Welcome to this comprehensive guide on Internet Protocols Interview Questions and Answers — covering everything from foundational TCP/IP concepts to modern protocol trends like HTTP/3, QUIC, MQTT 5.0, gRPC, WebSockets, and beyond. Whether you are a fresher entering network engineering or an experienced embedded or software engineer preparing for a senior role, these 100+ questions reflect the topics most commonly asked in 2025 interviews at networking, IoT, cloud, and embedded systems companies.
Section 1: TCP/IP Fundamentals
Q1. What is the TCP/IP model and how does it differ from the OSI model?
The TCP/IP model has four layers: Network Access, Internet, Transport, and Application. The OSI model has seven layers. TCP/IP collapses OSI Physical and Data Link into Network Access, and OSI Session, Presentation, Application into a single Application layer. TCP/IP is what the internet uses; OSI is a reference model.
Q2. What is the difference between TCP and UDP?
TCP is connection-oriented, provides reliable ordered delivery via three-way handshake, flow control, and retransmissions. UDP is connectionless with no delivery guarantees, lower overhead, and is used for DNS, VoIP, video streaming, and IoT telemetry where speed matters more than reliability.
Q3. Explain the TCP three-way handshake.
Step 1: Client sends SYN with its Initial Sequence Number (ISN). Step 2: Server responds with SYN-ACK acknowledging the client ISN and sending its own ISN. Step 3: Client sends ACK. Both sides now have synchronized sequence numbers and data transfer begins.
Q4. What is the TCP four-way handshake for connection termination?
One side sends FIN (I am done sending). Other side sends ACK. Then other side sends its own FIN. Initiator sends final ACK and enters TIME_WAIT for 2xMSL to handle delayed packets before closing.
Q5. What is TCP flow control and congestion control?
Flow control uses the receiver window size to prevent overwhelming the receiver. Congestion control prevents overwhelming the network using Slow Start, Congestion Avoidance, Fast Retransmit, and Fast Recovery algorithms. Modern variants include CUBIC and BBR (used in Google infrastructure).
Q6. What is the difference between IPv4 and IPv6?
IPv4: 32-bit addresses, ~4.3 billion total, dotted decimal notation. IPv6: 128-bit addresses, 3.4×10^38 total, colon-hexadecimal notation. IPv6 brings built-in IPSec, simplified headers, SLAAC for stateless address configuration, and eliminates the need for NAT.
Q7. What is NAT and why is it used?
Network Address Translation maps multiple private IPs to one public IP. Used to conserve IPv4 address space. PAT (Port Address Translation) is the most common form, tracking connections by port numbers. NAT also provides a security benefit by hiding internal topology from the public internet.
Q8. What is ARP and how does it work?
Address Resolution Protocol resolves an IP address to a MAC address on a local subnet. A host broadcasts “Who has IP x.x.x.x?” and the owner replies with its MAC. Gratuitous ARP announces a MAC without a request, used for IP conflict detection and failover. IPv6 replaces ARP with Neighbor Discovery Protocol (NDP).
Q9. What is ICMP and what is it used for?
Internet Control Message Protocol is a network-layer protocol for error reporting and diagnostics. Used by ping (Echo Request/Reply), traceroute (TTL Exceeded), and error messages like Destination Unreachable. ICMPv6 also handles Neighbor Discovery and Router Advertisement in IPv6 networks.
Q10. What is the difference between a router, switch, and hub?
Hub: Layer 1, broadcasts all traffic to all ports. Switch: Layer 2, forwards frames using MAC address table to the correct port only. Router: Layer 3, routes packets between networks using IP addresses and routing tables. Modern routers include NAT, firewall, and QoS functions.
Section 2: HTTP and HTTPS
Q11. What are the main HTTP methods?
GET (retrieve, safe, idempotent), POST (create, neither safe nor idempotent), PUT (replace entirely, idempotent), PATCH (partial update), DELETE (remove, idempotent), HEAD (headers only), OPTIONS (list allowed methods), CONNECT (establish proxy tunnel for HTTPS).
Q12. What is the difference between HTTP/1.1, HTTP/2, and HTTP/3?
HTTP/1.1: text headers, one request per TCP connection at a time (head-of-line blocking). HTTP/2: binary framing, multiplexed streams, HPACK header compression, server push. HTTP/3 (RFC 9114): built on QUIC (UDP-based), eliminates TCP head-of-line blocking, 0-RTT/1-RTT handshakes, better mobile performance.
Q13. How does HTTPS/TLS work?
TLS handshake: ClientHello with cipher suites, ServerHello with certificate, client verifies certificate against trusted CAs, key exchange, both sides derive session keys, encrypted session begins. TLS 1.3 (RFC 8446) reduced the handshake to one round-trip and removed weak cipher suites.
Q14. What are common HTTP status codes?
200 OK, 201 Created, 204 No Content, 301 Moved Permanently, 302 Found, 304 Not Modified, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable Entity, 429 Too Many Requests, 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout.
Q15. How does HTTP caching work?
Cache-Control header controls caching: max-age (freshness duration), no-cache (must revalidate), no-store (never cache), public/private. ETag is a resource fingerprint used with If-None-Match for conditional GET. Last-Modified with If-Modified-Since provides time-based validation. 304 Not Modified means use cached copy.
Q16. What is CORS?
Cross-Origin Resource Sharing is a browser security mechanism restricting cross-origin requests. Servers opt in with Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers. Non-simple requests trigger a preflight OPTIONS request first. Without CORS headers, the browser blocks the response even if the server processed it.
Q17. What is REST and what are its six constraints?
REST architectural constraints: (1) Client-Server separation, (2) Statelessness, (3) Cacheability, (4) Uniform Interface (URI resource identification, representations, self-descriptive messages, HATEOAS), (5) Layered System, (6) Code on Demand (optional, e.g., JavaScript). An API following all constraints is called RESTful.
Q18. What is the difference between REST and GraphQL?
REST uses multiple endpoints with server-defined response shapes. GraphQL uses a single endpoint where clients request exactly the data needed, eliminating over-fetching and under-fetching. GraphQL supports queries, mutations, and subscriptions. REST is simpler and more cache-friendly at HTTP level; GraphQL excels for complex, nested, or rapidly changing data requirements.
Q19. What are cookies, sessions, and JWTs?
Cookies: small key-value stores sent in HTTP headers; attributes: HttpOnly, Secure, SameSite, Expires, Domain, Path. Sessions: server-side state with session ID in cookie. JWT (JSON Web Token): self-contained signed token carrying claims, stateless (no server lookup needed), but harder to revoke without a blocklist. Common choice: cookies with sessions for web apps, JWTs for stateless APIs.
Q20. What is QUIC and how does it improve on TCP?
QUIC (RFC 9000) is a UDP-based transport protocol developed by Google, standardized in 2021. Improvements over TCP: (1) 0-RTT reconnection for returning clients, (2) per-stream flow control eliminating head-of-line blocking, (3) connection migration (IP change without disconnect), (4) built-in TLS 1.3, (5) faster handshake. HTTP/3 is built entirely on QUIC.
Section 3: DNS
Q21. How does DNS resolution work?
Browser cache → OS hosts file → Recursive Resolver → Root Nameserver (returns TLD nameserver) → TLD Nameserver (e.g., .com, returns authoritative NS) → Authoritative Nameserver (returns A/AAAA record). Result cached per TTL. Root zone has 13 logical root server clusters worldwide.
Q22. What are the main DNS record types?
A: IPv4 address. AAAA: IPv6 address. CNAME: canonical name alias. MX: mail server with priority. NS: authoritative nameserver. TXT: arbitrary text (SPF, DKIM, domain verification). PTR: reverse DNS. SRV: service location with port/priority. SOA: zone authority info. CAA: allowed Certificate Authorities. TLSA: DANE certificate association.
Q23. What is DNS TTL and why does it matter?
TTL specifies how long resolvers cache a record. Low TTL (60s): fast change propagation, high query load. High TTL (86400s): low query load, slow propagation. Best practice: lower TTL days before a planned DNS change, make the change, then raise TTL again after confirming everything is working.
Q24. What is DNS over HTTPS (DoH) and DNS over TLS (DoT)?
Traditional DNS is plaintext on UDP port 53, exposing queries. DoH (RFC 8484) sends DNS as HTTPS on port 443, indistinguishable from web traffic and bypasses content filters. DoT (RFC 7858) encrypts on port 853, easier for enterprise to monitor. Both prevent eavesdropping and DNS tampering by ISPs or attackers.
Q25. What is DNSSEC?
DNS Security Extensions add digital signatures to DNS records. Resolvers verify authenticity using a chain of trust from the root zone. Protects against DNS cache poisoning (Kaminsky attack). Does NOT encrypt queries (DoH/DoT does). DNSSEC adds RRSIG, DS, DNSKEY, and NSEC records. Adoption is growing but still under 30% of domains globally.
Q26. What is split-horizon DNS?
Split-horizon (split-brain) DNS serves different answers for the same DNS name depending on who is asking. Internal clients receive internal/private IP addresses; external clients receive public IPs. Used to route internal traffic through internal paths while external traffic goes through public infrastructure. Common in enterprise environments with private cloud services.
Section 4: WebSockets, SSE, and Real-Time Protocols
Q27. What is WebSocket and how does it differ from HTTP?
WebSocket (RFC 6455) provides full-duplex, persistent communication over a single TCP connection. It starts with an HTTP Upgrade handshake (101 Switching Protocols) and then transitions to WebSocket frames. Unlike HTTP request-response, the server can push data at any time. Used for chat, live dashboards, gaming, and financial data feeds.
Q28. What is Server-Sent Events (SSE)?
SSE is one-way server-to-client streaming over HTTP using the EventSource API. The server sends text/event-stream with data fields. SSE auto-reconnects on disconnection. Ideal for notifications, live feeds, and log streaming where only server-to-client push is needed. Works over HTTP/2 multiplexing, unlike WebSocket which needs a separate connection.
Q29. What is gRPC and when would you use it over REST?
gRPC uses HTTP/2 and Protocol Buffers (binary serialization). Supports unary, server streaming, client streaming, and bidirectional streaming. Faster than REST+JSON, strongly typed via .proto schemas, auto-generates client/server code. Use gRPC for microservice-to-microservice communication, high-throughput APIs, and streaming use cases. REST remains better for public APIs and browser clients.
Q30. What is the difference between polling, long polling, SSE, and WebSockets?
Polling: client requests at intervals — simple, high waste. Long polling: client waits until server has data — lower latency, HTTP overhead. SSE: server pushes over persistent HTTP — one-way, HTTP/2-friendly. WebSocket: full-duplex TCP connection — bidirectional, lowest latency. Choose based on directionality, latency, and infrastructure constraints.
Section 5: MQTT and IoT Protocols
Q31. What is MQTT?
MQTT (Message Queuing Telemetry Transport) is a lightweight publish-subscribe protocol for constrained devices. It uses a broker for message routing, topic-based addressing, three QoS levels, retained messages, Last Will and Testament, and persistent sessions. Runs over TCP/IP. MQTT-SN variant runs over UDP for truly resource-constrained devices and sensor networks.
Q32. Explain MQTT QoS levels.
QoS 0 (At most once): fire and forget, no acknowledgement, messages may be lost. QoS 1 (At least once): message acknowledged; sender retransmits until ACK, duplicates possible. QoS 2 (Exactly once): four-part handshake (PUBLISH→PUBREC→PUBREL→PUBCOMP), guaranteed delivery without duplicates. Higher QoS means higher latency and overhead.
Q33. What is MQTT 5.0 and what does it add over 3.1.1?
MQTT 5.0 adds: reason codes on all ACK packets, user properties (key-value metadata), message expiry interval, topic aliases (reduce repeated topic overhead), shared subscriptions for load balancing, request-response pattern with correlation data, flow control with receive maximum, and improved session expiry. Recommended for all new designs.
Q34. What is CoAP and how does it differ from MQTT?
CoAP (RFC 7252) is a RESTful protocol over UDP with 4-byte minimum headers. It mirrors HTTP with GET/POST/PUT/DELETE, supports confirmable and non-confirmable messages, observe for server push, and multicast. MQTT is broker-based, event-driven. CoAP is request-response for direct resource access on constrained devices. CoAP is better for low-power mesh networks; MQTT for many-to-many telemetry.
Q35. What is MQTT Last Will and Testament (LWT)?
LWT allows a client to specify a message the broker publishes if the client disconnects unexpectedly (without a DISCONNECT packet). Configured at connect time: will topic, message, QoS, and retain flag. Used for device presence detection — subscribers are notified immediately when a device drops offline. LWT is not published on a clean disconnect.
Q36. What is AMQP and when would you use it instead of MQTT?
AMQP (Advanced Message Queuing Protocol) offers enterprise messaging features: exchanges, queues, bindings, routing keys, dead letter queues, transactions, and guaranteed delivery. Use AMQP (RabbitMQ, Azure Service Bus) for complex back-end routing, enterprise integration, and guaranteed ordering. MQTT is lighter and better for IoT device telemetry with millions of connections.
Q37. What is DDS (Data Distribution Service)?
DDS is a peer-to-peer, broker-less pub-sub middleware with rich QoS policies (deadline, liveliness, reliability, history, durability). Used in ROS 2 for robotics, autonomous vehicles, military C2 systems, air traffic control, and medical devices. DDS targets deterministic, low-latency communication in safety-critical real-time systems without a central point of failure.
Q38. What is OPC-UA?
OPC Unified Architecture is the standard industrial communication protocol for Industry 4.0 and IIoT. It provides a rich information model, built-in security (authentication, encryption, signing), and multiple transports (TCP binary, HTTPS, WebSocket). OPC-UA PubSub adds MQTT and AMQP transport. It enables interoperability between PLCs, SCADA, MES, and cloud platforms from any vendor.
Q39. What is the Sparkplug B specification?
Sparkplug B is an MQTT topic namespace and payload encoding specification (uses Protocol Buffers) designed for industrial IoT. It defines a structured topic structure (spBv1.0/group/message_type/device_id) and mandates birth/death/data messages for device lifecycle management. It builds interoperability on top of MQTT brokers without requiring OPC-UA, widely used in SCADA and IIoT applications.
Q40. What is Matter (formerly Project CHIP) protocol?
Matter is a unified IoT smart home protocol launched in 2022, backed by Apple, Google, Amazon, and Samsung. It runs over IPv6 on Wi-Fi, Ethernet, and Thread (mesh). Matter uses a device-local approach with end-to-end encryption, cryptographic device attestation, and works offline without cloud dependency. It aims to replace fragmented smart home protocols like Zigbee, Z-Wave, and proprietary ones.
Section 6: TLS, Security, and Authentication Protocols
Q41. What is the difference between TLS 1.2 and TLS 1.3?
TLS 1.3 (RFC 8446, 2018): reduced handshake to 1-RTT (vs 2-RTT in 1.2), 0-RTT resumption for returning clients, removed weak cipher suites (RC4, 3DES, MD5, SHA-1, RSA key exchange), mandatory forward secrecy via ephemeral Diffie-Hellman, and simplified cipher suite negotiation. TLS 1.2 still widely deployed but TLS 1.3 should be preferred for all new deployments.
Q42. What is certificate pinning?
Certificate pinning hardcodes an expected certificate or public key hash in the client application. This prevents MITM attacks even from CA-signed certificates. A client rejects any certificate not matching the pin, even if signed by a trusted CA. Used in mobile apps and IoT firmware. Risks: pin rotation complexity and blocking legitimate certificate renewal. HPKP (HTTP Public Key Pinning) was deprecated in favor of Certificate Transparency logs.
Q43. What is OAuth 2.0 and how does it work?
OAuth 2.0 is an authorization framework allowing a third-party application to access a user’s resources on a server without exposing credentials. Key flows: Authorization Code (web apps, with PKCE for SPAs), Client Credentials (machine-to-machine), Device Code (IoT/CLI devices without a browser). Tokens: Access Token (short-lived), Refresh Token (long-lived, for getting new access tokens). OAuth 2.0 is authorization, not authentication — OpenID Connect (OIDC) adds identity on top.
Q44. What is mTLS (Mutual TLS)?
In standard TLS, only the server presents a certificate. In mTLS (Mutual TLS), both the client and server authenticate with certificates. Used in zero-trust architectures, service meshes (Istio, Linkerd), IoT device authentication, and internal microservices. mTLS ensures both parties are who they claim to be and prevents unauthorized clients from even establishing a connection.
Q45. What is a VPN and what protocols does it use?
A VPN (Virtual Private Network) encrypts traffic over a public network to create a private tunnel. Protocols: OpenVPN (TLS-based, TCP/UDP), IPSec (IKEv2, transport/tunnel modes, used in site-to-site VPNs), WireGuard (modern, ChaCha20+Poly1305, low overhead, built into Linux kernel since 5.6), L2TP/IPSec (older, common in enterprise). WireGuard is now preferred for its simplicity, performance, and smaller attack surface.
Q46. What is IPSec and how does it work?
IPSec secures IP communications at the network layer. Two modes: Transport Mode encrypts only the payload (used between end hosts). Tunnel Mode encrypts the entire IP packet (used for VPN gateways). Two protocols: AH (Authentication Header, integrity only) and ESP (Encapsulating Security Payload, encryption + integrity). IKEv2 handles key exchange. IPSec is used for site-to-site VPNs and L3 security in enterprise and carrier networks.
Q47. What is DTLS and when is it used?
DTLS (Datagram Transport Layer Security) is TLS adapted for UDP. It handles packet reordering, loss, and fragmentation that TLS assumes TCP handles. Used wherever UDP is required with security: CoAP over DTLS for IoT, WebRTC (media encryption), VoIP, game servers, and DNS over DTLS. DTLS 1.3 mirrors TLS 1.3 improvements for datagram use cases.
Q48. What is a firewall and what types exist?
Packet filtering firewalls inspect headers (IP, port, protocol) and apply ACL rules. Stateful inspection tracks connection state, allowing return traffic automatically. Application-layer firewalls (WAF, proxy firewalls) inspect Layer 7 content, blocking SQL injection, XSS, etc. Next-Generation Firewalls (NGFW) combine stateful inspection with IPS, DPI, application identification, and user identity awareness. eBPF-based firewalls are the modern trend for cloud-native environments.
Q49. What is a DDoS attack and how is it mitigated?
Distributed Denial of Service floods a target with traffic from many sources to exhaust resources. Types: volumetric (UDP floods, amplification), protocol (SYN floods), application-layer (HTTP floods). Mitigation: anycast scrubbing centers, rate limiting, SYN cookies, BGP blackhole routing, CDN/WAF (Cloudflare, AWS Shield), CAPTCHAs, and connection limits. Modern DDoS defenses combine traffic analysis with ML-based anomaly detection.
Q50. What is zero trust networking?
Zero Trust is a security model: “never trust, always verify.” Every request is authenticated, authorized, and encrypted regardless of origin — there is no trusted internal network. Key pillars: strong identity (mTLS, MFA), least-privilege access, micro-segmentation, continuous verification, and comprehensive logging. Implemented via service meshes, identity-aware proxies (BeyondCorp), and ZTNA (Zero Trust Network Access) replacing traditional VPNs.
Section 7: Routing Protocols and Network Architecture
Q51. What is the difference between static and dynamic routing?
Static routing: manually configured routes, no overhead, no adaptability. Dynamic routing: routers exchange topology information and compute optimal paths automatically. Interior Gateway Protocols (IGP) operate within an AS: OSPF (link-state, fast convergence), EIGRP (Cisco proprietary hybrid), RIP (distance-vector, slow convergence, max 15 hops). BGP (Border Gateway Protocol) is the Exterior Gateway Protocol connecting different Autonomous Systems on the internet.
Q52. What is BGP and why is it important?
BGP (RFC 4271) is the routing protocol of the internet, exchanging reachability information between Autonomous Systems (AS). It is a path-vector protocol using policy-based routing with attributes like AS-PATH, NEXT-HOP, MED, LOCAL-PREF, and community strings. BGP hijacking (malicious route announcement) is a major internet security risk. RPKI (Resource Public Key Infrastructure) cryptographically validates BGP route origins to mitigate hijacking.
Q53. What is OSPF and how does it work?
OSPF (Open Shortest Path First) is a link-state IGP protocol. Each router builds a complete topology map (LSDB — Link State Database) by flooding Link State Advertisements (LSAs). Dijkstra’s algorithm computes shortest paths. OSPF uses areas (Area 0 = backbone) to scale large networks by reducing LSA flooding. Fast convergence and loop-free topology make it the most widely deployed IGP in enterprise and service provider networks.
Q54. What is VLAN and why is it used?
VLAN (Virtual LAN) logically segments a physical network into separate broadcast domains at Layer 2. Provides traffic isolation (security), broadcast containment, simplified network management, and flexible grouping independent of physical location. 802.1Q is the standard trunk protocol that tags frames with a VLAN ID. Inter-VLAN routing requires a router or Layer 3 switch. VXLANs extend VLANs over Layer 3 networks in data centers and cloud environments.
Q55. What is Software-Defined Networking (SDN)?
SDN separates the control plane (routing decisions) from the data plane (packet forwarding) via a centralized controller (OpenFlow, ONOS, OpenDaylight). The controller programs forwarding rules into network devices via southbound APIs. Benefits: programmability, centralized visibility, automated provisioning. Used in data centers, WANs (SD-WAN), and cloud networks. Kubernetes CNI plugins (Cilium, Calico) use SDN principles with eBPF for container networking.
Q56. What is a CDN (Content Delivery Network)?
A CDN is a distributed network of edge servers caching and serving content close to end users, reducing latency and origin server load. DNS-based routing directs users to the nearest PoP (Point of Presence). Modern CDNs (Cloudflare, AWS CloudFront, Fastly) also provide DDoS protection, WAF, TLS termination, edge computing (Cloudflare Workers, Lambda@Edge), and protocol optimization including HTTP/3.
Q57. What is QoS (Quality of Service) in networking?
QoS mechanisms prioritize certain traffic types to guarantee performance for latency-sensitive applications. Techniques: traffic classification (DSCP markings), queuing (WFQ, CBWFQ, LLQ for voice), policing (drop excess), and shaping (buffer excess for smooth rate). In wireless networks, 802.11e/WMM defines four access categories for QoS. In IoT, CoAP and MQTT support message priority mechanisms but rely on network-level QoS for real-time guarantees.
Q58. What is anycast routing and where is it used?
Anycast assigns the same IP address to multiple servers in different geographic locations. Packets are routed to the topologically nearest instance. Used by DNS root servers (all 13 root server addresses are anycast, with hundreds of physical servers), CDNs, DoH/DoT resolvers (e.g., 1.1.1.1, 8.8.8.8), and DDoS scrubbing services. It provides automatic failover and load distribution without client configuration changes.
Q59. What is MPLS and why is it used?
MPLS (Multiprotocol Label Switching) forwards packets based on labels rather than IP destination lookups, enabling faster switching and traffic engineering. ISPs use MPLS for: traffic engineering (explicit path control), QoS-aware routing, L3 VPN services, and high-speed backbone forwarding. Labels are pushed/popped/swapped at each hop. MPLS is being replaced in some deployments by SD-WAN and segment routing (SRv6) which achieves similar goals over standard IP infrastructure.
Q60. What is a proxy server and what types exist?
A proxy acts as an intermediary between client and server. Forward proxy: clients configure it explicitly, used for filtering, caching, anonymity. Transparent proxy: intercepts traffic without client configuration (ISP, corporate networks). Reverse proxy: sits in front of servers, handles load balancing, TLS termination, caching (Nginx, HAProxy, Envoy). API gateway: specialized reverse proxy for microservices, handling auth, rate limiting, routing, and observability.
Section 8: Application Layer Protocols
Q61. What is FTP and what are its limitations?
FTP (File Transfer Protocol, RFC 959) transfers files using two TCP connections: control (port 21) and data (port 20 for active mode, negotiated port for passive mode). Limitations: sends credentials in plaintext, active mode causes firewall issues, no encryption. SFTP (SSH File Transfer Protocol, not FTP over SSH) and FTPS (FTP over TLS) are secure alternatives. SCP is another SSH-based file transfer tool but lacks interactive browsing.
Q62. What is SMTP and how does email delivery work?
SMTP (RFC 5321) sends email between mail servers on port 25 (server-to-server), 587 (submission with STARTTLS), or 465 (SMTPS). Mail client submits to MTA, MTA looks up recipient domain’s MX record, connects to recipient MTA, delivers message. IMAP (port 143/993) and POP3 (port 110/995) are used for client retrieval. SPF, DKIM, and DMARC records prevent email spoofing and phishing.
Q63. What is SSH and how does it work?
SSH (Secure Shell, RFC 4251) provides encrypted remote login and command execution on port 22. Authentication methods: password and public key (preferred — private key never leaves client). SSH uses asymmetric cryptography for key exchange and server authentication, symmetric for session encryption. SSH tunnels (port forwarding) can securely tunnel other protocols. OpenSSH is the standard implementation; ed25519 keys are now recommended over RSA.
Q64. What is DHCP and how does it work?
DHCP (Dynamic Host Configuration Protocol, RFC 2131) automatically assigns IP addresses, subnet mask, default gateway, DNS servers, and other parameters to clients. Process (DORA): Discover (client broadcasts), Offer (server proposes IP/config), Request (client accepts), Acknowledge (server confirms lease). DHCPv6 and SLAAC handle IPv6 address assignment. DHCP snooping on switches prevents rogue DHCP servers.
Q65. What is NTP and how does time synchronization work?
NTP (Network Time Protocol, RFC 5905) synchronizes clocks across networks. It uses a stratum hierarchy: Stratum 0 (atomic clocks/GPS), Stratum 1 (servers synchronized to Stratum 0), Stratum 2 (synchronized to Stratum 1), and so on. NTP uses UDP port 123. Precision Time Protocol (PTP / IEEE 1588) achieves sub-microsecond accuracy for industrial, financial, and telecom applications. Accurate time is critical for TLS certificates, logs, distributed systems, and TDMA wireless protocols.
Q66. What is SNMP and what are its versions?
SNMP (Simple Network Management Protocol) monitors and manages network devices. Versions: SNMPv1/v2c use community strings (plain text passwords — insecure). SNMPv3 adds authentication (MD5/SHA) and encryption (DES/AES) — required for production use. Devices expose MIBs (Management Information Bases) with OIDs for variables. SNMP is being supplemented or replaced by NETCONF/YANG (structured, transactional) and gNMI (gRPC-based, streaming telemetry) in modern network management.
Q67. What is LDAP and where is it used?
LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining directory information services. It uses a hierarchical tree structure (Distinguished Names). Common use: authenticating users in enterprise networks (Active Directory, OpenLDAP), centralized user account management, SSO integrations. LDAPS is LDAP over TLS. LDAP is being complemented by SCIM (System for Cross-domain Identity Management) for cloud-native user provisioning.
Q68. What is RADIUS vs TACACS+?
RADIUS (Remote Authentication Dial-In User Service): combines authentication and authorization, encrypts only the password, uses UDP, widely supported. TACACS+ (Terminal Access Controller Access-Control System Plus, Cisco): separates authentication, authorization, and accounting (AAA), encrypts the entire payload, uses TCP, more granular command authorization. TACACS+ is preferred for network device administration; RADIUS is more common for user network access (802.1X, Wi-Fi).
Q69. What is 802.1X and how does it work?
IEEE 802.1X is a port-based network access control standard. A supplicant (device) connects to an authenticator (switch/AP), which forwards authentication requests to an authentication server (RADIUS) using EAP (Extensible Authentication Protocol). The switch only forwards traffic after successful authentication. Used in enterprise Wi-Fi (WPA2/WPA3-Enterprise) and wired networks for device identity verification, preventing unauthorized network access.
Q70. What is TFTP and when is it used?
TFTP (Trivial FTP) is a minimal file transfer protocol over UDP port 69 with no authentication, directory listing, or error recovery. Used for: booting diskless workstations (PXE), firmware updates on network devices (routers, switches, IP phones), and embedded system provisioning in isolated networks. Its simplicity makes it easy to implement in bootloaders with very limited code space. Never use TFTP over untrusted networks.
Section 9: Wireless and Embedded Network Protocols
Q71. What is the difference between Wi-Fi, Bluetooth, Zigbee, and Z-Wave?
Wi-Fi (802.11): high bandwidth, 2.4/5/6 GHz, TCP/IP, high power. Bluetooth LE (BLE): low power, short range, 2.4 GHz, point-to-point or mesh. Zigbee (802.15.4): low power mesh, 2.4 GHz, designed for IoT sensors, uses 6LoWPAN for IPv6. Z-Wave: 868/908 MHz, sub-GHz (avoids Wi-Fi interference), proprietary, max 232 nodes, good for smart home. Thread: IPv6 mesh based on 802.15.4, used in Matter protocol alongside Wi-Fi and Ethernet.
Q72. What is 6LoWPAN?
6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks, RFC 4944) adapts IPv6 for constrained 802.15.4 networks by providing header compression (reducing 40-byte IPv6 header to as few as 2 bytes), fragmentation/reassembly for large packets, and mesh addressing. It enables end-to-end IPv6 connectivity from cloud to tiny sensor devices. Used in smart metering, industrial sensors, and Thread networks.
Q73. What is LoRaWAN and what makes it unique?
LoRaWAN is a wide-area network protocol using LoRa (Long Range) modulation over sub-GHz unlicensed spectrum. Key characteristics: range of 2–15 km, extremely low power (years on battery), very low data rates (0.3–50 kbps), star-of-stars topology with gateways and network server. Used for asset tracking, smart agriculture, smart city sensors, and meter reading. The Chirp Spread Spectrum (CSS) modulation gives excellent noise immunity at the cost of bandwidth.
Q74. What is NB-IoT and how does it compare to LTE-M?
NB-IoT (Narrowband IoT) uses 200 kHz bandwidth within LTE spectrum, excellent deep indoor penetration, very low power, designed for static, infrequent low-data-rate applications (smart meters). LTE-M (Cat-M1) uses 1.4 MHz bandwidth, supports voice and higher data rates, enables device mobility and roaming. Both are licensed-spectrum cellular LPWAN technologies standardized by 3GPP. NB-IoT is cheaper for static sensors; LTE-M is better for moving assets.
Q75. What is 5G and what network architecture changes does it bring?
5G introduces three service categories: eMBB (enhanced Mobile Broadband, >1 Gbps), URLLC (Ultra-Reliable Low Latency Communications, <1 ms, for industrial control), and mMTC (massive Machine Type Communications, 1 million devices/km²). Architecture changes: standalone core (5G NR + 5GC with service-based architecture), network slicing (virtual dedicated networks per use case), edge computing (MEC), and network function virtualization replacing physical network elements.
Q76. What is Time-Sensitive Networking (TSN)?
TSN is a set of IEEE 802.1 standards extending Ethernet for deterministic, time-synchronized communication. Key standards: 802.1AS (timing, PTP grandmaster), 802.1Qbv (time-aware shaper, scheduled traffic), 802.1Qbu/802.3br (frame preemption), 802.1Qcc (stream reservation). Used in automotive (100BASE-T1, 1000BASE-T1), industrial automation, professional audio/video, and avionics to replace proprietary fieldbuses (CAN, PROFIBUS) with standard Ethernet that meets hard real-time requirements.
Q77. What is CAN bus and how does it compare to Ethernet for automotive?
CAN (Controller Area Network) is a serial bus for automotive and industrial control, operating at up to 1 Mbps (CAN FD up to 8 Mbps). It uses differential signaling, multi-master with CSMA/CR arbitration, 11/29-bit identifiers for message priority, and built-in error detection (CRC, bit stuffing, ACK). CAN is deterministic but limited bandwidth. Automotive Ethernet (100BASE-T1, 1000BASE-T1) is replacing CAN for high-bandwidth domains (ADAS, infotainment) while CAN FD and LIN continue for lower-speed body/powertrain functions.
Q78. What is Modbus and where is it used?
Modbus is one of the oldest industrial communication protocols (1979), still widely used. Variants: Modbus RTU (serial, binary, RS-232/RS-485), Modbus ASCII (serial, human-readable), Modbus TCP (over Ethernet/IP). It uses a master-slave model with function codes for reading/writing coils and registers. Despite its age and lack of built-in security, Modbus remains dominant in PLCs, sensors, and SCADA because of its simplicity and universal support.
Q79. What is PROFINET and what does it offer over Modbus?
PROFINET is an Industrial Ethernet standard for automation developed by Siemens/PI. It supports real-time (RT) and isochronous real-time (IRT, <1 ms cycle time) communication, device diagnostics, hot-plugging, and GSDML device descriptions for auto-configuration. PROFINET TCP/IP for non-critical data and PROFINET IO for hard real-time control can coexist on the same cable. Far more capable than Modbus with standardized device models, security, and TSN alignment for Industry 4.0.
Q80. What is SOME/IP (Scalable service-Oriented Middleware over IP)?
SOME/IP is an automotive middleware protocol for service-oriented communication over Ethernet. It provides service discovery (SOME/IP-SD), remote procedure calls, events (publish-subscribe), and fields (read/write properties). Used in AUTOSAR architectures to replace static CAN-based communication with dynamic, scalable, IP-based services in vehicles. Paired with DDS in some next-gen vehicle OS designs (Android Automotive, SOAFEE).
Section 10: Cloud Networking and Modern Trends
Q81. What is a load balancer and what types exist?
Load balancers distribute traffic across multiple servers for availability and scalability. Layer 4 (transport): routes based on IP/port, fast, no content inspection (AWS NLB, HAProxy TCP mode). Layer 7 (application): routes based on HTTP content — URL, headers, cookies (Nginx, AWS ALB, Envoy). Global Server Load Balancing (GSLB) uses DNS to distribute across geographic regions. Modern cloud load balancers also perform TLS termination, health checks, session persistence, and integrate with service meshes.
Q82. What is a service mesh and why is it used?
A service mesh is a dedicated infrastructure layer for service-to-service communication in microservices. Sidecar proxies (Envoy) are injected alongside each service container, handling mTLS, load balancing, retries, circuit breaking, observability (metrics, traces, logs), and traffic management without changing application code. Istio and Linkerd are popular service meshes. Control planes (Istiod) configure sidecar proxies centrally. eBPF-based approaches (Cilium) achieve similar goals without sidecars.
Q83. What is a circuit breaker pattern in microservices?
The circuit breaker (Hystrix/Resilience4j) prevents a service from repeatedly trying to call a failing downstream service. States: Closed (normal operation), Open (failure threshold reached, fast-fail without calling), Half-Open (allow test requests to check recovery). It prevents cascading failures in distributed systems. Similar to an electrical circuit breaker. Implemented via service mesh (Envoy) or application libraries. Related: bulkhead, retry with exponential backoff, and timeout patterns.
Q84. What is Kubernetes networking and how do pods communicate?
Kubernetes assigns each pod a unique IP. Pods within a node communicate via a Linux bridge/veth pairs. Cross-node pod communication is handled by CNI plugins (Calico, Flannel, Cilium) using overlay networks (VXLAN/IPIP tunnels) or native routing (BGP with Calico). Services (ClusterIP, NodePort, LoadBalancer) provide stable endpoints via kube-proxy rules (iptables/ipvs). Ingress controllers (Nginx, Traefik, Envoy Gateway) handle external HTTP routing with TLS termination.
Q85. What is eBPF and how is it transforming networking?
eBPF (extended Berkeley Packet Filter) allows sandboxed programs to run in the Linux kernel without modifying kernel source or loading modules. In networking: Cilium uses eBPF for high-performance load balancing, network policy enforcement, and observability with lower overhead than iptables. XDP (eXpress Data Path) enables kernel-bypass packet processing at NIC driver level for DDoS mitigation and load balancing. eBPF is replacing iptables, service mesh sidecars, and network monitoring agents in modern cloud infrastructure.
Q86. What is DTLS 1.3 and what improvements does it bring?
DTLS 1.3 (RFC 9147, 2022) mirrors TLS 1.3 for UDP: 1-RTT handshake, 0-RTT resumption, modern cipher suites (AES-GCM, ChaCha20-Poly1305), mandatory forward secrecy, record layer redesign with a unified header format, and improved ACK mechanism for reliability. Significant performance improvement over DTLS 1.2 for CoAP/IoT applications, WebRTC, and VPN solutions that rely on UDP transport.
Q87. What is HTTP/3 and QUIC in practice?
HTTP/3 (RFC 9114) over QUIC (RFC 9000) was finalized in 2022 and is now supported by Chrome, Firefox, Safari, and major CDNs. Real-world benefits: 10–15% faster page loads on mobile, resilience to packet loss (per-stream recovery vs TCP head-of-line blocking), and connection migration for mobile users changing networks. Deployment requires UDP port 443 to be open. The Alt-Svc header advertises HTTP/3 support. Google, Meta, and Cloudflare serve significant traffic over HTTP/3.
Q88. What is WebTransport?
WebTransport is a browser API providing low-latency bidirectional communication over HTTP/3 and QUIC, offering unreliable datagrams (like UDP) and reliable streams within a browser context. It replaces use cases that pushed WebSocket to its limits: game networking, real-time collaboration, media streaming. Unlike WebSocket (single ordered stream), WebTransport multiplexes independent streams and provides raw datagrams without TCP head-of-line blocking.
Q89. What is a message broker and what are common examples?
A message broker decouples producers and consumers, storing and routing messages. Key types: RabbitMQ (AMQP, flexible routing, queues, exchanges), Apache Kafka (distributed log, high throughput, replay, consumer groups — not traditional broker), Apache Pulsar (Kafka alternative with geo-replication, tiered storage), AWS SQS/SNS (managed cloud queuing/fan-out). Kafka is dominant for event streaming and data pipelines; RabbitMQ for task queues; MQTT brokers (Mosquitto, HiveMQ, EMQ X) for IoT.
Q90. What is network observability and what protocols are used?
Observability covers metrics, logs, and distributed traces. NetFlow/IPFIX export flow records from routers for traffic analysis. sFlow samples packets for high-speed monitoring. OpenTelemetry (OTLP protocol) is the emerging standard for metrics, traces, and logs from applications. gNMI (gRPC Network Management Interface) provides streaming telemetry from network devices. SNMP traps push alerts. Prometheus scrapes metrics via HTTP. The combination of these gives full-stack visibility from physical network to application layer.
Section 11: Scenario-Based and Advanced Interview Questions
Q91. What happens when you type a URL into a browser and press Enter?
1) Browser checks cache. 2) DNS resolution (recursive resolver → root → TLD → authoritative). 3) TCP three-way handshake. 4) TLS handshake. 5) HTTP request sent. 6) Server processes request, sends response. 7) Browser parses HTML, fetches sub-resources (CSS, JS, images) in parallel. 8) DOM constructed, render tree built, page painted. With HTTP/3: QUIC replaces TCP steps. With a CDN: DNS resolves to edge server closest to user.
Q92. How would you design the network architecture for a system with 10 million IoT devices sending telemetry?
Use MQTT with a clustered broker (HiveMQ, EMQX, AWS IoT Core). TLS for transport security with device certificates. Message queue (Kafka) behind the broker for buffering and replay. Stream processing (Apache Flink/Spark) for real-time analytics. Time-series database (InfluxDB, TimescaleDB) for storage. API Gateway + REST/gRPC for query interface. CDN/edge computing for regional processing to reduce WAN latency. MQTT 5.0 shared subscriptions for horizontal scaling of consumer workers.
Q93. How does a TCP SYN flood attack work and how is it mitigated?
Attacker sends many SYN packets with spoofed source IPs. Server allocates resources for each half-open connection, filling the SYN backlog queue. Legitimate connections are refused. Mitigation: SYN cookies (server encodes connection state in ISN, allocates no resources until ACK), increase backlog queue size, firewall rate limiting, TCP SYN proxy on load balancers, and ingress filtering (BCP 38) to drop spoofed-source packets at ISP edge.
Q94. Explain the CAP theorem in the context of distributed systems and protocols.
CAP theorem: a distributed system can only guarantee two of three: Consistency (all nodes see same data), Availability (every request gets a response), Partition tolerance (system works despite network splits). Since network partitions are inevitable, the real choice is CP (sacrifice availability during partition — ZooKeeper, etcd) vs AP (sacrifice consistency — Cassandra, CouchDB). This directly influences protocol design: some IoT protocols choose AP (device continues operating offline) while others choose CP (financial transactions require consistency).
Q95. How would you troubleshoot a high-latency issue in a TCP connection?
Check: 1) ping/traceroute to identify high-RTT hops. 2) tcpdump/Wireshark to see TCP retransmissions, duplicate ACKs, zero window. 3) ss/netstat for socket states (TIME_WAIT overload). 4) Check CPU/memory on server (busy server delays ACK). 5) Nagles algorithm vs delayed ACK interaction (TCP_NODELAY). 6) MTU issues causing fragmentation. 7) Congestion: check packet loss with mtr. 8) Buffer bloat: large buffers at intermediate hops inflate RTT. 9) Application-level: check if delays are in processing, not network.
Q96. What is the difference between throughput, bandwidth, and latency?
Bandwidth: the maximum data rate a link can carry (physical limit, e.g., 1 Gbps). Throughput: actual data transferred per unit time, always less than or equal to bandwidth due to protocol overhead, errors, and congestion. Latency (RTT): time for a packet to travel from source to destination and back. High latency degrades throughput severely for TCP because of the bandwidth-delay product: the amount of data in flight = bandwidth x RTT. Long fat networks (LFN) need large TCP window sizes and window scaling (RFC 1323) to fully utilize bandwidth.
Q97. What is head-of-line blocking and how do HTTP/2 and HTTP/3 address it?
TCP HOL blocking: if a packet is lost, all subsequent packets in the stream must wait for retransmission even if they belong to different HTTP requests. HTTP/2 multiplexes over one TCP connection, so a single lost packet still blocks all streams. HTTP/3 over QUIC uses per-stream flow control and per-stream retransmission at the QUIC layer, so a lost packet in one stream does not block other streams. This is HTTP/3’s most significant improvement for unreliable networks like mobile.
Q98. What is a replay attack and how are protocols protected against it?
A replay attack captures a valid request and retransmits it later to repeat an action (e.g., re-execute a payment). Protections: TLS sequence numbers prevent replaying encrypted records. TLS 1.3 limits 0-RTT data to idempotent requests. MQTT 5.0 QoS 2 uses packet IDs to prevent duplicate delivery. TOTP/HMAC-based one-time tokens add time-based uniqueness. Nonces (random values used once) in HTTP Digest Auth and API request signing (AWS Signature V4, HMAC timestamps) prevent replay within a time window.
Q99. What is network slicing in 5G and why is it important for IoT?
Network slicing uses NFV and SDN to create multiple isolated virtual networks on shared physical infrastructure, each with guaranteed resources, QoS, and security policies. For IoT: a URLLC slice for industrial control with <1 ms latency guarantees, an mMTC slice for millions of low-power sensors, and an eMBB slice for high-bandwidth video are all provisioned on the same 5G infrastructure. Each IoT application gets a dedicated virtual network without interference, enabling monetization and SLA guarantees impossible with shared networks.
Q100. What is the future of internet protocols and what trends should engineers follow?
Key trends: (1) HTTP/3 and QUIC becoming standard for web performance. (2) WebTransport replacing WebSocket for low-latency browser applications. (3) MQTT 5.0 and Sparkplug B for IIoT standardization. (4) Matter and Thread unifying smart home protocols. (5) 5G standalone networks and network slicing for industrial IoT. (6) Post-quantum cryptography (NIST PQC standards finalized 2024) in TLS and IoT security. (7) eBPF transforming cloud networking. (8) AI/ML-driven network management and anomaly detection. (9) IPv6-only networks as ISPs phase out IPv4 support.
Bonus Questions: Current Trends (2025)
Q101. What is Post-Quantum Cryptography (PQC) and why does it matter for protocols?
Current public-key cryptography (RSA, ECC) would be broken by a sufficiently powerful quantum computer using Shor’s algorithm. NIST finalized the first PQC standards in 2024: ML-KEM (CRYSTALS-Kyber) for key encapsulation, ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) for digital signatures. TLS, SSH, and MQTT over TLS will need to adopt PQC to protect against “harvest now, decrypt later” attacks where adversaries collect encrypted data today to decrypt when quantum computers are available.
Q102. What is HSTS (HTTP Strict Transport Security)?
HSTS (RFC 6797) instructs browsers to only connect to a domain over HTTPS, even if the user types http:// or clicks an http:// link. The Strict-Transport-Security header includes max-age (duration) and optionally includeSubDomains and preload. Preload submits the domain to the HSTS preload list built into browsers — the domain is HTTPS-only from first visit. HSTS eliminates SSL stripping attacks (where an attacker downgrades HTTPS to HTTP). Requires careful planning: once set, reverting to HTTP within max-age is impossible.
Q103. What is the Exponential Backoff algorithm used in protocol retransmissions?
Exponential backoff doubles the wait time between retransmissions with each failure: 1s, 2s, 4s, 8s, etc., up to a maximum cap. Used in TCP retransmission, MQTT reconnect logic, HTTP client retries, CoAP retransmissions, and cloud SDK reconnect policies. Prevents a “thundering herd” effect where all clients reconnect simultaneously after a server recovers. Usually combined with jitter (random offset) to spread reconnection load: wait = min(cap, base * 2^attempt) + random(0, jitter).
Q104. What is Protocol Buffers (Protobuf) and how does it compare to JSON?
Protocol Buffers is Google’s binary serialization format using .proto schema files. Advantages over JSON: 3–10x smaller on the wire, 5–10x faster to encode/decode, strongly typed with backward/forward compatibility via field numbers. Disadvantages: not human-readable, requires schema compilation, harder to debug. Used in gRPC, MQTT Sparkplug B, and internal Google/meta systems. JSON remains preferred for public REST APIs, configuration files, and contexts where human readability matters more than performance.
Q105. What is CBOR (Concise Binary Object Representation)?
CBOR (RFC 7049/8949) is a binary data format derived from JSON but designed for constrained IoT environments. It encodes the same JSON-like data structures (maps, arrays, strings, numbers, booleans) in a compact binary form with self-describing type tags. Significantly smaller than JSON, easier to parse than Protobuf on constrained devices (no schema needed), and used in CoAP payloads, COSE (CBOR Object Signing and Encryption), FIDO2/WebAuthn attestations, and IETF standards for IoT security.
This guide covered 105 Internet Protocols interview questions spanning TCP/IP fundamentals, HTTP/HTTPS and modern web protocols, DNS, WebSockets, MQTT and IoT protocols, TLS and security, routing architecture, application-layer protocols, wireless and embedded networking, cloud networking, and current 2025 trends including HTTP/3, QUIC, 5G, and post-quantum cryptography. Mastering these topics will prepare you for senior embedded software, networking, and IoT engineering interviews in 2025 and beyond.
