A security architect is documenting where TLS termination, IPsec encapsulation, and IEEE 802.1X authentication operate so that engineering teams can map controls to the OSI reference model consistently. Which statement correctly attributes these controls to OSI layers?
- A. TLS operates at the application layer, IPsec at the transport layer, and 802.1X at the network layer.
- B. TLS operates at the transport layer, IPsec at the data link layer, and 802.1X at the physical layer.
- C. TLS operates at the presentation layer, IPsec at the session layer, and 802.1X at the network layer.
- D. TLS operates between the transport and application layers, IPsec at the network layer, and 802.1X at the data link layer. (Correct)
Why A is wrong: This is the most common confusion: candidates remember that TLS protects HTTPS and treat it as an application-layer protocol, place IPsec near TCP because of port-style policies, and lift 802.1X up from layer 2 to the network layer. Each attribution is wrong because TLS is not an application protocol, IPsec wraps IP packets at layer 3, and 802.1X is a data-link port control.
Why B is wrong: TLS riding directly on TCP makes the transport label tempting, but TLS is not the transport protocol itself. IPsec does not run at layer 2 because it operates on IP packets, and 802.1X authenticates at the port (data link), not at the physical layer where only signalling occurs.
Why C is wrong: Some texts loosely place TLS at presentation, which makes the option look authoritative, but IPsec is never a session-layer protocol because it encapsulates network packets, and 802.1X is a layer 2 control, not a layer 3 one, so the overall mapping is incorrect.
Why D is correct: TLS sits above transport (commonly framed as session or presentation in OSI terms) and shields application payload, IPsec encapsulates at layer 3 and protects IP packets, and 802.1X is a port-based access control at layer 2, which matches how the controls are designed and deployed in practice.