How the Network Stack Works — Layers, Models, and Where Everything Fits
When your browser loads a web page, dozens of things happen in a precise sequence: DNS resolves the name, a TCP connection is established, TLS encrypts it, HTTP requests the page, and the response flows back through every layer in reverse. Each step is handled by a different protocol, and each protocol operates at a different layer of the network stack.
The layered model is how networking is organized. Each layer has one job, depends on the layer below it, and provides a service to the layer above it. Understanding the layers explains why protocols exist, where they fit, and how they interact.
The TCP/IP Model — What the Internet Actually Uses
The TCP/IP model (also called the Internet model) has four layers. This is the practical model — it matches how real networking software is structured.
| Layer | Name | What it does | Protocols |
|---|---|---|---|
| 4 | Application | What the user sees — web pages, email, APIs | HTTP, DNS, SMTP, SSH, FTP |
| 3 | Transport | Reliable (or unreliable) delivery between processes | TCP, UDP, QUIC |
| 2 | Internet | Addressing and routing across networks | IP (IPv4, IPv6), ICMP |
| 1 | Link | Physical delivery on a single network segment | Ethernet, Wi-Fi, ARP |
Data flows down the stack when sending and up the stack when receiving. Each layer wraps the data from the layer above with its own header — this is called encapsulation.
When you send an HTTP request:
- Application — HTTP formats the request:
GET /index.html HTTP/1.1 - Transport — TCP adds source/destination ports, sequence numbers, checksums
- Internet — IP adds source/destination IP addresses, TTL
- Link — Ethernet adds source/destination MAC addresses, frame check sequence
The result is a packet (technically a frame at the link layer) that contains nested headers — like envelopes inside envelopes. At each hop on the network, the link layer header is stripped and replaced, but the IP and TCP headers travel end-to-end.
The OSI Model — The Theoretical Reference
The OSI (Open Systems Interconnection) model has seven layers. It was designed by the ISO in 1984 as a theoretical framework. No protocol maps perfectly to all seven layers, but the model is universally used as a vocabulary for discussing networking.
| OSI Layer | Name | TCP/IP equivalent | What it does |
|---|---|---|---|
| 7 | Application | Application | User-facing protocols (HTTP, DNS) |
| 6 | Presentation | Application | Data encoding, encryption, compression |
| 5 | Session | Application | Connection management, sessions |
| 4 | Transport | Transport | End-to-end delivery (TCP, UDP) |
| 3 | Network | Internet | Addressing and routing (IP) |
| 2 | Data Link | Link | Frames on a local network (Ethernet) |
| 1 | Physical | Link | Bits on a wire (voltages, light pulses) |
The main difference: OSI splits the application into three layers (application, presentation, session) that TCP/IP combines into one. In practice, TLS roughly corresponds to the presentation layer, and HTTP handles both session and application concerns. But the boundaries are blurry — QUIC merges transport and presentation into one protocol.
When people say "layer 7 load balancer" or "layer 4 firewall," they're using OSI numbers: layer 7 means it inspects HTTP content, layer 4 means it routes based on TCP/UDP ports.
Where Does Each Protocol Fit?
Here's where every protocol covered in this section sits:
Application HTTP/1.1 HTTP/2 HTTP/3 DNS SSH SMTP
| | | | | |
Presentation [TLS] [TLS] [ integrated ]
| | | | | |
Session [TCP manages sessions] [QUIC]
| | | | | |
Transport TCP TCP QUIC UDP TCP TCP
| | | | | |
Internet IP (v4 / v6)
|
Link Ethernet / Wi-Fi
Notice how QUIC breaks the layering: it's a transport protocol that also handles encryption (presentation) and multiplexing (session). This is intentional — the strict layering of TCP + TLS created the RST-on-close problem because two independent protocols had independent shutdown sequences. QUIC eliminates this by being one protocol.
Why Do Layers Matter?
Modularity — each layer can be replaced independently. Switch from HTTP/1.1 to HTTP/2 without changing TCP. Switch from IPv4 to IPv6 without changing HTTP. Switch from Ethernet to Wi-Fi without changing IP. Each layer is a contract: "I provide this service, regardless of what's below me."
Debugging — when something breaks, layers help you isolate the problem. Can you ping the server? (IP works.) Can you connect on the port? (TCP works.) Does the TLS handshake complete? (Certificates work.) Does the HTTP response come back? (Application works.) Each layer narrows the search.
tcpdump — packet captures show headers at every layer. Understanding what you're looking at (IP header, TCP header, TLS record, HTTP request) requires knowing the layer model.
Security boundaries — firewalls operate at different layers. A layer 3 firewall filters by IP address. A layer 4 firewall filters by port. A layer 7 firewall (WAF) inspects HTTP content. eBPF can attach at multiple layers — XDP at the link layer, TC at the network layer, socket filters at the transport layer.
What Doesn't Fit Neatly?
The layered model is a simplification. Real protocols don't always respect boundaries:
QUIC — transport + encryption + multiplexing in one protocol. Runs on UDP but implements TCP-like reliability, TLS-like encryption, and HTTP/2-like multiplexing. It deliberately violates strict layering to solve problems that layering created.
TLS — sits between transport and application. It's not a transport protocol (it doesn't provide delivery guarantees). It's not an application protocol (it doesn't define content). It's a "session/presentation" layer in OSI terms, but in TCP/IP it's just "something the application uses."
VPNs — WireGuard creates a virtual network interface. It encapsulates IP packets inside UDP packets — putting network-layer data inside transport-layer data. This is "tunneling," and it inverts the normal layer ordering.
DNS — uses UDP for most queries (transport layer) but the protocol itself is application-layer. DNS-over-HTTPS puts DNS inside HTTP inside TLS inside TCP — four layers of encapsulation.
The model is a guide, not a law. Use it to organize your thinking, but don't be surprised when protocols cross boundaries.
Next Steps
Now that you understand the stack, dive into each layer:
- How TCP Works — the transport layer that guarantees reliable delivery.
- How UDP Works — the transport layer that trades reliability for speed.
- How DNS Works — name resolution at the application layer using UDP.
- How HTTP Works — the application protocol that runs the web.
- How TLS Works — the encryption layer between transport and application.
- How QUIC Works — the protocol that merges transport, encryption, and multiplexing.