Network Protocols: Service Interface, Peer Interface, and the Hourglass Model


A protocol defines two interfaces: a service interface (how local objects use the protocol) and a peer interface (how the protocol communicates with its counterpart on a remote host). The internet's hourglass architecture places IP as the narrow waist — any transport can run over IP, and any application can run over IP, enabling independent evolution of link technologies and application protocols.


What a protocol is

A protocol is an abstract object that defines how two entities communicate. Each protocol defines two interfaces:

Service interface: The API the protocol exposes to processes on the same machine. For TCP, this is the socket API — connect, send, recv, close. The service interface defines what operations local applications can invoke.

Peer interface: The format and semantics of messages exchanged between instances of the same protocol running on different machines. For TCP, this is the segment format — SYN, ACK, FIN flags, sequence numbers, window size. The peer interface defines how TCP on machine A talks to TCP on machine B.

Machine A                              Machine B
┌──────────┐                          ┌──────────┐
│ App      │                          │ App      │
│          │  ← service interface →   │          │
│   TCP    │ ════════════════════════ │   TCP    │ ← peer interface
│          │  ← service interface →   │          │
│   IP     │ ════════════════════════ │   IP     │ ← peer interface
│   Eth    │ ════════════════════════ │   Eth    │ ← peer interface
└──────────┘                          └──────────┘

Each layer's peer interface defines the messages exchanged across the network. Each layer's service interface defines the API it presents to the layer above.

The layering principle: encapsulation

Each layer wraps the layer above's data with its own header (and sometimes trailer):

Application data: "GET / HTTP/1.1\r\n..."
         ↓ TCP adds: [src_port, dst_port, seq, ack, flags, ...] + data
TCP segment: [TCP header][HTTP data]
         ↓ IP adds: [src_ip, dst_ip, ttl, protocol, ...] + segment
IP packet: [IP header][TCP header][HTTP data]
         ↓ Ethernet adds: [dst_mac, src_mac, ethertype] + packet + [FCS]
Ethernet frame: [Eth header][IP header][TCP header][HTTP data][FCS]

Each layer at the receiver strips its own header and passes the payload up. No layer needs to understand layers above or below it — TCP doesn't know about HTTP content, Ethernet doesn't know about TCP sequence numbers.
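The wrap-and-strip sequence above, as an added Python example (not code from the original page). It builds the three headers with struct and then decapsulates the frame layer by layer, rejecting inconsistent lengths and a bad IP checksum along the way. The function names and sample addresses are constructed for illustration, and the TCP checksum is left at zero to keep the sketch short.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_wrap(data, sport, dport, seq):
    # ports, seq, ack=0, offset=5 words, PSH|ACK, window, checksum 0 (not computed), urgent
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                       65535, 0, 0) + data

def ip_wrap(segment, src, dst):
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol 6 = TCP
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                      64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + segment

def eth_wrap(packet, dst_mac, src_mac):
    # ethertype 0x0800 = IPv4; the FCS trailer is added by the NIC, omitted here
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet

def decapsulate(frame):
    """Receiver side: each layer checks and strips only its own header."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    packet = frame[14:]                      # link layer done
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or not ihl + 20 <= total_len <= len(packet):
        raise ValueError("inconsistent IP lengths")
    if inet_checksum(packet[:ihl]) != 0 or packet[9] != 6:
        raise ValueError("bad IP checksum or not TCP")
    segment = packet[ihl:total_len]          # network layer done
    data_off = (segment[12] >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad TCP data offset")
    dport = struct.unpack("!H", segment[2:4])[0]
    return {"src_ip": packet[12:16], "dst_port": dport, "payload": segment[data_off:]}

# Constructed sample values (documentation address ranges, local MACs).
SRC_IP, DST_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
```

Every length and offset field the receiver reads here comes off the wire, which is why decapsulate checks each one against the bytes actually present before slicing.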

IP is the narrow waist of the internet — any link technology below, any protocol above


The internet's hourglass design puts IP at the single convergence point. Below IP: Ethernet, WiFi, fiber, cellular, satellite — all different link technologies, all capable of carrying IP packets. Above IP: TCP, UDP, QUIC, ICMP — all running over IP. Above TCP/UDP: HTTP, SMTP, DNS, SSH — all applications. This means a new link technology (5G) can carry IP immediately without any change to TCP or HTTP. A new application protocol (HTTP/3) can run over IP without changing routers. IP is the minimal common denominator that makes this interoperability possible.

Prerequisites

  • TCP/IP model
  • OSI model
  • Encapsulation

Key Points

  • Service interface: the API a protocol exposes to the layer above (socket API for TCP).
  • Peer interface: the message format for communicating with the same protocol on a remote host.
  • Each layer only needs to know its direct neighbors — not the full stack.
  • IP's minimalism (best-effort, connectionless) is intentional: reliability is handled by TCP above, not IP.

Protocol layers in practice

Application Layer:  HTTP, HTTPS, DNS, SMTP, FTP, SSH, WebSocket
Transport Layer:    TCP (reliable stream), UDP (datagram), QUIC
Network Layer:      IP (IPv4, IPv6), ICMP, routing protocols (BGP, OSPF)
Link Layer:         Ethernet, WiFi (802.11), PPP, cellular (LTE)
Physical Layer:     electrical signals, optical, radio

The "OSI model" has 7 layers; TCP/IP typically uses 4. The distinction matters less than the principle: each layer has a well-defined interface to its neighbors and communicates with its peer on the remote host using a defined protocol.

The layers can be violated in practice. QUIC runs over UDP (transport layer) but implements its own reliability (traditionally TCP's job). TLS runs between application and transport layers. Tunneling (VPN) wraps IP packets inside other IP packets. The model is a useful abstraction, not a strict rule.

An HTTP request goes through a proxy. The proxy adds X-Forwarded-For to the request. Which protocol layer is this change happening at?

Difficulty: easy

X-Forwarded-For is an HTTP header. HTTP runs at the application layer.

  • A. Network layer — the proxy modifies the IP source address
    Incorrect. IP NAT does modify source addresses at the network layer. But X-Forwarded-For is an HTTP header, not an IP field. The proxy adds the original source IP to an application-layer HTTP header.
  • B. Application layer — the proxy reads and modifies the HTTP request before forwarding
    Correct! X-Forwarded-For is an HTTP header. Adding or modifying HTTP headers requires the proxy to operate at the application layer — it must parse the HTTP request, modify headers, and re-serialize. This is a Layer 7 proxy (application proxy), as opposed to a Layer 4 proxy that forwards TCP streams without inspecting the application-layer content. nginx in proxy_pass mode, AWS ALB, and Envoy all operate at Layer 7 to add headers like X-Forwarded-For.
  • C. Transport layer — the proxy reads TCP segment headers
    Incorrect. TCP headers contain port numbers, sequence numbers, and flags — not application data. X-Forwarded-For is HTTP content, not TCP header content.
  • D. Link layer — the proxy modifies MAC addresses during forwarding
    Incorrect. Routers and switches modify MAC addresses at the link layer during forwarding. HTTP headers are application-layer content, not link-layer content.

Hint: Which OSI layer does HTTP operate at? What does a proxy need to understand to modify HTTP headers?
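Because X-Forwarded-For lives at the application layer, it is ordinary request data that any client can also send, while the TCP peer address is what the lower layers actually observed. An added Python example (not from the original page) that resolves the client address by walking the header right to left and believing only entries written by known proxies; the function name, the trusted range and the sample addresses are constructed for illustration.

```python
import ipaddress

def client_ip(peer_addr, xff_header, trusted_proxies):
    """Return the address a request should be attributed to.

    peer_addr:       source IP of the TCP connection (observed by the stack)
    xff_header:      raw X-Forwarded-For value or None (application-layer claim)
    trusted_proxies: CIDR strings for the proxies we operate ourselves
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in n for n in nets)

    current = ipaddress.ip_address(peer_addr)
    if not trusted(current) or not xff_header:
        # Direct connection: whatever header the client sent is ignored.
        return str(current)
    # Each proxy appends the address it saw, so the rightmost entries were
    # written by our own infrastructure. Walk right to left and stop at the
    # first address that is not one of our proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = ip
        if not trusted(ip):
            break
    return str(current)
```

Taking the leftmost entry instead would accept whatever value the original client placed in the header before the first proxy appended to it.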