The Internet Is Not A Seven Layer Network

RFC1122 Specifies Only Four Layers in The Internet Protocol Stack

RealWorldCyberSecurity
The Startup
Apr 3, 2020

It is a common misperception that the Internet is based upon the ISO 7-Layer Model. It is not. It is based upon a software protocol stack defined in RFC1122 that has several differences from the ISO specification.

Only Four Layers!

The second question I always ask someone I’m interviewing for a network security position is, “How many layers are in the Internet Protocol stack?” Invariably the answer given is “seven.” That’s wrong! The correct answer is four. (Arguably, five could be considered a semi-correct answer, but we will get to that in a minute.) Don’t believe me? Read the RFC that defines the IP stack!

I don’t know whether it is more sad or disgusting that so very few network security “experts” have actually read the standards upon which the protocols they are securing are based. After all, how can you properly secure something when you don’t correctly understand its design? All too often, this is just another case of memorizing the standard security mantra without really understanding it.

As per RFC1122, the layers in the IETF’s Internet Protocol Stack are:

IETF Internet Protocol Stack
  • Application
  • Transport
  • Internet
  • Link

However, the layers defined in the RFC cover only the software stack. The RFC discusses the presence of physical connectivity below the Link layer but does not specify it explicitly: because it defines only the software stack, it ignores all the hardware aspects of its implementation. So it is arguably also correct to specify a “Physical” layer below the Link layer, and this is the common practice.

In the IETF stack, there is no distinction made between what the ISO 7-Layer Model calls the Session, Presentation, and Application layers — it is all simply the Application layer in the IETF stack. Many books (and documents on the Internet) try to force-fit various IP-based protocols into the ISO stack’s Session and Presentation layers. Worse, many professional certification courses do the same. However, if you read the RFCs that define those protocols, they all specify everything above the Transport layer as Application layer, as per the IETF stack.
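The layering described above can be seen by dissecting a single frame. The following is an added example, not code from the original post: it splits a constructed Ethernet II/IPv4/TCP frame into the four RFC1122 layers and treats everything after the TCP header as Application data. The names `build_sample_frame` and `dissect`, the addresses, and the payload are assumptions made for illustration.

```python
import struct

# Constructed sample payload: an HTTP request addressed to a placeholder host.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

def build_sample_frame(payload=PAYLOAD):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left as zero)."""
    eth = bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + tcp + payload

def dissect(frame):
    """Split a frame into the four RFC 1122 layers; returns [(layer, protocol, bytes)]."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = [("Link", "Ethernet II", frame[:14])]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 handled in this example")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not a valid IPv4 header")
    ihl = (ip[0] & 0x0F) * 4               # header length includes IP options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IPv4 lengths")
    layers.append(("Internet", "IPv4", ip[:ihl]))
    if ip[9] != 6:
        raise ValueError("only TCP handled in this example")
    seg = ip[ihl:total_len]                 # trims Ethernet padding, if any
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    data_off = (seg[12] >> 4) * 4           # header length includes TCP options
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad TCP data offset")
    layers.append(("Transport", "TCP", seg[:data_off]))
    # RFC 1122 names nothing between Transport and Application: the rest of the
    # segment is application data, whatever framing or encoding it carries.
    layers.append(("Application", "application data", seg[data_off:]))
    return layers

if __name__ == "__main__":
    for layer, proto, raw in dissect(build_sample_frame()):
        print(f"{layer:<12}{proto:<18}{len(raw):>4} bytes")
```

The dissector takes header lengths from the IHL and data-offset fields rather than assuming 20 bytes, so IP or TCP options do not shift the layer boundaries.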

To properly secure a network protocol, you need to understand the standards upon which its implementation is based. That means that you have to actually break down and read the RFCs. A textbook or a certification exam claiming that the Internet is based on the ISO 7-Layer Model does not make that information correct. RTFRFCs!

Summary

The Internet is not based upon the ISO’s 7-layer network model. Rather, it is based upon the IETF’s specifications in various RFCs. RFC1122 specifies the layers of the protocol stack upon which the Internet and all its protocols are based.

The official definition of the IETF’s Internet Protocol Stack defines the following layers:

  • Application
  • Transport
  • Internet
  • Link
  • Physical (implied, but not specified)

Bottom line: The standard security mantra that “the Internet is based on the ISO 7-Layer Model” is flat out incorrect.

Which leads to the obvious question: How can we possibly secure our networks when we are basing our security assumptions upon an incorrect understanding of how the protocols we are attempting to secure are defined, designed, and implemented?

Notes

Just for clarity and completeness:

  • The ISO 7-Layer Model’s proper name is: The ISO/CCITT Basic Reference Model for Open Systems Interconnection, ISO Standard 7498, and CCITT/ITU-T Standard X.200.
  • RFC1122’s proper name is: Internet Standard RFC1122, Requirements for Internet Hosts—Communication Layers.

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.
