Traffic That Can--and Cannot--Be Secured by IPSec (253169)

MORE INFORMATION

IPSec is applied to IP packets as they are sent and received. Packets are matched against filters when they are being sent (outbound) to see if they should be secured, blocked, or passed in clear text. Packets are also matched when they are received (inbound) to see if they should have been secured, should be blocked, or should be passed (permitted) into the system in clear text.

By design, the following types of IP traffic are exempted and cannot be secured by IPSec in Windows 2000:

• Broadcast
  Traffic going from one sender to many receivers that are unknown to the sender. This type of packet cannot be classified by IPSec filters. For example, a standard class C subnet using 192.168.0.x would have a broadcast address of 192.168.0.255. Your broadcast address depends on your subnet mask.
• Multicast
  As with Broadcast traffic, one sender sends an IP packet to many receivers that are unknown to the sender. These are addresses in the range from 224.0.0.0 through 239.255.255.255.
• Resource Reservation Protocol (RSVP)
  This traffic uses IP protocol 46 and is used to provide Quality Of Service (QoS) in Windows 2000. Exemption of RSVP traffic is a requirement to allow QOS markings for traffic that may be secured by IPSec.
• Internet Key Exchange (IKE)
  IKE is a protocol used by IPSec to securely negotiate security parameters (if the filter action indicates that security needs to be negotiated) and establish shared encryption keys after a packet is matched to a filter. Windows 2000 always uses a User Datagram Protocol (UDP) source and destination port 500 for IKE traffic.
• Kerberos
  Kerberos is the core Windows 2000 security protocol typically used by IKE for IPSec authentication. This traffic uses a UDP/TCP protocol source and destination port 88. Kerberos is itself a security protocol that does not need to be secured by IPSec. The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit.

NOTE: These exemptions apply to IPSec transport mode filters for packets that have a source address of the computer that is sending the packet. IPSec tunnels can secure only unicast IP traffic. IPSec tunnel-mode filters also cannot process multicast or broadcast packets. If Kerberos, IKE, or RSVP packets are received on one adapter and routed out of another adapter (by using packet forwarding or Routing and Remote Access Services), they are not exempt from IPSec tunnel-mode filters and could be carried inside the tunnel.

For more information about the IKE protocol see RFC 2409: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional information about RSVP, click the article number below to view the article in the Microsoft Knowledge Base: For more information about Kerberos, see the "Kerberos V5 Authentication" topic in Windows 2000 Help, and also the technical documents about Kerberos located at the following Microsoft Web site: For more information about configuring IPSec, see the Step-by-Step Guide to Internet Protocol Security at the following Microsoft Web site: For additional information about the IPSec feature in Microsoft Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: