Capabilities and Functionality

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Overview

Windows Server 2003 TCP/IP was designed to make it easy to integrate Microsoft systems into large-scale corporate, government, and public networks, and to provide the ability to operate over those networks in a secure manner. The Windows Server 2003 TCP/IP protocol is installed by default and, unlike previous versions of Windows, cannot be uninstalled. However, you can reset the TCP/IP configuration to a default state with the netsh interface ip reset command.

Support for Standard Features

Windows Server 2003 TCP/IP supports the following standard features:

  • Ability to bind to multiple network adapters with different media types

  • Logical and physical multihoming

  • Internal IP routing capability

  • Internet Group Management Protocol (IGMP) version 3 (IP multicasting)

  • Duplicate IP address detection

  • Multiple default gateways

  • Dead gateway detection

  • Automatic Path Maximum Transmission Unit (PMTU) discovery

  • Internet Protocol security (IPsec)

  • Quality of Service (QoS)

  • ATM Services

  • Virtual Private Networks (VPNs) with the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)

Performance Enhancements

In addition, Windows Server 2003 TCP/IP has the following performance enhancements:

  • Protocol stack tuning, including increased default window sizes and new algorithms for high-delay and high-loss links, which increases throughput

  • TCP-scalable window sizes (described in RFC 1323)

  • Selective acknowledgments (SACK) (described in RFC 2018)

  • TCP fast retransmit and fast recovery (described in RFC 2581)

  • Round Trip Time (RTT) and Retransmission Timeout (RTO) calculation improvements

  • Improved performance for management of large numbers of connections

  • Hardware task offload mechanisms including checksum offload and large send offload (LSO)

Services Available

The Windows Server 2003 operating system provides the following TCP/IP-related services:

  • Dynamic Host Configuration Protocol (DHCP) client and server and DHCP Relay Agent (with the Routing and Remote Access service)

  • In the absence of a DHCP server, Automatic Private IP Addressing (APIPA) is used

  • Windows Internet Name Service (WINS), a NetBIOS name client and server

  • Domain Name System (DNS) client and server, including support for DNS dynamic updates

  • Dial-up support using the Point-to-Point Protocol (client and server) and Serial Line Internet Protocol (client only)

  • PPTP and L2TP/IPsec, used for remote access and site-to-site VPN connections

  • TCP/IP network printing (client only with the Lpr.exe and Lpq.exe tools)

  • SNMP agent

  • NetBIOS interface

  • Network Location Service

  • Windows Sockets version 2 (Winsock2) interface

  • Remote Procedure Call (RPC) support

  • Network Dynamic Data Exchange (NetDDE)

  • Computer browsing (My Network Places) across IP routers

  • Reliable multicast with the Pragmatic General Multicast (PGM) protocol

  • Basic TCP/IP connectivity utilities, including: finger, ftp, rcp, rexec, rsh, telnet, and tftp

  • Server and client software for simple network protocols, including: Character Generator, Daytime, Discard, Echo, and Quote of the Day

  • Routing Information Protocol (RIP) listener (for Windows XP Professional) and RIP and Open Shortest Path First (OSPF) (with the Routing and Remote Access service)

  • Network Address Translator (NAT) capabilities using either the Internet Connection Sharing (ICS) or the NAT/Basic Firewall routing protocol component of the Routing and Remote Access service

  • Stateful firewalling capabilities using either the Internet Connection Firewall (for Windows Server 2003 with no service packs installed), Windows Firewall (for Windows Server 2003 Service Pack 1), or the NAT/Basic Firewall routing protocol component of the Routing and Remote Access service

  • Multicast forwarding and IGMP router and proxy capabilities with the Routing and Remote Access service

  • TCP/IP management and diagnostic tools, including: arp, ipconfig, nbtstat, netsh, netstat, ping, pathping, route, nslookup, and tracert

New Features for Windows Server 2003 TCP/IP

The features and improvements of TCP/IP that are new for Windows Server 2003 include the following:

  • Windows Server 2003, Windows XP with Service Pack 1, and Windows XP with Service Pack 2 now include a production-quality IPv6 protocol stack. For more information about IPv6, see Windows Server 2003 Help and Support Center or the Microsoft Windows IPv6 Web site (https://go.microsoft.com/fwlink/?LinkID=17074).

  • Auto-negotiation of RFC 1323 options (window scaling and TCP timestamps).

  • Default support of network interface cards providing large send offload (LSO) and checksum offload.

  • IGMP version 3.

  • Reliable multicast with PGM.

  • Alternate configuration.

  • Automatic determination of the interface-related and default route metrics.

For reference, the table below lists each feature and the Windows versions in which it is present. The features are described in more detail throughout this article.

Table 1. Feature Comparison Table for Windows TCP/IP Versions

Feature                                 Windows 98  Windows 98 SE  Windows NT 4.0 SP5  Windows 2000  Windows Server 2003

Dead gateway detection                  Y           Y              Y                   Y             Y
Fast retransmit/recovery                Y           Y              Y                   Y             Y
APIPA                                   Y           Y              N                   Y             Y
Selective ACK (SACK)                    Y           Y              N                   Y             Y
Jumbo frame support                     Y           Y              Y                   Y             Y
Large windows                           D           D              N                   D             D
DNS dynamic update                      N           N              N                   Y             Y
Media sense                             N           N              N                   Y             Y
Wake on LAN                             N           N              N                   Y             Y
IP forwarding                           N           D              D                   D             D
NAT                                     N           D              N                   D             D
Kerberos v5                             N           N              N                   Y             Y
IPsec                                   N           N              N                   Y             Y
PPTP                                    Y           Y              Y                   Y             Y
L2TP/IPsec                              N           N              N                   Y             Y
IP Helper API                           Y           Y              Y                   Y             Y
Winsock2 API                            Y           Y              Y                   Y             Y
GQoS API                                Y           Y              N                   Y             Y
IP Filtering API                        N           N              N                   Y             Y
Firewall hook                           N           N              N                   Y             Y
Packet scheduler                        N           N              N                   D             D
Network location                        N           N              N                   N             Y
ISSLOW                                  Y           Y              N                   Y             Y
Personal firewall                       N           N              N                   N             D
Block source routing                    N           Y              Y                   Y             Y
ICMP Router Discovery                   Y           Y              D                   D             D
IPsec offload                           N           N              N                   Y             Y
IGMP v3                                 N           N              N                   N             Y
Reliable multicast (PGM)                N           N              N                   N             Y
Alternate configuration                 N           N              N                   N             Y
Auto-determination of routing metrics   N           N              N                   N             Y
Checksum offload                        N           N              N                   N             Y
Large send offload                      N           N              N                   N             Y

N=No, Y=Yes, and D=Disabled by Default

Internet RFCs Supported by Windows Server 2003 TCP/IP

Requests for Comments (RFCs) are a constantly evolving series of reports, proposals for protocols, and protocol standards used by the Internet community. You can obtain RFCs from the Internet Engineering Task Force (IETF) Web site (https://go.microsoft.com/fwlink/?LinkID=29138).

Table 2. RFCs supported by Windows Server 2003 TCP/IP

RFC                      Title

768                      User Datagram Protocol (UDP)
783                      Trivial File Transfer Protocol (TFTP)
791                      Internet Protocol (IP)
792                      Internet Control Message Protocol (ICMP)
793                      Transmission Control Protocol (TCP)
816                      Fault Isolation and Recovery
826                      Address Resolution Protocol (ARP)
854                      Telnet Protocol (TELNET)
862                      Echo Protocol (ECHO)
863                      Discard Protocol (DISCARD)
864                      Character Generator Protocol (CHARGEN)
865                      Quote of the Day Protocol (QUOTE)
867                      Daytime Protocol (DAYTIME)
894                      IP over Ethernet
919, 922                 IP Broadcast Datagrams (broadcasting with subnets)
950                      Internet Standard Subnetting Procedure
959                      File Transfer Protocol (FTP)
1001, 1002               NetBIOS Service Protocols
1065, 1035, 1123, 1886   Domain Name System (DNS)
1042                     A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
1055                     Transmission of IP over Serial Lines (IP-SLIP)
1112                     Internet Group Management Protocol (IGMP)
1122, 1123               Host Requirements (communications and applications)
1144                     Compressing TCP/IP Headers for Low-Speed Serial Links
1157                     Simple Network Management Protocol (SNMP)
1179                     Line Printer Daemon Protocol
1188                     IP over FDDI
1191                     Path MTU Discovery
1201                     IP over ARCNET
1256                     ICMP Router Discovery Messages
1323                     TCP Extensions for High Performance
1332                     PPP Internet Protocol Control Protocol (IPCP)
1518                     Architecture for IP Address Allocation with CIDR
1519                     Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy
1534                     Interoperation Between DHCP and BOOTP
1542                     Clarifications and Extensions for the Bootstrap Protocol
1552                     PPP Internetwork Packet Exchange Control Protocol (IPXCP)
1661                     The Point-to-Point Protocol (PPP)
1662                     PPP in HDLC-like Framing
1748                     IEEE 802.5 MIB using SMIv2
1749                     IEEE 802.5 Station Source Routing MIB using SMIv2
1812                     Requirements for IP Version 4 Routers
1828                     IP Authentication using Keyed MD5
1829                     ESP DES-CBC Transform
1851                     ESP Triple DES-CBC Transform
1852                     IP Authentication using Keyed SHA
1994                     PPP Challenge Handshake Authentication Protocol (CHAP)
1995                     Incremental Zone Transfer in DNS
1996                     A Mechanism for Prompt DNS Notification of Zone Changes
2018                     TCP Selective Acknowledgment Options
2085                     HMAC-MD5 IP Authentication with Replay Prevention
2104                     HMAC: Keyed Hashing for Message Authentication
2131                     Dynamic Host Configuration Protocol
2136                     Dynamic Updates in the Domain Name System (DNS UPDATE)
2181                     Clarifications to the DNS Specification
2236                     Internet Group Management Protocol, Version 2
2308                     Negative Caching of DNS Queries (DNS NCACHE)
2401                     Security Architecture for the Internet Protocol
2402                     IP Authentication Header
2406                     IP Encapsulating Security Payload (ESP)
2581                     TCP Congestion Control
3208                     PGM Reliable Transport Protocol Specification
3376                     Internet Group Management Protocol, Version 3

New Features for TCP/IP in Windows Server 2003 Service Pack 1

The features and improvements of TCP/IP that are new for Windows Server 2003 Service Pack 1 include the following:

  • Windows Firewall

  • The Netstat –b option

  • Netsh commands for Windows Sockets

  • SYN attack protection is enabled by default

  • SYN attack notification IP Helper APIs

  • Registry parameter for ICMP host routes

  • Smart TCP port allocation

  • Registry value for multiple ARP replies

Windows Firewall

Windows Firewall replaces the Internet Connection Firewall provided with Windows Server 2003 with no service packs installed. Windows Firewall is a stateful firewall that drops unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.

For more information about Windows Firewall in Windows Server 2003 Service Pack 1, see the Microsoft Windows Server 2003 Windows Firewall TechCenter (https://go.microsoft.com/fwlink/?linkid=67902).

The Netstat –b option

The Netstat tool displays a variety of information about active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP route table, and IPv4 and IPv6 statistics. In Windows Server 2003 Service Pack 1, the Netstat tool supports a new –b option that displays the set of components that are listening on each open TCP and UDP port.

With Windows Server 2003 with no service packs installed, you can use the –o option to display the set of ports being listened on and the corresponding process ID (PID). You can then look up the PID in the display of the tasklist /svc command to discover the name of the process that owns the port. However, in some cases there are multiple services within a single process, and it is then not possible to determine which service within the process owns the port.

With the –b option, Netstat displays the TCP or UDP port, the file names corresponding to the components of the service that owns the port, and the PID. From the file names and PID, you can determine which of the services in the display of the tasklist /svc command owns the port.
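The PID correlation described in the two paragraphs above can be scripted. The following PowerShell is an added example, not code from the original article or a Microsoft tool: it parses the output of netstat -ano and tasklist /svc, joins the two on PID, and flags listening ports whose owning process hosts more than one service, which is exactly the case that netstat -o plus tasklist cannot resolve and that the SP1 -b option does. The sample output embedded in the script is constructed for offline use; the function names and the -Live switch are this example's own, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original article): map listening TCP/UDP ports to
# the owning process and the services hosted in it, by joining "netstat -ano"
# with "tasklist /svc" on the PID. Assumes PowerShell 2.0 or later.
param([switch]$Live)   # -Live runs the real tools instead of the constructed samples

# Constructed sample of "netstat -ano" output (not captured from a real host).
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1040
  TCP    192.0.2.10:3389        192.0.2.55:51122       ESTABLISHED     1040
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    0.0.0.0:500            *:*                                    648
'@

# Constructed sample of "tasklist /svc" output; long service lists wrap onto
# indented continuation lines, which the parser below handles.
$SampleTasklist = @'
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    648 PolicyAgent
svchost.exe                    812 RpcSs
svchost.exe                   1040 Dnscache, LanmanWorkstation, Netman, W32Time,
                                   TermService
'@

function ConvertFrom-Tasklist {
    # Returns a hashtable: PID -> @{ Image; Services }
    param([string[]]$Lines)
    $map = @{}
    $lastPid = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\S.*?)\s+(\d+)\s+(.*)$') {
            $lastPid = [int]$Matches[2]
            $map[$lastPid] = @{ Image = $Matches[1].Trim(); Services = @() }
            if ($Matches[3].Trim() -ne 'N/A') {
                $map[$lastPid].Services += @($Matches[3] -split ',\s*' | Where-Object { $_ })
            }
        }
        elseif ($lastPid -ne $null -and $line -match '^\s+(\S.*)$') {
            # Continuation line: more service names for the previous PID.
            $map[$lastPid].Services += @($Matches[1] -split ',\s*' | Where-Object { $_ })
        }
    }
    return $map
}

function ConvertFrom-Netstat {
    # Emits one object per listening TCP port and per bound UDP port.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = @($line.Trim() -split '\s+')
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[3] -eq 'LISTENING') {
            New-Object PSObject -Property @{ Proto = 'TCP'; Local = $f[1]; ProcessId = [int]$f[4] }
        }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            # UDP rows have no State column, so the PID is the fourth field.
            New-Object PSObject -Property @{ Proto = 'UDP'; Local = $f[1]; ProcessId = [int]$f[3] }
        }
    }
}

function Get-ListeningPortOwner {
    param([string[]]$NetstatLines, [string[]]$TasklistLines)
    $procs = ConvertFrom-Tasklist -Lines $TasklistLines
    foreach ($p in ConvertFrom-Netstat -Lines $NetstatLines) {
        $info = $procs[$p.ProcessId]
        $svc  = @(if ($info) { $info.Services })
        New-Object PSObject -Property @{
            Proto     = $p.Proto
            Local     = $p.Local
            ProcessId = $p.ProcessId
            Image     = if ($info) { $info.Image } else { '(not in tasklist)' }
            Services  = ($svc -join ', ')
            # True when -o plus tasklist cannot say which service owns the port;
            # netstat -b (SP1) resolves this by naming the component files.
            Ambiguous = ($svc.Count -gt 1)
        }
    }
}

if ($Live) {
    $net  = netstat -ano
    $task = tasklist /svc
} else {
    $net  = $SampleNetstat  -split "`r?`n"
    $task = $SampleTasklist -split "`r?`n"
}
Get-ListeningPortOwner -NetstatLines $net -TasklistLines $task |
    Sort-Object Proto, Local |
    Format-Table Proto, Local, ProcessId, Image, Services, Ambiguous -AutoSize
```

Against the constructed sample, TCP 3389 and UDP 123 resolve to PID 1040, a svchost.exe hosting five services, and are reported as ambiguous; TCP 135 and UDP 500 resolve to single-service processes and are not.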

Netsh Commands for Windows Sockets

There are now Windows Sockets (Winsock) Netsh commands to view the set of installed Winsock Layered Service Providers (LSPs) (the netsh winsock show catalog command) and to reset the Winsock LSP catalog to a default configuration (the netsh winsock reset catalog command). The netsh winsock reset catalog command is useful for restoring the Winsock LSP catalog when it has been corrupted by programs or services that install LSPs. However, you must reinstall the programs or services that use LSPs.

SYN Attack Protection is Enabled by Default

A TCP Synchronize (SYN) attack is a denial-of-service attack that exploits the retransmission and time-out behavior of the Synchronize-Acknowledgement (SYN-ACK) segment during the TCP three-way handshake to create a large number of half-open TCP connections. Depending on the TCP/IP protocol implementation, a large number of half-open TCP connections could do any of the following:

  • Use all available memory.

  • Use all possible entries in the TCP Transmission Control Block (TCB), an internal table used to track TCP connections. Once the half-open connections use all the entries, further connection attempts are responded to with a TCP connection reset.

  • Use all available half-open connections. Once all the half-open connections are used, further connection attempts are responded to with a TCP connection reset.

To create a large number of TCP half-open connections, attackers send a large number of SYN segments, each from a spoofed IP address and TCP port number. Each spoofed IP address and TCP port number is for a process that does not respond to the SYN-ACKs being sent by the attacked host. SYN attacks are typically used to render Internet servers inoperative.

To mitigate the impact on a host experiencing a SYN attack, TCP/IP minimizes the amount of resources devoted to incomplete TCP connections and reduces the amount of time before abandoning the half-open connection. When a SYN attack is detected, TCP/IP in Windows Server 2003 and Windows XP lowers the number of retransmissions of the SYN-ACK segment and does not allocate memory or table entry resources for the connection until the TCP three-way handshake has been completed.

You can control SYN attack protection through the SynAttackProtect registry entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (type REG_DWORD). You set SynAttackProtect to 0 to disable SYN attack protection and to 1 to enable it.

For TCP/IP in Windows XP (all versions) and Windows Server 2003 with no service packs installed, SynAttackProtect is set to 0 by default. For TCP/IP in Windows Server 2003 Service Pack 1, SynAttackProtect is set to 1 by default.
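Whether SynAttackProtect is on or off, an administrator still wants to see the symptom it is designed to limit: a build-up of half-open connections. The following PowerShell is an added example, not from the original article: it counts connections in the SYN_RECEIVED state per local port from netstat -n -p tcp output and reports how many distinct peers they come from. The sample output is constructed, the 100-connection threshold is a local choice rather than a Windows value, and the function name and -Live switch are this example's own; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the original article): count half-open TCP connections
# (state SYN_RECEIVED) per local port from "netstat -n -p tcp" output.
# Assumes PowerShell 2.0 or later and IPv4 addresses in the output.
param([switch]$Live, [int]$Threshold = 100)   # threshold is a local choice, not a Windows value

# Constructed sample of "netstat -n -p tcp" output (not captured from a real host).
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:40211     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.9:40212     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.3:52001      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.44:1025      ESTABLISHED
  TCP    192.0.2.10:443         203.0.113.8:1100       SYN_RECEIVED
  TCP    192.0.2.10:3389        192.0.2.55:51122       ESTABLISHED
'@

function Get-HalfOpenByPort {
    # Returns one object per local port that has at least one SYN_RECEIVED entry.
    param([string[]]$Lines, [int]$Threshold)
    $byPort  = @{}   # local port -> half-open count
    $sources = @{}   # local port -> set of remote addresses (a spoofed flood shows many)
    foreach ($line in $Lines) {
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -ge 4 -and $f[0] -eq 'TCP' -and $f[3] -eq 'SYN_RECEIVED') {
            $port   = ($f[1] -split ':')[-1]        # local port is the last token
            $remote = $f[2] -replace ':\d+$', ''    # strip the remote port
            $byPort[$port] = 1 + [int]$byPort[$port]
            if (-not $sources.ContainsKey($port)) { $sources[$port] = @{} }
            $sources[$port][$remote] = $true
        }
    }
    foreach ($port in $byPort.Keys) {
        New-Object PSObject -Property @{
            LocalPort     = [int]$port
            HalfOpen      = $byPort[$port]
            DistinctPeers = $sources[$port].Count
            OverThreshold = ($byPort[$port] -ge $Threshold)
        }
    }
}

$lines = if ($Live) { netstat -n -p tcp } else { $SampleNetstat -split "`r?`n" }
Get-HalfOpenByPort -Lines $lines -Threshold $Threshold |
    Sort-Object HalfOpen -Descending |
    Format-Table LocalPort, HalfOpen, DistinctPeers, OverThreshold -AutoSize
```

On the constructed sample this reports three half-open connections from three peers on port 80 and one on port 443; ESTABLISHED rows are ignored. Run repeatedly (for example from a scheduled task with -Live), a rising count that never converts to ESTABLISHED is the pattern the SynAttackProtect mitigation is meant to absorb.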

SYN Attack Notification IP Helper APIs

To allow an application to notify network administrators that a SYN attack is taking place, the IP Helper API supports new SYN attack notification APIs named NotifySecurityHealthChange and CancelSecurityHealthChangeNotify. For information about these new APIs, see the Microsoft Developer Network (MSDN) (https://go.microsoft.com/fwlink/?linkid=67904).

Registry Parameter for ICMP Host Routes

TCP/IP for Windows Server 2003 SP1 supports a new registry parameter that restricts the number of host routes that can be added to the local IP route table by receiving ICMP Redirect messages. The new registry parameter is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxICMPHostRoutes (REG_DWORD type). MaxICMPHostRoutes has a default value of 1000. You should not change this value unless the computer needs to be able to add a large number of host routes by receiving ICMP Redirect messages. The update to Windows Server 2003 SP1 available from article 898060 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?linkid=69231) changes the default value of MaxICMPHostRoutes to 10000.

Smart TCP Port Allocation

When a TCP peer initiates a TCP connection termination and the connection termination completes, the TCP connection enters the TIME WAIT state. Once the TIME WAIT state is reached, TCP must wait twice the maximum segment lifetime (MSL) before a connection with the same set of socket addresses can be created. The set of socket addresses consists of the combination of the source and destination IP addresses and source and destination TCP ports. The MSL is the maximum amount of time a TCP segment can exist in an internetwork, and its recommended value is 120 seconds. This delay prevents a new connection’s TCP segments that are using the same set of socket addresses from being confused with duplicated TCP segments of the old connection.

The TCP port for a connection in the TIME WAIT state is considered an available port and can be assigned for use by an application. This can lead to the following situation:

  • An application requests any available TCP port.

  • TCP/IP assigns a TCP port to use for the application socket.

  • The application attempts to open a socket with a specific destination IP address.

  • The application establishes a TCP connection and sends data.

  • The application terminates the TCP connection.

  • TCP/IP places the application's TCP connection in the TIME WAIT state until twice the MSL has passed.

  • The same application requests another available TCP port.

  • TCP/IP assigns a TCP port to use for the application socket. Because the port for the connection in the TIME WAIT state is considered open, it can be chosen as the next port to assign to the requesting application.

  • Assuming that TCP/IP assigns the same TCP port number, the application attempts to open a socket with the same destination IP address.

  • Because the connection is using the same set of socket addresses as the connection in the TIME WAIT state, TCP/IP indicates an error to the application.

You can mitigate this situation by setting the TcpTimedWaitDelay registry entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters (REG_DWORD type) to a lower value. The value of TcpTimedWaitDelay determines the length of time that a connection stays in the TIME WAIT state. However, lowering the value of TcpTimedWaitDelay is contrary to the original design of TCP and the MSL.

To prevent an application from creating a connection with the same set of socket addresses of a connection that is in a TIME WAIT state, TCP/IP in Windows Server 2003 Service Pack 1 has implemented a smart TCP port allocation algorithm. When an application requests any available TCP port, TCP/IP first attempts to find an available port that does not correspond to a connection in the TIME WAIT state. If a port cannot be found, then it picks any available port.

This new behavior makes it much more unlikely that an application will be assigned a TCP port that is in the TIME WAIT state when connecting to the same destination. You no longer need to modify the TcpTimedWaitDelay registry entry.
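The allocation rule described above is small enough to model directly. The following PowerShell is an added example, not code from the original article or from the Windows TCP/IP stack: it walks a port range, skipping ports that are bound and, under the smart rule, also skipping ports still in TIME WAIT while any other free port exists, falling back to a TIME WAIT port only when nothing else is left. The 1025-5000 range, the function name and the -Legacy switch are this example's own assumptions.

```powershell
# Added example (not from the original article): a model of the SP1 "smart" TCP
# port choice. Ports in TIME WAIT count as available, but are passed over while
# any other free port exists; only when none remains is a TIME WAIT port chosen.
# The 1025-5000 range is an assumption of this example, not taken from the article.

function Select-EphemeralPort {
    param(
        [int]$Start = 1025,
        [int]$End   = 5000,
        [int[]]$InUse    = @(),   # ports bound by live sockets
        [int[]]$TimeWait = @(),   # ports whose last connection is still in TIME WAIT
        [switch]$Legacy           # pre-SP1 rule: first free port, TIME WAIT or not
    )
    $busy = @{}; foreach ($p in $InUse)    { $busy[$p] = $true }
    $wait = @{}; foreach ($p in $TimeWait) { $wait[$p] = $true }
    $firstFree = $null
    for ($p = $Start; $p -le $End; $p++) {
        if ($busy.ContainsKey($p)) { continue }          # bound: never a candidate
        if ($Legacy) { return $p }                        # old rule: any free port will do
        if (-not $wait.ContainsKey($p)) { return $p }     # preferred: free and not in TIME WAIT
        if ($firstFree -eq $null) { $firstFree = $p }     # remember the first TIME WAIT port as fallback
    }
    return $firstFree   # $null when every port in the range is bound
}

# Scenario from the text: the application's previous connection has just closed,
# so its port (1025) is in TIME WAIT, and 1026 is held by another socket.
$old   = Select-EphemeralPort -InUse 1026 -TimeWait 1025 -Legacy   # 1025: reused, error if same peer
$smart = Select-EphemeralPort -InUse 1026 -TimeWait 1025           # 1027: no collision possible

# When only TIME WAIT ports remain, the smart rule hands one of them out anyway.
$fallback = Select-EphemeralPort -Start 1025 -End 1027 -InUse 1026 -TimeWait 1025, 1027   # 1025

"legacy=$old smart=$smart fallback=$fallback"
```

The fallback case is the one to keep in mind: the SP1 behaviour lowers the probability of a collision with a TIME WAIT connection, as the article says, but does not make it impossible when the ephemeral range is nearly exhausted.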

Registry Value for Multiple ARP Replies

TCP/IP for Windows Server 2003 SP1 supports a new registry value that determines which MAC address is stored in the ARP cache when multiple ARP Reply messages are received. If there are multiple computers that are using the same IP address on a subnet, when a node sends an ARP Request frame for the IP address, it will receive multiple ARP replies. The new registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\StrictARPUpdate (REG_DWORD type) allows you to specify whether TCP/IP in Windows Server 2003 SP1 will store the MAC address of the last ARP reply received (StrictARPUpdate=0 [default]) or the MAC address of the first ARP reply received (StrictARPUpdate=1).
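The registry values introduced in the SYN Attack Protection, ICMP Host Routes, Smart TCP Port Allocation and Multiple ARP Replies sections above all live under the same Tcpip\Parameters key, so one audit can cover them. The following PowerShell is an added example, not from the original article or a Microsoft tool: it reads each value and compares it with the defaults the article states (SynAttackProtect 1 on SP1; MaxICMPHostRoutes 1000, or 10000 after the KB 898060 update; StrictARPUpdate 0). For TcpTimedWaitDelay the article gives no number, so the expected 240 is derived here as twice the 120-second MSL it cites. An absent value means the stack's built-in default applies. The function names and the -EnableSynProtection switch are this example's own; PowerShell 2.0 or later and read access to HKLM are assumed, with administrative rights needed only to write.

```powershell
# Added example (not from the original article): audit the Tcpip\Parameters values
# discussed in this section against the defaults the article states. Assumes
# PowerShell 2.0 or later. Reading needs only HKLM read access; the optional
# -EnableSynProtection write needs administrative rights.
param([switch]$EnableSynProtection)

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Accepted values per the article. 1000 and 10000 are the MaxICMPHostRoutes
# defaults before and after the KB 898060 update; 240 s is derived as 2 x MSL
# with the article's recommended MSL of 120 s (the article states no default).
$AuditRules = @(
    @{ Name = 'SynAttackProtect';  Accept = @(1);           Note = '1 = on (SP1 default), 0 = off (pre-SP1 default)' },
    @{ Name = 'MaxICMPHostRoutes'; Accept = @(1000, 10000); Note = 'cap on host routes learned from ICMP Redirects' },
    @{ Name = 'TcpTimedWaitDelay'; Accept = @(240);         Note = 'seconds in TIME WAIT; lowering it departs from the MSL design' },
    @{ Name = 'StrictARPUpdate';   Accept = @(0, 1);        Note = '0 = last ARP reply wins (default), 1 = first reply wins' }
)

function Get-TcpipParameterAudit {
    param([string]$Key = $ParamsKey, [array]$Rules = $AuditRules)
    $props = $null
    if (Test-Path $Key) { $props = Get-ItemProperty -Path $Key }
    foreach ($r in $Rules) {
        $member = if ($props) { $props.PSObject.Properties[$r.Name] } else { $null }
        if ($member -eq $null) {
            $value  = $null
            $status = 'Absent (built-in default applies)'
        } else {
            $value  = [int]$member.Value
            $status = if ($r.Accept -contains $value) { 'OK' } else { 'Review: not a documented default' }
        }
        New-Object PSObject -Property @{ Name = $r.Name; Value = $value; Status = $status; Note = $r.Note }
    }
}

function Enable-SynAttackProtect {
    # Sets SynAttackProtect=1 (REG_DWORD), the SP1 default, creating or overwriting the value.
    param([string]$Key = $ParamsKey)
    New-ItemProperty -Path $Key -Name 'SynAttackProtect' -Value 1 -PropertyType DWord -Force | Out-Null
}

Get-TcpipParameterAudit | Format-Table Name, Value, Status, Note -AutoSize

if ($EnableSynProtection) {
    Enable-SynAttackProtect
    Get-TcpipParameterAudit | Where-Object { $_.Name -eq 'SynAttackProtect' } |
        Format-Table Name, Value, Status -AutoSize
}
```

Because an absent SynAttackProtect means 0 on Windows Server 2003 without a service pack and 1 on SP1, the audit reports "Absent" rather than guessing; on a pre-SP1 host, setting the value explicitly to 1 is the way to get the SP1 behaviour.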