IPSec compatibility RRS feed

  • Question

  • We are developing a firewall product that is currently filtering at the transport and ALE layers through a callout driver.  As we filter at the transport layer we noticed that there are some guidelines for maintaining IPSEC compatibility.  The majority of these guidelines make sense, e.g. weighting your sublayer below the universal sublayer and ensuring that the traffic is detunnelled.  However can someone add any information regarding the guideline:

    "An incoming transport packet that requires ALE classification must be inspected at the ALE authorize receive/accept layers (FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4 or _V6). Such a packet must be permitted from incoming transport layers."

    Why is it not safe to ignore this guideline and block traffic at the transport layer rather than permitting it and blocking it at the ALE layer? 

    We have performed some basic IPSEC tests and whether this guideline is followed or not doesn't seem to make much difference.  If it's important we aren't currently inspecting, pending or injecting packets but we may have need in the future.

    Any help greatly appreciated.
    Wednesday, April 20, 2011 9:00 AM


  • This is not safe to ignore when performing injection.  IPsec does some additional processing on the first inbound packet after it has left INBOUND_TRANSPORT (i.e. at RECV_ACCEPT).  If you inject before this happens, then some neccessary info needed by IPsec may be lost.

    If you are solely blocking the packet, then you can safely ignore this.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights
    Thursday, April 21, 2011 6:01 PM