
Guaranteed Encryption

The Guaranteed Encryption IPsec policy scenario requires IPsec encryption for all matching traffic. This policy must be specified in conjunction with one of the transport mode policy options.

Guaranteed Encryption is typically used to encrypt sensitive traffic on a per application basis.

An example of a possible Guaranteed Encryption scenario is "Secure all unicast data traffic, except ICMP, using IPsec transport mode, enable negotiation discovery, and require guaranteed encryption for all unicast traffic corresponding to TCP local port 5555."

To implement this example programmatically, use the following WFP configuration.

At FWPM_LAYER_IKEEXT_V{4|6}, set up the MM negotiation policy

  1. Add one or both of the following MM policy provider contexts.

    • For IKE, a policy provider context of type FWPM_IPSEC_IKE_MM_CONTEXT.
    • For AuthIP, a policy provider context of type FWPM_IPSEC_AUTHIP_MM_CONTEXT.

    Note  A common keying module will be negotiated and the corresponding MM policy will be applied. AuthIP is the preferred keying module if both IKE and AuthIP are supported.

  2. For each of the contexts added in step 1, add a filter with the following properties.

    Filter property         Value
    Filtering conditions    Empty. All traffic will match the filter.
    providerContextKey      GUID of the MM provider context added in step 1.

At FWPM_LAYER_IPSEC_V{4|6}, set up the QM and EM negotiation policy

  1. Add one or both of the following QM transport mode policy provider contexts and set the IPSEC_POLICY_FLAG_ND_SECURE flag.

    • For IKE, a policy provider context of type FWPM_IPSEC_IKE_QM_TRANSPORT_CONTEXT.
    • For AuthIP, a policy provider context of type FWPM_IPSEC_AUTHIP_QM_TRANSPORT_CONTEXT. This context can optionally contain the AuthIP Extended Mode (EM) negotiation policy.

    Note  A common keying module will be negotiated and the corresponding QM policy will be applied. AuthIP is the preferred keying module if both IKE and AuthIP are supported.

  2. For each of the contexts added in step 1, add a filter with the following properties.

    Filter property         Value
    Filtering conditions    Empty. All traffic will match the filter.
    providerContextKey      GUID of the QM provider context added in step 1.

At FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}, set up the inbound per-packet filtering rules

  1. Add a filter with the following properties.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    action.type                                               FWP_ACTION_CALLOUT_TERMINATING
    action.calloutKey                                         FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V{4|6}
    rawContext                                                FWPM_CONTEXT_IPSEC_INBOUND_PERSIST_CONNECTION_SECURITY

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    FWPM_CONDITION_IP_PROTOCOL filtering condition            IPPROTO_ICMP{V6} (these constants are defined in winsock2.h)
    action.type                                               FWP_ACTION_PERMIT
    weight                                                    FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS

At FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}, set up the outbound per-packet filtering rules

  1. Add a filter with the following properties.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    action.type                                               FWP_ACTION_CALLOUT_TERMINATING
    action.calloutKey                                         FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V{4|6}
    rawContext                                                FWPM_CONTEXT_IPSEC_OUTBOUND_NEGOTIATE_DISCOVER

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    FWPM_CONDITION_IP_PROTOCOL filtering condition            IPPROTO_ICMP{V6} (these constants are defined in winsock2.h)
    action.type                                               FWP_ACTION_PERMIT
    weight                                                    FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS

At FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}, set up the inbound per-connection filtering rules

  1. Add a filter with the following properties. This filter will only allow inbound connection attempts if they are secured by IPsec.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    action.type                                               FWP_ACTION_CALLOUT_TERMINATING
    action.calloutKey                                         FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V{4|6}

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    FWPM_CONDITION_IP_PROTOCOL filtering condition            IPPROTO_ICMP{V6} (these constants are defined in winsock2.h)
    action.type                                               FWP_ACTION_PERMIT
    weight                                                    FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS

  3. Add a filter with the following properties. This filter will only permit inbound connections to TCP port 5555 if they are encrypted.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    FWPM_CONDITION_IP_PROTOCOL filtering condition            IPPROTO_TCP (this constant is defined in winsock2.h)
    FWPM_CONDITION_IP_LOCAL_PORT filtering condition          5555
    action.type                                               FWP_ACTION_CALLOUT_TERMINATING
    action.calloutKey                                         FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V{4|6}
    rawContext                                                FWPM_CONTEXT_ALE_SET_CONNECTION_REQUIRE_IPSEC_ENCRYPTION

At FWPM_LAYER_ALE_AUTH_CONNECT_V{4|6}, set up the outbound per-connection filtering rules

  • Add a filter with the following properties. This filter will only permit outbound connections from TCP port 5555 if they are encrypted.

    Filter property                                           Value
    FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition  NlatUnicast
    FWPM_CONDITION_IP_PROTOCOL filtering condition            IPPROTO_TCP (this constant is defined in winsock2.h)
    FWPM_CONDITION_IP_LOCAL_PORT filtering condition          5555
    action.type                                               FWP_ACTION_CALLOUT_TERMINATING
    action.calloutKey                                         FWPM_CALLOUT_IPSEC_ALE_CONNECT_V{4|6}
    rawContext                                                FWPM_CONTEXT_ALE_SET_CONNECTION_REQUIRE_IPSEC_ENCRYPTION

Related topics

Sample code: Using Transport Mode
ALE Layers
Built-in Callout Identifiers
Filtering Conditions
Filtering Layer Identifiers
FWPM_ACTION0
FWPM_PROVIDER_CONTEXT_TYPE

Build date: 11/14/2012

© 2013 Microsoft. All rights reserved.