BE Computer Engineering (IOE, TU) Computer Networks and Security (IOE, CT 703 / ENCT 304) Question Paper 2079 Nepal

OSI Reference Model vs TCP/IP Protocol Suite

(a) Side-by-side layered architecture

The OSI Application, Presentation and Session layers together correspond to the single TCP/IP Application layer; OSI Transport maps to TCP/IP Transport; OSI Network maps to the Internet layer; and OSI Data Link + Physical map to the TCP/IP Network Access layer.

(b) Functions, protocols and PDUs of TCP/IP layers

• Application layer – provides services directly to user processes; handles representation, encoding and dialog control. Protocols: HTTP, FTP, SMTP, DNS, DHCP, SNMP. PDU: message/data.
• Transport layer – end-to-end (process-to-process) delivery, segmentation/reassembly, port addressing, reliability and flow/congestion control. Protocols: TCP (reliable, connection-oriented), UDP (unreliable, connectionless). PDU: segment (TCP) / datagram (UDP).
• Internet layer – logical addressing and routing of packets across networks, fragmentation. Protocols: IP (IPv4/IPv6), ICMP, ARP, routing protocols (OSPF, BGP). PDU: packet/datagram.
• Network Access (Link) layer – framing, physical/MAC addressing, media access and transmission of bits over the medium. Protocols: Ethernet, Wi-Fi (802.11), PPP. PDU: frame (and bits on the medium).

(c) Why TCP/IP overtook OSI

• TCP/IP came first and had working implementations (running on ARPANET/the Internet) while OSI was still only a paper standard.
• OSI is more complex with seven layers and overlapping/under-used Session and Presentation layers, making it heavier to implement.
• TCP/IP was free, open and bundled with Unix/BSD, giving it a large installed base and momentum.
• OSI standardization was slow and committee-driven, so by the time products appeared the Internet's TCP/IP stack already dominated.
• OSI's strict layering is prescriptive, whereas TCP/IP is pragmatic and protocol-driven. Today OSI survives mainly as a teaching/reference model, while TCP/IP is the real operational stack.

VLSM design for 192.168.10.0/24

Allocate subnets from the largest host requirement first (VLSM rule). Required usable hosts: 50, 25, 12, 10. Choose the smallest block of size $2^h$ that gives $2^h - 2 \ge$ requirement.

(a) Addressing plan

(b) Unallocated address space

Addresses 0–127 (128 addresses) are used. Addresses 192.168.10.128 – 192.168.10.255 remain free = 128 addresses (one unused /25, or equivalently 2 × /26). These can be further subnetted for future growth.

(c) Advantages of VLSM over fixed-length subnetting

• Efficient address utilisation – each subnet is sized to its actual need, minimising wasted host addresses.
• Flexible/hierarchical design – supports networks of very different sizes, and freed blocks can be route-summarised.
• Reduces routing-table size through summarisation, unlike FLSM which forces every subnet to the same size and wastes space.

Routing algorithms

(a) Distance-Vector vs Link-State

(b) One Bellman-Ford iteration

Topology: node A has neighbours B (cost 1) and C (cost 4). B advertises its distance to destination D as $D_B(D)=2$; C advertises $D_C(D)=1$.

Bellman-Ford update at A:

$$D_A(D)=\min_{v\in N(A)}\{ c(A,v) + D_v(D) \}$$ $$= \min\{\, c(A,B)+D_B(D),\; c(A,C)+D_C(D)\,\}$$ $$= \min\{\,1+2,\; 4+1\,\} = \min\{3,5\} = 3$$

So A updates its cost to D as 3 via neighbour B (next hop = B).

(c) Count-to-infinity problem and mitigation

Problem: When a link or node fails, distance-vector routers may keep advertising stale routes to each other, each incrementing the metric by one in a slow loop, so the cost slowly "counts up" toward infinity before convergence. Example: if the route to a failed destination is lost, two routers can bounce an out-of-date route back and forth, each adding 1.

Two mitigation techniques:

1. Split horizon – a router never advertises a route back out of the interface from which it learned that route (optionally with poison reverse, where it advertises the route back with metric = infinity).
2. Route poisoning / hold-down timers – a failed route is immediately advertised with an infinite metric (e.g. 16 in RIP), and hold-down timers prevent accepting worse updates for a short period until the network stabilises. (Defining a small "infinity" value such as 16 also bounds the counting.)

Cryptography and PKI

(a) Symmetric vs Asymmetric cryptography

Merits/limits: Symmetric is fast but suffers from the key-distribution problem and cannot natively provide non-repudiation. Asymmetric solves key distribution and enables signatures but is computationally expensive; in practice both are combined (hybrid: asymmetric to exchange a symmetric session key).

(b) RSA algorithm

Key generation:

1. Choose two large primes $p, q$; compute $n = p \cdot q$.
2. Compute Euler's totient $\phi(n) = (p-1)(q-1)$.
3. Choose public exponent $e$ with $1 < e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$.
4. Compute private exponent $d \equiv e^{-1} \pmod{\phi(n)}$.

• Public key = $(e, n)$; Private key = $(d, n)$.

Encryption (confidentiality): sender uses receiver's public key: $C = M^{e} \bmod n$.

Decryption: receiver uses its private key: $M = C^{d} \bmod n$.

Digital signature: signer encrypts (signs) a message hash with its private key, $S = H(M)^{d} \bmod n$; anyone verifies with the signer's public key, $H(M) = S^{e} \bmod n$. This proves authenticity, integrity and non-repudiation.

(c) Digital certificates and CA in PKI

A digital certificate (X.509) binds an identity to a public key and contains the subject name, public key, validity period, issuer, and the CA's digital signature. A Certificate Authority (CA) is a trusted third party that verifies an applicant's identity and signs its certificate with the CA's private key. Anyone holding the CA's public key (pre-installed in browsers/OS as a trusted root) can verify the certificate's signature, thereby trusting that the public key truly belongs to the named entity. This chain of trust (root CA → intermediate CAs → end-entity) prevents man-in-the-middle key substitution and underpins PKI and HTTPS/TLS.

TCP connection and reliability

(a) TCP three-way handshake

Client                                  Server
  |  --- SYN, seq=x ------------------>  |   (1) client opens, ISN = x
  |                                      |
  |  <-- SYN, ACK, seq=y, ack=x+1 -----  |   (2) server replies, ISN = y
  |                                      |
  |  --- ACK, seq=x+1, ack=y+1 -------->  |   (3) connection established

1. SYN: client sends a segment with the SYN flag set and an initial sequence number seq = x.
2. SYN-ACK: server responds with SYN+ACK, its own seq = y and ack = x+1 (acknowledging the client's SYN).
3. ACK: client sends ACK with seq = x+1, ack = y+1. The connection is now established and data transfer can begin. (SYN consumes one sequence number, hence the +1.)

(b) How TCP provides reliable, in-order delivery

• Sequence numbers – every byte is numbered, so the receiver can reorder out-of-order segments and detect duplicates.
• Acknowledgements (cumulative ACKs) – the receiver ACKs the next byte it expects; the sender knows what arrived.
• Retransmission on timeout / fast retransmit – if an ACK is not received before the RTO expires (or 3 duplicate ACKs arrive), the segment is retransmitted, recovering from loss.
• Checksum – detects corrupted segments, which are discarded and retransmitted.
• Flow control (sliding window / receiver advertised window) prevents overrunning the receiver, and congestion control prevents overloading the network.

Together these mechanisms turn the unreliable, unordered IP datagram service into a reliable, ordered byte stream.

TCP vs UDP

TCP applications (and justification):

• HTTP/HTTPS (web) – web pages must arrive complete and in order; reliability matters more than a few ms of delay.
• Email (SMTP) / file transfer (FTP) – data must be delivered without loss or corruption.

UDP applications (and justification):

• VoIP / video conferencing – low latency is critical; an occasional lost packet is preferable to the delay of retransmission.
• DNS lookups – tiny single-request/response queries are faster without connection-setup overhead (retry handled by the application).

In short, choose TCP when correctness/ordering is essential, and UDP when speed/low latency matters and the application can tolerate or handle loss itself.

Domain Name System (DNS)

Working: DNS is a hierarchical, distributed database (application-layer, UDP/TCP port 53) that translates human-readable domain names into IP addresses. The namespace is organised as a tree: root servers → Top-Level Domain (TLD) servers (.np, .com) → authoritative servers for the domain. Local resolvers (recursive servers) cache results to speed up future lookups.

Recursive vs Iterative queries:

• Recursive query: the client asks its local DNS server to do all the work and return the final answer (or an error). The burden of resolution is on the server.
• Iterative query: the queried server returns the best it knows — usually a referral to the next server to ask — and the requester continues querying itself.

Typically the host→local-resolver step is recursive, while the local resolver's queries to root/TLD/authoritative servers are iterative.

Resolving www.ioe.edu.np:

1. Client sends a recursive query for www.ioe.edu.np to its local DNS resolver.
2. If not cached, the resolver (iteratively) asks a root server, which refers it to the .np TLD server.
3. Resolver asks the .np TLD server, which refers it to the edu.np / ioe.edu.np authoritative name server.
4. Resolver asks the authoritative server for ioe.edu.np, which returns the A record (IP address) of www.ioe.edu.np.
5. The resolver caches the answer (per its TTL) and returns the IP to the client, which then connects to the web server.

HTTP connections, cookies and web caching

(a) Persistent vs Non-persistent HTTP

• Non-persistent (HTTP/1.0 default): a separate TCP connection is opened and closed for each object (HTML, each image, etc.). Each object incurs one extra RTT for connection setup, so a page with many objects is slow and connection overhead is high.
• Persistent (HTTP/1.1 default, keep-alive): a single TCP connection is reused to fetch multiple objects back-to-back (and may use pipelining). This avoids repeated connection setup/teardown, reduces latency and load, and is the modern default.

(b) Cookies and web caching

Cookies: HTTP is stateless, so cookies let a server maintain state across requests. On the first response the server sends a Set-Cookie: header with a unique ID; the browser stores it and returns it in the Cookie: header on subsequent requests. The server uses this ID to look up a back-end record, enabling login sessions, shopping carts and personalisation.

Web cache (proxy server): a proxy sits between clients and the origin server and stores copies of recently requested objects. If a requested object is in the cache and still fresh (conditional GET / If-Modified-Since), it is served locally. This reduces latency (object served from nearby), cuts traffic on the access link / origin server, and lowers bandwidth cost — improving overall performance, especially for popular content.

Firewalls and VPN

(a) Packet-filtering vs Stateful inspection firewall

• Packet-filtering (stateless) firewall: examines each packet independently against static rules (ACLs) based on source/destination IP, port and protocol. It keeps no memory of previous packets. It is fast and simple but cannot tell whether a packet belongs to a legitimate established session, so it is easier to spoof.
• Stateful (dynamic) inspection firewall: maintains a state table of active connections and tracks the full context (e.g. the TCP handshake state). It permits return traffic only if it matches an existing, legitimately established connection. It is more secure and intelligent, at the cost of more memory/processing.

(b) VPN, tunnelling and IPSec

A Virtual Private Network (VPN) creates a secure, private logical link over a shared public network (the Internet). It provides confidentiality, integrity and authentication so that data crossing the public network is protected as if on a private line.

• Tunnelling encapsulates an entire original IP packet inside a new outer packet, hiding the internal addresses and carrying the encrypted payload across the public network between two VPN endpoints.
• IPSec is the security framework that secures the tunnel: AH (Authentication Header) provides integrity/authentication, ESP (Encapsulating Security Payload) provides encryption (confidentiality) plus integrity, and IKE negotiates keys/SAs. In tunnel mode, IPSec encrypts the whole inner packet, giving a secure site-to-site or remote-access VPN.

Network security goals and attacks

(a) Definitions of security goals

• Confidentiality: ensuring information is accessible only to authorised parties; protection against disclosure/eavesdropping.
• Integrity: ensuring data is not altered (accidentally or maliciously) in storage or transit; the message received is exactly what was sent.
• Availability: ensuring systems, services and data are accessible to authorised users when needed.
• Authentication: verifying the claimed identity of a user, host or message source.
• Non-repudiation: ensuring a party cannot deny having sent or performed an action (e.g. via digital signatures).

(b) Which goal each attack violates

Hash functions, MAC and digital signatures

(a) Cryptographic hash function

A cryptographic hash function $H$ maps an arbitrary-length input message to a fixed-length output (the hash/digest), e.g. SHA-256. Essential properties:

1. Deterministic & fixed output length – same input always yields the same fixed-size digest.
2. Preimage resistance (one-way) – given a hash $h$, it is computationally infeasible to find any $m$ with $H(m)=h$.
3. Second-preimage resistance – given $m_1$, infeasible to find $m_2 \ne m_1$ with $H(m_2)=H(m_1)$.
4. Collision resistance – infeasible to find any two distinct messages with the same hash.
5. Avalanche effect – a small change in input produces a drastically different digest.
6. Efficient to compute.

(b) MAC vs Digital signature

• Message Authentication Code (MAC): uses a shared symmetric secret key ($\text{MAC}=H(K \Vert M)$, e.g. HMAC). It provides data integrity and authentication between two parties who share the key. Because both parties hold the same key, a MAC cannot provide non-repudiation — either party could have created it.
• Digital signature: uses asymmetric keys — the sender signs with its private key and anyone verifies with the public key. It provides integrity, authentication AND non-repudiation, since only the holder of the private key could have produced the signature, so the sender cannot deny it.

In short: a MAC = integrity + authentication (symmetric, no non-repudiation); a digital signature = integrity + authentication + non-repudiation (asymmetric).

Subnetting: 172.16.45.200 / 255.255.240.0

Mask 255.255.240.0 = /20. The third octet mask is 240 (11110000), so the block size in the third octet = 256 − 240 = 16. Subnets in the third octet start at 0, 16, 32, 48, ...

Host's third octet = 45, which falls in the block 32–47.

(a) Network address

Third octet rounds down to 32 → 172.16.32.0.

(b) Broadcast address

Next subnet starts at 48, so broadcast = last address before it: third octet 47, host bits all 1 → 172.16.47.255.

(c) Usable hosts per subnet

Host bits = $32 - 20 = 12$, so $2^{12} - 2 = 4096 - 2 =$ 4094 usable hosts.

(d) Is 172.16.32.10 in the same subnet?

The subnet range is 172.16.32.0 – 172.16.47.255 (usable 172.16.32.1 – 172.16.47.254). Since 32.10 lies within 32.0–47.255, yes, 172.16.32.10 is in the same subnet as 172.16.45.200.