共用方式為


The Cable Guy - February 2005

IPsec Filter Ordering

TechNet's The Cable Guy

By The Cable Guy

Introduction

Internet Protocol security (IPsec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. For an overview of IPsec and its support in Microsoft® Windows Server 2003, see the Internet Protocol Security for Microsoft Windows Server 2003 white paper.

For Windows® IPsec, you must configure and assign an IPsec policy to specify how IP traffic must be handled. An IPsec policy is a set of configured rules. Each rule specifies the following:

  • An IP filter list, which defines a set of IP traffic. For example, an IP filter list can consist of a single filter that specifies all types of traffic or it can consist of a set of filters, for example, for traffic to from a specific set of servers.

  • A filter action, which defines how traffic is to be handled. With Windows IPsec, you can specify that traffic is permitted (allowed without requiring cryptographic services), blocked (silently discarded, similar to a firewall), or secured (the traffic must be protected with IPsec cryptographic services).

    If the traffic is secured, you must also specify how the traffic is to be protected, an authentication method, whether or not you are using IPsec tunneling, and the type of connection to which the secured traffic applies.

Each rule links an IP filter list (a set of interesting traffic) to a filter action (what to do with the interesting traffic). For example, you can configure an IPsec policy with three rules that specify:

  • Rule A: For traffic to and from any IP address, block the traffic.

  • Rule B: For all traffic that matches the address prefix being used within my intranet, permit the traffic.

  • Rule C: For all traffic that matches the IP addresses of my three resource servers, secure the traffic.

This simplified policy allows a computer on an intranet to:

  • Protect communications with the resource servers

  • Allow communications with other computers on the intranet

  • Block all other traffic

The rules of an IPsec policy have no defined order. In our example policy, the Rule A, Rule B, and Rule C designations are just convenient names by which they are referred to in this article. However, there must be a method to determine how to handle traffic that matches multiple rules. In our example policy, an incoming packet from a computer on an IPsec peer's subnet matches both Rule A (from any IP address) and Rule B (from an address that matches the intranet's address prefix). IPsec cannot both block (Rule A) and permit (Rule B) the incoming packet.

To determine the best rule to apply to incoming and outgoing traffic, and thereby determine the appropriate action to perform, the IPsec Policy Agent component derives an IPsec filter list from the rules of the assigned IPsec policy. The IPsec filter list, which is derived from but different than the IP filter lists configured in the IPsec policy, is the end result of the policy configuration, specifying the exact set of interesting traffic and how it is to be handled.

For example, for Rule C in our simplified IPsec policy, the IPsec Policy Agent component for a computer with a single IP address derives six different entries in the IPsec filter list:

  • Traffic from my IP address to the IP address of resource server 1, action: secure

  • Traffic from the IP address of resource server 1 to my IP address, action: secure

  • Traffic from my IP address to the IP address of resource server 2, action: secure

  • Traffic from the IP address of resource server 2 to my IP address, action: secure

  • Traffic from my IP address to the IP address of resource server 3, action: secure

  • Traffic from the IP address of resource server 3 to my IP address, action: secure

After the IPsec Policy Agent creates the complete IPsec filter list, it sends the list to the IPsec Driver, the IPsec component that processes incoming and outgoing traffic.

You can view the IPsec filter list with the IP Security Monitor snap-in provided with Windows XP and Windows Server 2003. To add the IP Security Monitor snap-in, do the following:

  1. Click Start, click Run, type MMC, and then click OK.

  2. Click File, click Add/Remove Snap-in, and then click Add.

  3. Click IP Security Monitor, and then click Add.

  4. Click Close, and then click OK.

To view the IPsec filter list, you need to open the Main Mode and Quick Mode folders in the console tree. In the Main Mode folder, click Specific Filters to view the filters in the IPsec filter list that require security, In the Quick Mode folder, click Specific Filters to view all of the filters in the IPsec filter list. The following figure shows an example.

cg010501.gif

There is also a Generic Filters folder under the Main Mode and Quick Mode folders. Generic filters are derived from IP filters that are configured to use the My IP Address option as either a source or destination address. Generic filters are expanded to specific filters based on the IP addresses assigned to the computer.

Calculating IPsec Filter Weights

The IPsec filter list is ordered based on a weight value calculated by the IPsec Policy Agent component, with the highest weight value first. When processing an incoming or outgoing packet, the IPsec Driver component searches the IPsec filter list to find a filter that matches the values of the addresses, ports, and IP Protocol field in the packet. The first IPsec filter that matches the packet has the action (permit, block, secure) of the matching IPsec filter applied.

The main parameters for determining the weight of an IPsec filter are the following:

  • The source IP address

  • The subnet mask of the source IP address

  • The destination IP address

  • The subnet mask of the destination IP address

  • The IP Protocol field value

  • For UDP and TCP traffic, the Source Port number

  • For UDP and TCP traffic, the Destination Port number

All of these parameters can be specified when creating an IP filter as part of an IP filter list during the configuration of an IPsec policy.

The weight value is based on how specific the originally defined IP filter is; more specific IP filters will produce IPsec filters with a higher weight value. The highest weight IPsec filter has all seven IP traffic parameters specified. The lowest weight IPsec filter has none of the seven IP traffic parameters specified.

To return to our example policy, an incoming packet from a computer connected to the subnet of an IPsec peer matches Rule A (from any IP address) and Rule B (from an address that matches the intranet address prefix). However, because the IPsec filter derived from Rule B is more specific than the IPsec filter derived from Rule A, the incoming packet matches the IPsec filter derived from Rule B first and the IPsec Driver component applies the action for Rule B (the packet is permitted).

The following table lists the weighting order of IPsec filters for the seven IP traffic parameters, as calculated by the IPsec Policy Agent component.

Source IP address Source subnet mask Destination IP address Destination subnet mask Protocol Source port Destination port
Specific IP address 255.255.255.255 (32-bit subnet mask) Specific IP address 255.255.255.255 Specific IP protocol Specific source port Specific destination port
Specific IP address 255.255.255.255 Specific IP address 255.255.255.255 Specific IP protocol Any Specific destination port
Specific IP address 255.255.255.255 Specific IP address 255.255.255.255 Specific IP protocol Specific source port Any
Specific IP address 255.255.255.255 Specific IP address 255.255.255.255 Specific IP protocol Any Any
Specific IP address 255.255.255.255 Specific IP address 255.255.255.255 Any Any Any
IP address range Less than a 32-bit subnet mask (such as 255.255.255.254) Specific IP address 255.255.255.255 Specific IP protocol Specific source port Specific destination port
IP address range Less than a 32-bit subnet mask Specific IP address 255.255.255.255 Specific IP protocol Any Specific destination port
IP address range Less than a 32-bit subnet mask Specific IP address 255.255.255.255 Specific IP protocol Specific source port Any
IP address range Less than a 32-bit subnet mask Specific IP address 255.255.255.255 Specific IP protocol Any Any
IP address range Less than a 32-bit subnet mask Specific IP address 255.255.255.255 Any Any Any
Specific IP address 255.255.255.255 IP address range Less than a 32-bit subnet mask Specific IP protocol Specific source port Specific destination port
Specific IP address 255.255.255.255 IP address range Less than a 32-bit subnet mask Specific IP protocol Any Specific destination port
Specific IP address 255.255.255.255 IP address range Less than a 32-bit subnet mask Specific IP protocol Specific source port Any
Specific IP address 255.255.255.255 IP address range Less than a 32-bit subnet mask Specific IP protocol Any Any
Specific IP address 255.255.255.255 IP address range Less than a 32-bit subnet mask Any Any Any
IP address range Less than a 32-bit subnet mask IP address range Less than a 32-bit subnet mask Specific IP protocol Specific source port Specific destination port
IP address range Less than a 32-bit subnet mask IP address range Less than a 32-bit subnet mask Specific IP protocol Any Specific destination port
IP address range Less than a 32-bit subnet mask IP address range Less than a 32-bit subnet mask Specific IP protocol Specific source port Any
IP address range Less than a 32-bit subnet mask IP address range Less than a 32-bit subnet mask Specific IP protocol Any Any
IP address range Less than a 32-bit subnet mask IP address range Less than a 32-bit subnet mask Any Any Any
Any 0.0.0.0 Specific IP address 255.255.255.255 Specific IP protocol Specific source port Specific destination port
Any 0.0.0.0 Specific IP address 255.255.255.255 Specific IP protocol Any Specific destination port
Any 0.0.0.0 Specific IP address 255.255.255.255 Specific IP protocol Specific source port Any
Any 0.0.0.0 Specific IP address 255.255.255.255 Specific IP protocol Any Any
Any 0.0.0.0 Specific IP address 255.255.255.255 Any Any Any
Specific IP address 255.255.255.255 Any 0.0.0.0 Specific IP protocol Specific source port Specific destination port
Specific IP address 255.255.255.255 Any 0.0.0.0 Specific IP protocol Any Specific destination port
Specific IP address 255.255.255.255 Any 0.0.0.0 Specific IP protocol Specific source port Any
Specific IP address 255.255.255.255 Any 0.0.0.0 Specific IP protocol Any Any
Specific IP address 255.255.255.255 Any 0.0.0.0 Any Any Any
Any 0.0.0.0 IP address range Less than a 32-bit subnet mask Specific IP protocol Specific source port Specific destination port
Any 0.0.0.0 IP address range Less than a 32-bit subnet mask Specific IP protocol Any Specific destination port
Any 0.0.0.0 IP address range Less than a 32-bit subnet mask Specific IP protocol Specific source port Any
Any 0.0.0.0 IP address range Less than a 32-bit subnet mask Specific IP protocol Any Any
Any 0.0.0.0 IP address range Less than a 32-bit subnet mask Any Any Any
IP address range Less than a 32-bit subnet mask Any 0.0.0.0 Specific IP protocol Specific source port Specific destination port
IP address range Less than a 32-bit subnet mask Any 0.0.0.0 Specific IP protocol Any Specific destination port
IP address range Less than a 32-bit subnet mask Any 0.0.0.0 Specific IP protocol Specific source port Any
IP address range Less than a 32-bit subnet mask Any 0.0.0.0 Specific IP protocol Any Any
IP address range Less than a 32-bit subnet mask Any 0.0.0.0 Any Any Any
Any 0.0.0.0 Any 0.0.0.0 Specific IP protocol Specific source port Specific destination port
Any 0.0.0.0 Any 0.0.0.0 Specific IP protocol Any Specific destination port
Any 0.0.0.0 Any 0.0.0.0 Specific IP protocol Specific source port Any
Any 0.0.0.0 Any 0.0.0.0 Specific IP protocol Any Any
Any 0.0.0.0 Any 0.0.0.0 Any Any Any

Weight values are also affected by the following:

  • Address ranges with a higher number of bits set in the subnet mask are more specific and have a higher weight value than address ranges with a lower number of bits set in the subnet mask.

  • IPsec filters derived from rules in which IPsec tunneling is used have a higher weight than IPsec filters derived from rules in which IPsec tunneling is not used.

The behavior of Windows IPsec matching traffic to the most specific IPsec filter is similar to the behavior of IP forwarding and the IP routing table. The IP routing table contains a series of entries for destinations. Some destinations are more specific than others. A host route is a route to a specific IP address. A default route is a route to any IP address. When sending or forwarding a packet, the IP component of TCP/IP searches the IP routing table for the route that most closely matches the destination IP address in the packet.

Duplicate Filter Weights

In some cases, different IPsec filters have the same calculated weight values. This typically occurs when two or more IPsec filters have the same level of specificity but define different traffic. In most cases, even though there are multiple filters with the same weight, a packet will only match a single IPsec filter.

Conflicting IPsec Filters

Conflicting IPsec filters contain the same value for addressing, ports, and the IP Protocol field value, but have different filter actions. For example, one filter may permit and the other filter may block. When there are conflicting filters, the filter with the most restrictive filter action is added to the filter list. The block filter action is more restrictive than the secure filter action, which is more restrictive than the permit filter action.

Example of IPsec Filters

To show an example of how the IPsec filter list is determined, we extend our example policy described previously in this article with the following information:

  • The IP address configuration of the computer on which the policy is being applied is 131.107.21.17/24

  • The intranet address prefix is 131.107.0.0/16

  • The IP addresses of the three resource servers are 131.107.1.1, 131.107.2.2, and 131.107.3.3

  • All of the IP filters are mirrored

Based on this configuration, the IPsec Policy Agent calculates the IPsec filter list as shown in the following table. The column names are the same as those displayed in the details pane of the IP Security Monitor snap-in when selecting the Quick Mode\Specific Filters folder in the console tree.

Source Destination Flag Direction Negotiation Policy Weight
131.107.3.3 131.107.21.17 Negotiate Security Inbound Secure 69206017
131.107.2.2 131.107.21.17 Negotiate Security Inbound Secure 69206017
131.107.1.1 131.107.21.17 Negotiate Security Inbound Secure 69206017
131.107.21.17 131.107.2.2 Negotiate Security Outbound Secure 69206017
131.107.21.17 131.107.3.3 Negotiate Security Outbound Secure 69206017
131.107.21.17 131.107.1.1 Negotiate Security Outbound Secure 69206017
131.107.0.0 (255.255.0.0) 131.107.21.17 Permit Inbound 69203121
131.107.21.17 131.107.0.0 (255.255.0.0) Permit Outbound 69203120
Any 131.107.21.17 Block Inbound 34603009
131.107.21.17 Any Block Outbound 34603008

From this simplified example policy, you can see the following behaviors:

  • IPsec filters that are more specific have a higher weight value

  • The first six filters that have a specific source and destination have the same weight value

  • For mirrored IPsec filters that use an address range, an IPsec filter with a more specific destination is assigned a slightly higher weight value than an IPsec filter with a more specific source.

For More Information

For more information about the details of IPsec in Windows, consult the following resources:

For a list of all The Cable Guy articles, click here.