Module 3 of 21 · Foundations

How OSI maps to TCP/IP, and where the mapping breaks

14 min read 3 outcomes Interactive mapper + quiz

By the end of this module you will be able to:

  • Map OSI layers to the four-layer Internet architecture and explain where the fit is clean
  • Explain why Presentation and Session are handled inside application protocols rather than as separate layers
  • Avoid simplistic layer placement claims for protocols like TLS, QUIC, and ARP

3.1 Where the two models agree

In Module 2, you learned the PDU names at each layer (frame, packet, segment, data). Now we need to connect those layers to the model the Internet actually uses. Three areas map cleanly between OSI and TCP/IP.

Physical + Data Link maps to the Link layer. OSI splits the bottom into two layers: Physical (electrical signals, cables, connectors) and Data Link (Ethernet framing, MAC addresses, error detection). TCP/IP combines these into a single Link layer. Both models agree on what happens here: bits become frames, MAC addresses handle local delivery, and the technology varies by network type (Ethernet, Wi-Fi, fibre).

Network maps to the Internet layer.This is the cleanest one-to-one match. IP addresses, routing decisions, packet forwarding, and TTL counting all live here in both models. When someone says "Layer 3," everyone agrees they mean IP and routing.

Transport maps to Transport. TCP provides reliable, ordered delivery with flow control. UDP provides fast, connectionless delivery. Port numbers, segmentation, and congestion control live here in both models. No ambiguity.

For Layers 1 through 4, the models agree on almost everything. The disagreements start at Layer 5.

The clean mapping at the lower layers makes the gap at the top all the more striking. At Layer 5, the two models part ways.

3.2 The application-space mismatch at the top

OSI defines three layers above Transport: Session (Layer 5), Presentation (Layer 6), and Application (Layer 7). The Internet model has one: Application.

In the OSI vision, each of these would be a separate, interchangeable protocol. Session protocols would manage dialogue state. Presentation protocols would handle encoding and encryption. Application protocols would handle user-facing functions. You could mix and match them independently.

That vision did not become the normal deployed Internet architecture. RFC 1122 explicitly maps OSI Presentation and Application into the Internet Application layer. The Session layer is different: TCP/IP does not expose it as a separate layer, so dialogue state is normally implemented by application protocols, libraries, or transport features. HTTP manages cookies and persistent connections. TLS provides a secure channel. JSON and XML provide serialised data formats.

essentially combines the functions of the top two layers -- Presentation and Application -- of the OSI reference model.

RFC 1122 - Section 1.1.3, Internet Protocol Suite

This is the exact RFC 1122 mapping statement. It names OSI Presentation and Application, not Session. Session responsibilities still exist in real systems, but TCP/IP does not expose a separate Session layer in the Internet host architecture.

Think of it like a building renovation. OSI designed a seven-story building with dedicated floors for session management, data formatting, and application logic. TCP/IP made the upper floors less rigid. The functions are still there, but they are usually implemented inside application-space protocols, libraries, or transport designs rather than as three separately exposed Internet layers.

The OSI to TCP/IP map has deliberate mismatch zones

Application responsibilities, security, and transport behaviour do not line up one-to-one.

Where OSI and TCP/IP do not line up neatly Two columns side by side. The left column lists the seven OSI layers L7 to L1. The right column lists the four TCP/IP layers Application, Transport, Internet, Link. The TCP/IP Application card spans the OSI upper-layer responsibility area, with RFC 1122 explicitly naming Presentation and Application while session responsibilities are commonly implemented in protocols, libraries, or transports. Transport maps one-to-one with L4, Internet maps one-to-one with L3, and Link covers L2 and L1. L7 Application L6 Presentation L5 Session L4 Transport L3 Network L2 Data Link L1 Physical RFC 1122/1123 Application ONE APPLICATION SPACE RFC 1122 §4 Transport RFC 1122 §3 Internet RFC 1122 §2 Link 2-INTO-1 MAPPING OSI · 7 LAYERS TCP/IP · 4 LAYERS built by ransfordsnotes.com

Use the mismatch zones as warnings, not as exceptions to memorise. RFC 1122 maps OSI Presentation and Application to the Internet Application layer; session responsibilities are usually implemented by protocols, libraries, or transports.

That upper-layer mismatch is just the most visible break in the neat mapping. Several protocols go further and actively span layers in both models.

3.3 Protocols that refuse to pick a layer

Some protocols were designed to solve problems, not to satisfy reference models. They span multiple layers because the engineering demanded it.

TLS (Transport Layer Security).TLS normally sits between TCP and HTTP in HTTPS over TCP. It performs a handshake, authenticates peers with certificates, derives traffic keys, encrypts records, and protects record integrity. In OSI vocabulary, those are mostly Presentation and Session responsibilities. TLS does not provide TCP's delivery guarantees, so calling it Layer 4 is too broad for TCP-based HTTPS. In TCP/IP terms it belongs to the application space even though many applications use it as a transparent secure channel.

QUIC (RFC 9000).QUIC goes further. It is a UDP-based transport protocol that integrates TLS 1.3 encryption directly into its connection handshake. RFC 9001 states that "QUIC assumes responsibility for the confidentiality and integrity protection of packets." QUIC also provides stream multiplexing (multiple independent data streams within one connection), which OSI would call a Session-layer function. In TCP/IP terms, QUIC is a transport protocol. In OSI terms, it spans Layers 4, 5, and 6 by design.

ARP (Address Resolution Protocol).ARP translates IP addresses (Layer 3) into MAC addresses (Layer 2). ARP packets have no IP header. They are broadcast on the local Ethernet segment using their own frame format. They serve Layer 3 but operate at Layer 2. Engineers often call ARP "Layer 2.5" because neither model handles it cleanly.

ICMP (Internet Control Message Protocol).RFC 792 describes ICMP with a famous paradox: it "uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP." ICMP packets ride inside IP packets (like a transport protocol would), but ICMP has no port numbers and carries no application data. It is a control protocol for IP itself. Both models put it at Layer 3, but its encapsulation inside IP makes it look like it sits above IP.

Common misconception

Every protocol belongs to exactly one layer.

Protocols are built to solve engineering problems, not to satisfy models. TLS sits between TCP and application protocols while performing presentation and session-like work. QUIC spans Layers 4-6 because it is the transport and includes TLS 1.3 plus multiplexed streams. ARP bridges Layers 2 and 3. ICMP lives at Layer 3 but rides inside Layer 3 packets. When a protocol does not fit neatly into one layer, that is a limitation of the model, not a flaw in the protocol.

TLS and QUIC show why strict layer maps fail

HTTPS over TCP and HTTP/3 over QUIC place security and transport state differently.

TLS and QUIC show why strict layer maps fail Two parallel five-layer stacks. The left stack is HTTPS OVER TCP: HTTP on top, TLS 1.3 below it as the emphasis row, then TCP, IP, Link. The right stack is HTTP/3 OVER QUIC: HTTP/3 on top, QUIC plus TLS 1.3 below as a single emphasis row, then UDP, IP, Link. The TLS boundary sits in row two of both stacks but the QUIC version folds the transport and security responsibilities into one layer while the TCP version keeps them separate. HTTPS OVER TCP TLS above TCP, security after handshake HTTP Application request and response TLS 1.3 Channel confidentiality and integrity TCP Byte stream with retransmits IP Packet across the network Link Frame on the medium HTTP/3 OVER QUIC TLS 1.3 integrated into transport HTTP/3 (RFC 9114) Application frames over QUIC streams QUIC + TLS 1.3 Streams, recovery, and security in one UDP Connectionless datagrams (substrate) IP Packet across the network Link Frame on the medium SECURITY BOUNDARY same level, different fold built by ransfordsnotes.com

The real question is which component owns the state you are testing. HTTPS over TCP and HTTP/3 over QUIC place TLS at different points in the stack.

Knowing which protocols cross boundaries is useful, but nothing cements it like mapping the layers yourself.

3.4 Map it yourself

Use the tool below to map each OSI layer to its TCP/IP equivalent. Remember: the mapping at the bottom (Layers 1-2 to Link) and middle (Layers 3-4) is straightforward. The interesting part is at the top, where the OSI vocabulary is more detailed than the Internet model exposes.

Notice the note at the bottom of the tool: "A protocol can span boundaries." That is the key lesson. The mapping gives you a useful mental model, but do not treat it as an absolute rule. Real protocols cross boundaries whenever the engineering requires it.

With the model mapped accurately, we can apply the vocabulary to real infrastructure decisions where the layer choice has direct cost and security implications.

3.5 When the mapping matters in practice

Layer terminology shows up constantly in infrastructure conversations. Getting the mapping right helps you ask better questions and avoid buying the wrong product.

L4 vs L7 load balancers. An L4 load balancer routes connections based on IP addresses and port numbers. It is fast because it does not read packet content. An L7 load balancer terminates connections, reads HTTP headers (URLs, cookies, methods), and makes routing decisions based on application data. If your service needs content-based routing for API traffic, you need L7. If you need raw throughput for non-HTTP traffic, L4 is simpler and faster.

Firewall layers.A traditional stateful firewall inspects Layers 3 and 4 (IP addresses, ports, TCP flags). It cannot see what is inside the HTTP request. A next-generation firewall (NGFW) uses deep packet inspection to read application content at Layer 7. Some vendors market L3/L4 firewalls as having "application awareness" because they map port numbers to application names. That is still L4 logic wearing an L7 label.

When to use which vocabulary.Use OSI layer numbers when troubleshooting ("the problem is at Layer 3") because the seven layers give you a more specific checklist. Use TCP/IP vocabulary when writing code or reading RFCs because it matches how protocols are actually implemented. Most engineers use OSI numbers as shorthand even when they are thinking in TCP/IP terms. Saying "L7" is faster than saying "Application layer," and everyone understands it.

3.6 Check your understanding

Why does the OSI-to-TCP/IP mapping break down at the upper layers?

A vendor claims their firewall provides 'Layer 7 application awareness.' How would you verify that claim?

QUIC combines transport, encryption, and multiplexing in one protocol. Which OSI layers does it span?

Your team needs to route API traffic to different backends based on the URL path (/api/users vs /api/orders). Do you need an L4 or L7 load balancer?

Core distinctions

  • Layers 1 through 4 map cleanly between OSI and TCP/IP. The disagreements start at Layer 5, where three OSI layers collapse into one TCP/IP Application layer.
  • Session and Presentation functions still exist (HTTP sessions, TLS encryption, JSON formatting) but are handled inside applications, not as separate protocol layers.
  • TLS, QUIC, ARP, and ICMP all cross layer boundaries. When a protocol does not fit one layer, that is a limitation of the model, not a flaw in the protocol.
  • Use OSI layer numbers for troubleshooting specificity. Use TCP/IP vocabulary for code, RFCs, and implementation conversations. Good engineers use both.

Standards and sources cited in this module

  1. RFC 1122, Requirements for Internet Hosts: Communication Layers

    Section 1.1.3, Internet Protocol Suite

    Defines the four-layer Internet architecture. Quoted in Section 3.2 for the precise Presentation-and-Application comparison, with separate course text explaining why OSI Session responsibilities are also implemented inside application protocols.

  2. RFC 9000, QUIC: A UDP-Based Multiplexed and Secure Transport

    Full specification

    Defines QUIC's cross-layer design combining transport, encryption, and multiplexing. Referenced in Section 3.3 as the primary example of a protocol that spans Layers 4-6.

  3. RFC 9001, Using TLS to Secure QUIC

    Section 4, Carrying TLS Messages

    Documents how QUIC absorbs the TLS record layer. Quoted in Section 3.3.

  4. RFC 792, Internet Control Message Protocol

    Introduction

    Contains the famous paradox: ICMP 'uses IP as if it were a higher level protocol' but 'is actually an integral part of IP.' Referenced in Section 3.3.

  5. CompTIA Network+ N10-009 Exam Objectives

    Domain 1.0, Objective 1.1: OSI reference model

    Tests OSI layer knowledge and the relationship between OSI and TCP/IP models. Referenced in Sections 3.1 and 3.5.

  6. Palo Alto Networks: Layer 3 vs Layer 7 Firewall

    Cyberpedia article

    Explains the practical difference between L3/L4 and L7 firewalls. Referenced in Section 3.5.

With both models mapped, Module 4 gives each OSI layer a practical purpose: what devices live there, which protocols operate there, and what breaks when that layer fails. This is the checklist you will use every time you troubleshoot.

Module 3 of 21 in Foundations