
7.5.3 Security Policy Database Structure

In Windows, the IPsec SPD for every host can be remotely managed via GPOs [MS-GPIPSEC] [MS-GPFAS]. The structure of the Windows IPsec SPD is derived from the structure defined in [RFC4301] section 4.4.1. The SPD controls the packet processing rules for IPsec and provides the parameters for IKE when it establishes security associations.

The Windows IPsec SPD, like the SPD defined in [RFC4301], consists of a list of rules, similar in structure to firewall rules. Each rule specifies an action, ALLOW, BYPASS, or BLOCK ([MS-GPFAS] section 2.2.2.5), to be applied to a class of IP packets defined by a set of filters that are called selectors.

  • ALLOW corresponds to the PROTECT action in [RFC4301].

  • BLOCK corresponds to the DISCARD action in [RFC4301]. In Windows, BLOCK is considered a firewall policy, rather than an IPsec policy. The ways in which firewall and connection security interact in Windows are specified in [MS-FASP].

  • BYPASS corresponds to the same action in [RFC4301].

The PROTECT rules specify, for a particular class of packets defined by a set of filters, the cryptography policies for main mode security association (MM SA) and quick mode security association (QM SA) negotiation, the authentication policy for MM SA negotiation, and in the case of AuthIP, extended mode (EM) negotiation. Authentication policies specify such parameters as the permitted authentication methods (for example, packet signing), certificate formats, and certificate authorities. The cryptography policies specify such parameters as permitted cryptography algorithms, modes, and key lengths. The cryptography policies for QM SAs also include policies for per-packet cryptographic protection, such as whether to use Encapsulating Security Payload (ESP) ([RFC4303] section 2) or Authentication Header (AH) ([RFC4302] section 2), and which algorithms, modes, and key lengths to use.
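As an added illustration (not Microsoft's code and not part of the specification), the following Python models the SPD structure described in this section: an ordered list of rules, each with a set of selectors and one of the three Windows actions mapped to its [RFC4301] name, with PROTECT rules carrying the MM SA, QM SA and authentication parameters that IKE consumes, and BLOCK rules separated out as firewall policy. The rule names, addresses, ports and proposal strings are constructed sample values, and the default-deny applied to packets that match no rule is a choice made in this example.

```python
"""Toy model of an IPsec Security Policy Database (SPD).

Constructed illustration of the structure described in RFC 4301 section 4.4.1
and its Windows variant; rule names, sample addresses and proposal strings are
made up, and the no-match default is a choice made here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Windows action names and the RFC 4301 actions they correspond to.
WINDOWS_TO_RFC4301 = {"ALLOW": "PROTECT", "BLOCK": "DISCARD", "BYPASS": "BYPASS"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int   # IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP)
    dst_port: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Selector:
    """Traffic selector: a packet matches when every field matches."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None            # None means any IP protocol
    dst_ports: tuple[int, int] = (0, 65535)   # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.protocol is None or self.protocol == pkt.protocol)
                and self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1])


@dataclass(frozen=True)
class ProtectPolicy:
    """Parameters a PROTECT rule hands to IKE/AuthIP (sample values only)."""
    auth_methods: tuple[str, ...]   # MM authentication policy
    mm_proposals: tuple[str, ...]   # MM SA cryptography policy
    qm_proposals: tuple[str, ...]   # QM SA policy, including the ESP/AH choice


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # ALLOW | BLOCK | BYPASS (Windows names)
    selectors: tuple[Selector, ...]
    protect: Optional[ProtectPolicy] = None

    def __post_init__(self) -> None:
        if self.action not in WINDOWS_TO_RFC4301:
            raise ValueError(f"rule {self.name}: unknown action {self.action!r}")
        # Only PROTECT (ALLOW) rules carry IKE parameters; BLOCK/BYPASS must not.
        if (self.action == "ALLOW") != (self.protect is not None):
            raise ValueError(f"rule {self.name}: ALLOW rules require a protect "
                             "policy and BLOCK/BYPASS rules must not carry one")


class SPD:
    """Ordered rule list; the first rule with a matching selector wins."""

    def __init__(self, rules) -> None:
        self.rules = list(rules)

    def lookup(self, pkt: Packet) -> tuple[str, Optional[Rule]]:
        for rule in self.rules:
            if any(sel.matches(pkt) for sel in rule.selectors):
                return WINDOWS_TO_RFC4301[rule.action], rule
        # No rule matched: default-deny, the conservative choice made here.
        return "DISCARD", None

    def split(self) -> tuple[list[Rule], list[Rule]]:
        """Windows treats BLOCK rules as firewall policy, not IPsec policy."""
        ipsec = [r for r in self.rules if r.action != "BLOCK"]
        firewall = [r for r in self.rules if r.action == "BLOCK"]
        return ipsec, firewall


# Constructed sample policy (all values invented for illustration).
SAMPLE_POLICY = ProtectPolicy(
    auth_methods=("Kerberos", "Certificate"),
    mm_proposals=("AES-256/SHA-256/DH-Group14",),
    qm_proposals=("ESP:AES-GCM-128", "AH:SHA-256"),
)
SAMPLE_SPD = SPD([
    Rule("block-telnet", "BLOCK", (Selector(protocol=6, dst_ports=(23, 23)),)),
    Rule("bypass-icmp", "BYPASS", (Selector(protocol=1),)),
    Rule("protect-intranet", "ALLOW",
         (Selector(src="10.0.0.0/8", dst="10.0.0.0/8"),), protect=SAMPLE_POLICY),
])

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "10.9.8.7", 6, 445),
                Packet("10.1.2.3", "10.9.8.7", 1, 0),
                Packet("10.1.2.3", "10.9.8.7", 6, 23),
                Packet("192.0.2.5", "10.9.8.7", 6, 445)):
        action, rule = SAMPLE_SPD.lookup(pkt)
        print(pkt, "->", action, rule.name if rule else "(no rule)")
```

The `Rule` validation is the check a policy reviewer wants: a PROTECT rule without its MM/QM/authentication parameters cannot drive an IKE negotiation, and a BLOCK or BYPASS rule carrying such parameters indicates a mis-authored policy. `split()` mirrors the Windows distinction between connection security (IPsec) rules and firewall rules.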