Internet Protocol Security


IPSec Driver

The IPSec driver, using the IP Filter List from the active IPSec policy, watches for outbound IP packets that must be secured and inbound IP packets that need to be verified and decrypted.

As shown in Figure 8.7, the IPSec driver receives the IP filter list from the IPSec policy agent. The IPSec driver watches all outgoing IP packets on the computer for a match with the stored IP filter list. Outbound packets initiate the negotiation for security when a match occurs. The IPSec driver notifies IKE to begin security negotiations.

Figure 8.7 IPSec Driver Services

After a successful negotiation is complete, the IPSec driver on the sending computer:

  1. Receives the SA containing the session key from IKE.
  2. Looks up the outbound SA in its database, and inserts the SPI from the SA into the IPSec header.
  3. Signs, and if confidentiality is required, encrypts the packets.
  4. Sends packets with SPI to the IP layer to be forwarded to the destination computer.

The IPSec driver on the receiving computer:

  1. Receives the session key, SA, and SPI from IKE.
  2. Looks up the inbound SA in its database by destination address and SPI.
  3. Checks the signature and decrypts the packets (if required).
  4. Sends packets to the TCP/IP driver for passage to the receiving application.

The IPSec driver stores all current SAs in a database. If multiple SAs are present, the driver uses the SPI as needed to determine which SA goes with which packet.
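The SA database and SPI-keyed lookup described above, as an added illustration (not Windows code): it models the outbound filter match, the insertion of the SPI, an integrity check keyed by the session key, and the inbound lookup by destination address and SPI. The class names, HMAC-SHA256 as the integrity algorithm, and the sample addresses and keys are assumptions chosen for the example.

```python
import hmac
import hashlib
import ipaddress


class SecurityAssociation:
    """One SA: SPI, destination, session key, and whether ESP confidentiality applies."""
    def __init__(self, spi, dst, session_key, confidentiality):
        self.spi = spi
        self.dst = dst
        self.session_key = session_key
        self.confidentiality = confidentiality


class SADatabase:
    """Stores all current SAs; inbound lookups are keyed by (destination, SPI)."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst, sa.spi)] = sa

    def lookup(self, dst, spi):
        return self._sas.get((dst, spi))


def matches_filter(filter_list, dst):
    """True when the packet destination falls inside any subnet of the IP filter list."""
    return any(ipaddress.ip_address(dst) in ipaddress.ip_network(net) for net in filter_list)


def _icv(sa_key, spi, payload):
    # Integrity check value over the SPI and payload; HMAC-SHA256 is an assumed choice.
    return hmac.new(sa_key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def protect_outbound(sa, payload):
    """Sending side: insert the SPI from the SA into the header and sign with the session key."""
    return {"spi": sa.spi, "dst": sa.dst, "payload": payload, "icv": _icv(sa.session_key, sa.spi, payload)}


def verify_inbound(sad, packet):
    """Receiving side: find the SA by destination and SPI, then check the signature.
    Returns the payload, or None when no SA matches or the check fails (packet discarded)."""
    sa = sad.lookup(packet["dst"], packet["spi"])
    if sa is None:
        return None
    if not hmac.compare_digest(_icv(sa.session_key, packet["spi"], packet["payload"]), packet["icv"]):
        return None
    return packet["payload"]
```

With two SAs to the same destination, only the SPI decides which session key is used, so a packet whose SPI points at the wrong SA fails verification.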

© 1985-2000 Microsoft Corporation. All rights reserved.