The Cable Guy - February 2005
IPsec Filter Ordering
Introduction
Internet Protocol security (IPsec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. For an overview of IPsec and its support in Microsoft® Windows Server 2003, see the Internet Protocol Security for Microsoft Windows Server 2003 white paper.
For Windows® IPsec, you must configure and assign an IPsec policy to specify how IP traffic must be handled. An IPsec policy is a set of configured rules. Each rule specifies the following:
An IP filter list, which defines a set of IP traffic. For example, an IP filter list can consist of a single filter that specifies all types of traffic, or it can consist of a set of filters, for example, for traffic to or from a specific set of servers.
A filter action, which defines how traffic is to be handled. With Windows IPsec, you can specify that traffic is permitted (allowed without requiring cryptographic services), blocked (silently discarded, similar to a firewall), or secured (the traffic must be protected with IPsec cryptographic services).
If the traffic is secured, you must also specify how the traffic is to be protected, an authentication method, whether or not you are using IPsec tunneling, and the type of connection to which the secured traffic applies.
Each rule links an IP filter list (a set of interesting traffic) to a filter action (what to do with the interesting traffic). For example, you can configure an IPsec policy with three rules that specify:
Rule A: For traffic to and from any IP address, block the traffic.
Rule B: For all traffic that matches the address prefix being used within my intranet, permit the traffic.
Rule C: For all traffic that matches the IP addresses of my three resource servers, secure the traffic.
This simplified policy allows a computer on an intranet to:
Protect communications with the resource servers
Allow communications with other computers on the intranet
Block all other traffic
The rules of an IPsec policy have no defined order. In our example policy, the Rule A, Rule B, and Rule C designations are just convenient names by which they are referred to in this article. However, there must be a method to determine how to handle traffic that matches multiple rules. In our example policy, an incoming packet from a computer on an IPsec peer's subnet matches both Rule A (from any IP address) and Rule B (from an address that matches the intranet's address prefix). IPsec cannot both block (Rule A) and permit (Rule B) the incoming packet.
To determine the best rule to apply to incoming and outgoing traffic, and thereby determine the appropriate action to perform, the IPsec Policy Agent component derives an IPsec filter list from the rules of the assigned IPsec policy. The IPsec filter list, which is derived from but different from the IP filter lists configured in the IPsec policy, is the end result of the policy configuration, specifying the exact set of interesting traffic and how it is to be handled.
For example, for Rule C in our simplified IPsec policy, the IPsec Policy Agent component for a computer with a single IP address derives six different entries in the IPsec filter list:
Traffic from my IP address to the IP address of resource server 1, action: secure
Traffic from the IP address of resource server 1 to my IP address, action: secure
Traffic from my IP address to the IP address of resource server 2, action: secure
Traffic from the IP address of resource server 2 to my IP address, action: secure
Traffic from my IP address to the IP address of resource server 3, action: secure
Traffic from the IP address of resource server 3 to my IP address, action: secure
After the IPsec Policy Agent creates the complete IPsec filter list, it sends the list to the IPsec Driver, the IPsec component that processes incoming and outgoing traffic.
You can view the IPsec filter list with the IP Security Monitor snap-in provided with Windows XP and Windows Server 2003. To add the IP Security Monitor snap-in, do the following:
Click Start, click Run, type MMC, and then click OK.
Click File, click Add/Remove Snap-in, and then click Add.
Click IP Security Monitor, and then click Add.
Click Close, and then click OK.
To view the IPsec filter list, you need to open the Main Mode and Quick Mode folders in the console tree. In the Main Mode folder, click Specific Filters to view the filters in the IPsec filter list that require security. In the Quick Mode folder, click Specific Filters to view all of the filters in the IPsec filter list. The following figure shows an example.
There is also a Generic Filters folder under the Main Mode and Quick Mode folders. Generic filters are derived from IP filters that are configured to use the My IP Address option as either a source or destination address. Generic filters are expanded to specific filters based on the IP addresses assigned to the computer.
Calculating IPsec Filter Weights
The IPsec filter list is ordered based on a weight value calculated by the IPsec Policy Agent component, with the highest weight value first. When processing an incoming or outgoing packet, the IPsec Driver component searches the IPsec filter list for a filter that matches the addresses, ports, and IP Protocol field value in the packet. The action (permit, block, or secure) of the first IPsec filter that matches the packet is applied.
The main parameters for determining the weight of an IPsec filter are the following:
The source IP address
The subnet mask of the source IP address
The destination IP address
The subnet mask of the destination IP address
The IP Protocol field value
For UDP and TCP traffic, the Source Port number
For UDP and TCP traffic, the Destination Port number
All of these parameters can be specified when creating an IP filter as part of an IP filter list during the configuration of an IPsec policy.
The weight value is based on how specific the originally defined IP filter is; more specific IP filters will produce IPsec filters with a higher weight value. The highest weight IPsec filter has all seven IP traffic parameters specified. The lowest weight IPsec filter has none of the seven IP traffic parameters specified.
To return to our example policy, an incoming packet from a computer connected to the subnet of an IPsec peer matches Rule A (from any IP address) and Rule B (from an address that matches the intranet address prefix). However, because the IPsec filter derived from Rule B is more specific than the IPsec filter derived from Rule A, the incoming packet matches the IPsec filter derived from Rule B first and the IPsec Driver component applies the action for Rule B (the packet is permitted).
The following table lists the weighting order of IPsec filters for the seven IP traffic parameters, as calculated by the IPsec Policy Agent component.
Source IP address | Source subnet mask | Destination IP address | Destination subnet mask | Protocol | Source port | Destination port |
---|---|---|---|---|---|---|
Specific IP address | 255.255.255.255 (32-bit subnet mask) | Specific IP address | 255.255.255.255 | Specific IP protocol | Specific source port | Specific destination port |
Specific IP address | 255.255.255.255 | Specific IP address | 255.255.255.255 | Specific IP protocol | Any | Specific destination port |
Specific IP address | 255.255.255.255 | Specific IP address | 255.255.255.255 | Specific IP protocol | Specific source port | Any |
Specific IP address | 255.255.255.255 | Specific IP address | 255.255.255.255 | Specific IP protocol | Any | Any |
Specific IP address | 255.255.255.255 | Specific IP address | 255.255.255.255 | Any | Any | Any |
IP address range | Less than a 32-bit subnet mask (such as 255.255.255.254) | Specific IP address | 255.255.255.255 | Specific IP protocol | Specific source port | Specific destination port |
IP address range | Less than a 32-bit subnet mask | Specific IP address | 255.255.255.255 | Specific IP protocol | Any | Specific destination port |
IP address range | Less than a 32-bit subnet mask | Specific IP address | 255.255.255.255 | Specific IP protocol | Specific source port | Any |
IP address range | Less than a 32-bit subnet mask | Specific IP address | 255.255.255.255 | Specific IP protocol | Any | Any |
IP address range | Less than a 32-bit subnet mask | Specific IP address | 255.255.255.255 | Any | Any | Any |
Specific IP address | 255.255.255.255 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Specific source port | Specific destination port |
Specific IP address | 255.255.255.255 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Any | Specific destination port |
Specific IP address | 255.255.255.255 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Specific source port | Any |
Specific IP address | 255.255.255.255 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Any | Any |
Specific IP address | 255.255.255.255 | IP address range | Less than a 32-bit subnet mask | Any | Any | Any |
IP address range | Less than a 32-bit subnet mask | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Specific source port | Specific destination port |
IP address range | Less than a 32-bit subnet mask | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Any | Specific destination port |
IP address range | Less than a 32-bit subnet mask | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Specific source port | Any |
IP address range | Less than a 32-bit subnet mask | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Any | Any |
IP address range | Less than a 32-bit subnet mask | IP address range | Less than a 32-bit subnet mask | Any | Any | Any |
Any | 0.0.0.0 | Specific IP address | 255.255.255.255 | Specific IP protocol | Specific source port | Specific destination port |
Any | 0.0.0.0 | Specific IP address | 255.255.255.255 | Specific IP protocol | Any | Specific destination port |
Any | 0.0.0.0 | Specific IP address | 255.255.255.255 | Specific IP protocol | Specific source port | Any |
Any | 0.0.0.0 | Specific IP address | 255.255.255.255 | Specific IP protocol | Any | Any |
Any | 0.0.0.0 | Specific IP address | 255.255.255.255 | Any | Any | Any |
Specific IP address | 255.255.255.255 | Any | 0.0.0.0 | Specific IP protocol | Specific source port | Specific destination port |
Specific IP address | 255.255.255.255 | Any | 0.0.0.0 | Specific IP protocol | Any | Specific destination port |
Specific IP address | 255.255.255.255 | Any | 0.0.0.0 | Specific IP protocol | Specific source port | Any |
Specific IP address | 255.255.255.255 | Any | 0.0.0.0 | Specific IP protocol | Any | Any |
Specific IP address | 255.255.255.255 | Any | 0.0.0.0 | Any | Any | Any |
Any | 0.0.0.0 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Specific source port | Specific destination port |
Any | 0.0.0.0 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Any | Specific destination port |
Any | 0.0.0.0 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Specific source port | Any |
Any | 0.0.0.0 | IP address range | Less than a 32-bit subnet mask | Specific IP protocol | Any | Any |
Any | 0.0.0.0 | IP address range | Less than a 32-bit subnet mask | Any | Any | Any |
IP address range | Less than a 32-bit subnet mask | Any | 0.0.0.0 | Specific IP protocol | Specific source port | Specific destination port |
IP address range | Less than a 32-bit subnet mask | Any | 0.0.0.0 | Specific IP protocol | Any | Specific destination port |
IP address range | Less than a 32-bit subnet mask | Any | 0.0.0.0 | Specific IP protocol | Specific source port | Any |
IP address range | Less than a 32-bit subnet mask | Any | 0.0.0.0 | Specific IP protocol | Any | Any |
IP address range | Less than a 32-bit subnet mask | Any | 0.0.0.0 | Any | Any | Any |
Any | 0.0.0.0 | Any | 0.0.0.0 | Specific IP protocol | Specific source port | Specific destination port |
Any | 0.0.0.0 | Any | 0.0.0.0 | Specific IP protocol | Any | Specific destination port |
Any | 0.0.0.0 | Any | 0.0.0.0 | Specific IP protocol | Specific source port | Any |
Any | 0.0.0.0 | Any | 0.0.0.0 | Specific IP protocol | Any | Any |
Any | 0.0.0.0 | Any | 0.0.0.0 | Any | Any | Any |
Weight values are also affected by the following:
Address ranges with a higher number of bits set in the subnet mask are more specific and have a higher weight value than address ranges with a lower number of bits set in the subnet mask.
IPsec filters derived from rules in which IPsec tunneling is used have a higher weight than IPsec filters derived from rules in which IPsec tunneling is not used.
The behavior of Windows IPsec matching traffic to the most specific IPsec filter is similar to the behavior of IP forwarding and the IP routing table. The IP routing table contains a series of entries for destinations. Some destinations are more specific than others. A host route is a route to a specific IP address. A default route is a route to any IP address. When sending or forwarding a packet, the IP component of TCP/IP searches the IP routing table for the route that most closely matches the destination IP address in the packet.
Duplicate Filter Weights
In some cases, different IPsec filters have the same calculated weight values. This typically occurs when two or more IPsec filters have the same level of specificity but define different traffic. In most cases, even though there are multiple filters with the same weight, a packet will only match a single IPsec filter.
Conflicting IPsec Filters
Conflicting IPsec filters contain the same value for addressing, ports, and the IP Protocol field value, but have different filter actions. For example, one filter may permit and the other filter may block. When there are conflicting filters, the filter with the most restrictive filter action is added to the filter list. The block filter action is more restrictive than the secure filter action, which is more restrictive than the permit filter action.
Example of IPsec Filters
To show an example of how the IPsec filter list is determined, we extend our example policy described previously in this article with the following information:
The IP address configuration of the computer on which the policy is being applied is 131.107.21.17/24
The intranet address prefix is 131.107.0.0/16
The IP addresses of the three resource servers are 131.107.1.1, 131.107.2.2, and 131.107.3.3
All of the IP filters are mirrored
Based on this configuration, the IPsec Policy Agent calculates the IPsec filter list as shown in the following table. The column names are the same as those displayed in the details pane of the IP Security Monitor snap-in when selecting the Quick Mode\Specific Filters folder in the console tree.
Source | Destination | Flag | Direction | Negotiation Policy | Weight |
---|---|---|---|---|---|
131.107.3.3 | 131.107.21.17 | Negotiate Security | Inbound | Secure | 69206017 |
131.107.2.2 | 131.107.21.17 | Negotiate Security | Inbound | Secure | 69206017 |
131.107.1.1 | 131.107.21.17 | Negotiate Security | Inbound | Secure | 69206017 |
131.107.21.17 | 131.107.2.2 | Negotiate Security | Outbound | Secure | 69206017 |
131.107.21.17 | 131.107.3.3 | Negotiate Security | Outbound | Secure | 69206017 |
131.107.21.17 | 131.107.1.1 | Negotiate Security | Outbound | Secure | 69206017 |
131.107.0.0 (255.255.0.0) | 131.107.21.17 | Permit | Inbound | | 69203121 |
131.107.21.17 | 131.107.0.0 (255.255.0.0) | Permit | Outbound | | 69203120 |
Any | 131.107.21.17 | Block | Inbound | | 34603009 |
131.107.21.17 | Any | Block | Outbound | | 34603008 |
From this simplified example policy, you can see the following behaviors:
IPsec filters that are more specific have a higher weight value
The first six filters that have a specific source and destination have the same weight value
For mirrored IPsec filters that use an address range, an IPsec filter with a more specific destination is assigned a slightly higher weight value than an IPsec filter with a more specific source.
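The following Python script is an added illustration written for this article, not Microsoft's code and not the IPsec Policy Agent's actual weight formula. It models the three steps described above: expanding the policy's mirrored and My IP Address filters into specific inbound and outbound IPsec filters, resolving conflicting filters by keeping the most restrictive action (block over secure over permit), and ordering the result so that the first match decides, the way the IPsec Driver does. The sort key is constructed to reproduce the order of the weighting table in this article (specific over range over Any, a more specific destination ahead of a more specific source, then protocol, destination port, source port); the use of total subnet-mask bits as a tie-breaker among ranges, the behaviour that traffic matching no filter is passed through, and the sample addresses 131.107.50.5, 10.0.0.1 and 192.0.2.9 are assumptions of this example. IPsec tunnel mode is not modelled. Running the script with the article's example policy (131.107.21.17/24, intranet 131.107.0.0/16, servers 131.107.1.1, 131.107.2.2 and 131.107.3.3) reproduces the ten-entry filter list shown in the table above, in the same order.

```python
"""Constructed model of Windows IPsec filter expansion, conflict resolution and ordering.

Added example for this article; not Microsoft code. The weight key reproduces the
order of the article's weighting table but is not the Policy Agent's numeric weight.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

MY_IP = "My IP Address"  # generic address option, expanded per interface address
RESTRICTIVENESS = {"block": 3, "secure": 2, "permit": 1}  # block > secure > permit


@dataclass(frozen=True)
class IPFilter:
    """One IP filter as configured in an IP filter list (None means Any)."""
    src: Optional[str]            # MY_IP, "a.b.c.d/n", or None for Any
    dst: Optional[str]
    action: str                   # permit | block | secure
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    mirrored: bool = True


@dataclass(frozen=True)
class SpecificFilter:
    """One entry of the derived IPsec filter list."""
    src: Optional[IPv4Network]
    dst: Optional[IPv4Network]
    action: str
    protocol: Optional[int]
    src_port: Optional[int]
    dst_port: Optional[int]


def _to_network(addr: Optional[str], my_ip: str) -> Optional[IPv4Network]:
    if addr is None:
        return None
    if addr == MY_IP:
        return IPv4Network(f"{my_ip}/32")
    return IPv4Network(addr, strict=False)


def expand(filters: List[IPFilter], my_ip: str) -> List[SpecificFilter]:
    """Expand generic (My IP Address) and mirrored filters into specific filters."""
    out = []
    for f in filters:
        src, dst = _to_network(f.src, my_ip), _to_network(f.dst, my_ip)
        out.append(SpecificFilter(src, dst, f.action, f.protocol, f.src_port, f.dst_port))
        if f.mirrored:  # the mirror swaps addresses and ports
            out.append(SpecificFilter(dst, src, f.action, f.protocol, f.dst_port, f.src_port))
    return out


def _addr_class(net: Optional[IPv4Network]) -> int:
    """2 = specific host (/32), 1 = address range, 0 = Any."""
    if net is None:
        return 0
    return 2 if net.prefixlen == 32 else 1


def weight_key(f: SpecificFilter):
    """Sort key (higher = more specific) matching the article's weighting table order.
    Tie-break by total mask bits among ranges is an assumption of this example."""
    s, d = _addr_class(f.src), _addr_class(f.dst)
    bits = (f.src.prefixlen if f.src else 0) + (f.dst.prefixlen if f.dst else 0)
    return (min(s, d), max(s, d), d, bits,
            f.protocol is not None, f.dst_port is not None, f.src_port is not None)


def resolve_conflicts(specific: List[SpecificFilter]) -> List[SpecificFilter]:
    """For identical traffic selectors keep only the most restrictive action."""
    best = {}
    for f in specific:
        key = (f.src, f.dst, f.protocol, f.src_port, f.dst_port)
        if key not in best or RESTRICTIVENESS[f.action] > RESTRICTIVENESS[best[key].action]:
            best[key] = f
    return list(best.values())


def build_filter_list(filters: List[IPFilter], my_ip: str) -> List[SpecificFilter]:
    """Derive the ordered IPsec filter list from the policy's IP filters."""
    return sorted(resolve_conflicts(expand(filters, my_ip)), key=weight_key, reverse=True)


def lookup(filter_list, src, dst, protocol=6, sport=None, dport=None) -> str:
    """Apply the action of the first (highest-weight) matching filter."""
    for f in filter_list:
        if ((f.src is None or IPv4Address(src) in f.src)
                and (f.dst is None or IPv4Address(dst) in f.dst)
                and f.protocol in (None, protocol)
                and f.src_port in (None, sport) and f.dst_port in (None, dport)):
            return f.action
    return "permit"  # assumption: traffic matching no filter is not "interesting"


# The article's example policy: Rule A (block all), Rule B (permit intranet), Rule C (secure servers)
EXAMPLE_HOST = "131.107.21.17"
EXAMPLE_POLICY = [
    IPFilter(None, MY_IP, "block"),
    IPFilter("131.107.0.0/16", MY_IP, "permit"),
    IPFilter("131.107.1.1/32", MY_IP, "secure"),
    IPFilter("131.107.2.2/32", MY_IP, "secure"),
    IPFilter("131.107.3.3/32", MY_IP, "secure"),
]

if __name__ == "__main__":
    for f in build_filter_list(EXAMPLE_POLICY, EXAMPLE_HOST):
        direction = "Inbound" if f.dst == IPv4Network(f"{EXAMPLE_HOST}/32") else "Outbound"
        print(f"{f.src or 'Any'} -> {f.dst or 'Any'}  {f.action:<7} {direction}")
    # constructed sample packets: peer server, intranet host, and an external address
    for src in ("131.107.1.1", "131.107.50.5", "10.0.0.1"):
        print(src, "->", EXAMPLE_HOST, "=>", lookup(build_filter_list(EXAMPLE_POLICY, EXAMPLE_HOST), src, EXAMPLE_HOST))
```

The printed list has the six secure filters first, then the inbound permit ahead of the outbound permit, then the inbound block ahead of the outbound block, which is the same order the article's table shows. Adding a duplicate of one of the server filters with a permit action leaves the list unchanged, because the secure action is more restrictive and wins the conflict.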
For More Information
For more information about the details of IPsec in Windows, consult the following resources:
Internet Protocol Security for Microsoft Windows Server 2003 white paper
IPsec Technical Reference section of the Windows Server 2003 Technical Reference
Deploying IPsec section of the Windows Server 2003 Deployment Guide