Six Standards That Built the Net: The Quiet Engineering Behind Every Click, Tap, and Stream
Stanford to ARPA, 1974–1983 • The Protocols That Made Internets Possible
In 1973, Vint Cerf and Bob Kahn faced a problem: ARPANET was one network, packet radio was another, and SATNET was a third — and they couldn't talk to each other. Their solution, sketched in a Hyatt Regency lobby, was a "protocol of protocols" that hid hardware differences behind a uniform packet abstraction. By 1978 they had split the design into TCP (reliable streams) and IP (best-effort packets) — the layered architecture that would carry the next 50 years of internet traffic.
b. 1943 & b. 1938 • Stanford / DARPA
Cerf, then a Stanford professor with deafness corrected by hearing aids, and Kahn, the DARPA program manager who had built ARPANET's IMP, sketched TCP at the 1973 INWG meeting. Their May 1974 paper invented the word "internet." They received the Turing Award (2004) and the Presidential Medal of Freedom (2005). Cerf is still active at Google as Chief Internet Evangelist.
The "god of the internet." RFC editor 1969–1998. Authored the IP and TCP RFCs. Single-handedly ran IANA from his desk at ISI/USC.
Berkeley Unix author. Wrote BSD Sockets (1983) and helped graft TCP/IP into the BSD kernel. Co-founded Sun Microsystems.
LBNL networking guru. His 1988 SIGCOMM paper "Congestion Avoidance and Control" prevented further internet collapses. Also created tcpdump and traceroute.
Wrote RFC 1 in 1969 (Host Software). Established the RFC ("Request for Comments") culture of open, collaborative protocol design that has run for 55+ years.
The ITU's "Open Systems Interconnection" (OSI) suite, with its seven layers and committee-driven design, was the official standard for international networking through the 1980s. TCP/IP, built and shipped by working engineers, won by being free, available, and good enough. The lesson: rough consensus and running code beat elegant standards documents every time. By 1992 even AT&T had given up on OSI.
USC/ISI, 1983 • From HOSTS.TXT to a 13-Root Hierarchy
Until 1983, every ARPANET host had a copy of HOSTS.TXT — a single flat file mapping names to addresses, maintained by Elizabeth Feinler at SRI's Network Information Center. As the network grew past a few hundred hosts, this didn't scale. Paul Mockapetris's 1983 RFC 882/883 designed the Domain Name System: a hierarchical, distributed database where any zone could be delegated to its operator. DNS is the substrate that made human-readable names possible at internet scale.
b. 1948 • USC Information Sciences Institute
UC Irvine PhD. At ISI he was tasked by Postel with replacing HOSTS.TXT. He drafted RFC 882 in November 1983 over a few months, single-handedly designing the recursive-resolution model, the hierarchical namespace, and the 13-root architecture. He was inducted into the Internet Hall of Fame in 2012. He also implemented the first DNS server, JEEVES, on a TOPS-20 system.
Maintained HOSTS.TXT and the WHOIS directory at SRI from 1972–1989. Created the .com, .edu, .gov, .mil, .org, .net top-level domains.
Maintained BIND from 1989–2000. Founded ISC (Internet Systems Consortium). Co-developer of DNSSEC. Led the response to the 2008 Kaminsky vulnerability.
Discovered the 2008 DNS cache-poisoning vulnerability that affected ~80% of name servers. Coordinated a secret multi-vendor patch before public disclosure. Died of diabetic ketoacidosis at 42.
Verisign (A & J), USC/ISI (B), Cogent (C), U Maryland (D), NASA (E), ISC (F), DoD (G), ARL (H), Netnod (I), RIPE (K), ICANN (L), WIDE (M).
If TCP/IP gave the internet its physical addressing, DNS gave it its naming — the difference between knowing 142.250.190.46 and knowing google.com. Both are hierarchical, distributed, and "best-effort" by design (DNS responses are cached and not guaranteed fresh). Both have spawned trillion-dollar businesses (CDNs and registries). Both have survived four decades of growth without fundamental redesign — an extraordinary engineering achievement.
CERN to W3C, 1989–1996 • The Verbs of the Web
Berners-Lee's 1989 proposal needed a protocol to fetch hypertext documents. He invented one almost in passing, calling it "HyperText Transfer Protocol" with two methods (GET and POST) and a simple text-based request-response cycle. Roy Fielding's 1996 RFC 1945 codified HTTP/1.0; his 1999 RFC 2616 specified HTTP/1.1, which would carry the Web for 15 years. HTTP's stateless, text-readable design is one of the most successful examples of "worse is better" in computing history.
b. 1965 • UC Irvine PhD
Co-author of RFC 1945 (HTTP/1.0, 1996) and lead author of RFC 2616 (HTTP/1.1, 1999). His 2000 PhD dissertation defined REST (Representational State Transfer) — the architectural style that became the API standard for the next two decades. Co-founder of the Apache HTTP Server project (1995); served as ASF chairman 1999–2002.
Invented HTTP/0.9 in 1989. Founded the W3C in 1994 to keep the Web's standards open and royalty-free.
Co-author of RFC 1945, then RFC 2616. Worked at CERN with Berners-Lee, then W3C, then Microsoft Research. Helped design SOAP and WSDL.
Co-founder of the Apache HTTP Server (1995), the dominant web server through the 2000s. Apache shipped HTTP/1.1 to the masses and ran ~70% of all websites at peak.
Australian engineer who chaired the IETF HTTP Working Group through HTTP/2 and HTTP/3. Author of dozens of HTTP-related RFCs and the de facto modern editor of the HTTP standards.
In 1993 Gopher was the dominant info protocol — until the University of Minnesota started charging license fees. HTTP was free. FTP was the dominant transfer protocol — but it required two ports and complex stateful handshakes. HTTP was stateless and ran on one port. The Web's openness, simplicity, and zero royalties (CERN, April 1993) demolished every alternative within five years. The lesson: the cheapest, simplest protocol with adequate features always wins.
Netscape to IETF, 1995–2018 • How the Web Got Encrypted
In 1994, Netscape engineers led by Taher Elgamal designed Secure Sockets Layer (SSL) so credit cards could traverse the Web safely. SSL 2.0 (1995) was broken almost immediately; SSL 3.0 (1996) was better; TLS 1.0 (1999) was a renamed standardization. After two decades of cryptographic refinement, TLS 1.3 (RFC 8446, August 2018) finally produced a clean, modern protocol — while Let's Encrypt (2016) made certificates free, ending the era of paid CAs as gatekeepers.
b. 1955 • Egyptian-American Cryptographer
Stanford PhD under Martin Hellman. Joined Netscape as chief scientist in 1994; led the team that designed SSL 2.0 and SSL 3.0. His 1985 PhD dissertation introduced the ElGamal cryptosystem and signature scheme. Inducted into the Marconi Society (2009) and the Internet Hall of Fame (2019). Now CTO of security at Salesforce.
Co-author of SSL 3.0 (1996). Discovered timing-side-channel attacks (1996), differential power analysis (1999), and was a Spectre/Meltdown co-discoverer (2018).
Lead editor of RFC 8446 (TLS 1.3). Mozilla CTO 2018–2023. Author of "SSL and TLS: Designing and Building Secure Systems" (2000), the standard reference.
Cryptographer at UIC. Designed Curve25519 (2005), ChaCha20 stream cipher, and Poly1305 MAC — all now mandatory in TLS 1.3. Litigated Bernstein v. United States (1995) winning the right to publish crypto.
Co-founder and ED of ISRG (Let's Encrypt). Took the project from 2013 idea to dominant CA in 4 years. The most consequential figure in democratizing HTTPS.
SSL/TLS won because it shipped. IPsec, the IETF's "official" encryption standard, was elegant but baroque — and lived in the kernel where applications couldn't easily use it. SSL/TLS lived above TCP and could be added to any application with a handshake. The pattern: deployed adequacy beats unshipped perfection. The same pattern explains why JSON beat XML, HTTP beat OSI, and Git beat Mercurial.
"Three Napkins Protocol", 1989– • The Routing Glue Between 70,000 Networks
The Border Gateway Protocol was famously sketched on three napkins at an IETF meeting in January 1989 by Yakov Rekhter and Kirk Lougheed. Designed as a quick fix for the Exterior Gateway Protocol's limitations, it has run the inter-domain routing of the entire internet for 35 years. Every YouTube stream, AWS region, and Tor circuit relies on BGP advertisements between ~70,000 Autonomous Systems — and a single misconfiguration can take continents offline.
1953–2024 & b. 1958 • IBM & Cisco Engineers
At a January 1989 IETF meeting in Austin, Rekhter (IBM) and Lougheed (Cisco) sat at lunch and on three Hyatt napkins designed a path-vector replacement for EGP. The result was BGP-1 (RFC 1105, June 1989). Rekhter went on to author 100+ RFCs at IBM, Cisco, and Juniper. He died in 2024; the internet ran a moment of silence on the NANOG list.
Cisco engineer who co-authored RFC 1771 (BGP-4) and CIDR (RFC 1518/1519). One of the most prolific RFC authors in IETF history.
APNIC chief scientist. Maintains potaroo.net — the de facto monitoring source for global IPv4 exhaustion, BGP table growth, and routing health.
The internet's preeminent BGP analyst. Documented the AS 7007 incident, the 2008 Pakistan-YouTube hijack, and dozens of state-actor route leaks since.
Dutch engineer who has driven RPKI deployment via NTT, Fastly, and the OpenBSD project (rpki-client). Among the most influential operational figures in modern routing security.
BGP is the internet's most striking example of "good enough" engineering. Its core algorithm hasn't changed since 1995 despite hosting 30 years of growth. The community has bolted on RPKI, route filters, MANRS, BGPsec — but the underlying path-vector protocol Rekhter and Lougheed sketched at lunch still does the job. It's a triumph of pragmatic design over theoretical perfection — and a permanent reminder of how much of the internet runs on baling wire.
Google to IETF, 2012–2022 • Reinventing Transport for the Mobile Era
Jim Roskind at Google noticed in 2012 that TCP's head-of-line blocking was crippling mobile web performance. His "Quick UDP Internet Connections" (QUIC) experiment shipped in Chrome in 2013 and was running ~7% of internet traffic before the IETF had even started standardization. QUIC moves congestion control, encryption, and stream multiplexing into user-space over UDP, bypassing the calcified TCP stack in every router on Earth. RFC 9000 (May 2021) and HTTP/3 (RFC 9114, June 2022) finally standardized what was already deployed.
b. 1953 • Carnegie Mellon PhD, Google Engineer
Veteran of Netscape and Mozilla (where he ran the JavaScript debugger team) before joining Google in 2009. Designed QUIC at Google in 2012 as a private experiment; by 2013 it was deployed in Chrome and Google's servers. By 2017, ~7% of all internet traffic was QUIC. Handed off to the IETF QUIC Working Group when standardization began. He stayed at Google through 2022.
Co-chair of the IETF QUIC working group 2016–2021. Editor of RFC 9114 (HTTP/3). Australian engineer at Akamai, then Cloudflare, then Fastly.
NetApp/MTS veteran. Co-chair of the QUIC WG. Past IETF chair (2014–2017). One of the few engineers to have co-led standardization of an entire transport protocol.
Editor of RFC 9000 (QUIC) and RFC 9001 (QUIC-TLS). Mozilla principal engineer. Author of dozens of HTTP and TLS RFCs.
Maintainer of curl since 1998. Implemented HTTP/3 and QUIC in curl, making the protocols accessible to every command-line user and Linux distribution.
QUIC is the first major internet transport designed in the encryption-first era — you cannot meaningfully run QUIC without TLS 1.3. It also follows the now-classic deploy-first-standardize-later pattern of TCP/IP, BGP, and HTTP itself. Its existence is partly a comment on how ossified the legacy stack had become: middlebox vendors had so calcified TCP that Google found it easier to invent a new protocol on UDP than to fix TCP. The lesson: when you can't change the substrate, change the layer above it.
| Protocol | RFC | Year | Author(s) | Layer | Status |
|---|---|---|---|---|---|
| TCP/IP | 791, 793 | 1981 | Cerf, Kahn, Postel | Network/Transport | Universal |
| DNS | 1034, 1035 | 1987 | Mockapetris | Application (naming) | Universal |
| HTTP | 1945, 2616, 9110 | 1996/1999 | Berners-Lee, Fielding | Application | Universal |
| TLS | 2246 → 8446 | 1999/2018 | Elgamal, Rescorla | Session/Transport | ~95% web |
| BGP | 1105 → 4271 | 1989/2006 | Rekhter, Lougheed | Inter-domain routing | Internet spine |
| HTTP/3 + QUIC | 9000, 9114 | 2021/2022 | Roskind, Thomson | Transport / App | ~30% & rising |
Dave Clark's 1992 IETF motto. TCP/IP, BGP, HTTP, SSL/TLS, and QUIC were all deployed before they were fully standardized. The IETF's job is documenting what works, not designing what should. This is the opposite of the ITU's OSI process — and the reason the IETF won.
"Be liberal in what you accept" enabled decades of evolution, and decades of security holes. Modern protocols (HTTP/2, TLS 1.3, QUIC) explicitly reject the principle: their parsers are strict and malformed input is rejected. The lesson: liberal parsing trades robustness for attack surface.
SSL was bolted onto HTTP. TLS 1.3 made encryption a core requirement, not an option. QUIC went further: you cannot run QUIC without TLS. The trajectory: encryption is moving from optional layer to integrated transport requirement.
TCP/IP's 4-layer stack let each layer evolve independently — until middleboxes calcified TCP. QUIC's solution: move transport into user-space over UDP. The pattern: when one layer ossifies, the next layer up reinvents the lost flexibility.
HTTPS spread once Let's Encrypt made certificates free. SSL was free; Verisign's pay-walled X.509 hierarchy was not. CERN released the Web royalty-free. Linux replaced Solaris. The pattern repeats: when the protocol is free, deployment is exponential.
BGP was deployed in 1989; RPKI for routing security shipped in 2012; full BGPsec is still incomplete. SSL was deployed in 1995; TLS 1.3 took until 2018. DNS was deployed in 1983; DNSSEC root signing happened in 2010. Security follows feature-completion by ~15–20 years.
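The strict-parsing lesson above ("be liberal in what you accept" versus rejecting malformed input), as an added example that is not from the original page: a lenient and a strict parser for an HTTP/1.1 header block, run on constructed input. The function names, the sample bytes and the choice of HTTP/1.1 headers as the format are assumptions made for illustration.

```python
import re

# Constructed sample input, not captured traffic.
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n\r\n"
AMBIGUOUS = (b"Host: example.test\r\n"
             b"Content-Length : 5\r\n"    # whitespace before the colon
             b"content-length: 11\r\n"    # conflicting duplicate
             b"\r\n")

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # HTTP field-name grammar
SINGLETON = {b"host", b"content-length"}              # must not repeat


class MalformedMessage(ValueError):
    """Raised by parse_strict instead of guessing at the sender's intent."""


def parse_liberal(block: bytes) -> dict:
    """Postel-style: any line ending, trim everything, last value wins."""
    headers = {}
    for line in block.replace(b"\r\n", b"\n").split(b"\n"):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_strict(block: bytes) -> dict:
    """Accept only what the grammar allows; reject everything else."""
    if not block.endswith(b"\r\n\r\n"):
        raise MalformedMessage("header block not terminated by CRLF CRLF")
    headers = {}
    for line in block[:-4].split(b"\r\n"):
        if b"\r" in line or b"\n" in line:
            raise MalformedMessage("bare CR or LF inside a header line")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            raise MalformedMessage(f"invalid field name {name!r}")
        key, value = name.lower(), value.strip(b" \t")
        if key in headers and key in SINGLETON:
            raise MalformedMessage(f"repeated singleton field {key!r}")
        headers[key] = headers[key] + b", " + value if key in headers else value
    length = headers.get(b"content-length")
    if length is not None and not length.isdigit():
        raise MalformedMessage("Content-Length is not a decimal number")
    return headers
```

On `AMBIGUOUS`, `parse_liberal` silently settles on a Content-Length of 11, where a first-value-wins peer would read 5; `parse_strict` refuses the message, so there is no second interpretation for another component to disagree with.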