The OSI model is a teaching crutch. The model that actually matters is TCP/IP four-layer, and the questions that recur are: where is latency coming from, where is reliability enforced, and where is congestion controlled.
TCP vs UDP, decision-grade
| | TCP | UDP |
|---|---|---|
| Delivery | Reliable, in-order | Best-effort |
| Connection | Handshake (1-RTT, plus TLS) | None |
| Congestion control | Yes (Cubic, BBR) | None — you implement it or DoS yourself |
| Head-of-line blocking | Yes | No |
| Use when | You want a stream and don’t want to handle loss | You want frames, low latency, or your own reliability layer (QUIC, DNS, video) |
QUIC = UDP + the reliability and congestion-control parts of TCP, but per-stream and userspace. HTTP/3 runs on QUIC specifically to dodge TCP head-of-line blocking when one packet is dropped.
TCP’s failure modes
- Slow start. A new connection starts with a tiny cwnd and ramps up. For short connections this dominates — hence connection pooling and HTTP keep-alive.
- Bufferbloat. Routers buffering aggressively to avoid drops cause RTT to balloon. CoDel/fq_codel queue management fixes it; BBR sidesteps it by pacing.
- Nagle + delayed ACK. Two well-meaning optimizations that compose into 200ms latency spikes. Set `TCP_NODELAY` on small request/response protocols.
- TIME_WAIT. A socket sits in TIME_WAIT for 2×MSL after close. High-churn clients exhaust ephemeral ports; reuse connections instead of fixing this with `tcp_tw_reuse`.
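The three mitigations in the list above (pool connections so slow start is paid once, set `TCP_NODELAY`, and reuse rather than churn sockets) can be shown on a loopback socket pair. The following is an added example, not code from the original page: a threaded length-prefixed echo server and a client that keeps a single `TCP_NODELAY` connection open across many request/response rounds. The server name, port selection and framing are constructed for the example.

```python
import socket
import threading


def _recv_exact(sock, n):
    """Read exactly n bytes or return None if the peer closed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def start_echo_server():
    """Start a 2-byte-length-prefixed echo server on 127.0.0.1 (constructed
    test peer). Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Lets the listener rebind while earlier connections still sit in TIME_WAIT.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: kernel picks a free port
    srv.listen()
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by stop()
                return
            with conn:
                conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
                while True:
                    hdr = _recv_exact(conn, 2)
                    if hdr is None:
                        break
                    body = _recv_exact(conn, int.from_bytes(hdr, "big"))
                    if body is None:
                        break
                    # One sendall per response: header and body leave together,
                    # so Nagle has no trailing small segment to hold back.
                    conn.sendall(hdr + body)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


class PooledClient:
    """Keeps one TCP connection open across calls instead of opening one per
    call: slow start and the handshake are paid once, and no TIME_WAIT pile-up."""

    def __init__(self, host, port):
        self.addr = (host, port)
        self.sock = None
        self.connections_opened = 0  # counter to prove reuse in tests

    def _connect(self):
        s = socket.create_connection(self.addr)
        # Disable Nagle: small request frames go out immediately rather than
        # waiting for the peer's delayed ACK.
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        self.sock = s
        self.connections_opened += 1

    def call(self, payload: bytes) -> bytes:
        if self.sock is None:
            self._connect()
        frame = len(payload).to_bytes(2, "big") + payload
        self.sock.sendall(frame)  # single write of header+body
        hdr = _recv_exact(self.sock, 2)
        if hdr is None:
            raise ConnectionError("peer closed connection")
        return _recv_exact(self.sock, int.from_bytes(hdr, "big"))

    def nodelay_enabled(self) -> bool:
        return bool(self.sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY))

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


if __name__ == "__main__":
    port, stop = start_echo_server()
    client = PooledClient("127.0.0.1", port)
    for msg in (b"ping", b"hello", b"world"):
        print(client.call(msg))
    print("connections opened:", client.connections_opened)
    client.close()
    stop()
```

Whether the write-write-read stall actually appears depends on the kernel's delayed-ACK timer (40ms on Linux by default, up to 200ms on other stacks), so the example fixes the pattern rather than measuring it: one write per message, Nagle off, one long-lived connection.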
Latency budget — know it cold
| Hop | Order of magnitude |
|---|---|
| Same datacenter RTT | ~0.5ms |
| Same region, cross-AZ | ~1ms |
| Cross-continent RTT | ~80ms (US ↔ EU), ~150ms (US ↔ APAC) |
| TLS handshake | 1–2 RTT (TLS 1.3 vs 1.2) |
| DNS lookup, cold | 20–100ms |
A user in Singapore hitting a us-east-1 service pays ~180ms just for the TCP+TLS+request roundtrip before you do any work. The options are a CDN, regional replicas, or accepting it, but acknowledge the budget either way.
Ports & protocols that matter
| Port | Protocol | Used for |
|---|---|---|
| 53 | UDP/TCP | DNS |
| 80 | TCP | HTTP |
| 443 | TCP/UDP | HTTPS, HTTP/3 (QUIC) |
| 22 | TCP | SSH |
| 5432 | TCP | Postgres |
| 6379 | TCP | Redis |
DNS is a distributed cache
A lookup goes stub resolver → recursive resolver → root → TLD → authoritative, and each hop honors TTLs. Implication: TTL is your failover knob. Short TTL = fast cutover, more lookup load. A 30s TTL is a reasonable production default for active records; 24h for static.
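The TTL trade-off is easy to see with a simulated resolver cache. This is an added example, not code from the original page: a TTL-honoring cache in front of a constructed zone (`api.example.test`, addresses from the documentation range 192.0.2.0/24), driven by a fake clock, that reports how long clients keep getting the old address after a cutover and how many upstream queries the cache generates.

```python
import time


class TTLCache:
    """Resolver-style cache: an answer is served until its TTL expires,
    then refetched from the authoritative source."""

    def __init__(self, authoritative, clock=time.monotonic):
        # authoritative: name -> (ttl_seconds, [addresses]); a constructed
        # stand-in for the authoritative zone.
        self.authoritative = authoritative
        self.clock = clock
        self.cache = {}  # name -> (expires_at, addresses)
        self.upstream_queries = 0

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and now < hit[0]:
            return list(hit[1])  # TTL not expired: answer from cache
        ttl, addrs = self.authoritative[name]
        self.upstream_queries += 1
        self.cache[name] = (now + ttl, list(addrs))
        return list(addrs)


class FakeClock:
    """Deterministic clock so the simulation runs instantly and offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate_cutover(ttl_seconds, cutover_at=5, horizon=60):
    """A client resolves api.example.test once per second for `horizon` seconds.
    At t=cutover_at the zone is switched to a new address.
    Returns (seconds the client still got the old address after cutover,
             upstream queries issued over the horizon)."""
    name = "api.example.test"
    old, new = "192.0.2.10", "192.0.2.20"
    clock = FakeClock()
    zone = {name: (ttl_seconds, [old])}
    cache = TTLCache(zone, clock)
    stale_seconds = 0
    for t in range(horizon):
        clock.t = float(t)
        if t == cutover_at:
            zone[name] = (ttl_seconds, [new])  # operator flips the record
        answer = cache.resolve(name)[0]
        if t >= cutover_at and answer == old:
            stale_seconds += 1
    return stale_seconds, cache.upstream_queries


if __name__ == "__main__":
    for ttl in (5, 30, 86400):
        stale, queries = simulate_cutover(ttl)
        print(f"TTL {ttl:>6}s: stale for {stale:>2}s after cutover, "
              f"{queries:>2} upstream queries in 60s")
```

With a 30s TTL the cutover lands within the TTL window at the cost of one refetch every 30s; a 24h TTL means the old address is served for the whole horizon; a 5s TTL cuts over at once but multiplies upstream load, which is the "more lookup load" half of the trade-off.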
What TLS gives you
- Confidentiality: nobody on the path reads the payload.
- Integrity: nobody flips bits without detection.
- Server authentication: you’re talking to who you think (via the cert chain — only as good as the trust store).
- It does not give you client authentication (mTLS does), DDoS protection, or replay protection at the application layer (you build that).
TLS 1.3 is 1-RTT, TLS 1.2 is 2-RTT — measurable on cold connections. Always 1.3.
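The properties listed above map directly onto a client's TLS configuration: server authentication comes from certificate verification against the trust store plus hostname checking, client authentication only from presenting your own certificate (mTLS), and the round-trip saving only from refusing anything below 1.3. The following is an added example, not code from the original page, using Python's standard `ssl` module: a hardened client context, a deliberately weakened one, and an `audit` function that reports which of the guarantees a context has given away. The `client_cert` paths are assumptions for the mTLS branch.

```python
import ssl


def client_context(client_cert=None):
    """Client-side context that actually delivers what TLS promises."""
    # Loads the system trust store; the chain check is only as good as that store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # 1-RTT handshake, no downgrade to 1.2
    ctx.check_hostname = True                     # cert must be for the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable chain -> handshake fails
    if client_cert is not None:
        # mTLS: (certfile, keyfile) paths are an assumption of this example.
        certfile, keyfile = client_cert
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_context():
    """The configuration people reach for when a cert error is 'in the way'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return a list of findings describing which TLS guarantees the context drops."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: no server authentication")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any trusted cert for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("TLS below 1.3 permitted: extra RTT and older handshake on cold connections")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(client_context()) or "no findings")
    print("weak:", audit(weak_context()))
```

`audit` is the kind of check to run over every outbound HTTP client at startup: the context is usually built once in a shared module, so one weak setting silently removes confidentiality against an on-path attacker for every request the service makes.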