Saturday, August 31, 2019

Thread on the OSI model is a lie

I had a Twitter thread on the OSI model. Below it's compiled into one blog post.

Yea, I've got 3 hours to kill here in this airport lounge waiting for the next leg of my flight, so let's discuss the "OSI Model". There's no such thing. What they taught you is a lie, and they knew it was a lie, and they didn't care, because they are jerks.
You know what REALLY happened when the kid pointed out the king was wearing no clothes? The kid was punished. Nobody cared. And the king went on wearing the same thing, which everyone agreed was made from the finest of cloth.
The OSI Model was created by an international standards organization for an alternative internet that was too complicated to ever work, and which never worked, and which never came to pass.
Sure, when they created the OSI Model, the Internet layered model already existed, so they made sure to include today's Internet as part of their model. But the focus and intent of the OSI's efforts was on dumb networking concepts that worked differently from the Internet.
OSI wanted a "connection-oriented network layer", one that worked like the telephone system, where every switch in between the ends knows about the connection. The Internet is based on a "connectionless network layer".
Likewise, the big standards bodies wanted a slightly different way for Ethernet to work, with an LLC layer on top of Ethernet. That never came to pass. Well, an LLC layer exists in WiFi packets, but as a vestigial stub, like an appendix.
So layers 1 - 4 are at least a semblance of reality, incorporating Ethernet and TCP/IP, but it's layers 5 - 6 where it goes off the rails. There's no Session or Presentation Layer in modern networks.
Sure, the concepts exist, but not as layers, and not with the functionality those layers envisioned.
For example, the Session Layer wanted "synchronization points" to synchronize transactions. Their model never worked, and how synchronization happens on the Internet is vastly more complex, with pretty much everybody designing their own method.
For example, how Google does Paxos synchronization at scale is a big reason for their success. It's an incredibly tough problem for which it's impractical to create a standard. In any case, you wouldn't want it as a "layer".
Sure, HTTP has "session cookies" and SSL has a "session" concept, but that doesn't make these "session layer" protocols.
The OSI Presentation Layer (layer 6) is even more stupider. It was based on dumb terminals connected to mainframes. It was laughably out-of-date before it was even created. Back then, terminals needed to negotiate control codes and character sets.
It's not simply "dumb terminals", it's the fact that most everyone was still stuck on the concept that computer networks were for human-computer communications, rather than computer-computer communications.
The OSI Model they teach is a retconned (retroactive continuity) one that just teaches the TCP/IP model and calls it the OSI Model, and does major handwaving over the non-existent Session and Presentation layers.
Intermission: As a side note to this thread, let me answer this question from the replies.
Thomas W. replied: I've never understood why the "Secure *Socket Layer*" was renamed to "*Transport Layer* Security" in the new version published in 1999, yet most people still seem to refer to it as "SSL" (including Qualys!)
It's because Netscape invented SSL, and Microsoft hated Netscape, so it forced the standards body to change the name to TLS.
It's the same reason the French insist that "ISO" stands for "International Organization for Standardization". I don't put up with that nonsense, because I'm a troll.
So back to our story. I suppose "OSI Model" could be justified if everyone taught the same thing, if it were all based on the same specification. But it isn't. Everyone makes up their own version, like where to put SSL. (The correct answer is "Transport Layer", btw).
As for the question "in which layer does encryption belong?", the correct answer is "all the layers". And then some.
Tim Panton replied: Oh, but there was the whole GOSIP stack that implemented it and was taken seriously - till the DoD mandated TCP/IP.
So this is a myth. The DoD mandated GOSIP; it never mandated TCP/IP. I mean, they did mandate working systems. Since GOSIP never worked, and TCP/IP was the only working alternative, that sorta mandated it.
What happened is that shipping systems came with an OSI stack that could sometimes get two systems from the same vendor talking to each other, but also TCP/IP for when things had to work.
You still see OSI nonsense in industrial control systems (port 102 = OSI Transport Layer on top of TCP). That's because regulatory bodies are stronger in those areas, able to force bad ideas on people no matter how unworkable.
Morons call for "realpolitik", that we could solve problems if only government had the will to overcome objections. But a government with enough political power to overcome objections is how we get bad ideas like OSI.
My first time pentesting a powerplant was sniffing traffic, finding TCP/102 .... and within an hour having an ASN.1 buffer overflow in a critical protocol that crossed firewalls.
Daniel Franke replied: This rant seems incomplete without some mention of The Directory and its surviving vestiges like X.509 and LDAP.
So let's discuss X.509 and LDAP, which both technically descend from the OSI standards bodies. DAP was a typical bloated, unimplementable OSI protocol, so that's why we have "Lightweight DAP" or "LDAP".
X.509 was a typical OSI standard written to serve the interests of big vendors, who wanted to charge lots of money for certificates, instead of customers. That hindered the adoption of encryption until Let's Encrypt put a stop to that nonsense TWO DECADES later.
You millennials have no concept how freakin' long two decades is, and how that's an unreasonable amount of time to not have free certificates for websites.
Here's what you post-millennials/Gen-Z/whatever need to do. When you are in class and they start teaching the OSI model, stand up and shout "THIS IS BS" and walk out of the room. Better yet, organize your classmates to follow you.
Paweł Duda replied: I did not understand everything so please correct me if I'm wrong - is the OSI model a bunch of poorly separated responsibilities?
"What is the OSI Model?" It's the fact that the local network is independent from the Internet, and the Internet is independent of the applications that run on top of it. It's the fact you can swap WiFi for Ethernet, or IPv6 for IPv4, or Signal for WhatsApp.
When we eventually move to IPv7, we won't need to upgrade Ethernet switches. Ethernet and WiFi have no clue what you are doing on top of them. Ancient alternatives like XNS or Novell or NetBEUI also work fine on the latest 802.11ax/WiFi6 router you just bought.
There are a few more subdivisions. Layer 1 (Physical) gets the raw bits transmitted on the wire (or into the air). Layer 2 (Link) gets packets across your local network to the next router. Layer 3 (IPv4/IPv6) gets packets from one end of the Internet to the other.
Layer 4 (TCP/UDP) gets packets from one of many apps running on your machine to one of many apps running on the server. It may also retransmit lost packets. Layer 7 consists of a bunch of different protocols that serve those apps.
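Here is an added example (not code from the original thread) that shows what "the layers are independent" means in practice: a tiny layered decoder in Python, run over two constructed frames, one IPv4/TCP to port 102 and one IPv6/UDP. The Ethernet code only looks at the EtherType, the IP code only at the protocol number, and swapping IPv4 for IPv6 underneath changes nothing in the code above or below it. All MAC and IP addresses and the frames themselves are constructed for the example.

```python
import struct
import ipaddress

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD  # all the link layer knows about what rides above it
IPPROTO_TCP, IPPROTO_UDP = 6, 17                 # all the network layer knows about what rides above it
def addr(raw: bytes) -> str: return str(ipaddress.ip_address(raw))  # works for 4- and 16-byte addresses

def parse_ethernet(frame: bytes) -> dict:
    """Layer 2: 14-byte header; the payload is opaque, identified only by EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype, "payload": frame[14:]}

def parse_ipv4(pkt: bytes) -> dict:
    """Layer 3, IPv4: variable-length header; payload identified only by the protocol number."""
    ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
    return {"src": addr(pkt[12:16]), "dst": addr(pkt[16:20]), "proto": proto, "payload": pkt[ihl:total_len]}

def parse_ipv6(pkt: bytes) -> dict:
    """Layer 3, IPv6: fixed 40-byte header; the next-header field plays the protocol role."""
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    return {"src": addr(pkt[8:24]), "dst": addr(pkt[24:40]), "proto": next_hdr, "payload": pkt[40:40 + payload_len]}

def parse_ports(seg: bytes) -> dict:  # Layer 4: TCP and UDP both begin with 16-bit source and destination ports
    sport, dport = struct.unpack("!HH", seg[:4])
    return {"sport": sport, "dport": dport}

NETWORK = {ETHERTYPE_IPV4: ("IPv4", parse_ipv4), ETHERTYPE_IPV6: ("IPv6", parse_ipv6)}
TRANSPORT = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}

def decode(frame: bytes) -> dict:
    """Walk the layers; each step dispatches on the type field of the layer below, nothing else."""
    eth = parse_ethernet(frame)
    name, parser = NETWORK[eth["type"]]
    net = parser(eth["payload"])
    ports = parse_ports(net["payload"]) if net["proto"] in TRANSPORT else {}
    return {"l3": name, "l4": TRANSPORT.get(net["proto"], "other"), "src": net["src"], "dst": net["dst"], **ports}

# Constructed sample frames (not captured traffic): swapping IPv6 for IPv4 changes nothing in parse_ethernet.
MACS = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC

def frame_ipv4_tcp_102() -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, IPPROTO_TCP, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 102, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN to TCP/102
    return MACS + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def frame_ipv6_udp_53() -> bytes:
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, 8, IPPROTO_UDP, 64,
                      ipaddress.ip_address("2001:db8::1").packed, ipaddress.ip_address("2001:db8::2").packed)
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)
    return MACS + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + udp
```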
No, the OSI Model doesn't have its place. You can teach how layered networking works without teaching the OSI version. The OSI version messes it up rather than clarifying things.

Layers existed before the OSI Model. They didn't invent the idea. They co-opted and changed the idea. When you redefine it back again, you only confuse students. They can pass your test, but not some other test like the CISSP, because the answers won't match. Because it's made up.

3 comments:

popgoesweasel said...

Great post. I had to learn ISO when I was selling cisco (the original spelling is with a small o as it was from San Francisco) products among other vendors. I lived at layers 1 and 2. I also remember selling devices that allowed you to see what was happening to the data streams of vendors like IBM and Uniwhak (UNIVAC for you whippersnappers). RS-232 was king in those days and 9600 bps was like a phenomenal transmission speed on full duplex four wire analog phone lines.

Alberto said...

Many, many years ago I was involved for some time in the transition of a network of VAXes from DECnet phase IV (proprietary protocol) to DECnet phase V (OSI compliant). It was something between a nightmare and a psychopath's delirium from any practical standpoint.

Bogdan Golab said...

In case you miss it:
https://blog.ipspace.net/2019/09/response-osi-model-is-lie.html