Description of IPsec
IPsec is designed to encrypt data as it travels between two
computers, protecting the data from modification and interpretation. IPsec is a
key line of defense against internal, private network, and external attacks.
Although most network security strategies have focused on preventing attacks
from outside an organization's network, a great deal of sensitive information
can be lost by internal attacks that interpret data on the network. Most data
is not protected when it travels across the network, so employees, supporting
staff members, or visitors may be able to plug into your network and copy data
for later analysis. They can also mount network-level attacks against other
computers. Firewalls offer no protection against such internal threats, so
using IPsec offers significantly greater security for corporate data.
IPsec is a security service that gives administrators the ability to monitor
traffic, examine addresses, and apply various security methods to the IP data
packet regardless of which program generates the data.
Using IP
filtering, IPsec examines all IP packets for addresses, ports, and transport
protocols. Rules contained in local or group policies tell IPsec to ignore or
secure specific packets, depending on addressing and protocol information.
IPsec implementation in Windows 2000 and in Windows Server 2003
IPsec and Internet Key Exchange (IKE) are only included in Windows
2000 and in Windows Server 2003. These operating systems adhere to the IPsec
RFC suite (2401+) as much as a first release can--there are still some aspects
of the RFCs that have not been implemented. It is tightly integrated with many
other aspects of these operating systems, such as the TCP/IP stack, device Plug
and Play, certificate services and cryptographic modules (CAPIv2) and to some
extent, Group Policy for the delivery of directory-based IPsec policy.
Only L2TP uses IPsec by default to secure the UDP 1701 IP packets
that are the tunnel. IPsec is not included in Microsoft Windows 98. IPsec and
related services in Windows 2000 and in Windows Server 2003 were jointly
developed by Microsoft and Cisco Systems, Inc. The L2TP implementation itself
was performed by Microsoft and integrated with IPsec after Beta 2.
Components
- The IPsec driver that monitors, filters, and secures
traffic.
- The Internet Security Association and Key Management Protocol
(ISAKMP/Oakley) key exchange and management services that oversee security
negotiations between hosts, and provide keys for use with security
algorithms.
- The Policy agent that looks for policies and delivers them
to the IPsec driver and ISAKMP.
- The IP Security policy and the Security Associations
derived from those policies that define the security environment in which two
hosts communicate.
- The Security Association API that provides the interface
between the IPsec driver, ISAKMP, and the Policy agent.
- The management tools that create policies, monitor IP
Security statistics, and log IP Security events.
Interaction of components
- An IP packet matches an IP filter that is part of an IP
Security policy.
- The IP Security policy can have several optional security
methods. The IPsec driver needs to know which method to use to secure the
packet. The IPsec driver requests that ISAKMP negotiate a security method and
security key.
- ISAKMP negotiates a security method and sends it with a
security key to the IPsec driver.
- The method and key become the IPsec Security Association
(SA). The IPsec driver stores this SA in its database.
- Both communicating hosts need to secure or unsecure IP
traffic, so both need to know and store the SA.
IP security methods
IP Security methods are applied to an IP packet by the IPsec
driver. There are two security methods that can be used, either separately or
in unison. The two methods are:
- Data and address integrity through keyed hashing
(HMAC)
- Data integrity plus confidentiality through
encryption
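The first of the two methods, keyed hashing, is illustrated by the following added example (not Microsoft's code). It computes an AH-style HMAC-MD5-96 integrity check value over a constructed IPv4 packet, zeroing the header fields a router may legitimately change, so a normal hop still verifies while a rewritten address or payload does not. The key and addresses are made up for the demo.

```python
import hashlib
import hmac
import struct

# Added example: AH-style keyed hashing with HMAC-MD5-96 (RFC 2403) over a
# constructed IPv4 packet. Fields a router may change in transit (TOS,
# flags/fragment offset, TTL, header checksum) are zeroed before hashing, as
# RFC 2402 requires, so the ICV covers addresses and payload but survives
# normal forwarding. Key and addresses below are made up for the demo.
KEY = b"demo-key-not-for-production"

def ipv4_header(src, dst, ttl=64, proto=17, total_len=25):
    """Pack a minimal 20-byte IPv4 header; src/dst are dotted quads."""
    def quad(a):
        return bytes(int(x) for x in a.split("."))
    # ver/IHL, TOS, total length, ID, flags+frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                       quad(src), quad(dst))

def zero_mutable(header):
    """Zero the mutable IPv4 fields excluded from the integrity check."""
    h = bytearray(header)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def compute_icv(key, header, payload):
    """HMAC-MD5 over immutable header fields + payload, truncated to 96 bits."""
    return hmac.new(key, zero_mutable(header) + payload, hashlib.md5).digest()[:12]

def verify(key, header, payload, icv):
    """Constant-time comparison of the received ICV against a recomputation."""
    return hmac.compare_digest(compute_icv(key, header, payload), icv)

def demo():
    """Returns (survives_hop, address_change_verifies, payload_change_verifies)."""
    payload = b"hello"
    sent = ipv4_header("10.0.0.1", "10.0.0.2", ttl=64)
    icv = compute_icv(KEY, sent, payload)
    hopped = ipv4_header("10.0.0.1", "10.0.0.2", ttl=63)      # TTL decremented en route
    redirected = ipv4_header("10.0.0.1", "10.0.0.3", ttl=63)  # destination rewritten
    return (verify(KEY, hopped, payload, icv),
            verify(KEY, redirected, payload, icv),
            verify(KEY, hopped, b"hellp", icv))
```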
IPsec policy configuration
You can use the Microsoft Management Console (MMC) to
increase the protection of unicast IP traffic by using a configuration 'policy'
that is built on the client and server or router. You can configure this policy
either locally (by using the IP Security Policies on Local Machine snap-in) or
in Active Directory (by using the IP Security Policies on Active Directory
tool). When you apply the policy, IPsec uses packet filters to determine which
traffic to secure, block, or permit. When it secures traffic, IKE is used to
negotiate security settings and perform cryptographic key exchanges, and IPsec
SA establishment and automatic rekeys. IPsec functions as transparently as
possible to layers above IP.
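The way a policy's packet filters decide between securing, blocking and permitting traffic is shown in the following added example (not Microsoft's code, and not the unpublished Windows policy format). It models a small filter list, including the mirrored matching that Windows filters offer and the UDP 1701 filter the article mentions for L2TP; the addresses and ports are made up for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed model of an IPsec filter list (added example). A filter names
# source/destination networks, transport protocol and ports, and carries one
# of the three actions the article describes: permit, block or secure.

def make_filter(src, dst, proto, sport, dport, action, mirrored=True):
    """proto is 'any' or 'tcp'/'udp'/'icmp'; port 0 means any port.
    mirrored=True also matches the reply direction, as Windows filters can."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "action": action, "mirrored": mirrored}

def _one_way(f, pkt, src, dst, sport, dport):
    return (ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and f["proto"] in ("any", pkt["proto"])
            and sport in (0, pkt["sport"])
            and dport in (0, pkt["dport"]))

def matches(f, pkt):
    if _one_way(f, pkt, f["src"], f["dst"], f["sport"], f["dport"]):
        return True
    return f["mirrored"] and _one_way(f, pkt, f["dst"], f["src"], f["dport"], f["sport"])

def decide(filters, pkt):
    """Return the action for a packet. The caller orders filters most specific
    first; traffic matching no filter is left alone (IPsec ignores it)."""
    for f in filters:
        if matches(f, pkt):
            return f["action"]
    return "permit"

FILTERS = [
    # L2TP: UDP 1701 at both ends must be secured (see the L2TP/IPsec section)
    make_filter("0.0.0.0/0", "0.0.0.0/0", "udp", 1701, 1701, "secure"),
    # block clear-text telnet to the file server, inbound only
    make_filter("0.0.0.0/0", "10.0.0.5/32", "tcp", 0, 23, "block", mirrored=False),
    # everything else to or from the file server is negotiated through IKE
    make_filter("0.0.0.0/0", "10.0.0.5/32", "any", 0, 0, "secure"),
]

def pkt(src, dst, proto, sport=0, dport=0):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def demo():
    return [
        decide(FILTERS, pkt("10.0.0.7", "10.0.0.5", "tcp", 40000, 23)),    # block
        decide(FILTERS, pkt("10.0.0.7", "10.0.0.5", "tcp", 40001, 445)),   # secure
        decide(FILTERS, pkt("10.0.0.5", "10.0.0.7", "tcp", 445, 40001)),   # secure (mirrored)
        decide(FILTERS, pkt("10.0.0.7", "192.0.2.1", "udp", 1701, 1701)),  # secure (L2TP)
        decide(FILTERS, pkt("10.0.0.7", "10.0.0.9", "icmp")),              # permit (no match)
    ]
```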
If the IPsec policy specifies it, IKE
can use the Windows Kerberos 5 security protocol for computer authentication to
avoid the requirement for certificate deployment. The Windows 2000 and Windows
Server 2003 implementation is according to Derrell Piper's draft (as described
later in this article). Kerberos is not used for IPsec keying, only for IKE
main-mode computer authentication. No Kerberos extensions are used in the
ticket because it is not a user or service ticket--it is a computer ticket--so
it should work when you configure either operating system for MIT-compatibility
mode of Kerberos 5 with other computers that are members of Kerberos 5 realms.
For additional information, see the following Web sites:
Microsoft
provides third-party contact information to help you find technical support.
This contact information may change without notice. Microsoft does not
guarantee the accuracy of this third-party contact
information.
IPsec API and policy
The Windows 2000 and Windows Server 2003 IPsec APIs and policy
schema have not been published yet. IPsec and IKE identity-protect mode (main
mode and quick mode) do not lend themselves to program-based,
connection-oriented APIs. IPsec is not intended as a replacement for the
SSL/TLS connection-oriented methods normally used to secure Web
communications.
The Windows 2000 and Windows Server 2003 definition
of 'policy' is a set of IPsec-specific settings that can be delivered to and
then applied to the host. 'Policy' implies static settings/data that have not
been evaluated on the enforcement point of the end-computer that receives these
settings. The typical IPsec deployment is for a domain administrator to
configure an IPsec policy in Active Directory as needed for clients, servers,
and other special-purpose computers, and then assign it and deliver it by using
the Group Policy system. You can also fully configure the IPsec policy.
Microsoft intends to change the policy storage formats in future
releases of Windows. Therefore, the Windows IPsec directory policy and local
registry storage formats are considered a Microsoft private, unpublished data
structure.
You can still batch script IPsec policy creation.
Ipsecpol.exe is a command-line tool in the Microsoft Windows 2000 Resource Kit
that you can use to script policy construction (documentation is included with
the tool). In the Support Tools folder on the CD-ROM, you can use the
netdiag.exe /test:ipsec /v /debug command to see the details
of the IPsec policy, filtering, and so on (if you are logged on with the same
privileges as the user who assigned the policy).
For a future release
(not necessarily the next release), Microsoft is working on APIs that allow API
clients to plumb filters and offers to the engine. Microsoft will make APIs
available after a detailed third-party vendor design review. Policy-management
solutions will be able to design their own policy formats and then plumb them
to the IPsec system by using the APIs.
Work is being done on a
proposal for an IPsec policy model/schema as a first draft of what an
administrative policy-oriented API might support. However, vendors and
interested customers would need to review this draft substantially to see if
the model would work. For additional information, see the following Web site:
Microsoft
provides third-party contact information to help you find technical support.
This contact information may change without notice. Microsoft does not
guarantee the accuracy of this third-party contact
information.
IPsec interoperation
For virtual private network (VPN) scenarios, Microsoft recommends
IPsec tunnels only for gateway-to-gateway scenarios in which L2TP/IPsec will
not work, and for end-to-gateway scenarios where each endpoint has a static IP
address and therefore static IPsec rules with filters to enable the tunnel.
IPsec tunnels are not recommended for VPN remote access clients, because the
implementation is an RFC-compatible tunnel implementation and so does not
support IKECFG or XAUTH.
For more information
about configuring IPsec tunneling in Windows 2000, click the following article
number to view the article in the Microsoft Knowledge Base:
252735 How to configure IPsec tunneling in Windows 2000
Although technically you can configure policy
filters to provide IPsec tunnels for protocols and ports (because the policy
configuration tool is very general), these types of tunnels are not supported by
Microsoft.
IPsec interoperability is not clearly defined. Some
vendors have decided to run their own program. Both of the following Web sites
are conducting interoperability testing programs:
Windows 2000 and Windows Server 2003 have not been submitted to
either of these yet. Customer demand and review of the interoperation criteria
used in these testing programs versus how they want to use IPsec will determine
whether Microsoft will apply for certification in these programs.
Suggested interoperability levels
- Protocol compatible: Can be determined by looking at
technical specifications of supported options such as IKE features and modes of
operation, authentication methods (such as certificate vendor support,
hierarchies, key sizes) and security methods (such as DES, 3DES, MD5 and
PFS).
- Protocol interoperable: Engineers can configure
certain versions of two products to send and receive data. The lowest version
of this is what is being tested at vendor interoperability workshops, and the
highest version of this is what product test teams would do. Note that
interoperation workshops often do not test retail code. The final version of
Windows 2000, build 2195, was used at the last workshop. Workshop
interoperation results are not public because they are engineering workshops
for testing products in development. The results are only meaningful to the
engineers testing their code.
- Product interoperable: Works in the way the customer
wants to configure it in a specific scenario (doing real work) and is
"operationally verified" (it meets reliability and manageability requirements
and carries real traffic loads). A vendor's testing is feasible only for a few
scenarios with a few products, and customers must verify the testing because
their security and operational requirements are often unique.
L2TP/IPsec interoperation
Windows 2000 and Windows Server 2003 are compliant with RFC 2661
("Layer Two Tunneling Protocol"). RFC 2661 indicates that L2TP traffic can be
secured with IPsec, but does not provide details about how to implement this
security. An Internet-draft document is currently being worked on that will
specify the details of securing L2TP traffic with IPsec. Internet-draft
documents are working documents of the Internet Engineering Task Force (IETF),
its areas, and its working groups.
Because the protection of L2TP
traffic with IPsec is not yet a standard (there is no RFC for it), the
interoperation of these Windows operating systems using L2TP/IPsec must be
tested.
Use the following basic information about the protection of
L2TP traffic using IPsec in Windows 2000 and Windows Server 2003 as guidance
when you are testing with third-party vendors:
- Certificates are used for computer authentication--it is
possible to use a preshared key for testing.
- The Transport mode of IPsec is used to protect L2TP
traffic.
- UDP port 1701 is used for both source and destination
ports. This is non-negotiable.
Microsoft is continuing to test both IPsec only and L2TP/IPsec
with other vendors based on customer demand. Microsoft Knowledge Base articles
will be published if issues are found. Visit the following Microsoft Web site
for the latest on interoperation information:
It is common for some vendors to claim interoperation with Windows
2000 and Windows Server 2003, even if Microsoft may not have had a chance to
verify it with that vendor.
Security
Microsoft has taken a number of steps to ensure the quality of
the design and implementation, which has included internal and external
(private) design and code reviews. Microsoft will continue to provide
documentation and guidance for customers on proper use. As with any security
tool, it is important that users read the online Help and Resource Kit
documentation to understand IPsec and its usage thoroughly. IPsec and IKE are
implemented to IETF RFC standards, but they are still new technology in the
industry, which means they will come under heavy scrutiny and attack by
malicious users.
Microsoft recommends the following actions to
maintain a secure environment:
- Install the Strong Cryptography update pack to obtain 3DES
encryption capability for all computers that you expect to use IPsec. You can
download this from the following Microsoft Web site: .
- Ensure that IPsec policies require 3DES only where privacy
for IPsec communication is required. DES encryption has been shown to be
insufficiently strong against cryptographic attacks. Use 3DES hardware
acceleration with IPsec-enabled network adapters for computers that require
high throughput for IPsec protected traffic.
- Enable Security log auditing for logon and logoff events
and monitor them for the IPsec-related events 541 and 542.
- Monitor the System log for events from the IPsec
source.
- Upgrade to the most current service pack (when it is
released) to obtain the latest fixes and security updates for your computer
components. Apply release candidate versions, if available, of the latest
service packs (in your lab environment) for operational verification before the
final release. Contact your Product Support Services representative about
problems immediately.
- When you are designing an IPsec deployment, consult the
Microsoft Knowledge Base (http://support.microsoft.com/search) for the latest
configuration details, known issues, and workarounds.
- Monitor the Microsoft Security Web site (http://www.microsoft.com/technet/security)
to stay informed of security news and patches.
- Contact secure@microsoft.com if you think you have
discovered a reproducible security vulnerability. Please provide as much detail
as possible in order to expedite the investigation.
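The two log-monitoring recommendations above can be turned into a repeatable check. The following added example (not Microsoft's code) reads constructed Event Viewer tab-separated exports and pulls out the Security log entries with events 541 and 542 and every System log entry written by the IPSEC source. The log lines are made up; the System-log event numbers are placeholders, since only the source name matters to that check.

```python
import csv
import io

# Constructed sample of Windows 2000 Event Viewer tab-separated exports
# (columns: Date, Time, Source, Type, Category, Event, User, Computer).
# The lines are made up for this added example; the System-log event numbers
# are placeholders, only the source name is used by the check.
SECURITY_LOG = """\
12/01/2003\t09:15:02\tSecurity\tSuccess Audit\tLogon/Logoff\t541\tSYSTEM\tSRV1
12/01/2003\t09:15:03\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tjdoe\tSRV1
12/01/2003\t09:47:10\tSecurity\tSuccess Audit\tLogon/Logoff\t542\tSYSTEM\tSRV1
12/01/2003\t09:50:00\tSecurity\tSuccess Audit\tObject Access\t560\tjdoe\tSRV1
"""
SYSTEM_LOG = """\
12/01/2003\t09:14:59\tIPSEC\tWarning\tNone\t9999\tN/A\tSRV1
12/01/2003\t09:16:00\tService Control Manager\tInformation\tNone\t7036\tN/A\tSRV1
"""

FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]
IKE_SA_EVENTS = {"541", "542"}  # the Security-log IDs the article says to watch

def parse_export(text):
    """Turn an Event Viewer export into a list of dicts keyed by FIELDS."""
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    return [dict(zip(FIELDS, r)) for r in rows if r]

def ike_sa_events(rows):
    """Logon/Logoff audit entries carrying the IPsec-related IDs 541 and 542."""
    return [r for r in rows
            if r["category"] == "Logon/Logoff" and r["event"] in IKE_SA_EVENTS]

def ipsec_system_events(rows):
    """System-log entries written by the IPSEC source, whatever the event ID."""
    return [r for r in rows if r["source"].upper() == "IPSEC"]

def triage(security_text, system_text):
    """One pass over both exports; returns the entries a reviewer should look at."""
    sec = ike_sa_events(parse_export(security_text))
    sysl = ipsec_system_events(parse_export(system_text))
    return {
        "ike_sa": [(r["time"], r["event"], r["computer"]) for r in sec],
        "ipsec_system": [(r["time"], r["type"], r["event"]) for r in sysl],
    }
```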
Microsoft points of contact
For media inquiries, contact Waggener Edstrom at 425-637-9097.
Identify that you are inquiring about IPsec and network security. They will be
able to contact the appropriate product management and technical resources to
help you.
For IPsec as a technology in the Windows platform, please
send an e-mail message to ipsecreq@microsoft.com.
Microsoft customers
with support agreements have access to Windows 2000 Support Professionals who
have been working with the product team over the course of the Windows 2000
beta cycle. Customers who already deploy or will deploy Windows 2000 or Windows
Server 2003 IPsec for end-to-end or end-to-router scenarios should contact
their Microsoft Support Representative directly. For information about
Microsoft Support options, visit the following Microsoft Web site:
Microsoft needs customer and vendor feedback to improve the
functionality in the platform. We would like to know who is using it and how,
and what your experience is. To that end, it is most helpful if customers
escalate issues through the support channel. If you are an IPsec vendor and
have a specific implementation or interoperation question, see our walkthrough
and Microsoft Knowledge Base articles for how to turn on debugging. After
investigation, send an e-mail message to the alias on the interoperation test
site, explain who you are, what is happening, and so on.
The online
Help (in both Windows 2000 Professional and Server) contains the same content
for IPsec, but it is represented differently in the table of contents. The
online Help is also available at the following Microsoft Web site:
The Windows 2000 Server Resource Kit is oriented to network and
server administrators who are new to IPsec. For information about the Windows
2000 Resource Kit, see the following Microsoft Web site:
Detailed procedures for using IPsec to protect traffic end-to-end
as well as more information about the implementation is available at the
following Microsoft Web site:
The Windows 2000 Networking newsgroup is available at
microsoft.public.win2000.networking. For
more information, click the following article numbers to view the articles in
the Microsoft Knowledge Base:
257225 IPsec troubleshooting in Microsoft Windows 2000 Server
259335 Basic L2TP/IPSec troubleshooting in Windows 2000
248750 Description of the IPSec policy created for L2TP/IPSec
For information about Windows 2000-based virtual
private network and supporting VPN interoperability, see the following
Microsoft Web site: