TCP/IP — the four-layer model that actually runs the internet
OSI is the textbook model. TCP/IP is the one your laptop, the routers between your laptop and the server, and the server itself are actually built around. Where OSI has 7 layers, TCP/IP has 4 — but they map to the same physical realities.
The four layers
| TCP/IP layer | What lives here | Maps to OSI |
|---|---|---|
| Application | HTTP, DNS, SMTP, SSH, TLS — whatever a user-facing program speaks | 5, 6, 7 |
| Transport | TCP, UDP, SCTP, QUIC — end-to-end delivery semantics | 4 |
| Internet | IPv4, IPv6, ICMP, IPsec — routing across networks | 3 |
| Link / Network Access | Ethernet, 802.11, PPP — bits on the local medium | 1, 2 |

Some textbooks call the bottom layer "Network Access," others call it "Link," and others treat the physical layer separately. The model is a guideline, not something the IETF cares to enforce.
Why the merge?
OSI's Session and Presentation layers ended up empty in practice. By the time the IETF was building the internet, encryption (TLS) and session management (e.g., HTTP cookies, QUIC streams) were absorbed by application-layer protocols. The Application layer in TCP/IP just contains all the protocols that aren't dealing with packets or routing.
OSI's Physical and Data Link, on the other hand, are tightly bound — Ethernet "the protocol" specifies both the bit-on-the-wire encoding (L1) and the framing (L2). Splitting them out adds bureaucratic clarity but no operational value.
Each layer's identifier
| Layer | Identifies what with what |
|---|---|
| Application | A specific service (TCP/UDP port: 80 for HTTP, 443 for HTTPS, 53 for DNS) |
| Transport | A specific connection (the 5-tuple: src IP + src port + dst IP + dst port + protocol) |
| Internet | A specific host (IP address) |
| Link | A specific NIC on the local link (MAC address) |
When you connect to https://example.com:
- Application decides: "I need to speak HTTPS on port 443 to example.com."
- Transport opens a TCP connection: source port (random, e.g. 49231) → dest port 443.
- Internet picks the right local interface and routes the packet to the destination IP.
- Link wraps the packet in an Ethernet frame to the next-hop's MAC and transmits it.
At every router along the way, the Internet layer makes the routing decision; the Link layer is rebuilt for each hop. The Transport and Application layers ride end-to-end, and intermediate routers do not need to inspect them to forward the packet.
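The connection walk-through above, as an added example (not code from the original page): it builds one constructed Ethernet/IPv4/TCP frame, passes it through a simulated router hop, and reads back the identifier each layer uses. The MAC addresses, IP addresses and function names are assumptions made for the illustration; the ports are the ones used in the text.

```python
import socket
import struct

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Constructed sample: Ethernet II + IPv4 + TCP SYN (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800) + ip + tcp

def forward_hop(frame, new_src_mac, new_dst_mac):
    """Router behaviour: fresh Ethernet header, TTL - 1, everything above untouched.
    (A real router also updates the IPv4 header checksum; omitted here.)"""
    ip = bytearray(frame[14:])
    ip[8] -= 1
    return _mac(new_dst_mac) + _mac(new_src_mac) + frame[12:14] + bytes(ip)

def layer_identifiers(frame):
    """Read the identifier each TCP/IP layer uses out of one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    ihl = (ip[0] & 0x0F) * 4  # header length grows when IP options are present
    if ihl < 20 or len(ip) < ihl + 4:
        raise ValueError("truncated IPv4 or transport header")
    if ip[9] not in (6, 17):
        raise ValueError("not TCP or UDP")
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    fmt = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return {
        "link": (fmt(src_mac), fmt(dst_mac)),  # MAC pair, valid for one hop only
        "internet": (src_ip, dst_ip),          # host addresses, end to end
        "transport": (src_ip, sport, dst_ip, dport, "tcp" if ip[9] == 6 else "udp"),
        "application": dport,  # service port, assuming a client-to-server packet
        "ttl": ip[8],
    }

# Constructed values: documentation IP ranges, made-up MACs, ports from the text above.
FIRST = build_frame("02:00:00:00:00:01", "02:00:00:00:00:fe",
                    "192.0.2.10", "198.51.100.7", 49231, 443)
SECOND = forward_hop(FIRST, "02:00:00:00:01:fe", "02:00:00:00:01:02")
```

`layer_identifiers(FIRST)` and `layer_identifiers(SECOND)` differ only in the link pair and the TTL; the 5-tuple is identical on both sides of the router.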
Why this matters operationally
Troubleshooting always starts at the bottom:
- Is the link up? Cable plugged, light on optic, switch port forwarding?
- Is the internet layer reachable? `ping`, `traceroute`, routing table sane?
- Is the transport opening? `telnet host 443` or `nc`, does it connect or RST?
- Is the application speaking the expected protocol? `curl -v`, `openssl s_client`?
A user complaint about a slow website is, at heart, a question about which layer is the problem. Knowing the model is knowing how to ask the question.
What to remember
- TCP/IP has 4 layers: Application, Transport, Internet, Link.
- It maps directly onto OSI but collapses what real protocols actually merge.
- Each layer has a specific identifier — port, 5-tuple, IP, MAC.
- Troubleshoot from bottom up; ask "which layer is broken" rather than "the network is broken."