Networking

Protocol fundamentals every backend engineer should be able to reason about. Anchored on invariants — no version pins.

OSI model (the mental map)

Real traffic skips the session layer and often fuses presentation into the application — but the 7-layer model is how engineers agree on "where the bug lives".

Layer	Name	Unit	Examples
1	Physical	Bits	Cables, wireless radio, fiber
2	Data Link	Frames	Ethernet, MAC addresses, switches
3	Network	Packets	IP, routing, routers
4	Transport	Segments	TCP, UDP — ports live here
5	Session	Data	Session mgmt (often merged into app layer)
6	Presentation	Data	TLS, compression, encoding
7	Application	Data	HTTP, gRPC, SMTP, DNS

TCP vs UDP

TCP

Three-way handshake: SYN → SYN/ACK → ACK. Exchanges initial sequence numbers (used to detect lost/reordered packets) and negotiates options (MSS, window scale, SACK).

Four-way teardown: each side sends FIN + receives ACK independently (allows half-close). Shortcut with RST for abnormal termination.

Reliable, ordered, byte-stream — the OS re-assembles out-of-order packets for you
Congestion + flow control are built in — rate adapts to network conditions
Connection setup latency: 1 RTT (2 RTTs including TLS setup)
Head-of-line blocking at the transport layer: one lost packet stalls all data behind it

UDP

Connectionless — no handshake, no ordering, no retransmission
One datagram = one packet (no splitting across packets by the transport)
Good for: DNS queries, video/voice (packet loss < retransmission-delay), gaming, QUIC / HTTP-3 underpinning
If you need reliability, you either build it on top (QUIC does) or use TCP

When to reach for UDP

UDP is the right choice when a retransmitted packet would arrive too late to be useful (voice, video, real-time gaming) or when the protocol wants its own congestion control (QUIC). For almost everything else, use TCP or something built on top of it.

TLS handshake (the shape)

Client says hello with supported ciphers + its ephemeral key share
Server picks a cipher, sends its certificate + its key share
Both sides derive the same symmetric session key (never transmitted — Diffie-Hellman style)
All subsequent application data is encrypted with that symmetric key

Modern TLS completes in 1 RTT (or 0 RTT with session resumption — at the cost of replay risk)
The certificate authenticates the server; mTLS adds client-side authentication
TLS protects confidentiality + integrity + server identity — it does NOT authenticate the application-level user

DNS record types

Type	Purpose	Example
A	IPv4 address for a name	example.com → 93.184.216.34
AAAA	IPv6 address for a name	example.com → 2606:2800:220:1:…
CNAME	Alias one name to another name	www.example.com → example.com
MX	Mail server for a domain	example.com → 10 mail.example.com
TXT	Arbitrary text (SPF, DKIM, verification)	v=spf1 include:_spf.example.com ~all
SRV	Service location — host + port	_sip._tcp.example.com → 10 60 5060 sipserver.example.com
NS	Which name servers are authoritative for a zone	example.com → ns1.example.com
PTR	Reverse lookup — IP to name	34.216.184.93.in-addr.arpa → example.com
CAA	Which CAs may issue certs for this domain	example.com CAA 0 issue "letsencrypt.org"

HTTP status codes

1xx Informational — rarely seen in practice

101 Switching Protocols (WebSocket upgrade)

2xx Success

200 OK
201 Created
202 Accepted
204 No Content

3xx Redirection / cache

301 Moved Permanently
302 Found
304 Not Modified (conditional GET)
307 Temporary Redirect (preserve method)

4xx Client error — the request is wrong

400 Bad Request
401 Unauthorized (missing / bad auth)
403 Forbidden (authed but not allowed)
404 Not Found
409 Conflict
422 Unprocessable Entity
429 Too Many Requests

5xx Server error — the server could not fulfill a valid request

500 Internal Server Error
502 Bad Gateway (upstream returned garbage)
503 Service Unavailable (overloaded / maintenance)
504 Gateway Timeout (upstream did not answer in time)

HTTP caching headers

Header	Purpose
Cache-Control	Master control. `max-age`, `s-maxage`, `no-store`, `private`, `public`, `must-revalidate`
ETag	Opaque version identifier for a resource. Client sends back `If-None-Match`; server returns 304 if unchanged
Last-Modified	Timestamp alternative to ETag. Client sends `If-Modified-Since`
Vary	Tells caches which request headers make a response unique (e.g., `Vary: Accept-Encoding`)
Age	How long (seconds) a cached response has been held

CIDR math

10.0.0.0/24 = "first 24 bits are the network, remaining 8 bits are hosts". Count backwards from 32 to get host bits, then 2^{host bits} is the address count.

Mask	Addresses	Usable hosts	Typical use
/32	1	1	Single host (`10.0.0.1/32`)
/30	4	2	Point-to-point link
/29	8	6	Tiny subnet
/24	256	254	Classic "LAN" size
/22	1,024	1,022	Small team / rack
/16	65,536	65,534	VPC or large private network
/8	16,777,216	16,777,214	10.0.0.0/8 (RFC1918 private space)

Rules of thumb

Each drop of 1 in the prefix doubles the address count.
/32 is one address; every decrement adds a bit to the host portion.
Usable hosts = 2^(32-prefix) − 2 (drop network and broadcast addresses).
Exceptions: /31 (2 addresses, 2 usable — RFC 3021) and /32 (1 address, 1 usable).
To split a /24 into four /26s: each /26 has 2^(32-26) = 64 addresses. The original 0–255 splits into 0–63, 64–127, 128–191, 192–255.