Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The IPSec driver receives the active IP filter list from the IPSec Policy Agent, as shown in the following illustration, and then attempts to match every inbound and outbound packet against the filters in the list.
When a packet matches a filter, it applies the filter action. When a packet does not match any filters, the packet is passed back without modification to the TCP/IP driver to be received or transmitted.
If the filter action permits transmission, the packet is received or sent with no modifications. If the action blocks transmission, the packet is discarded. If the action requires the negotiation of security, main mode and quick mode SAs are negotiated.
The negotiated quick mode security association (SA) and keys are used with both outbound and inbound processing. The IPSec driver stores all current quick mode SAs in a database. The IPSec driver uses the Security Parameters Index (SPI) field to match the correct SA with the correct packet.
When an outbound IP packet matches the IP filter list with an action to negotiate security, the IPSec driver queues the packet and then notifies Internet Key Exchange (IKE), which begins security negotiations with the destination IP address of that packet. If several outbound packets are going to the same destination and match the same filter before IKE has finished the negotiation, then only the last packet sent is saved.
After a successful negotiation is completed, the IPSec driver on the sending computer:
Receives the SA containing the session key from IKE.
Locates the outbound SA in its database, and inserts the SPI from the SA into the AH or ESP header.
Signs the packets (and encrypts them if confidentiality is required).
Sends the packets to the IP layer to be forwarded to the destination computer.
If the negotiation failed, the IPSec driver discards the packet.
When an IPSec-secured inbound packet matches a filter in the IP filter list, the IPSec driver:
Receives the session key, SA, and SPI from IKE.
Locates the inbound SA in its database by destination address and SPI.
Checks the signature and, if required, decrypts the packets.
Matches the IP packet searches for a matching filter in the filter list to ensure that no traffic, other than what was agreed upon during the negotiation, is received.
Sends packets to the TCP/IP driver to pass to the receiving application.
When an unsecured IP packet is received, the IPSec driver searches for a matching filter in the filter list. If a match occurs and the filter action for that filter either requires IP security or blocks the packet, then the packet is discarded.
The IPSec driver matches all inbound unsecured packets with the list of filters that specify IPSec tunnels first, and then matches the packet with all filters that specify end-to-end (transport) filters. The IPSec driver does not filter certain types of IP packets. For more information, see Add, edit, or remove IPSec filters.