responsibilities #

3.1 Layer 1 — Physical Layer #

The layer that sends and receives bits (0 / 1) as physical signals — voltage, light, radio waves. "The world of cables, connectors, and bits."

Responsibilities:

  • Encoding of electrical / optical / radio signals (NRZ, Manchester, 4B/5B, PAM)
  • Connector form factor and pinout (RJ-45, SFP, USB-C)
  • Voltage levels / frequency / modulation
  • Synchronization (clocking)

Notable specs:

  • Ethernet PHY (10BASE-T, 1000BASE-T, 10GBASE-SR)
  • Optical fiber (single-mode / multi-mode)
  • Radio (802.11 PHY, Bluetooth PHY)
  • RS-232 / RS-485 / V.24 (serial)
  • DSL / DOCSIS (last-mile)

Failure modes: cable cuts, bad connector seating, faulty SFP modules, power-noise issues. When ping doesn't go through and the link LED isn't even lit, suspect this layer.

3.2 Layer 2 — Data Link Layer #

The layer that delivers a frame correctly between two adjacent nodes — within the same LAN segment, or both ends of the same point-to-point link.

Responsibilities:

  • Framing (start / stop bits or preambles to chunk a bit stream)
  • Addressing (MAC address: 6 bytes = 48 bits, globally unique by assignment, though software can override it)
  • Error detection (FCS / CRC)
  • Media access control (CSMA/CD, CSMA/CA, token passing)
  • Flow control (PAUSE frame; Wi-Fi RTS/CTS)
  • VLAN tagging (802.1Q)

L2 is often split into two sublayers:

  • LLC (Logical Link Control, 802.2) — interface to upper layers
  • MAC (Media Access Control) — media access

Notable protocols:

  • Ethernet (IEEE 802.3) — overwhelming share
  • Wi-Fi (IEEE 802.11)
  • PPP (Point-to-Point Protocol)
  • ARP — IP→MAC resolution (strictly L2.5)
  • STP / RSTP — switch-loop prevention
  • LACP — link aggregation

Switches are the canonical L2 device: a MAC table forwards frames out the right port.

3.3 Layer 3 — Network Layer #

The layer that carries packets across different networks to a destination. The world of planet-scale routing.

Responsibilities:

  • Logical addressing (IP addresses)
  • Path selection (routing tables + routing protocols)
  • Fragmentation (when MTU is exceeded)
  • Error notification (ICMP)
  • Address translation (strictly, NAT spans L3+L4)

Notable protocols:

  • IPv4 / IPv6 — the main stage
  • ICMP / ICMPv6 — errors / control
  • IPsec — IP-layer encryption (VPN)
  • OSPF / IS-IS — IGP (intra-organization routing)
  • BGP — EGP (inter-AS routing, the spine of the Internet)

Routers are the canonical L3 device: pick a path from a destination IP, forward.

3.4 Layer 4 — Transport Layer #

The layer that handles logical end-to-end connections between hosts. Up through L3 we get to a host by IP; L4 is what identifies which application (port) to deliver to. Reliability / ordering / multiplexing live here.

Responsibilities:

  • Port numbers (16 bits, 0–65535) to identify applications
  • Connection management (TCP three-way handshake)
  • Retransmission / ordering (TCP)
  • Flow control (TCP window)
  • Congestion control (TCP cwnd, BBR, CUBIC)
  • Multiplexing / demultiplexing (many connections per host)

Notable protocols:

  • TCP (Transmission Control Protocol) — reliable delivery (HTTP, SSH, SMTP)
  • UDP (User Datagram Protocol) — best effort (DNS, VoIP, gaming)
  • QUIC — UDP-based, the substrate of HTTP/3 (TLS 1.3 baked in)
  • SCTP — multi-streaming / multi-homing
  • DCCP — UDP plus congestion control

Firewalls are typically L3+L4 (IP / port filtering). L7 firewalls go further up.

3.5 Layer 5 — Session Layer #

The layer that manages a dialog (session) spanning multiple messages — connection setup, keepalive, teardown, and inserting synchronization checkpoints.

OSI's original conception of a session layer was a heavy one (X.225 et al.) where you'd insert sync points across long dialogs and resume from there after a fault. In the TCP/IP world, TCP at L4 and applications themselves at L7 share the session-management work, so the L5 layer doesn't have a strong independent presence.

Notable protocols (called "L5" in TCP/IP discourse):

  • NetBIOS Session Service
  • RPC session management
  • SOCKS proxy
  • SIP (Session Initiation Protocol) — VoIP / IMS signaling
  • PPTP / L2TP — VPN tunnels

In practice, L5 / L6 / L7 are often fused together in implementations.

3.6 Layer 6 — Presentation Layer #

The layer responsible for translating data representation. Character sets, encodings, compression, and encryption are classified here.

Responsibilities:

  • Character set conversion (ASCII ↔ EBCDIC ↔ UTF-8)
  • Data encoding (ASN.1 / BER / DER, JSON, XML, MessagePack)
  • Encryption (TLS / SSL; strictly, it straddles L4/L5/L6)
  • Compression (gzip, deflate)
  • Media transformation (JPEG, MP3, MPEG)

In OSI terms TLS is classified as L6, but in TCP/IP implementations, it's described as a thin layer "above TCP, below HTTP" — somewhere in L4–L7.

3.7 Layer 7 — Application Layer #

The layer closest to the user's application. HTTP, SMTP, DNS, SSH, FTP, IMAP/POP3, … — the concrete protocols designed for the application's purpose all live here.

This is where application implementers work directly, treating L1–L6 as "a black box that the lower stack handles for me." OSI's ideal — "an upper layer doesn't need to know the lower layer's details" — is realized most beautifully at L7.

Notable protocols:

  • HTTP / HTTPS / HTTP/2 / HTTP/3 — Web
  • SMTP / IMAP / POP3 — email
  • DNS — name resolution
  • SSH — remote shell
  • FTP / SFTP — file transfer
  • NTP — time sync
  • SNMP — network management
  • MQTT — IoT messaging

4. Encapsulation and decapsulation #

Each time data passes from an upper layer to the layer below, that layer's header (and sometimes a trailer) is added, and at the bottom the physical layer pushes a stream of bits onto the wire. The receiver peels the layers off in reverse. This pair is called encapsulation / decapsulation.

Figure: Sender-side encapsulation — headers stack up top to bottom.

  • L7: Application Data (e.g. an HTTP request)
  • L5–L6: [L5/L6 hdr: enc / TLS] + L7 Data (the payload flows through unchanged)
  • L4: [TCP hdr: src/dst port]; Segment = TCP hdr + (upper-layer data)
  • L3: [IP hdr: src/dst IP]; Packet = IP hdr + Segment
  • L2: [Eth hdr: src/dst MAC] and [FCS: CRC]; Frame = Eth hdr + Packet + FCS
  • L1: 10101100 11001010 ... (bits emitted on the wire)

The receiver does the exact reverse — each layer strips its own header and hands the data up:

  • L1 → L2: bits are decoded and recognized as a Frame; FCS catches errors
  • L2 → L3: the Eth header is stripped, leaving the Packet
  • L3 → L4 → L7: headers come off in order, finally delivering L7 Data to the app

Real header sizes for intuition:

  • Ethernet: 14 bytes (header) + 4 bytes (FCS) = 18 bytes
  • IP: 20 bytes (IPv4) / 40 bytes (IPv6)
  • TCP: 20 bytes (no options) / up to 60 bytes
  • TLS: a 5-byte record header plus an AEAD tag after the handshake

The total of all those headers means a few dozen bytes always ride on top of the payload, so over an Ethernet MTU of 1500 bytes you typically have ~1460 bytes of TCP application payload per packet.
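The encapsulation and decapsulation steps above, as an added example that is not part of the original article: it builds an Ethernet/IPv4/TCP frame around an HTTP request and peels it back off on the receiving side. The addresses, ports and function names are constructed for illustration, and the IP and TCP checksums are left at zero to keep it short.

```python
import struct
import zlib

ETH_HDR, IP_HDR, TCP_HDR, FCS_LEN = 14, 20, 20, 4  # header sizes listed above

def encapsulate(payload: bytes) -> bytes:
    """Sender side: L7 data -> TCP segment -> IPv4 packet -> Ethernet frame."""
    # L4: ports, seq, ack, data offset (5 words), PSH+ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + payload
    # L3: version/IHL, TOS, total length, id, DF, TTL, protocol 6 (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(segment), 0, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    packet = ip + segment
    # L2: dst MAC, src MAC, EtherType 0x0800 (IPv4); the trailer is the CRC-32 FCS
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    fcs = struct.pack("<I", zlib.crc32(eth + packet))
    return eth + packet + fcs

def decapsulate(frame: bytes) -> dict:
    """Receiver side: check the FCS, then strip Ethernet, IP and TCP headers in order."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("L2: FCS mismatch, frame discarded")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", body[:ETH_HDR])
    if ethertype != 0x0800:
        raise ValueError("L2: not an IPv4 frame")
    packet = body[ETH_HDR:]
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]   # excludes any Ethernet padding
    if packet[9] != 6:
        raise ValueError("L3: payload is not TCP")
    segment = packet[ihl:total_len]
    _src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4              # TCP header length in bytes
    return {"src_ip": ".".join(map(str, packet[12:16])),
            "dst_ip": ".".join(map(str, packet[16:20])),
            "dst_port": dst_port, "payload": segment[data_offset:]}

def max_tcp_payload(mtu: int = 1500) -> int:
    """Application bytes per packet once the IP and TCP headers are paid for."""
    return mtu - IP_HDR - TCP_HDR
```
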

5. Mapping OSI to the TCP/IP model #

The TCP/IP model that's actually used is usually described in 4 layers, sometimes 5 (the DoD model). The rough mapping to OSI's 7:

| OSI layer | TCP/IP 4-layer | TCP/IP 5-layer (DoD) | Example protocols |
|---|---|---|---|
| L7 Application | Application | Application | HTTP, SSH, DNS, SMTP |
| L6 Presentation | (in Application) | Application | TLS, MIME, JSON |
| L5 Session | (in Application) | Application | NetBIOS, SOCKS, SIP |
| L4 Transport | Transport | Transport | TCP, UDP, QUIC |
| L3 Network | Internet | Network | IPv4, IPv6, ICMP |
| L2 Data Link | Link | Data Link | Ethernet, Wi-Fi, PPP |
| L1 Physical | (in Link) | Physical | copper, fiber, radio |

TCP/IP folds OSI L5/L6/L7 into Application, and the 4-layer view collapses OSI L1/L2 into Link — that's the implementation-level convention.

6. Why TCP/IP won #

A "vendor-neutral, beautifully complete OSI" lost to a "research-network-grown, scrappy TCP/IP". The reasons are roughly four:

1. Working code came first. TCP/IP was running on ARPANET in 1983. OSI's protocol family didn't have shipping implementations until the late 1980s. Implementation beats specification — that was the field's logic.

2. It was simple. TCP/IP was designed as "just enough to work"; OSI was designed as "every conceivable use case folded in." OSI's specs were thicker, and its implementation cost was overwhelming (the X.400 mail stack, ASN.1 BER and all, was literally "thousands of pages").

3. It was open and free. The BSD TCP/IP implementation was available at the source-code level. Most OSI stacks were vendor commercial products, with cost and compatibility headaches.

4. Both academia and industry pulled together. TCP/IP was extended from both sides — universities and vendors, growing as the de facto standard. OSI was committee-driven, and field input took years to make it back into the spec.

The ironic truth: OSI was waterfall — "define a beautiful spec, then implement"; TCP/IP was agile — "ship something that works, then standardize incrementally." It was a lesson that aligns perfectly with the history of software development itself.

7. Why the OSI model is still relevant #

The implementation is TCP/IP, but the OSI model is still the framework for troubleshooting and teaching.

7.1 Common vocabulary for triage #

Take "the website is down" as the incident:

  • L1: Is the cable plugged in? Is the link light on?
  • L2: Does ARP resolve? Is it in the MAC table?
  • L3: Does ping (ICMP) reach the IP? Is the routing table correct?
  • L4: Is the port open? (telnet / nc to check)
  • L5–L7: Did the TLS handshake succeed? What's the HTTP status code?

This bottom-up troubleshooting approach is still front-line in network operations.
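The upper half of that checklist as a script, added here as an example and not taken from the original article: it walks L4, L5–L6 and L7 in order and reports the first layer that fails. It starts at L4 because the L1–L3 checks (link light, ARP, ping) need local tools or privileges; the function name `triage` and the rule that a 5xx status counts as an L7 failure are assumptions of this sketch.

```python
import socket
import ssl

def triage(host, port=443, use_tls=True, timeout=3.0):
    """Return (layer, detail) for the first failing layer, or ("OK", status line)."""
    # L4: can the TCP handshake complete? Success also implies L1-L3 work
    # along the path, so the lower layers are cleared in one step.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("L4", f"TCP connect failed: {exc}")
    try:
        if use_tls:
            # L5-L6: TLS handshake with certificate and hostname verification on.
            ctx = ssl.create_default_context()
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError as exc:  # ssl.SSLError is a subclass of OSError
                return ("L5-L6", f"TLS handshake failed: {exc}")
        # L7: send a minimal HTTP request and read back the status line.
        request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            status = sock.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
        except OSError as exc:
            return ("L7", f"no HTTP response: {exc}")
        parts = status.split()
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            return ("L7", f"not an HTTP status line: {status!r}")
        # Assumption of this sketch: a 5xx status is an application-layer failure.
        return ("L7" if int(parts[1]) >= 500 else "OK", status)
    finally:
        sock.close()
```

A result of `("L5-L6", ...)` with a certificate error in the detail means the transport is healthy and the problem sits in the TLS configuration, which is exactly the distinction the layer vocabulary is meant to carry.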

7.2 Layered framing for security #

Defenders also think in terms of "which layer to defend at":

| Layer | Example attack | Example countermeasure |
|---|---|---|
| L1 | Cable tapping, electromagnetic interception | Physical security, shielding |
| L2 | MAC spoofing, ARP poisoning, VLAN hopping | Port Security, DAI, 802.1X |
| L3 | IP spoofing, DDoS, route hijacking | uRPF, BCP 38, RPKI |
| L4 | SYN flood, port scans | SYN cookies, firewalls |
| L5–L7 | TLS MITM, XSS, SQL injection, CSRF | TLS, WAF, input validation |

The principle is defense in depth across multiple layers.

7.3 Vendor-product taxonomy #

Network and security products are categorized almost entirely by OSI layer:

  • L2 switch (pure MAC switch) / L3 switch (router-capable)
  • L4 load balancer (TCP/UDP) / L7 load balancer (looks at HTTP content — e.g. nginx, F5)
  • L4 firewall / L7 firewall (WAF)
  • L7 proxy (HTTP proxy; SOCKS is L5)

Even buying decisions start from "which layer does it operate at?".

8. Conclusion #

The ISO Basic Reference Model is the rare case of "a loser as a wire protocol, but still the standard as a way of thinking." Implementations are dominated by TCP/IP, but when discussing "which layer is the problem in?", "which layer do I defend at?", or "which layer should this functionality live at?", OSI's seven-step scale is the common ruler everyone reaches for.

As an entry point for learning networks, and as the lingua franca for triage, security design, and product selection in real operations, the OSI 7-layer model is the first thing to learn and the last thing you stop using. Once you can reason from the bottom up and freely traverse top to bottom, even compound problems like "why is HTTPS slow" or "ping works but HTTP fails" stop being mysterious.