Lesson 3 of 12

The TCP/IP Model

25 min read

The TCP/IP Model — Four Layers of the Internet

The internet is not magic. It is a system built on agreed-upon rules — rules about how data is formatted, addressed, sent, and received. Those rules are organized into layers, and the model that describes those layers is called the TCP/IP (Transmission Control Protocol / Internet Protocol) model.

If you have heard of the OSI (Open Systems Interconnection) model, the TCP/IP model will feel familiar. But there is an important difference: the OSI model is a reference framework — a teaching tool and a conceptual blueprint. The TCP/IP model is what real networks actually use. It describes the internet as it exists and operates today.

This file covers the TCP/IP model in full: what it is, where it came from, what each layer does, how data moves through those layers, and why the model matters for cybersecurity.

Where the TCP/IP Model Came From

The TCP/IP model is sometimes called the Internet model or the DoD (Department of Defense) model. The DoD name comes from its origins. In the late 1960s and early 1970s, the United States Department of Defense funded a research project called ARPANET (Advanced Research Projects Agency Network). The goal was to build a network that could survive partial failures — including, theoretically, a nuclear strike — by routing data around damaged segments rather than relying on a single fixed path.

The protocols that made ARPANET work eventually became TCP and IP, and the layered structure those protocols used became what we now call the TCP/IP model.

Meanwhile, in the 1970s and 1980s, the ISO (International Organization for Standardization) was developing the OSI model as a universal, vendor-neutral framework. OSI was more theoretically complete — seven carefully defined layers with precise responsibilities. TCP/IP was simpler — four layers designed by engineers solving a real problem with working code.

When the internet opened to commercial use in the early 1990s, TCP/IP was already running everywhere. It won not because it was theoretically superior but because it existed, worked, and was open for anyone to implement.

The OSI model remained valuable as a teaching tool and a common language for describing network behavior. That is why you will still see OSI references in documentation, certifications, and security conversations. But when your computer sends an email, it is using TCP/IP.

The Four Layers

The TCP/IP model organizes network communication into four layers. Each layer has a specific job. Each layer communicates with the layer directly above and below it. No layer needs to know the details of how other layers do their work — only the interface between adjacent layers matters. This separation is called abstraction, and it is what makes the system flexible and scalable.

The four layers, from bottom to top, are:

Network Access Layer (also called the Link Layer)
Internet Layer
Transport Layer
Application Layer

Let us look at each one in detail.

Layer 1 — Network Access Layer (also called the Link Layer)

What it does:

The Network Access Layer is the bottom layer of the TCP/IP model. It is responsible for everything that happens on a single physical network segment — the actual transmission of raw data over a wire, a wireless signal, or a fiber optic cable.

If you think about OSI's seven layers, the Network Access Layer combines what OSI calls Layer 1 (Physical) and Layer 2 (Data Link). Instead of separating "how bits get onto the wire" from "how devices on the same network identify each other," TCP/IP folds both concerns into one layer.

What happens here:

The physical medium is handled: copper Ethernet cable, Wi-Fi radio signals, fiber optic light pulses, coaxial cable.
The hardware standards are defined: Ethernet specifies the physical connector shape, the voltage levels used to represent 0s and 1s, the cable categories (Cat5e, Cat6, and so on), and the speed (10 Mbps, 100 Mbps, 1 Gbps, 10 Gbps).
MAC (Media Access Control) addresses are used. A MAC address is a 48-bit hardware identifier burned into a network interface card (NIC — Network Interface Card) by its manufacturer. It looks like this: 00:1A:2B:3C:4D:5E. MAC addresses identify devices on the same local network (within the same broadcast domain). They are different from IP addresses, which you will learn about in the next file.
Devices share the medium and avoid collisions using protocols like CSMA/CD (Carrier Sense Multiple Access with Collision Detection) for wired Ethernet and CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) for Wi-Fi.

Key protocols at this layer:

Ethernet (IEEE 802.3) — the dominant wired LAN (Local Area Network) standard
Wi-Fi (IEEE 802.11) — the dominant wireless LAN standard, with variants like 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac, and 802.11ax (also called Wi-Fi 6)
ARP (Address Resolution Protocol) — translates IP addresses into MAC addresses. When your computer knows the IP address of another device but needs its MAC address to actually deliver the data, it broadcasts an ARP request: "Who has IP address 192.168.1.1? Tell me your MAC address." The device with that IP responds. The mapping is stored in the ARP cache.
PPP (Point-to-Point Protocol) — used for direct connections between two nodes, historically used for dial-up and DSL (Digital Subscriber Line) connections

Data unit at this layer: frame

A frame is the packet of data as it exists on the local network. It includes a header (with source and destination MAC addresses), the payload (the data being carried), and a trailer containing a CRC (Cyclic Redundancy Check) — a mathematical checksum used to detect errors that occurred during transmission.

Layer 2 — Internet Layer

What it does:

The Internet Layer is responsible for logical addressing and routing — getting data from one network to another. While the Network Access Layer handles delivery within a single network, the Internet Layer handles delivery across many interconnected networks. This is what makes the internet (a network of networks) possible.

This layer is equivalent to OSI Layer 3 (the Network Layer).

What happens here:

IP (Internet Protocol) addresses are assigned to devices and used to identify source and destination across the internet. IP addresses are logical (assigned by software and configuration) rather than physical (burned into hardware like MAC addresses).
Routers operate at this layer. A router reads the destination IP address in each packet and uses its routing table to decide where to send the packet next — hop by hop — until the packet reaches its destination network.
The Internet Layer does not guarantee delivery. It makes a "best effort" to route packets to their destination, but it does not track whether they arrived, whether they arrived in order, or whether they were corrupted. Those responsibilities belong to the Transport Layer.

Key protocols at this layer:

IPv4 (Internet Protocol version 4) — the protocol used to address and route most internet traffic. 32-bit addresses.
IPv6 (Internet Protocol version 6) — the successor to IPv4, using 128-bit addresses to solve the address exhaustion problem. Covered in depth in the IP addressing file.
ICMP (Internet Control Message Protocol) — used to send diagnostic and error messages. The ping command uses ICMP echo requests and replies to test whether a host is reachable. Traceroute uses ICMP (or UDP) to discover the path packets take across networks.
IGMP (Internet Group Management Protocol) — manages multicast group memberships. Multicast allows a single packet to be delivered to multiple destinations simultaneously, used in streaming video and routing protocols.

Data unit at this layer: packet

A packet is the data unit at the Internet Layer. It includes an IP header (containing source and destination IP addresses, time-to-live value, protocol identifier, and other fields) plus the payload handed down from the Transport Layer.

Layer 3 — Transport Layer

What it does:

The Transport Layer provides end-to-end communication between applications running on different devices. "End-to-end" means the Transport Layer at the sending device talks to the Transport Layer at the receiving device, transparently, regardless of how many routers the data passed through in between.

This layer is equivalent to OSI Layer 4 (the Transport Layer).

What happens here:

Ports are used to identify which application on a device should receive the data. An IP address gets data to the right device. A port number gets data to the right application on that device. For example, port 80 is HTTP (Hypertext Transfer Protocol), port 443 is HTTPS (HTTP Secure), port 22 is SSH (Secure Shell), and port 25 is SMTP (Simple Mail Transfer Protocol).
Port numbers range from 0 to 65,535. Well-known ports (0–1,023) are assigned to specific services by IANA (Internet Assigned Numbers Authority). Registered ports (1,024–49,151) are used by specific applications. Dynamic or ephemeral ports (49,152–65,535) are temporarily assigned to client connections.
There are two major Transport Layer protocols, each with different characteristics and trade-offs.

TCP (Transmission Control Protocol):

TCP is a connection-oriented protocol. Before any data is sent, TCP establishes a connection using a three-way handshake:

SYN (Synchronize): the client sends a SYN packet to the server, announcing that it wants to start a connection and providing an initial sequence number.
SYN-ACK (Synchronize-Acknowledge): the server responds with a SYN-ACK, acknowledging the client's sequence number and providing its own.
ACK (Acknowledge): the client sends an ACK, confirming the server's sequence number. The connection is now established.

After the handshake, data flows in both directions. TCP guarantees:

Delivery: if a segment is lost, the sender retransmits it.
Order: segments are numbered so the receiver can reassemble them in the correct sequence even if they arrive out of order.
Error checking: a checksum validates each segment.
Flow control: TCP adjusts the rate of transmission to prevent overwhelming the receiver.
Congestion control: TCP detects network congestion and slows down to avoid making it worse.

TCP is used for applications where accuracy matters more than speed: web browsing, email, file transfer, and database queries.

UDP (User Datagram Protocol):

UDP is a connectionless protocol. There is no handshake, no acknowledgment, no retransmission, no ordering guarantee. UDP simply sends packets and hopes they arrive. This sounds bad, but for many applications it is ideal.

UDP trades reliability for speed. If a gaming server sends your position update and the packet is lost, it does not matter — the next update (milliseconds later) will contain your current position. Retransmitting stale data would waste time and bandwidth. The same logic applies to voice calls and video streaming: a dropped packet is better than a delayed one that causes stuttering.

UDP is used for: DNS lookups, live video streaming, online gaming, VoIP (Voice over Internet Protocol), and NTP (Network Time Protocol) synchronization.

Data unit at this layer:

Segment (when using TCP)
Datagram (when using UDP)

Layer 4 — Application Layer

What it does:

The Application Layer is where user-facing protocols live. It is the layer that your web browser, email client, file transfer program, and terminal session interact with. It combines what OSI breaks into three separate layers: Session (OSI Layer 5), Presentation (OSI Layer 6), and Application (OSI Layer 7).

In OSI terms:

The Session Layer handles maintaining, managing, and terminating sessions between applications.
The Presentation Layer handles data formatting, encoding (such as ASCII or UTF-8), encryption, and compression.
The Application Layer provides the actual application-level protocols.

TCP/IP does not separate these concerns because in practice, applications handle them together. TLS (Transport Layer Security) — the encryption protocol used by HTTPS — technically performs presentation-layer functions, but it is implemented as part of the application stack, not as a discrete layer.

Key protocols at this layer:

HTTP (Hypertext Transfer Protocol) — the protocol for transferring web pages. Unencrypted. Runs on port 80.
HTTPS (HTTP Secure) — HTTP protected by TLS encryption. Runs on port 443.
FTP (File Transfer Protocol) — transfers files between hosts. Unencrypted. Uses ports 20 and 21.
SFTP (SSH File Transfer Protocol) — file transfer over SSH. Not the same as FTP. Encrypted. Runs on port 22.
SSH (Secure Shell) — provides an encrypted terminal session to a remote host. Replaced Telnet (which was unencrypted). Runs on port 22.
SMTP (Simple Mail Transfer Protocol) — sends email between mail servers. Runs on port 25 (unencrypted) or 587 (with STARTTLS encryption).
IMAP (Internet Message Access Protocol) — retrieves email from a server while leaving messages on the server. Port 143 (unencrypted) or 993 (encrypted).
POP3 (Post Office Protocol version 3) — retrieves email and typically removes it from the server. Port 110 (unencrypted) or 995 (encrypted).
DNS (Domain Name System) — translates human-readable domain names (like example.com) into IP addresses. Runs on port 53, using UDP for standard queries and TCP for large responses or zone transfers.
DHCP (Dynamic Host Configuration Protocol) — automatically assigns IP addresses, subnet masks, default gateways, and DNS server addresses to devices when they join a network. Client uses port 68; server uses port 67.
TLS (Transport Layer Security) — not an application itself, but an encryption layer wrapping other protocols (HTTP becomes HTTPS, SMTP becomes SMTPS, and so on). TLS replaced SSL (Secure Sockets Layer).
SNMP (Simple Network Management Protocol) — used to monitor and manage network devices such as routers, switches, and printers. Port 161 (UDP).
NTP (Network Time Protocol) — synchronizes clocks across networked devices. Accurate time is essential for log correlation, certificate validation, and Kerberos authentication. Port 123 (UDP).

Data unit at this layer: message or data

The Application Layer does not use a specific term the way lower layers do. The data at this layer is simply called a message, or sometimes just "data" or "payload."

TCP/IP vs. OSI — A Side-by-Side Comparison

Understanding how the two models relate is important because both are used in documentation, vendor specifications, and conversations. Here is how the layers map:

OSI Layer Number	OSI Layer Name	TCP/IP Layer Number	TCP/IP Layer Name
7	Application	4	Application
6	Presentation	4	Application
5	Session	4	Application
4	Transport	3	Transport
3	Network	2	Internet
2	Data Link	1	Network Access
1	Physical	1	Network Access

A few things to notice:

OSI Layers 5, 6, and 7 all collapse into TCP/IP Layer 4 (Application). This is not because those concerns do not matter — they do — but because in real implementations, applications handle all three.
OSI Layers 1 and 2 collapse into TCP/IP Layer 1 (Network Access). Physical transmission and local network addressing are treated as inseparable in practice.
OSI Layers 3 and 4 correspond exactly to TCP/IP Layers 2 and 3, with just a renaming difference: OSI calls it "Network," TCP/IP calls it "Internet."

When security professionals, vendors, and documentation say "Layer 3" they usually mean the Network/Internet Layer (IP and routing). When they say "Layer 7" they usually mean the Application Layer. This OSI numbering is the standard shorthand even in TCP/IP contexts.

Encapsulation — How a Message Gets Wrapped in Headers

One of the most important things to understand about the layered model is encapsulation. Each layer adds its own header (and sometimes a trailer) to the data before passing it down to the next layer. By the time the data reaches the physical medium, it has been wrapped in multiple layers of headers — like an envelope inside an envelope inside an envelope.

Let us walk through a concrete example: your browser sending an HTTP GET request to a web server.

Step 1 — Application Layer:

Your browser creates an HTTP GET request. The message might look something like this:

GET /index.html HTTP/1.1
Host: www.example.com

This is the data at the Application Layer. No headers from lower layers have been added yet.

Step 2 — Transport Layer:

The TCP protocol takes the HTTP message and wraps it in a TCP segment. The TCP header includes:

Source port: a dynamically assigned ephemeral port on your machine, for example 54321
Destination port: 80 (HTTP) or 443 (HTTPS) at the server
Sequence number: a number that identifies where this segment falls in the stream of data
Acknowledgment number: confirms receipt of the other side's data
Flags: SYN, ACK, FIN, RST, and others used to manage the connection
Checksum: for error detection

The result is: [TCP Header] + [HTTP message]

Step 3 — Internet Layer:

IP takes the TCP segment and wraps it in an IP packet. The IP header includes:

Source IP address: your computer's IP address (for example, 192.168.1.50)
Destination IP address: the web server's IP address (for example, 93.184.216.34)
TTL (Time to Live): a counter decremented by each router; when it reaches zero the packet is discarded to prevent infinite loops
Protocol field: identifies what is inside (value 6 means TCP, value 17 means UDP)
Header checksum

The result is: [IP Header] + [TCP Header] + [HTTP message]

Step 4 — Network Access Layer:

Ethernet takes the IP packet and wraps it in an Ethernet frame. The Ethernet header includes:

Source MAC address: the MAC address of your computer's network interface card
Destination MAC address: the MAC address of your default gateway (your router), because the packet's next hop is the router, not the final destination
EtherType field: identifies what protocol is in the payload (0x0800 for IPv4)

The Ethernet frame also adds a trailer containing a CRC (Cyclic Redundancy Check). This is a four-byte value calculated from the contents of the frame. The receiver performs the same calculation and compares the result. If they match, the frame is intact. If they do not, the frame is discarded.

The result is: [Ethernet Header] + [IP Header] + [TCP Header] + [HTTP message] + [CRC Trailer]

Step 5 — Physical transmission:

The frame is converted to a physical signal appropriate to the medium:

Electrical voltage pulses on a copper Ethernet cable
Radio waves modulated at specific frequencies for Wi-Fi
Light pulses in a fiber optic cable

The bits travel across the physical medium to the next device (usually your router).

What happens at the router:

The router receives the Ethernet frame. It checks the destination MAC address to confirm the frame is for it (routers have MAC addresses too). It strips the Ethernet frame (decapsulates at the Network Access Layer), reads the IP header to find the destination IP address, decides where to forward the packet based on its routing table, and re-encapsulates the packet in a new Ethernet frame with new source and destination MAC addresses for the next hop.

This process — strip the frame, read the IP header, re-encapsulate in a new frame — repeats at every router between you and the destination.

Decapsulation at the receiving end:

When the packet reaches the destination web server:

The Network Access Layer receives the Ethernet frame, checks the CRC for errors, strips the Ethernet header and trailer, and passes the IP packet up.
The Internet Layer reads the IP header, confirms the destination IP address matches, strips the IP header, and passes the TCP segment up.
The Transport Layer reads the TCP header, uses the destination port (80) to identify the target application (the web server software), reassembles segments in order, strips the TCP header, and passes the HTTP message up.
The Application Layer (the web server) reads the HTTP GET request and processes it.

This is decapsulation: each layer strips its own header and passes the payload up to the next layer.

PDUs — Protocol Data Units

Each layer has a name for the chunk of data it handles. These names are called PDUs (Protocol Data Units). Knowing the correct name for each layer's data unit is useful for reading documentation and understanding what security tools are reporting.

Layer	PDU Name
Application	Message (or data)
Transport	Segment (TCP) or Datagram (UDP)
Internet	Packet
Network Access	Frame
Physical (implied)	Bit

When a network security tool says it "captures packets," it usually means it captures frames at the Network Access Layer and above — the word "packet" is often used loosely to mean any captured unit of network data.

Why TCP/IP Won Over OSI

This is worth understanding because you will encounter both models throughout your security education, and understanding why TCP/IP became the standard helps you understand how the internet was built.

The OSI model was designed by committee — specifically by the ISO (International Organization for Standardization) with input from national standards bodies, telecommunications companies, and governments. It was comprehensive, carefully thought-out, and intended to be vendor-neutral. It defined seven layers with precise, formally specified interfaces.

The problem was that by the time OSI specifications were finalized and products were being built to implement them, TCP/IP was already deployed and working. ARPANET had grown into the internet. Universities, government agencies, and research institutions were running TCP/IP. Software libraries implementing TCP/IP were freely available and battle-tested.

OSI implementations (like CLNP — Connectionless Network Protocol — an alternative to IP) were developed but never achieved widespread adoption. They were more complex to implement, required specialized hardware, and offered no compelling advantage over what TCP/IP was already doing.

When the commercial internet exploded in the 1990s, ISPs (Internet Service Providers) built on TCP/IP infrastructure, and every device that connected used TCP/IP. OSI became a reference model: useful for teaching, useful as a common vocabulary, but not the protocol stack anyone was running.

The lesson is relevant beyond networking: a working, open, good-enough solution deployed first will usually win over a theoretically superior solution that arrives late.

Why the Layered Model Matters for Security

The TCP/IP model is not just a conceptual tidbit. It has direct, practical consequences for how you think about attacks and defenses.

Attacks target specific layers

Every network attack operates at one or more specific layers. Understanding which layer an attack targets tells you where the defense should be applied.

SYN flood attack (Transport Layer): An attacker sends a large volume of TCP SYN packets to a server but never completes the three-way handshake. The server allocates memory for each half-open connection, waiting for the final ACK that never comes. Eventually the server's connection table fills up and it cannot accept legitimate connections. This is a DoS (Denial of Service) attack targeting the Transport Layer's connection-management mechanism. Defense: SYN cookies, rate limiting, firewalls that detect and block the pattern.
ARP (Address Resolution Protocol) spoofing (Network Access Layer): An attacker sends forged ARP replies, associating their MAC address with another device's IP address. Other devices on the local network update their ARP caches with the false mapping. The attacker now receives traffic intended for the legitimate device — a MitM (Man-in-the-Middle) attack. This is a Network Access Layer attack because ARP operates at that layer. Defense: dynamic ARP inspection on managed switches, static ARP entries for critical devices.
IP (Internet Protocol) spoofing (Internet Layer): An attacker forges the source IP address in a packet to make it appear to come from a trusted or different source. Used in DDoS (Distributed Denial of Service) amplification attacks and to bypass IP-based access controls. IP itself provides no mechanism to verify that the source address is genuine. Defense: ingress filtering (ISPs block packets from their customers that claim to originate from outside the customer's IP range), BCP38 (Best Current Practice 38 — a standard for preventing IP spoofing at the network edge).
DNS (Domain Name System) hijacking (Application Layer): An attacker corrupts DNS responses so that domain names resolve to wrong IP addresses, redirecting users to malicious servers. This is an Application Layer attack because DNS is an Application Layer protocol. Defense: DNSSEC (DNS Security Extensions — cryptographic signing of DNS records), encrypted DNS (DoH — DNS over HTTPS, or DoT — DNS over TLS).
HTTP injection / XSS (Application Layer): SQL injection, cross-site scripting, and HTTP header injection are all Application Layer attacks targeting web application protocols. Defense: WAF (Web Application Firewall), input validation, secure coding practices.

Defense in depth mirrors the layers

Defense in depth — using multiple overlapping security controls — maps naturally onto the layer model. A proper defense does not rely on any single control at any single layer:

Network Access Layer defenses: 802.1X port authentication (requiring devices to authenticate before joining the network), MAC address filtering, managed switches with VLAN (Virtual Local Area Network) segmentation.
Internet Layer defenses: Packet-filtering firewalls inspect IP headers (source/destination IP, protocol) and drop packets that violate policy. ACLs (Access Control Lists) on routers enforce routing policy.
Transport Layer defenses: Stateful firewalls track TCP connection state, allowing return traffic only for established connections. IDS/IPS (Intrusion Detection System / Intrusion Prevention System) analyze patterns in TCP/UDP flows to detect attacks like port scans and SYN floods.
Application Layer defenses: WAFs (Web Application Firewalls) inspect HTTP content for injection attacks. TLS provides encryption. Application proxies inspect and filter specific protocol behavior. Email security gateways inspect SMTP traffic for malware and phishing.

Encapsulation can be abused — tunneling attacks

Encapsulation exists to carry one protocol's data inside another. That same mechanism can be abused. Tunneling attacks hide malicious traffic inside legitimate-looking protocol headers:

DNS tunneling: an attacker encodes stolen data or command-and-control communications inside DNS queries and responses. Because DNS traffic is almost universally allowed through firewalls (blocking it would break the internet), the malicious traffic passes undetected. Security tools that only inspect IP headers and ports will see port 53 UDP traffic — which looks like normal DNS — and allow it.
ICMP tunneling: data is hidden in the data field of ICMP echo (ping) packets. Since ping is often allowed through firewalls and typically not inspected deeply, this can be used to establish a covert channel.
HTTPS tunneling: malware communicates with its command server over encrypted HTTPS, blending in with normal web traffic. Without SSL/TLS (Secure Sockets Layer / Transport Layer Security) inspection — which decrypts and re-encrypts traffic to inspect its contents — the traffic is indistinguishable from legitimate HTTPS.

Understanding encapsulation makes you aware that what a packet claims to carry is not necessarily what it does carry.

Putting It All Together

Here is a summary of the TCP/IP model in one place:

Layer	Number	What It Does	Key Protocols	Data Unit
Application	4	User-facing protocols; data formatting; sessions	HTTP, HTTPS, DNS, DHCP, SMTP, FTP, SSH, TLS	Message
Transport	3	End-to-end delivery; reliability or speed	TCP, UDP	Segment / Datagram
Internet	2	Logical addressing; routing between networks	IPv4, IPv6, ICMP, IGMP	Packet
Network Access	1	Physical transmission; local addressing	Ethernet, Wi-Fi, ARP	Frame

Every time data travels across a network, it moves down through these layers at the sender (gaining headers), across the physical medium, and back up through the layers at the receiver (losing headers). This happens billions of times per second across the internet.

The Bottom Line

The TCP/IP model is the actual protocol architecture of the internet. It has four layers — Network Access, Internet, Transport, and Application — each with specific responsibilities and protocols. Data moves through these layers via encapsulation (headers added going down) and decapsulation (headers stripped going up). The model won over OSI because it was already deployed and working when the internet went commercial. For cybersecurity, the layered model is essential: attacks target specific layers, defenses are deployed at specific layers, and understanding which layer a threat operates at tells you where to look and what to do.

Check Your Understanding

Your company's web server stops accepting new connections, but ping still works and existing TCP sessions remain active. Which layer is most likely affected, and which specific mechanism would you investigate first?
A security analyst says, "The attack is a Layer 3 attack." They are using OSI numbering. Which TCP/IP layer does this correspond to, and which protocols operate there?

Something to Think About

TCP/IP won over OSI partly because it was "good enough and deployed first" rather than because it was theoretically superior. Can you think of other examples in technology or security where a widely deployed, imperfect standard held on even after better alternatives existed? What does this imply for how security professionals should approach legacy systems?
Encapsulation is both what makes the internet function and what makes tunneling attacks possible. The same property that allows HTTP to ride inside TCP inside IP also allows malicious data to ride inside DNS inside UDP inside IP. Given this, is the solution to eliminate encapsulation, or to develop better ways to inspect it? What are the privacy implications of deep packet inspection (inspecting the contents of packets, not just their headers)?

References

Official Specification. RFC 1122 — "Requirements for Internet Hosts — Communication Layers". Internet Engineering Task Force. — Defines the TCP/IP layered architecture and the responsibilities of each layer for internet hosts.
Official Specification. RFC 1123 — "Requirements for Internet Hosts — Application and Support". Internet Engineering Task Force. — Companion to RFC 1122; covers Application Layer protocols and their correct behavior.
Standards Body. IETF — "Internet Architecture". Internet Engineering Task Force. — Overview of how the TCP/IP protocol stack is organized and the IETF's role in maintaining internet standards.
Official Guidance. CISA — "Understanding Network Protocols". Cybersecurity and Infrastructure Security Agency. — Applying protocol knowledge in a defensive security context, including how attackers exploit protocol behavior.