Module 1 of 21 · Foundations

What network models are for

15 min read 3 outcomes Interactive quiz + diagram

By the end of this module you will be able to:

  • Explain why layered models exist and what problem they were built to solve
  • Tell the difference between the OSI reference model and the Internet architecture without forcing a perfect match
  • Name the first communication function to check when a service stops working

1.1 What a reference model actually is

Think of a reference model like an architectural blueprint for a building. The blueprint does not buildthe building. It gives every contractor (electricians, plumbers, structural engineers) a shared plan so they can work independently without breaking each other's work.

A network reference model works the same way. It splits communication into layers, where each layer has one job. The layer that moves electrical signals along a cable does not need to know about web browsers. The layer that handles web requests does not need to worry about voltage levels on the wire.

Reference model vs. live network: blueprint vs. building

ISO/IEC 7498-1 calls itself a reference model; that means the document coordinates protocol design, it does not run on the wire.

The reference model is a blueprint; the live network is the building Two parallel four-level stacks side by side. The left stack is the BLUEPRINT: each row carries a layer number (L7, L4, L3, L1) and the abstract role the OSI reference model defines for that layer. The right stack is the BUILDING: the same rows filled with the real protocols a live network runs (HTTP, TCP, IP, Ethernet). Four horizontal arrows labelled 'describes' connect each blueprint row to its matching building row. Layer 4 is emphasised in both stacks because it is where most live troubleshooting starts. BLUEPRINT ISO/IEC 7498-1 Reference model defines the roles L7 Role User-facing responsibility L4 Role End-to-end delivery L3 Role Cross-network addressing L1 Role Signal on the medium BUILDING RFC 1122 Live network fills the roles L7 HTTP browser to web server L4 TCP byte-stream, retransmits L3 IP routed across the internet L1 Ethernet cable, fibre, or RF describes built by ransfordsnotes.com

You do not deploy the OSI model. You use it to describe what you deployed.

Before ISO published the OSI model in 1984, every major vendor (IBM, DEC, Honeywell) had its own proprietary networking system. If you learned IBM's SNA, that knowledge was useless when you sat down in front of DEC's DECnet. There was no shared vocabulary for asking "which part of the communication broke?"

The purpose of this International Standard is to provide a common basis for the coordination of standards development for the purpose of systems interconnection, while allowing existing standards to be placed into perspective within the overall Reference Model.

ISO/IEC 7498-1:1994 - Clause 1, Scope

Separate teams needed to design protocols for different parts of the communication stack without stepping on each other. The model gave them a coordination framework. It was never meant to be deployed as software.

Hubert Zimmermann, the original architect, published six principles for deciding where one layer should end and the next should begin. He wrote these in a 1980 IEEE paper, four years before the model was formally published:

Create a boundary at a point where the description of services can be small and the number of interactions across the boundary is minimised.

Zimmermann, 1980 - Section III, Principles

Seven layers came from this principle. Each boundary had to be narrow enough that you could change the implementation on one side without redesigning the other. Three layers would have been too few (too many responsibilities per layer). Fifteen would have been too many (too much overhead crossing boundaries).

You do not deploy the OSI model. You use it to describe what you deployed. It is a shared vocabulary, not a wiring diagram.

With the purpose of a reference model established, the next step is to see how it divides communication into layers and what responsibility each layer carries.

1.2 How the seven layers fit together

Each layer in the OSI model has a specific responsibility. Data starts at the top (Application layer, where a user clicks "send") and moves down through each layer, picking up headers along the way. On the receiving end, the process reverses. Each layer strips its header and passes the data up.

Here is a quick summary. We will cover each layer in more detail in Module 1.4.

Layer 7, Application. Where software talks to the network. Your browser, email client, or API call lives here. Protocols: HTTP, SMTP, DNS.

Layer 6, Presentation. Handles how data is represented for the application: character encoding, serialisation formats, and cryptographic presentation of data. In the Internet stack these functions are normally implemented by application libraries and protocols rather than by a separate deployed layer.

Layer 5, Session. Describes dialogue management, checkpoints, recovery, and long-lived conversations. Modern systems still need those functions, but HTTP cookies, WebSocket connections, RPC frameworks, and application state usually implement them.

Layer 4, Transport. Responsible for reliable delivery between two endpoints. TCP guarantees delivery and ordering. UDP skips those guarantees for speed.

Layer 3, Network. Handles addressing and routing across networks. IP addresses live here. Routers operate at this layer, deciding which path a packet takes.

Layer 2, Data Link. Moves data between devices on the same local network segment. MAC addresses operate here as local link identifiers. They are often assigned by the network interface vendor, but modern operating systems can change or randomise them. Switches work at this layer.

Layer 1, Physical. The actual electrical signals, light pulses, or radio waves on the wire, fibre, or air. Cables, connectors, and voltage levels.

The diagram below names each layer with its single responsibility and one real-world protocol that operates there. Layer 4 Transport is marked because that is the layer most live troubleshooting starts with: if the transport never connects, nothing above it can run.

The seven OSI layers each own a single responsibility

From the user click at L7 down to electrical signal on the wire at L1, each layer carries the data unit one step closer to the medium.

The seven OSI layers each own a single responsibility Two coordinated views, both full prose-column width. The top view is the OSI seven-layer stack. Each row shows the layer number L7 to L1, the layer name, the responsibility, the Protocol Data Unit name in a pill, and a real protocol example. The bottom view is the encapsulation flow: five cards left to right show the data unit growing wrappers from Application data through Segment, Packet, Frame, to Bits on the wire. Each step's new header is highlighted in red. The Transport layer (L4) is emphasised in both views because it is where most live troubleshooting starts. OSI · 7 LAYERS · ISO/IEC 7498-1 L7 Application Where software speaks to the network DATA HTTP, SMTP, DNS L6 Presentation Encoding, compression, encryption DATA TLS, JSON L5 Session Conversation state between two systems DATA WebSocket L4 Transport Reliable delivery between two endpoints SEGMENT TCP, UDP, QUIC L3 Network Addressing and routing across networks PACKET IP L2 Data Link Local-segment delivery, MAC addresses FRAME Ethernet, Wi-Fi L1 Physical Electrical, optical, or radio signals BITS Cables, fibre, RF ENCAPSULATION · EACH LAYER ADDS A HEADER DATA Application data L7 / L6 / L5 TCP DATA Segment L4 TCP IP DATA Packet L3 TCP IP ETH DATA Frame L2 TCP IP ETH DATA Bits on wire L1 built by ransfordsnotes.com

Each layer carries an unchanged payload from above and adds its own header. The data unit's name changes at each level: Data, Segment, Packet, Frame, Bits.

You have seen what each layer does in isolation. The next question is how the OSI model relates to the Internet stack engineers actually use, and why both remain useful.

1.3 Two models, one reality

OSI defines seven layers. The Internet (TCP/IP) uses four. People sometimes treat these as rivals, but they describe the same underlying communication at different levels of detail.

OSI came from a standards body (ISO) trying to create a universal framework. TCP/IP came from researchers (DARPA) building a working network. OSI won the vocabulary. TCP/IP won the deployment. Both survived because they do different jobs.

essentially combines the functions of the top two layers -- Presentation and Application -- of the OSI reference model.

RFC 1122 - Section 1.1.3, Internet Protocol Suite

The exact RFC 1122 sentence names Presentation and Application, not Session. The broader teaching point is that the Internet model does not expose separate OSI Session and Presentation layers; application protocols and libraries implement those responsibilities inside the application space.

When you troubleshoot a live system, you typically use the four-layer Internet model because it matches how protocols are actually implemented. When you need to describe a responsibility precisely ("this is a transport-layer function"), OSI vocabulary is more specific.

The map below shows how the two models line up. The TCP/IP Application layer absorbs three OSI layers; the TCP/IP Link layer absorbs two; Transport and Network map across one-to-one.

How OSI's seven layers map to the four TCP/IP layers

RFC 1122 says the Internet application layer absorbs OSI Presentation and Application functions; in practice, session responsibilities also live inside application protocols rather than a separate TCP/IP layer.

OSI is a reference model; TCP/IP is the operational stack Two columns side by side. The left column lists the seven OSI layers L7 to L1. The right column lists the four TCP/IP layers Application, Transport, Internet, Link. The Application card spans the three OSI rows it absorbs (L7, L6, L5) and shows each absorbed layer as an inner dashed ghost rectangle. The Link card spans two OSI rows (L2, L1) and shows them as inner ghosts. Transport and Internet map one-to-one to OSI L4 and L3. OSI · 7 LAYERS TCP/IP · 4 LAYERS L7 Application HTTP, DNS, mail L6 Presentation TLS records, formats L5 Session conversation state L4 Transport TCP, UDP, QUIC L3 Network IP routing L2 Data Link Ethernet, Wi-Fi L1 Physical wire, fibre, RF RFC 1123 absorbs APPLICATION L7 Application HTTP, DNS, mail L6 Presentation TLS records, formats L5 Session conversation state RFC 1122 §4 Transport RFC 1122 §3 Internet RFC 1122 §2 absorbs LINK L2 Data Link Ethernet, Wi-Fi L1 Physical wire, fibre, RF built by ransfordsnotes.com

TCP/IP and OSI describe the same reality. RFC 1122 maps Internet Application against OSI Presentation and Application, while modern application protocols also carry session responsibilities.

Good engineers use both depending on context, the same way a builder might use metric drawings for structural work and imperial for plumbing fittings. Knowing when to use which model matters more than memorising either one.

Common misconception

TCP/IP replaced the OSI model.

TCP/IP is a set of protocols you run on real networks. OSI is a reference framework you use to describe what those protocols do. You use TCP/IP protocols and describe their behaviour using OSI vocabulary. CompTIA Network+ N10-009 (Objective 1.1) tests both, because both are useful in practice.

Common misconception

The Session and Presentation layers do not exist in modern networking.

The functions exist under different names. HTTP persistent connections and WebSocket handle long-lived conversations. TLS protects and transforms application data. JSON, XML, and Protocol Buffers define data representation. TCP/IP does not expose dedicated Session and Presentation layers, but the work they described still happens.

Knowing the two models is theoretical. A real outage shows how a failure at one layer cascades through others in ways that only make sense when you can name what each layer is supposed to do.

1.4 When layers fail each other

On August 30, 2020, CenturyLink (now Lumen Technologies) had a five-hour outage that took down Amazon, Twitter, Microsoft, Cloudflare, Reddit, Hulu, and Discord.

The root cause was one badly written Flowspec rule. Flowspec is a BGP extension that lets engineers distribute firewall rules across a network using the same protocol that handles routing (BGP, or Border Gateway Protocol, the system that tells routers how to reach different networks).

The rule was too broad. It matched BGP traffic itself. So every router that received the rule immediately blocked its own BGP connections. When BGP dropped, the routers stopped receiving the bad rule, so BGP came back. When BGP restored, the rule propagated again, and BGP dropped again. A persistent on-off loop across the entire network.

Users saw websites go unreachable (Layer 7). The actual problem was a routing configuration at Layer 3 destroying the protocol that carried it. Without understanding the layer separation, the oscillating pattern makes no sense. With it, the explanation is straightforward: a Layer 3 control-plane function was carrying a rule that killed Layer 3 itself.

Symptoms almost always show up one or two layers away from the actual cause. A user sees "website unreachable." The real problem might be DNS, routing, TLS, or a physical cable. A model gives you the vocabulary to trace backwards.

The outage example shows why layer thinking matters. This final section turns that insight into a practical starting point you can apply the next time a service stops working.

1.6 Where to start when something breaks

When a service fails, resist the urge to guess. Instead, identify the first communication function that stopped working.

A web request goes through these steps, in order:

1. The browser asks DNS for an IP address.
2. The operating system opens a TCP connection to that IP address.
3. TLS negotiates encryption (for HTTPS sites).
4. HTTP sends the actual request and receives a response.

Each step depends on the one before it. If DNS fails, nothing else can happen. If TCP connects but TLS fails, you know the problem is between Layer 4 and Layer 6.

Four checkpoints between a URL and a response

DNS, TCP, TLS, and HTTP each leave a distinct failure signature, and each step depends on the one before it.

Four checkpoints between a URL and a response Four cards in a horizontal chain: DNS, TCP, TLS, HTTP. Each card splits into two visual zones. The top zone shows what the step produces on success (an IP address from DNS, a completed handshake from TCP, a verified channel from TLS, a 2xx response from HTTP). The bottom red-soft zone shows the most common failure signatures (NXDOMAIN, Timeout, Cert error, 5xx). Three 'only then' arrows carry the dependency between adjacent steps. REQUEST STEP 1 RFC 1034 DNS SUCCEEDS WITH Hostname resolves to an IP address. FAILS WITH NXDOMAIN SERVFAIL STEP 2 RFC 9293 TCP SUCCEEDS WITH Three-way handshake with the server completes. FAILS WITH Connect timeout RST refused STEP 3 RFC 8446 TLS SUCCEEDS WITH Cert verified, keys exchanged, channel ready. FAILS WITH Cert expired name mismatch STEP 4 RFC 9110 HTTP SUCCEEDS WITH Server returns 2xx with the response body. FAILS WITH 5xx server error 4xx app error only then only then only then built by ransfordsnotes.com

Start at the top. The first step that fails is where the investigation begins.

Start at the top (can you resolve the domain name?) and work down. The first function that fails is where your investigation begins.

Compare these two statements from the same incident:

"The website is down."

"DNS resolution for this domain returns SERVFAIL from three different resolvers, which suggests the authoritative nameserver is unreachable."

Both people noticed the same symptom. Only the second person told you something you can act on. That is what a model gives you.

Core distinctions

  • A reference model splits communication into layers so that teams can build and troubleshoot each part independently.
  • OSI gives you precise vocabulary for describing responsibilities. TCP/IP matches how real protocols are implemented. You need both.
  • Symptoms almost always appear one or two layers away from the real cause. Trace backwards.
  • When a service fails, name the first communication function that stopped. That is where you start.

Standards and sources cited in this module

  1. ISO/IEC 7498-1:1994, Open Systems Interconnection Basic Reference Model

    Clause 1 (Scope) and Clause 5 (Architecture principles)

    Defines why layered models exist and the criteria for placing layer boundaries. Quoted in Section 1.1 to establish the purpose of the model.

  2. Zimmermann, H. (1980). OSI Reference Model

    IEEE Transactions on Communications, COM-28(4):425-432

    The original design paper with six principles for determining layer boundaries. Quoted in Section 1.1 to explain why there are seven layers.

  3. RFC 1122, Requirements for Internet Hosts: Communication Layers

    Section 1.1.3, Internet Protocol Suite

    Defines the four-layer Internet architecture. Quoted in Section 1.3 to show that the Internet application layer absorbs OSI application and presentation responsibilities without creating a perfect OSI-to-TCP/IP overlay.

  4. CompTIA Network+ N10-009 Exam Objectives

    Domain 1.0, Objective 1.1: OSI reference model

    Current certification standard for networking professionals. Referenced to show that both OSI and TCP/IP knowledge are expected in industry.

  5. Cloudflare Blog: Understanding How Facebook Disappeared from the Internet

    Published October 4, 2021

    Independent technical analysis of the Facebook/Meta outage. Used as the opening case study (Section 1.1) to show cross-layer failure cascading.

  6. Cloudflare Blog: Analysis of Today's CenturyLink/Level(3) Outage

    Published August 30, 2020

    Independent analysis of the BGP Flowspec loop. Used in Section 1.4 to show a control-plane function destroying its own infrastructure.

You now know why layered models exist and how to use them to describe failures precisely. The next module shows what actually happens inside each layer when data moves down the stack: encapsulation turns your application data into frames on the wire, and each header tells the next device what to do.

Module 1 of 21 in Foundations