Internet Protocol Security
IP Packet Filtering
An IP address identifies a computer system's location on the network. Each IP address is divided into two parts, a network ID and a computer ID:
- The network ID identifies a single network within a larger TCP/IP network (that is, a network of networks), so that each network is uniquely identified within the larger one.
- The computer ID for each device (such as a workstation or router) identifies a system within its own network.
Multihomed computers have multiple IP addresses: one for each network adapter.
Filters
A rule can trigger security negotiations for a communication based on the source, destination, and type of IP traffic, a process called IP packet filtering. This gives the network administrator a way to define precisely which IP traffic is secured, blocked, or passed through (permitted unsecured).
Each IP Filter List contains a list of filters. Each filter within an IP Filter List describes a particular subset of network traffic to be secured, for both inbound and outbound traffic:
- Inbound filters. Apply to received traffic and allow the receiving computer to match that traffic against the IP Filter List. Inbound filters respond to requests for secure communication, or match the traffic to an existing SA (security association) and process the secured packets.
- Outbound filters. Apply to traffic leaving a computer toward a destination and trigger the security negotiation that must take place before the traffic is sent.
You must have a filter to cover any traffic for which the associated rule applies. For example, if Computer A always wants to exchange data securely with Computer B:
- In order to send secured data to Computer B, Computer A's IPSec policy must have a filter for any outbound packets going to Computer B.
- In order to receive secured data from Computer A, Computer B's IPSec policy must have a filter for any inbound packets from Computer A.
A filter contains the following parameters:
- The source and destination address of the IP packet. These can be configured at a very granular level, such as a single IP address, or at a broad level that encompasses an entire subnet or network.
- The protocol over which the packet is being transferred. This defaults to all protocols in the TCP/IP protocol suite, but it can be configured for an individual protocol to meet special requirements, including custom protocol numbers.
- The source and destination port of the protocol, for TCP and UDP. This also defaults to all ports, but it can be configured to apply only to packets sent or received on a specific port.
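The following added example (not Microsoft's code) models the filter parameters and the Computer A / Computer B scenario above: each filter carries a direction, source and destination address or subnet, an optional protocol number and optional ports, and an action. Addresses and the first-match evaluation order are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard, mirroring the "all protocols" / "all ports" defaults described above

@dataclass(frozen=True)
class Filter:
    direction: str                  # "inbound" or "outbound"
    src: str                        # single host ("192.168.1.10/32") or whole subnet ("192.168.2.0/24")
    dst: str
    protocol: Optional[int] = ANY   # IP protocol number, e.g. 6 = TCP, 17 = UDP; None = all protocols
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY
    action: str = "secure"          # "secure" (negotiate IPSec), "block", or "permit" (pass unsecured)

    def matches(self, pkt: dict) -> bool:
        """True if this filter describes the packet's direction, addresses, protocol and ports."""
        if pkt["direction"] != self.direction:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol is not ANY and pkt["protocol"] != self.protocol:
            return False
        if pkt["protocol"] in (6, 17):  # ports only exist for TCP and UDP
            if self.src_port is not ANY and pkt.get("src_port") != self.src_port:
                return False
            if self.dst_port is not ANY and pkt.get("dst_port") != self.dst_port:
                return False
        return True

def evaluate(filter_list, pkt: dict) -> Optional[str]:
    """Action of the first filter covering the packet; None means no filter applies (assumed first-match order)."""
    for f in filter_list:
        if f.matches(pkt):
            return f.action
    return None

# Constructed sample policies for the Computer A / Computer B scenario (addresses are made up).
COMPUTER_A, COMPUTER_B = "192.168.1.10", "192.168.2.20"
POLICY_A = [Filter("outbound", COMPUTER_A + "/32", COMPUTER_B + "/32")]              # A -> B must be secured
POLICY_B = [Filter("inbound", COMPUTER_A + "/32", COMPUTER_B + "/32"),               # B secures traffic from A
            Filter("inbound", "0.0.0.0/0", COMPUTER_B + "/32", 6, ANY, 23, "block")]  # ...and blocks TCP/23 from anyone
A_TO_B = {"direction": "outbound", "src": COMPUTER_A, "dst": COMPUTER_B, "protocol": 6, "src_port": 40000, "dst_port": 445}
B_FROM_A = dict(A_TO_B, direction="inbound")
B_FROM_OTHER = {"direction": "inbound", "src": "192.168.3.7", "dst": COMPUTER_B, "protocol": 1}  # ICMP, no filter covers it
B_TELNET = {"direction": "inbound", "src": "192.168.3.7", "dst": COMPUTER_B, "protocol": 6, "src_port": 50000, "dst_port": 23}
```

Note that A_TO_B evaluates to None against POLICY_B: Computer B's inbound filter, not Computer A's outbound one, is what covers the received side of the exchange.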
© 1985-2000 Microsoft Corporation. All rights reserved.