Microsoft KB Archive/253169

From BetaArchive Wiki
Knowledge Base

Traffic That Can--and Cannot--Be Secured by IPSec

Article ID: 253169

Article Last Modified on 10/12/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition

This article was previously published under Q253169


IP Security Protocol (IPSec) in Windows 2000 is designed to secure IP traffic between two computers that communicate by using their IP addresses. It uses filters defined in an IPSec policy to classify IP packets. After a packet is classified (matched to a filter), the configured filter action takes place.


IPSec is applied to IP packets as they are sent and received. Packets are matched against filters when they are being sent (outbound) to see if they should be secured, blocked, or passed in clear text. Packets are also matched when they are received (inbound) to see if they should have been secured, should be blocked, or should be passed (permitted) into the system in clear text.

By design, the following types of IP traffic are exempted and cannot be secured by IPSec in Windows 2000:

  • Broadcast

Traffic going from one sender to many receivers that are unknown to the sender. This type of packet cannot be classified by IPSec filters. For example, a standard class C subnet using 192.168.0.x would have a broadcast address of Your broadcast address depends on your subnet mask.

  • Multicast

As with Broadcast traffic, one sender sends an IP packet to many receivers that are unknown to the sender. These are addresses in the range from through

  • Resource Reservation Protocol (RSVP)

This traffic uses IP protocol 46 and is used to provide Quality Of Service (QoS) in Windows 2000. Exemption of RSVP traffic is a requirement to allow QOS markings for traffic that may be secured by IPSec.

  • Internet Key Exchange (IKE)

IKE is a protocol used by IPSec to securely negotiate security parameters (if the filter action indicates that security needs to be negotiated) and establish shared encryption keys after a packet is matched to a filter. Windows 2000 always uses a User Datagram Protocol (UDP) source and destination port 500 for IKE traffic.

  • Kerberos

Kerberos is the core Windows 2000 security protocol typically used by IKE for IPSec authentication. This traffic uses a UDP/TCP protocol source and destination port 88. Kerberos is itself a security protocol that does not need to be secured by IPSec. The Kerberos exemption is basically this: If a packet is TCP or UDP and has a source or destination port = 88, permit.

NOTE: These exemptions apply to IPSec transport mode filters for packets that have a source address of the computer that is sending the packet. IPSec tunnels can secure only unicast IP traffic. IPSec tunnel-mode filters also cannot process multicast or broadcast packets. If Kerberos, IKE, or RSVP packets are received on one adapter and routed out of another adapter (by using packet forwarding or Routing and Remote Access Services), they are not exempt from IPSec tunnel-mode filters and could be carried inside the tunnel.

For more information about the IKE protocol see RFC 2409:

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional information about RSVP, click the article number below to view the article in the Microsoft Knowledge Base:

227261 Description of the Resource Reservation Protocol (RSVP)

For more information about Kerberos, see the "Kerberos V5 Authentication" topic in Windows 2000 Help, and also the technical documents about Kerberos located at the following Microsoft Web site:

For additional information about the IPSec feature in Microsoft Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

810207 IPSec Default Exemptions Are Removed in Windows Server 2003

Keywords: kbinfo kbipsec kbnetwork KB253169