BE Computer Engineering (IOE, TU) Computer Networks and Security (IOE, CT 703 / ENCT 304) Question Paper 2078 Nepal

(a) OSI vs. TCP/IP Model [7]

Layer mapping (OSI -> TCP/IP):

OSI layers with no direct counterpart in TCP/IP: The Presentation layer (encoding, encryption, compression) and the Session layer (dialog control, synchronization) have no dedicated layer in TCP/IP; their functions are handled inside the application layer (or by the application itself).

(b) Encapsulation and De-encapsulation [5]

Encapsulation is the process where each layer, as data travels down the stack on the sender, adds its own header (and sometimes a trailer) to the data unit received from the layer above. De-encapsulation is the reverse: as data travels up the stack on the receiver, each layer removes and processes its own header before passing the payload upward.

PDU names and headers added:

Diagram (described): The application Data is wrapped by the Transport header to form a Segment; the Segment is wrapped by the IP header to form a Packet; the Packet is wrapped by the frame header + trailer to form a Frame, which is then sent as bits on the physical medium. Each successive box encloses the previous one, like nested envelopes.

(a) VLSM Design for 192.168.10.0/24 [9]

Allocate largest requirement first. Required hosts -> next power of two (usable = $2^h - 2$):

• A: 60 hosts -> 62 usable -> $/26$ (6 host bits)
• B: 28 hosts -> 30 usable -> $/27$ (5 host bits)
• C: 12 hosts -> 14 usable -> $/28$ (4 host bits)
• D: 10 hosts -> 14 usable -> $/28$ (4 host bits)

(b) Unallocated Address Space [3]

The four subnets consume addresses 192.168.10.0 – 192.168.10.127 (the first half of the /24).

Remaining: 192.168.10.128 – 192.168.10.255 = 128 addresses unallocated (a contiguous block equal to a 192.168.10.128/25). These can be used for future departments or further subnetting.

(a) Distance Vector vs. Link State Routing [5]

(b) Dijkstra from node A [7]

Edges: A-B=1, A-D=4, B-C=3, B-E=2, C-F=1, D-E=5, E-F=1.

Let $D(v)$ = current least-cost estimate; N' = finalized set.

(At each step the unfinalized node with smallest D is added; ties broken arbitrarily.)

Shortest-path tree / least-cost paths from A:

The shortest-path tree uses edges: A–B, A–D, B–C, B–E, E–F.

(a) Symmetric vs. Asymmetric Cryptography [5]

(b) RSA with p = 7, q = 11, e = 13 [7]

Step 1 – Modulus: $n = p \times q = 7 \times 11 = 77$.

Step 2 – Totient: $\varphi(n) = (p-1)(q-1) = 6 \times 10 = 60$.

Step 3 – Private key d: find $d$ with $d \cdot e \equiv 1 \pmod{60}$, i.e. $13d \equiv 1 \pmod{60}$. $13 \times 37 = 481 = 8 \times 60 + 1 \Rightarrow 481 \bmod 60 = 1$. So $d = 37$.

• Public key = $(e, n) = (13, 77)$
• Private key = $(d, n) = (37, 77)$

Step 4 – Encryption of $M = 5$: $C = M^e \bmod n = 5^{13} \bmod 77$. $5^2 = 25,\; 5^4 = 625 \bmod 77 = 9,\; 5^8 = 9^2 = 81 \bmod 77 = 4$. $5^{13} = 5^8 \cdot 5^4 \cdot 5^1 = 4 \cdot 9 \cdot 5 = 180 \bmod 77 = 26$.

Step 5 – Decryption: $M = C^d \bmod n = 26^{37} \bmod 77 = 5$, recovering the original plaintext $M = 5$. ✓

TCP Three-Way Handshake [6]

Before data transfer, TCP establishes a connection and synchronizes sequence numbers using three segments:

   Client                          Server
     |  -------- SYN (seq=x) ------->  |   (1)
     |  <--- SYN-ACK (seq=y, ack=x+1) -|   (2)
     |  -------- ACK (ack=y+1) ------->|   (3)
   ESTABLISHED                    ESTABLISHED

1. SYN: The client sends a segment with the SYN flag set and an Initial Sequence Number (ISN) $x$, requesting a connection.
2. SYN-ACK: The server replies with both SYN and ACK flags set, its own ISN $y$, and acknowledgement number $x+1$ (acknowledging the client's SYN).
3. ACK: The client sends an ACK with acknowledgement number $y+1$, confirming the server's SYN. The connection is now ESTABLISHED.

Purpose of initial sequence numbers (ISNs): Each side chooses a (random) ISN so both ends agree on the starting byte numbers used to order data, detect lost/duplicate segments, and reassemble the byte stream correctly. Randomizing the ISN also prevents old or spoofed segments from a previous connection being mistakenly accepted.

TCP vs. UDP [6]

Example where UDP is preferred: Real-time applications such as live video/voice (VoIP), online gaming, or DNS queries.

Justification: In live VoIP, low latency matters far more than perfect reliability. TCP's retransmission and ordering would introduce delay; a few lost packets cause only a tiny glitch, but waiting to retransmit them would stall the conversation. UDP's lightweight, connectionless delivery keeps latency low, making it the better fit.

Domain Name System (DNS) [6]

Working: DNS is a hierarchical, distributed database that translates human-readable domain names (e.g. www.example.com) into IP addresses. It uses a tree of servers: root servers → Top-Level Domain (TLD) servers (e.g. .com) → authoritative servers for each domain. Clients query through a local/recursive resolver which caches results to speed up future lookups. DNS normally runs over UDP port 53.

Recursive vs. iterative queries:

• Recursive query: The client asks the resolver for the final answer and the resolver does all the work, contacting other servers on the client's behalf and returning only the final IP (or an error).
• Iterative query: The queried server returns the best answer it has — typically a referral to the next server to ask — and the requester must follow up itself.

Resolving www.example.com:

1. The client sends a recursive query to its local DNS resolver.
2. The resolver sends an iterative query to a root server, which refers it to the .com TLD server.
3. The resolver queries the .com TLD server, which refers it to the authoritative server for example.com.
4. The resolver queries the authoritative server, which returns the IP address of www.example.com.
5. The resolver caches the result and returns the IP to the client.

(a) HTTP Persistent vs. Non-Persistent Connections [3]

• Non-persistent (HTTP/1.0 default): A separate TCP connection is opened for each object (HTML page, each image, etc.) and closed after one request–response. Fetching a page with $n$ objects needs $n+1$ connections, incurring repeated handshake (and slow-start) overhead and extra RTTs.
• Persistent (HTTP/1.1 default): A single TCP connection is kept open to send multiple requests/responses, reducing connection-setup overhead and latency. It also supports pipelining. The connection is closed after an idle timeout.

(b) Roles of SMTP, POP3 and IMAP [3]

• SMTP (Simple Mail Transfer Protocol): A push protocol used to send mail — from the sender's client to the mail server and between mail servers (port 25/587).
• POP3 (Post Office Protocol v3): A pull/retrieval protocol that downloads mail from the server to the client, typically deleting it from the server afterwards; suited to single-device access (port 110).
• IMAP (Internet Message Access Protocol): A retrieval protocol that lets the client read and manage mail while it stays on the server, with folder sync across multiple devices (port 143).

CIA Triad [6]

The CIA triad defines the three fundamental security goals of an information system:

• Confidentiality: Ensuring information is accessible only to authorized parties — preventing unauthorized disclosure.
• Integrity: Ensuring information is accurate and unaltered — preventing unauthorized or accidental modification.
• Availability: Ensuring information and services are accessible when needed by authorized users.

Digital Signature [6]

A digital signature is a cryptographic value attached to a message that lets the receiver verify the message's origin (authenticity) and that it has not been altered (integrity), using a hash function and public-key cryptography.

Generation (by sender, using the sender's private key):

1. Compute a fixed-length hash (digest) of the message: $h = H(M)$.
2. Encrypt the hash with the sender's private key to form the signature: $S = E_{priv}(h)$.
3. Send the message $M$ together with the signature $S$.

Verification (by receiver, using the sender's public key):

1. Compute the hash of the received message: $h_1 = H(M)$.
2. Decrypt the signature with the sender's public key: $h_2 = D_{pub}(S)$.
3. If $h_1 = h_2$, the signature is valid — the message is authentic and unmodified; otherwise it is rejected.

Authentication & non-repudiation: Because only the sender holds the private key, a valid signature proves the message came from that sender (authentication). Since no one else could have produced that signature, the sender cannot later deny having sent the message (non-repudiation). The hash comparison additionally guarantees integrity.

Firewall, Filtering Types and DMZ [6]

Function of a firewall: A firewall is a hardware/software security barrier placed between a trusted internal network and an untrusted external network (e.g. the Internet). It inspects incoming and outgoing traffic and permits or blocks it according to a configured security policy (rule set), protecting the network from unauthorized access and attacks.

Packet-filtering vs. stateful inspection firewall:

Demilitarized Zone (DMZ): A DMZ is a separate perimeter subnetwork that sits between the internal LAN and the external network and hosts public-facing servers (web, mail, DNS). Servers that must be reachable from the Internet are placed in the DMZ so that, even if one is compromised, the attacker is isolated from the internal trusted network. It is typically created between two firewalls (or two interfaces of one firewall), adding a layer of defense in depth.

VPN, Tunneling and IPSec Modes [6]

Virtual Private Network (VPN): A VPN creates a secure, encrypted connection (a "private tunnel") over a shared public network such as the Internet, allowing remote users or sites to communicate as if they were on the same private network. It provides confidentiality, integrity and authentication for the traffic.

Tunneling: Tunneling is the technique of encapsulating an entire packet inside the payload of another packet. The original (inner) packet — often encrypted — is wrapped with a new outer header for transport across the public network, then de-encapsulated at the far end. This hides the inner addressing/contents and lets private traffic traverse untrusted networks securely.

IPSec transport mode vs. tunnel mode:

IPv4 vs. IPv6 [4]