Traffic That Can--and Cannot--Be Secured by IPSec
This article was previously published under Q253169
This article has been archived. It is offered "as is" and will no longer be updated.
IP Security Protocol (IPSec) in Windows 2000 is designed to secure IP traffic between two computers that communicate by using their IP addresses. It uses filters defined in an IPSec policy to classify IP packets. After a packet is classified (matched to a filter), the configured filter action takes place.
IPSec is applied to IP packets as they are sent and received. Packets are matched against filters when they are being sent (outbound) to see if they should be secured, blocked, or passed in clear text. Packets are also matched when they are received (inbound) to see if they should have been secured, should be blocked, or should be passed (permitted) into the system in clear text.
By design, the following types of IP traffic are exempted and cannot be secured by IPSec in Windows 2000:
- Broadcast
Traffic going from one sender to many receivers that are unknown to the sender. This type of packet cannot be classified by IPSec filters. For example, a standard class C subnet using 192.168.0.x has the broadcast address 192.168.0.255; the broadcast address depends on your subnet mask.
- Multicast
As with broadcast traffic, one sender sends an IP packet to many receivers that are unknown to the sender. Multicast addresses are those in the range 224.0.0.0 through 239.255.255.255.
- Resource Reservation Protocol (RSVP)
This traffic uses IP protocol 46 and provides Quality of Service (QoS) in Windows 2000. RSVP is exempted so that QoS markings can be applied to traffic that may itself be secured by IPSec.
- Internet Key Exchange (IKE)
IKE is a protocol used by IPSec to securely negotiate security parameters (if the filter action indicates that security needs to be negotiated) and establish shared encryption keys after a packet is matched to a filter. Windows 2000 always uses a User Datagram Protocol (UDP) source and destination port 500 for IKE traffic.
- Kerberos
Kerberos is the core Windows 2000 security protocol and is typically used by IKE for IPSec authentication. This traffic uses UDP or TCP with source or destination port 88. Kerberos is itself a security protocol and does not need to be secured by IPSec. The Kerberos exemption is simply this: if a packet is TCP or UDP and has source or destination port 88, it is permitted.
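The exemption rules above, written out as a classifier (an added example, not code from the article or from Microsoft): given a packet's addresses, IP protocol and ports, it names the Windows 2000 default exemption that would let the packet bypass IPSec filters, so the real coverage of a policy can be audited. The Packet type, the local_net parameter (the host's subnet, used to derive the broadcast address from the mask) and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Standard IANA values for the exempted traffic the article lists.
PROTO_TCP, PROTO_UDP, PROTO_RSVP = 6, 17, 46
IKE_PORT, KERBEROS_PORT = 500, 88
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224.0.0.0 - 239.255.255.255
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: addresses, IP protocol, optional ports."""
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

def exemption(pkt: Packet, local_net: str) -> Optional[str]:
    """Return the Windows 2000 default exemption this packet falls under,
    or None if IPSec filters apply to it. local_net (assumed input such as
    "192.168.0.0/24") is the host's subnet; the directed broadcast address
    is derived from its mask, as the article notes it depends on the mask."""
    net = ipaddress.ip_network(local_net, strict=False)
    dst = ipaddress.ip_address(pkt.dst)
    if dst in (net.broadcast_address, LIMITED_BROADCAST):
        return "broadcast"
    if dst in MULTICAST:
        return "multicast"
    if pkt.proto == PROTO_RSVP:
        return "rsvp"
    # IKE: Windows 2000 always uses UDP port 500 on both ends.
    if pkt.proto == PROTO_UDP and pkt.sport == IKE_PORT and pkt.dport == IKE_PORT:
        return "ike"
    # Kerberos: TCP or UDP with port 88 on either side is permitted,
    # whatever the other port is.
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and KERBEROS_PORT in (pkt.sport, pkt.dport):
        return "kerberos"
    return None

def audit(packets, local_net: str) -> dict:
    """Group packets by exemption name, or "filtered" for those the IPSec
    policy actually governs, so policy coverage can be reviewed."""
    groups: dict = {}
    for pkt in packets:
        key = exemption(pkt, local_net) or "filtered"
        groups.setdefault(key, []).append(pkt)
    return groups
```

Note that a UDP 500 to 4500 packet is not exempt here, since the article states Windows 2000 uses port 500 on both ends for IKE.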
For more information about the IKE protocol, see RFC 2409.
For additional information about RSVP, click the article number below to view the article in the Microsoft Knowledge Base:
227261 Description of the Resource Reservation Protocol (RSVP)
For more information about Kerberos, see the "Kerberos V5 Authentication" topic in Windows 2000 Help, and the technical documents about Kerberos at the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/security/kerberos/default.mspx
For additional information about the IPSec feature in Microsoft Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
810207 IPSec Default Exemptions Are Removed in Windows Server 2003
Article ID: 253169 - Last Review: 12/05/2015 18:29:48 - Revision: 6.4
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Professional Edition