What layer is TLS?

The OSI model, which categorizes communication protocols into successive layers, is just that: a model. It is an attempt at pushing a physical reality into neatly defined, labelled boxes. Nobody ever guaranteed that it works...

Historically, that model was built and published when the ISO was pushing for adoption of its own network protocols. They lost. The World, as a whole, preferred to use the much simpler TCP/IP. The "model" survived the death of its initial ecosystem, and many people have tried to apply it to TCP/IP. It is even commonly taught that way. However, the model does not match TCP/IP well. Some things don't fit in the layers, and SSL/TLS is one of them.

If you look at the protocol details:

  • SSL/TLS uses an underlying transport medium that provides a bidirectional stream of bytes. That would put it somewhere above layer 4.
  • SSL/TLS organizes data as records, that may contain, in particular, handshake messages. Handshake messages look like layer 5. This would put SSL/TLS at layer 6 or 7.
  • However, what SSL/TLS conveys is "application data", which is, in fact, a bidirectional stream of bytes. Applications that use SSL/TLS really use it as a transport protocol. They then use their own data representation and messages and semantics within that "application data". Therefore, SSL/TLS cannot be, in the OSI model, beyond layer 4.

Thus, in the OSI model, SSL/TLS must be in layer 6 or 7, and, at the same time, in layer 4 or below. The conclusion is inescapable: the OSI model does not work with SSL/TLS. TLS is not in any layer.

(This does not prevent some people from arbitrarily pushing TLS in a layer. Since it has no practical impact -- this is just a model -- you can conceptually declare that TLS is layer 2, 5, or 17; it won't be proven false.)


TCP/IP Model

  1. Link Layer
  2. Internet (IP) Layer
  3. Transport Layer
  4. Application

TLS operates between the Transport layer and the Application Layer (kind of). Really it just wraps Application Layer traffic in encryption during transport.

The TLS Key Exchange happens in between the layers. Here it's not really the Transport Layer, because things like port numbers and sequence numbers are already in place at the Transport Layer. It's only sending data to establish encryption protocols so that it can wrap the Application layer.

IPSec sort of does the same thing, only in an earlier layer. IP Security protects everything above the IP layer. Transport Security protects everything above the Transport Layer. The key exchanges for both are in a weird place because they just need to send data to establish the secure layer. A lot like how ICMP is considered an IP protocol, but it still contains data after the IP layer. Does this make it Transport Layer? No.

OSI Model

The OSI model has a bit more granularity.

  1. Physical Layer
  2. Data Link Layer
  3. Network Layer (IP)
  4. Transport Layer (TCP)
  5. Session Layer (TLS)
  6. Presentation Layer
  7. Application Layer (HTTP)

TLS establishes an encrypted session. In the OSI model this is where TLS operates. It sets up its session, and adds a layer of encryption for the Application Layer (HTTP).

A related answer.

Parsing out TLS

In the Transmission Control Protocol Header there is a Data Offset field. This field represents the size of the TCP header in 32-bit words. The minimum size for this value is 5 (20 bytes). This is at a fixed offset from the beginning of the TCP header. Using this value you'll know the size of the TCP header, and can use that to calculate the beginning of the TLS portion.

A TLS Record will always start with a content type, and then the SSL version. There are only 5 different content types, and 4 different versions to worry about. So using the first 3 bytes of the data following the TCP header you should be able to determine if SSL/TLS is being used.

I would run Wireshark on your machine (non-work), and filter on "ssl". Then just browse to https://www.google.com. You'll be able to see the entire handshake. All the layers are broken out for you. It'll give a good representation of how the layers are constructed with TLS, and you'll be able to see each of the TLS Records.
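The Data Offset and first-three-bytes check described in this answer, as an added example that is not part of the original answer. The TCP segments are constructed in the code for illustration (no real capture); the content-type and version tables are the five record types and four record-layer versions the answer refers to.

```python
import struct

# TLS record-layer content types: the five values that can start a record
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                     23: "application_data", 24: "heartbeat"}

# Record-layer version fields seen on the wire (TLS 1.3 records also carry 3,3)
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def tcp_payload(segment: bytes) -> bytes:
    """Return the payload of a raw TCP segment using the Data Offset field.

    Data Offset is the high nibble of header byte 12, counted in 32-bit words,
    so it already accounts for any TCP options that follow the fixed 20 bytes."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    data_offset = segment[12] >> 4
    if data_offset < 5:
        raise ValueError("invalid Data Offset %d (minimum is 5)" % data_offset)
    header_len = data_offset * 4
    if header_len > len(segment):
        raise ValueError("Data Offset points past the end of the segment")
    return segment[header_len:]


def classify_tls_record(payload: bytes):
    """Inspect the first 3 bytes after the TCP header: content type, then version.

    Returns (content_type_name, version_name), or None if it does not look like TLS."""
    if len(payload) < 5:              # a record header is 5 bytes: type, version, length
        return None
    ctype, major, minor = payload[0], payload[1], payload[2]
    if ctype not in TLS_CONTENT_TYPES or (major, minor) not in TLS_VERSIONS:
        return None
    return TLS_CONTENT_TYPES[ctype], TLS_VERSIONS[(major, minor)]


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample TCP segment (not captured traffic): header, options, payload."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to 32-bit words")
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 51234, 443, 1, 1,   # ports, seq, ack
                         data_offset << 4, 0x18,          # Data Offset nibble, PSH+ACK
                         65535, 0, 0)                     # window, checksum (unset), urg
    return header + options + payload


# Constructed samples: a TLS handshake record (0x16, version 3.1) sitting behind
# 12 bytes of NOP options, and a plain-text HTTP request with no options.
SAMPLE_TLS = build_tcp_segment(b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", b"\x01" * 12)
SAMPLE_HTTP = build_tcp_segment(b"GET / HTTP/1.1\r\n")
```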


This answer only addresses the "TLSP" sub aspect of the question.


the list of IP protocol numbers includes "TLSP" as "Transport Layer Security Protocol".

I had never heard of that protocol. It's not the protocol you use to display HTTPS pages.

TLSP seems to be a very obscure protocol. And it was registered in 1994-10. This was before the protocol that we now commonly refer to as "TLS". Back in that day, the protocol was still called "SSL". The first public draft for "TLS" is dated two years later, on 1996-11-26.

See this question for details on the timeline:

  • When did development on various TLS versions begin?

The IANA names "[email protected]" as the registrant. That name does not ring a bell for me. The bull.se website is also no longer active.

There is in fact a LinkedIn page for one Swedish Christer Öberg who worked for a "Bull" company as "CTO security solutions" in 1994. I'm guessing that's the guy that once submitted the "TLSP" registration. (And also that he's the only one who can tell you what "TLSP" really was.)
