
6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3: IKE extensions. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The following Internet Key Exchange Protocol Extensions (defined in [MS-IKEE]) are supported:

  • IKE fragmentation

  • Fast failover

  • Negotiation discovery

  • Denial of service protection

<2> Section 1.7: Cryptographic parameters. The Authenticated Internet Protocol is implemented only in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Microsoft implements the following algorithms.

Message authentication algorithm | Operating systems
NULL [RFC2410] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
HMAC-SHA1-96 [RFC2404] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
HMAC-MD5-96 [RFC2403] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
AES-GMAC [RFC4543] | Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
SHA-256 [SHA256] | Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

Encryption algorithm | Operating systems
NULL [RFC2410] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
DES-CBC [RFC2405] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
Triple DES-CBC [RFC2451] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
AES-CBC with key sizes of 128, 192, and 256 bits [RFC3602] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
AES-GCM with key sizes of 128, 192, and 256 bits [RFC4106] | Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

Diffie-Hellman | Operating systems
The default 768-bit modular exponential (MODP) group [RFC2409] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
The alternate 1024-bit MODP group [RFC2409] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
The 2048-bit MODP group [RFC3526] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
ECP_256 [ECP] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
ECP_384 [ECP] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

<3> Section 1.7: Capability negotiation. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The following vendor IDs are supported by the Microsoft implementation of the Authenticated Internet Protocol.

Operating system version | 4-byte version number
Windows Vista | 00 00 00 05
Windows Server 2008 | 00 00 00 06
Windows 7 | 00 00 00 07
Windows Server 2008 R2 | 00 00 00 08
Windows 8 | 00 00 00 09
Windows Server 2012 | 00 00 00 09
Windows 8.1 | 00 00 00 09
Windows Server 2012 R2 | 00 00 00 09

Common name | String representation | Wire representation (MD5 hash of string)
Microsoft implementation Windows Vista | "MS NT5 ISAKMPOAKLEY" + version number 5 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 05
Microsoft implementation Windows Vista SP1, Windows Server 2008 | "MS NT5 ISAKMPOAKLEY" + version number 6 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 06
Microsoft implementation Windows 7 | "MS NT5 ISAKMPOAKLEY" + version number 7 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 07
Microsoft implementation Windows Server 2008 R2 | "MS NT5 ISAKMPOAKLEY" + version number 8 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 08
Microsoft implementation Windows 8 | "MS NT5 ISAKMPOAKLEY" + version number 9 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09
Microsoft implementation Windows Server 2012 | "MS NT5 ISAKMPOAKLEY" + version number 9 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09
Microsoft implementation Windows 8.1 | "MS NT5 ISAKMPOAKLEY" + version number 9 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09
Microsoft implementation Windows Server 2012 R2 | "MS NT5 ISAKMPOAKLEY" + version number 9 | 1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09
Kerberos authentication supported [GSS] | "GSSAPI" | 62 1B 04 BB 09 88 2A C1 E1 59 35 FE FA 24 AE EE
NLB/MSCS fast failover supported [MS-IKEE] | "Vid-Initial-Contact" | 26 24 4D 38 ED DB 61 B3 17 2A 36 E3 D0 CF B8 19
NLB/MSCS fast failover supported [MS-IKEE] | "NLBS_PRESENT" | 72 87 2B 95 FC DA 2E B7 08 EF E3 22 11 9B 49 71
Fragmentation avoidance supported [MS-IKEE] | "FRAGMENTATION" | 40 48 B7 D5 6E BC E8 85 25 E7 DE 7F 00 D6 C2 D3
NAT-T supported [MS-IKEE] | "RFC 3947" | 4A 13 1C 81 07 03 58 45 5C 57 28 F2 0E 95 45 2F
Negotiation discovery supported [MS-IKEE] | "MS-Negotiation Discovery Capable" | FB 1D E3 CD F3 41 B7 EA 16 B7 E5 BE 08 55 F1 20

<4> Section 1.7: Vendor ID payload. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The following Vendor ID is sent by the Microsoft IKEv1 implementation when the initiator or responder supports both IKEv1 and the Authenticated Internet Protocol.

Common name | String representation | Wire representation (MD5 hash of string)
Authenticated Internet Protocol supported | "MS-MamieExists" | 21 4C A4 FA FF A7 F3 2D 67 48 E5 30 33 95 AE 83
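The vendor ID tables in <3> and <4> are derived values: each wire form is the MD5 of the quoted string, and the Microsoft implementation ID additionally carries the 4-byte version number. As an added example that is not part of the MS-AIPS specification, the following Python rebuilds those values from the strings and classifies the Vendor ID payloads a peer sends, so a captured first message can be checked for which implementation version and capabilities the peer advertised. The ISAKMP generic payload header layout (next payload, reserved, 16-bit length) and Vendor ID payload type 13 are taken from [RFC2408], not from this page, and the sample message body is constructed.

```python
import hashlib

# Strings and version numbers from the Appendix A vendor ID tables.
MS_IMPL_STRING = "MS NT5 ISAKMPOAKLEY"
MS_VERSION_TO_OS = {5: "Windows Vista", 6: "Windows Vista SP1, Windows Server 2008",
                    7: "Windows 7", 8: "Windows Server 2008 R2",
                    9: "Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2"}
CAPABILITY_STRINGS = {
    "GSSAPI": "Kerberos authentication supported",
    "Vid-Initial-Contact": "NLB/MSCS fast failover supported",
    "NLBS_PRESENT": "NLB/MSCS fast failover supported",
    "FRAGMENTATION": "Fragmentation avoidance supported",
    "RFC 3947": "NAT-T supported",
    "MS-Negotiation Discovery Capable": "Negotiation discovery supported",
    "MS-MamieExists": "Authenticated Internet Protocol supported",
}
VID_PAYLOAD_TYPE = 13  # ISAKMP Vendor ID payload type ([RFC2408]); not from this page

def vid_hash(s: str) -> bytes:
    """Wire form of a Vendor ID string: the MD5 digest of its ASCII bytes."""
    return hashlib.md5(s.encode("ascii")).digest()

def identify_vendor_id(data: bytes):
    """Classify one Vendor ID payload's data; None if not an Appendix A ID."""
    # Microsoft implementation ID: 16-byte MD5 followed by a 4-byte version number.
    if len(data) == 20 and data[:16] == vid_hash(MS_IMPL_STRING):
        version = int.from_bytes(data[16:], "big")
        os_name = MS_VERSION_TO_OS.get(version, "unknown version")
        return ("Microsoft implementation", f"version {version}: {os_name}")
    if len(data) == 16:  # capability IDs are bare 16-byte MD5 digests
        for s, name in CAPABILITY_STRINGS.items():
            if data == vid_hash(s):
                return (name, s)
    return None

def vendor_ids_in_chain(first_type: int, body: bytes):
    """Walk an ISAKMP payload chain (generic header per [RFC2408]: next payload,
    reserved, 16-bit length including the header) and return each Vendor ID
    payload's data. Truncated or out-of-range lengths raise ValueError."""
    vids, ptype, off = [], first_type, 0
    while ptype != 0:  # next-payload 0 marks the last payload
        if off + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type = body[off]
        length = int.from_bytes(body[off + 2:off + 4], "big")
        if length < 4 or off + length > len(body):
            raise ValueError("bad payload length")
        if ptype == VID_PAYLOAD_TYPE:
            vids.append(body[off + 4:off + length])
        ptype, off = next_type, off + length
    return vids

# Constructed sample: a Windows 7 implementation ID followed by the
# AuthIP-supported ID, as a peer supporting both IKEv1 and AuthIP would send.
SAMPLE_BODY = (
    bytes([VID_PAYLOAD_TYPE, 0, 0, 24]) + vid_hash(MS_IMPL_STRING) + bytes([0, 0, 0, 7])
    + bytes([0, 0, 0, 20]) + vid_hash("MS-MamieExists")
)
```

Running `vendor_ids_in_chain(VID_PAYLOAD_TYPE, SAMPLE_BODY)` and passing each result to `identify_vendor_id` yields the Windows 7 implementation row and the AuthIP-supported row from the tables above.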

<5> Section 2.1: UDP ports. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The Authenticated Internet Protocol runs on UDP ports 500 and 4500. The UDP ports are not configurable.

<6> Section 2.2.3.1: Error codes. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The Authenticated Internet Protocol logs the failure to the Security Event Log. The Authenticated Internet Protocol does not report the error to the application whose network activity triggered the Authenticated Internet Protocol exchange. For more information about these codes, see [MS-ERREF].

<7> Section 2.2.3.1: Kerberos via proxy authentication is only supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<8> Section 2.2.3.2.2: In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 implementations of the Authenticated Internet Protocol, the responder adds 8 bytes of Initialization_Vector after the seqNUM field if the GSS-API exchange has completed. The presence of the Initialization_Vector is indicated by the length of the Crypto payload (16 bytes if the Initialization_Vector is present; otherwise, 8 bytes).

<9> Section 2.2.3.5: Error codes. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. This field may take on any Windows error-code value. For more information about these codes, see [MS-ERREF].

<10> Section 3.1: Negotiation retransmission timer. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. See section 3.1.2 and its associated Windows behavior information for details about a Windows implementation of retransmission timers.

<11> Section 3.1: Cryptographic parameters. The Authenticated Internet Protocol is implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 only. Microsoft implements the following algorithms.

Message authentication algorithm | Key length (bytes) | Operating systems
NULL [RFC2410] | N/A | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
HMAC-SHA1-96 [RFC2404] | 20 | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
HMAC-MD5-96 [RFC2403] | 16 | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
AES-GMAC with key sizes of 128, 192, and 256 bits [RFC4543] | 16, 24, and 32 | Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
SHA-256 [SHA256] | 32 | Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

Encryption algorithm | Key length (bytes) | Operating systems
NULL [RFC2410] | N/A | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
DES-CBC [RFC2405] | 8 | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
Triple DES-CBC [RFC2451] | 24 | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
AES-CBC with key sizes of 128, 192, and 256 bits [RFC3602] | 16, 24, and 32 | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
AES-GCM with key sizes of 128, 192, and 256 bits [RFC4106] | 16, 24, and 32 | Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

Diffie-Hellman | Operating systems
Default 768-bit MODP group [RFC2409] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
Alternate 1024-bit MODP group [RFC2409] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
2048-bit MODP group [RFC3526] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
ECP_256 [ECP] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2
ECP_384 [ECP] | Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

<12> Section 3.1.1: Kerberos via proxy authentication is only supported in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<13> Section 3.1.2: Negotiation retransmission timer, notify retransmission timer, authentication retry timer, responder time-out timer, NAT-T keep-alive timer, QM rekey timer. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Negotiation retransmission timer: The first retransmission occurs after two seconds. The time-out is doubled for each subsequent retransmission up to a maximum of four retransmissions. In the shutdown phase, one retransmission, at most, is performed as described in section 3.1.7.

In Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, the number of retransmissions of the first negotiation packet sent by the initiator is reduced to 3. Additionally, if in co-existence mode (section 1.7), and the IKEv1 negotiation gets a valid response to its first packet, then AuthIP stops its retransmission timer. If in negotiation discovery mode (see [MS-IKEE] section 1.3.5), and the responder replies with cleartext (TCP or UDP, for example), then AuthIP stops its retransmission timer on receiving cleartext for the same connection that caused the initial AuthIP negotiation.

Notify retransmission timer: The first retransmission occurs after two seconds. The time-out is doubled for each subsequent retransmission up to a maximum of four retransmissions. In the shutdown phase, one retransmission, at most, is performed as described in section 3.1.7.

Authentication retry timer: The first authentication retry is triggered within a negotiation when the current authentication method fails and there are remaining authentication methods (or remaining authentication parameters for the current method) that can be tried before failing the negotiation. The retry timer expires when all existing authentication methods (and all authentication parameters for each configured authentication method) are exhausted. The timers mentioned in the retry state (section 3.1) are explicitly the negotiation retransmission timer on the initiator and the responder time-out timer on the responder.

Responder time-out timer: The responder deletes its state if it does not receive a message from the initiator within 60 seconds. The responder MUST send a NOTIFY_STATUS notify payload.

NAT-T keep-alive timer: The timer expires after 20 seconds.

QM rekey timer: The timer expires after 60 seconds and all old QM SAs are deleted. The responder MUST send a NOTIFY_STATUS notify payload.

<14> Section 3.2.4: Vendor ID payload. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The following Vendor ID is sent by the Microsoft IKEv1 implementation when the initiator or responder supports both IKEv1 and the Authenticated Internet Protocol.

Common name | String representation | Wire representation (MD5 hash of string)
Authenticated Internet Protocol supported | "MS-MamieExists" | 21 4C A4 FA FF A7 F3 2D 67 48 E5 30 33 95 AE 83

<15> Section 3.2.5.1: Message ID field verification. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. These operating systems do not verify that the message ID field is zero.

<16> Section 3.3.5.1: Message ID field verification. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. These operating systems do not verify that the message ID field is zero.

<17> Section 3.4.5.1: KeyDictationWt is supported only in Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

<18> Section 3.6.5.1: Encrypted flag verification is implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 implementations do not verify that the encrypted flag is not set for payloads denoted as HDR in the payload exchange.

<19> Section 3.7.5.1: Message ID field verification is implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Windows Vista does not verify that the message ID field is set to one. Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 verify that the message ID field is one.

<20> Section 3.8.5.1: Encrypted flag verification is implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 implementations do not verify that the encrypted flag is not set for payloads denoted as HDR in the payload exchange.

<21> Section 3.8.7.1: Encrypted flag verification is implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 implementations do not verify that the encrypted flag is not set for payloads denoted as HDR in the payload exchange.

<22> Section 4.3: Error codes. Implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The Authenticated Internet Protocol logs the failure to the Security Event Log. For more information about these codes, see [MS-ERREF].

 
© 2014 Microsoft