A lot of networking courses end where the interesting problems start. You finish the textbook knowing what a TCP segment is, but the first time something breaks in production it's about retransmits or a TLS handshake or a DNS cache. This study path bridges that gap. It walks the textbook in order, then keeps going into the operational details that show up in incidents and design reviews. The reading list is the one working network engineers actually recommend, and the deep dives are protocol-by-protocol walkthroughs you can come back to when you need a specific answer.
Link, network, transport, application. Every layer offers a service to the one above and uses the one below. The OSI seven-layer model is more granular than what actually ships in any production stack; the four-layer TCP/IP model is closer to how engineers usually think about the boundaries.
A finite chunk of bytes with a header (which says where it is going, where it came from, and which layer this is) and a payload (which carries the data for the next layer up). Headers nest: an HTTP request travels inside a TLS record, inside a TCP segment, inside an IP packet, inside an Ethernet frame.
Three identifiers at three layers. The MAC address picks the next hop on the local network; the IP address picks the destination machine across networks; the port number picks the receiving socket on that machine. Each layer makes decisions without knowing the layers above.
TCP delivers an ordered, retransmitted, congestion-controlled byte stream — bytes go in, the same bytes come out the other end, in order, eventually. UDP delivers individual messages, best-effort: they might arrive, they might arrive out of order, they might be duplicated. A lot of higher-layer engineering is about turning one of these into something closer to the other.
A socket is a kernel data structure exposed to programs as a file descriptor. The kernel demultiplexes incoming packets to the right socket using the five-tuple: protocol, source IP, source port, destination IP, destination port. No two TCP sockets on the same machine can share that five-tuple, and everything else is configurable.
Eleven well-defined states with well-defined transitions. The happy path is SYN_SENT → ESTABLISHED → TIME_WAIT. CLOSE_WAIT means the peer has closed the connection and your application has not yet acknowledged that by closing on its side, which is almost always a bug. TIME_WAIT is normal — it's the state a socket sits in for around a minute after close, so the kernel can absorb any straggling packets.
TCP has to share each network path with every other connection on it without overwhelming the slowest link. Reno halves the window on a loss and grows linearly. CUBIC, the modern Linux default, scales the growth curve to high-bandwidth networks. BBR estimates the bottleneck bandwidth and minimum round-trip time directly and paces against those rather than reacting to loss. Which algorithm a connection uses tends to matter more for throughput than the hardware does.
The two endpoints agree on a cipher suite, exchange certificates, derive a shared secret, and start encrypting. TLS 1.3 does this in a single round-trip; if the two have spoken before, 0-RTT is possible (with some replay caveats). The SNI extension tells the server which certificate the client wants; the ALPN extension picks which application protocol — usually HTTP/1.1 vs HTTP/2 — to speak inside the encrypted tunnel.
Translates names to IP addresses using a tree of zones with explicit delegation between them. The stub resolver on the client asks a recursive resolver, which walks the tree from the root down to the authoritative nameserver for the name and caches what it learns along the way. Caches sit at every layer, which is both why DNS is fast on average and why "it sometimes returns the wrong answer" is a recurring production story.
Inside a single network, an interior protocol like OSPF or IS-IS computes shortest paths over a shared link-state database. Between networks, BGP carries reachability information between autonomous systems, choosing routes based on each operator's policy rather than shortest path. The internet works because the policies are mostly compatible; outages tend to be moments when they aren't.
Network Address Translation maps many private IP addresses to one public address by keeping a table of port mappings. Different flavours — full-cone, restricted-cone, port-restricted, symmetric — determine whether direct peer-to-peer connections will work or whether you need to relay through a third party. WebRTC, online games, and torrent clients all rely on STUN, TURN, and ICE to negotiate around NAT.
The general problem of distributing incoming connections across many backends. Layer-4 load balancing operates on the four-tuple in the kernel and is fast; layer-7 inspects the HTTP request itself and is more flexible. Anycast does the work at the routing layer; DNS load balancing does it in the resolver answer; consistent hashing distributes connections within a single load balancer in a way that tolerates backend changes. Each picks a different trade-off between speed, flexibility, and connection stability.
| What | Value |
|---|---|
| Same datacentre RTT | ~0.2–0.5 ms |
| Same metro RTT | ~1–3 ms |
| Cross-continent RTT (US east ↔ west) | ~60–80 ms |
| Trans-Atlantic RTT (NYC ↔ London) | ~70–80 ms |
| Trans-Pacific RTT (US ↔ Tokyo) | ~110–130 ms |
| TCP three-way handshake | 1 × RTT |
| TLS 1.3 handshake (full) | 1 × RTT |
| TLS 1.3 with 0-RTT data | 0 × RTT (with replay risk) |
| DNS lookup (cached) | ~1–10 ms |
| DNS lookup (uncached, 4 hops) | ~50–200 ms |
| Slow-start to fill a 100 Mbps × 80 ms pipe | ~5–7 RTTs |
These are order-of-magnitude figures. The exact numbers depend on the path, the hardware on either end, and the time of day. Treat them as a sanity check — "is the latency I'm measuring in roughly the right neighbourhood" — rather than as targets to optimise against.
Three ordered paths through this material — pick the one that matches where you are now.
Start at the physical layer and climb to the application. Each deep dive builds directly on the one before it.
How the application-layer protocols you use every day are built on top of that transport stack.
The systems that make the internet work at scale: autonomous systems, anycast, service meshes.
The deep dives below are protocol-by-protocol companions to this curriculum. The recommended pace is one or two a week alongside the textbook reading. That gives the spec time to make sense and lets the operational details settle in. The two adjacent study paths — distributed systems and API design — are useful next steps once the networking layer is comfortable.