TCP/IP Protocol Suite: How the Internet Works
The TCP/IP protocol suite, also called the Internet Protocol Suite, is the set of communication protocols that powers the internet and most private networks. Originally developed in the 1970s by Vint Cerf and Bob Kahn for the US Department of Defense’s ARPANET project, TCP/IP was designed to be robust, decentralized, and media-independent. The core protocols were formalized in RFC 1122 and RFC 1123 (1989), which defined the host requirements still followed today. This guide covers the layered architecture, IP (IPv4 and IPv6), TCP in detail (connection management, flow control, congestion control), UDP, ICMP, and the key application protocols that run over the transport layer.
Architecture of TCP/IP
The TCP/IP model has four layers, each providing services to the layer above. Unlike the seven-layer OSI model, TCP/IP was designed from implementation experience and maps directly to real protocols.
Application Layer
The application layer encompasses protocols that user-facing applications use to communicate over the network. Each protocol uses a well-known port number: HTTP/HTTPS (80/443), DNS (53), SMTP (25, 587), SSH (22), DHCP (67/68), NTP (123). Applications choose either TCP or UDP as the transport protocol based on their reliability and latency requirements.
Transport Layer
The transport layer provides end-to-end data delivery between applications. TCP (Transmission Control Protocol, RFC 9293) provides reliable, connection-oriented, in-order delivery with flow control and congestion control. UDP (User Datagram Protocol, RFC 768) provides lightweight, connectionless, best-effort delivery with minimal overhead.
Internet Layer
The internet layer — the “IP” in TCP/IP — handles logical addressing and packet forwarding. Internet Protocol (IPv4, RFC 791; IPv6, RFC 8200) defines the addressing scheme and packet format. ICMP (Internet Control Message Protocol, RFC 792) provides error reporting and diagnostic functions. ARP (RFC 826) resolves IP addresses to MAC addresses on local Ethernet segments.
Network Access Layer
The network access layer (sometimes called the link layer) handles framing, media access, and physical transmission. It includes Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), and PPP (RFC 1661). The network access layer is implementation-specific — TCP/IP operates identically regardless of whether the underlying medium is copper, fiber, or radio.
Internet Protocol
IP is the workhorse of the internet layer. Each IP packet (datagram) contains a header with source and destination addresses, and a payload carrying the transport-layer segment.
IPv4 Packet Header
The IPv4 header is typically 20 bytes (60 bytes with options). Fields include: Version (4), IHL (header length), Type of Service (used by DSCP/QoS), Total Length, Identification (for fragmentation), Flags, Fragment Offset, TTL, Protocol (6=TCP, 17=UDP, 1=ICMP), Header Checksum, Source IP (32 bits), Destination IP (32 bits). The TTL field, decremented by each router, prevents packets from circulating forever if a routing loop exists.
IPv6 Improvements
IPv6 (RFC 8200) uses 128-bit addresses (340 undecillion) and a streamlined header. Fixed-length 40-byte header with no checksum (removed, relying on layer-2 error detection), no fragmentation (handled by the sender via Path MTU Discovery), and a Flow Label field for per-flow processing. The extension header mechanism replaces IPv4’s variable-length options with optional chained headers — routing headers, fragmentation headers, authentication headers. IPv6 eliminates NAT and restores the end-to-end principle.
TCP in Detail
TCP provides a reliable, connection-oriented, byte-stream service. It ensures data arrives at the destination complete, in order, and without duplicates.
Connection Establishment (Three-Way Handshake)
- SYN: The client sends a TCP segment with the SYN flag set, an initial sequence number (
client_isn), and optionally TCP options (MSS, window scale, selective ACK permitted). - SYN-ACK: The server responds with SYN and ACK flags set, its own initial sequence number (
server_isn), and acknowledgment of the client’s SYN (client_isn + 1). - ACK: The client sends an ACK of the server’s SYN (
server_isn + 1).
After this exchange, both sides can send data. The three-way handshake adds one round-trip time (1-RTT) to connection setup. TCP Fast Open (RFC 7413) reduces this to 0-RTT for repeat connections by caching cryptographic cookies.
Flow Control
TCP flow control prevents a fast sender from overwhelming a slow receiver. The receiver advertises a receive window (rwnd) in every TCP segment, indicating how much buffer space remains. The sender must not transmit more unacknowledged data than the rwnd. The window scale option (RFC 7323) extends the 16-bit window field from 65,535 bytes to up to 1 GB.
Congestion Control
TCP congestion control prevents the network itself from being overloaded. Algorithms include:
Slow start: The sender begins with a congestion window (cwnd) of 10 segments (RFC 6928). For each ACK received, cwnd increases by one segment — effectively doubling every RTT. Slow start continues until packet loss is detected or the ssthresh (slow-start threshold) is reached.
Congestion avoidance: After ssthresh, cwnd increases by one segment per RTT (linear growth, additive increase).
Fast retransmit: If the sender receives three duplicate ACKs for the same sequence number, it retransmits the missing segment immediately without waiting for the retransmission timer to expire.
Fast recovery: After fast retransmit, cwnd is halved and congestion avoidance resumes.
Modern TCP variants include Cubic (default in Linux, optimized for high-bandwidth links) and BBR (Bottleneck Bandwidth and Round-trip, model-based congestion control that does not rely on packet loss as a congestion signal). BBR is used by Google’s internal WAN and YouTube, achieving 2-10x throughput improvement over Cubic on paths with shallow buffers.
Connection Termination
A TCP connection closes through a four-way handshake: one side sends FIN, the other ACKs then sends its own FIN, the first side ACKs. The side that sends the first FIN enters TIME_WAIT state for 2×MSL (Maximum Segment Lifetime, typically 60 seconds). TIME_WAIT ensures that delayed segments from the closed connection expire before the same (IP, port) tuple is reused.
UDP
UDP provides minimal transport: port numbers, length, and an optional checksum. No connection setup, no acknowledgment, no ordering, no flow control. Use cases: DNS queries (single request-response), VoIP (real-time, loss-tolerant), video streaming (occasional glitch is better than a retransmission delay), DHCP (broadcast-based, cannot wait for connection setup), NTP (connectionless time synchronization).
ICMP
ICMP (RFC 792) is not a transport protocol but an ancillary protocol used by IP. Ping sends ICMP Echo Request (type 8) and receives Echo Reply (type 0). Traceroute sends UDP probes with incrementing TTL; each router returns ICMP Time Exceeded (type 11). ICMP also reports Destination Unreachable (type 3) — network (code 0), host (code 1), protocol (code 2), port (code 3), fragmentation needed (code 4, used for PMTUD).
Application Protocols
DNS (port 53, UDP for queries, TCP for zone transfers) translates domain names to IP addresses. DHCP (UDP 67/68) provides automated IP address assignment. HTTP/HTTPS (TCP 80/443) serves web content. SMTP (TCP 25, 587) delivers email. SSH (TCP 22) provides encrypted remote access. SNMP (UDP 161/162) monitors network devices.
FAQ
Q: What is the difference between TCP and UDP for video streaming?
A: Most video streaming (YouTube, Netflix) uses TCP because the player can buffer several seconds of video, hiding retransmission latency. Low-latency streaming (WebRTC, Zoom) uses UDP over RTP because they cannot tolerate TCP’s head-of-line blocking, but they add their own error correction at the application layer.
Q: How does TCP handle out-of-order packets?
A: TCP assigns a sequence number to each byte. The receiver buffers out-of-order segments and delivers them to the application only when the sequence gap is filled. The receiver sends duplicate ACKs for the missing byte, triggering fast retransmit on the sender.
Q: What is the TCP window scale option?
A: The window scale option (RFC 7323) multiplies the 16-bit window field by a scale factor (0-14). Without scaling, the maximum window is 65,535 bytes — severely limiting throughput on high-bandwidth, high-latency paths (the bandwidth-delay product problem). With scaling, the window can reach 1 GB.
Q: Why does IPv6 not have a checksum?
A: IPv6 relies on layer 2 (Ethernet CRC) and upper-layer checksums (TCP/UDP checksum mandatory for IPv6). Removing the IP checksum reduces per-hop processing overhead — one less header field to recompute at each router. IPv4’s header checksum was needed because errors could corrupt the header in transit; modern link-layer technologies have negligible undetected error rates.
Q: What is a TCP half-open connection?
A: A connection in which one side has lost state (crashed, rebooted) while the other side believes the connection is active. The surviving side sends data but receives no acknowledgment, eventually timing out. TCP keepalives (RFC 1122, configurable interval, typically 2 hours) detect half-open connections.
Internal Links
- HTTP and HTTPS Guide — application-layer protocols over TCP
- DNS Guide — how DNS uses both TCP and UDP
- IP Addressing Guide — layer-3 addressing detail
References
- RFC 791, “Internet Protocol”
- RFC 793, “Transmission Control Protocol” (original specification, replaced by RFC 9293)
- RFC 9293, “Transmission Control Protocol (TCP)”
- RFC 768, “User Datagram Protocol”
- RFC 8200, “Internet Protocol, Version 6 (IPv6) Specification”
- RFC 5681, “TCP Congestion Control”
- Fall, K. R. and Stevens, W. R., TCP/IP Illustrated, Volume 1: The Protocols, 2nd ed., Addison-Wesley, 2011
- Kurose, J. F. and Ross, K. W., Computer Networking: A Top-Down Approach, 8th ed., Pearson, 2021, Section 3 (“Transport Layer”)
- Tanenbaum, A. S. and Wetherall, D. J., Computer Networks, 6th ed., Pearson, 2021, Section 6 (“The Transport Layer”)
For a comprehensive overview, read our article on Cabling Standards.
For a comprehensive overview, read our article on Cdn Guide.