Friday, April 27, 2007

An alternate explanation of the OSI model

I was talking to a friend who mentioned that NetBIOS is a "Session Layer" protocol. This isn't true. You see it often classified that way because (1) there are no Session Layer protocols, so that layer is empty, (2) NetBIOS doesn't fit in any layer very well, so that seems as good a place to put it as any, and (3) it uses some words that sound like they might be the same thing (NetBIOS has a service it calls "session", but it's more of a transport-layer service).

The "OSI Model" that everyone learns isn't actually correct. In the 1970s, each computer company had their own networking standards that couldn't talk to each other. So, the international standards organization created a group to create networking standards, the OSI group. Half a decade later, the first thing they could agree on was a blueprint for how they were going to design standards. This "OSI Model" is not a model for how existing networks were designed (such as the Internet), but how the OSI group WANTED to design networks. Since they mostly wanted to design networks for the terminal applications of the 1970s, rather than "peer-to-peer" or "client-server" applications that now dominate the Internet, it was obsolete even before it was standardized.

As a result, the upper 3 layers of the model don't actually exist. There are no Session Layer, Presentation Layer, or Application Layer protocols as envisioned in the early model (although many would argue that today's application protocols are close enough to an Application Layer). The bottom four layers, though, fairly accurately describe today's networks (although not completely).

The biggest problem with the OSI model is that it has created a culture where people have narrow ideas about how networks are supposed to work. For example, TCP has a "byte-streaming" model that isn't supported by OSI's packet (or "PDU", aka "protocol data unit") model. Therefore, you have subtle bugs in e-mail gateways, FTP servers, IDS appliances, etc. because the designers haven't fully understood how byte-streaming works. When I describe networking to people, I often get told by other people that I am "wrong", because I'm describing it in a way that doesn't match the official model.
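The byte-streaming point, as an added example that is not part of the original post: the same bytes can arrive in any segmentation, so a gateway or sensor that treats each received segment as one complete command only works by luck. The SMTP-style lines, the segmentations and all function names are constructed for illustration.

```python
def per_segment_lines(segments):
    """'PDU' thinking: assume every received segment is exactly one command line."""
    return [seg.rstrip(b"\r\n") for seg in segments]


class LineReassembler:
    """Stream thinking: buffer bytes and emit a line only once its CRLF has arrived."""

    def __init__(self, max_line=4096):
        self.buf = bytearray()
        self.max_line = max_line  # bound the buffer so a peer cannot grow it forever

    def feed(self, data):
        self.buf += data
        lines = []
        while True:
            idx = self.buf.find(b"\r\n")
            if idx < 0:
                break
            lines.append(bytes(self.buf[:idx]))
            del self.buf[:idx + 2]
        if len(self.buf) > self.max_line:
            raise ValueError("unterminated line exceeds limit")
        return lines


def stream_lines(segments):
    """Run every segment through one reassembler, as a server loop would."""
    reasm = LineReassembler()
    out = []
    for seg in segments:
        out.extend(reasm.feed(seg))
    return out


# Constructed sample: one byte stream, delivered three different ways.
EXPECTED = [b"HELO client.example", b"MAIL FROM:<a@example.org>"]
STREAM = b"HELO client.example\r\nMAIL FROM:<a@example.org>\r\n"
SEGMENTATIONS = [
    [STREAM],                                                    # both lines in one segment
    [b"HELO client.example\r\n", b"MAIL FROM:<a@example.org>\r\n"],  # one line per segment
    [b"HELO cli", b"ent.example\r", b"\nMAIL FROM:<a@exam", b"ple.org>\r\n"],  # split mid-line
]

if __name__ == "__main__":
    for segs in SEGMENTATIONS:
        print(per_segment_lines(segs) == EXPECTED, stream_lines(segs) == EXPECTED)
```

Only the middle segmentation gives the per-segment parser the right answer; the stream parser gives the same result for all three.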

For example, I like to describe networking with the "as-far-as" model. Each layer is responsible for only getting the data part of the way to the destination. Layer 1 only worries about getting the data as far as the local wire (or into the air in the case of wi-fi). It's not worried about anybody receiving the data. Layer 2 worries about getting data across that wire to the next hop, such as to your nearest router or access point. Layer 3 worries about getting data from hop-to-hop as far as the destination machine. Layer 4 worries about getting data to the receiving application on that machine (the destination machine might be running a web browser, chat program, and e-mail client - this layer makes sure the right application on the machine gets the data).

Another way of describing the layers would be the "unit" model. Layer 1 sends bits. Layer 2 sends frames. Layer 3 sends packets. Layer 4 sends streams. Thus, Layer 1 sends bits out into the air. Layer 2 makes sure a bundle of bits ("frame") reaches the next hop. Layer 3 sends packets from hop to hop across the Internet to the target machine. Layer 4 sends streams of data to the target application.

What's the difference between a Layer 2 "frame" and a Layer 3 "packet"? That's still hard to explain. Back in the early 1990s, I worked on the "Certified Network Expert" certification for sniffer users. The committee that came up with the test had created a question where the right answer was that a router changed the MAC addresses in a frame. While this is what appears to happen (sniff the Ethernet on both sides of a router, and you'll see that the frames/packets are largely identical except for the MAC addresses), that's not what conceptually happens. A frame is like an envelope. Imagine sending a letter to somebody, who removes it from the envelope, puts it into a new envelope, and sends it on to somebody else. The envelopes look identical, but with different addresses, so it looks like the middleman just changed the addresses, but what really happened is that he stripped off the envelope and put a new one on.

Thus, a "frame" is an envelope for a packet that gets it from one hop to the next. A router strips off the envelope when it receives it across a link, then creates a new envelope to send across the next link. In other words, the Layer 2 "frame" is like a picture frame, where the Layer 3 "packet" is the picture.

Another way of looking at the difference between a frame and a packet is that the information in the frame only travels as far as the next hop, but the information in the packet goes all the way across the Internet. The person who receives the packet knows your IP address (Layer 3 address), but does not know your MAC address (Layer 2 address).
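The envelope swap described above, as an added example that is not part of the original post: a toy router discards the incoming Ethernet header and builds a new one around the same IPv4 packet. It goes slightly beyond the text by also showing the TTL decrement and header checksum update a router performs on the packet itself. All addresses are constructed, the header is assumed to carry no IP options, and protocol number 253 (reserved for experimentation) marks the payload as opaque.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """Ones' complement checksum over an IPv4 header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src_ip: bytes, dst_ip: bytes, ttl: int, payload: bytes) -> bytes:
    """Layer 3 'letter': 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, ttl, 253, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def build_frame(dst_mac: bytes, src_mac: bytes, packet: bytes) -> bytes:
    """Layer 2 'envelope': Ethernet II header, EtherType 0x0800 (IPv4)."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet

def parse_frame(frame: bytes) -> dict:
    """Pull out the fields that matter for comparing both sides of the router."""
    pkt = frame[14:]
    return {"dst_mac": frame[0:6], "src_mac": frame[6:12], "ttl": pkt[8],
            "src_ip": pkt[12:16], "dst_ip": pkt[16:20], "payload": pkt[20:],
            "checksum_ok": ip_checksum(pkt[:20]) == 0}

def route(frame: bytes, out_mac: bytes, next_hop_mac: bytes) -> bytes:
    """Router: throw away the old envelope, update the packet, add a new envelope."""
    packet = bytearray(frame[14:])          # incoming frame header is discarded here
    if ip_checksum(bytes(packet[:20])) != 0:
        raise ValueError("corrupt IPv4 header")
    if packet[8] <= 1:
        raise ValueError("TTL expired")
    packet[8] -= 1                          # one hop consumed
    packet[10:12] = b"\x00\x00"             # zero the checksum field, then recompute
    packet[10:12] = struct.pack("!H", ip_checksum(bytes(packet[:20])))
    return build_frame(next_hop_mac, out_mac, bytes(packet))

# Constructed sample: documentation IP ranges, locally administered MACs.
HOST_MAC, ROUTER_IN = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ROUTER_OUT, NEXT_HOP = bytes.fromhex("020000000003"), bytes.fromhex("020000000004")
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])

FRAME_IN = build_frame(ROUTER_IN, HOST_MAC, build_packet(SRC_IP, DST_IP, 64, b"hello"))
FRAME_OUT = route(FRAME_IN, ROUTER_OUT, NEXT_HOP)

if __name__ == "__main__":
    print(parse_frame(FRAME_IN))
    print(parse_frame(FRAME_OUT))
```

Comparing the two parsed frames shows new MAC addresses on the far side, while the IP addresses and payload are carried through unchanged.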

Finally, another way to understand the layers is the addresses. The Layer 1 address is the physical port on your computer where you plug in the wire. The Layer 2 address is the MAC address of your Ethernet or WiFi adapter. The Layer 3 address is your IP address. The Layer 4 address is the address of the application running on your machine (i.e. the port number).


mokum von Amsterdam said...

Very very nice write up that I will now make mandatory reading for all people I talk layers with :D
It will cut end, & point-less discussion to half, instantly. Thank you!

Freedom_Addict said...

Good job and well done! Now I just need to understand level 2,3,4 switches and routers and brouters and bridges...

Unknown said...

This is a wonderful explanation, this will help me a lot in my Cisco Network Fundamentals course!