Group Policy: IP Security (Ipsec) Protocol Extension

[MS-GPIPSEC]:

Group Policy: IP Security (IPsec) Protocol Extension

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit

Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Table of Contents

1Introduction

1.1Glossary

1.2References

1.2.1Normative References

1.2.2Informative References

1.3Overview

1.3.1Background

1.3.2IPsec Protocol Overview

1.4Relationship to Other Protocols

1.5Prerequisites/Preconditions

1.6Applicability Statement

1.7Versioning and Capability Negotiation

1.8Vendor-Extensible Fields

1.9Standards Assignments

2Messages

2.1Transport

2.2Message Syntax

2.2.1IPsec Policy Creation/Modification

2.2.1.1ipsecPolicy Object Attribute Details

2.2.1.1.1ipsecPolicy{GUID} Object Attribute Descriptions

2.2.1.2ipsecISAKMPPolicy Object Attribute Details

2.2.1.2.1ipsecISAKMPPolicy{GUID} Object Attribute Descriptions

2.2.1.3ipsecNFA Object Attribute Details

2.2.1.3.1ipsecNFA{GUID} Object Description

2.2.1.4ipsecNegotiationPolicy Object Attribute Details

2.2.1.4.1ipsecNegotiationPolicy{GUID} Object Description

2.2.1.5ipsecFilter Object Attribute Details

2.2.1.5.1ipsecFilter{GUID} Object Description

2.2.2IPsec Policy Assignment

2.2.3IPsec Policy Retrieval

2.2.3.1Policy Location, Name, and Description Retrieval

2.2.3.2Policy Data Retrieval

2.3Directory Service Schema Elements

3Protocol Details

3.1IPsec Group Policy Administrative Plug-in Details

3.1.1Abstract Data Model

3.1.2Timers

3.1.3Initialization

3.1.4Higher-Layer Triggered Events

3.1.5Message Processing Events and Sequencing Rules

3.1.5.1Configuring an LDAP BindRequest

3.1.5.2Terminating the LDAP BindRequest

3.1.5.3Retrieving the Assigned Policy Location, Name, and Description

3.1.5.4Reading the Assigned Policy Data

3.1.5.5Writing the Assigned Policy Data

3.1.5.6Modifying the Assigned Policy Data

3.1.5.7Deleting the Assigned Policy Data

3.1.5.8Policy Assignment

3.1.6Timer Events

3.1.7Other Local Events

3.2IPsec Group Policy Client-Side Plug-in Details

3.2.1Abstract Data Model

3.2.2Timers

3.2.3Initialization

3.2.4Higher-Layer Triggered Events

3.2.4.1Processing Group Policy Callbacks

3.2.5Message Processing Events and Sequencing Rules

3.2.5.1Locating a Domain Controller

3.2.5.2Establishing a Connection to the Domain Controller

3.2.5.3Retrieving the Assigned Policy Location, Name, and Description

3.2.5.4Retrieving the Assigned Policy Data

3.2.6Timer Events

3.2.6.1Local Timer Expiration

3.2.7Other Local Events

4Protocol Examples

4.1Administrative Creation/Assignment of Policy

4.1.1Policy Creation

4.1.2Policy Assignment

4.2Client Retrieval of Policy

4.2.1Retrieving the Assigned Policy Name, Description, and Location

4.2.2Retrieving the Assigned Policy Data

5Security

5.1Security Considerations for Implementers

5.2Index of Security Parameters

6Appendix A: Product Behavior

7Change Tracking

8Index

1Introduction

The Group Policy: IP Security (IPsec) Protocol Extension is layered on top of the Group Policy: Core Protocol (as specified in [MS-GPOL]). The transmitted configuration data enables centralized (common) configuration of the IPsec component on multiple client systems to provide basic traffic filtering, data integrity, and optionally, data encryption for IP traffic.

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.

1.1Glossary

This document uses the following terms:

Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section 1.1.1.5.2, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.

authentication header (AH): An Internet Protocol Security (IPsec) encapsulation mode that provides authentication and message integrity. For more information, see [RFC4302] section 1.

binary large object (BLOB): A collection of binary data stored as a single entity in a database.

client-side extension GUID (CSE GUID): A GUID that enables a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object (GPO) on the Group Policy server, for that particular extension.

curly braced GUID string: The string representation of a 128-bit globally unique identifier (GUID) using the form {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, where X denotes a hexadecimal digit. The string representation between the enclosing braces is the standard representation of a GUID as described in [RFC4122] section 3. Unlike a GUIDString, a curly braced GUID string includes enclosing braces.

default response rule: A rule that ensures that computers respond to requests for secure communication. If an active policy does not have a rule defined for a computer that is requesting secure communication, the default response rule is applied and security is negotiated.

directory: The database that stores information about objects such as users, groups, computers, printers, and the directory service that makes this information available to users and applications.

directory string: A string encoded in UTF-8 as defined in [RFC2252] section 6.10.

distinguished name (DN): A name that uniquely identifies an object by using the relative distinguished name (RDN) for the object, and the names of container objects and domains that contain the object. The distinguished name (DN) identifies the object and its location in a tree.

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication (2) of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

Encapsulating Security Payload (ESP): An Internet Protocol security (IPsec) encapsulation mode that provides authentication, data confidentiality, and message integrity. For more information, see [RFC4303] section 1.

fully qualified domain name (FQDN): An unambiguous domain name (2) that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

Group Policy: A mechanism that allows the implementer to specify managed configurations for users and computers in an Active Directory service environment.

Group Policy extension: A protocol that extends the functionality of Group Policy. Group Policy extensions consist of client-side extensions and Administrative tool extensions. They provide settings and other Group Policy information that can be read from and written to Group Policy data store components. Group Policy Extensions depend on the Group Policy: Core Protocol, via the core Group Policy engine, to identify GPOs containing a list of extensions that apply to a particular Group Policy client.

Group Policy Object (GPO): A collection of administrator-defined specifications of the policy settings that can be applied to groups of computers in a domain. Each GPO includes two elements: an object that resides in the Active Directory for the domain, and a corresponding file system subdirectory that resides on the sysvol DFS share of the Group Policy server for the domain.

Internet Key Exchange (IKE): The protocol that is used to negotiate and provide authenticated keying material for security associations (SAs) in a protected manner. For more information, see [RFC2409].

Internet Protocol security (IPsec): A framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. The Microsoft implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.

Internet Security Association and Key Management Protocol (ISAKMP): A cryptographic protocol specified in [RFC2408] that defines procedures and packet formats to establish, negotiate, modify and delete security associations (SAs). It forms the basis of the Internet Key Exchange (IKE) protocol, as specified in [RFC2409].

IPsec administrative plug-in: The Internet Protocol security (IPsec) extension plug-in that operates as part of the group policy configuration tool that reads and writes IPsec policy using the Group Policy: IP Security (IPsec) Protocol Extension [MS-GPIPSEC].

IPsec client-side plug-in: The Internet Protocol security (IPsec) extension plug-in that operates on the client machine to retrieve the policy using the Group Policy: IP Security (IPsec) Protocol Extension [MS-GPIPSEC].

IPsec component: The implementation of the Internet Protocol security (IPsec)/Internet Key Exchange (IKE) functionality on a client machine. This is the component that the Group Policy: IP Security (IPsec) Protocol Extension [MS-GPIPSEC] configures with the IPsec/IKE policy that is transferred as part of the protocol.

main mode (MM): The first phase of an Internet Key Exchange (IKE) negotiation that performs authentication and negotiates a main mode security association (MM SA) between the peers. For more information, see [RFC2409] section 5.

negotiation filter association (NFA): A term that is used to describe the logical binding together of the appropriate IPsec filter and IPsec negotiation policy settings for an IPsec policy.

security association (SA): A simplex "connection" that provides security services to the traffic carried by it. See [RFC4301] for more information.

tool extension GUID or administrative plug-in GUID: A GUID defined separately for each of the user policy settings and computer policy settings that associates a specific administrative tool plug-in with a set of policy settings that can be stored in a Group Policy Object (GPO).

Transmission Control Protocol (TCP): A protocol used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. TCP handles keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.

tunnel mode: An IP encapsulation mechanism, as specified in [RFC4301], that provides Internet Protocol security (IPsec) security to tunneled IP packets. IPsec processing is performed by the tunnel endpoints, which can be (but are typically not) the end hosts.

Unicode: A character encoding standard developed by the Unicode Consortium that represents almost all of the written languages of the world. The Unicode standard [UNICODE5.0.0/2007] provides three forms (UTF-8, UTF-16, and UTF-32) and seven schemes (UTF-8, UTF-16, UTF-16 BE, UTF-16 LE, UTF-32, UTF-32 LE, and UTF-32 BE).

User Datagram Protocol (UDP): The connectionless protocol within TCP/IP that corresponds to the transport layer in the ISO/OSI reference model.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2References

Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.

1.2.1Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information.

[MS-ADA1] Microsoft Corporation, "Active Directory Schema Attributes A-L".

[MS-ADA2] Microsoft Corporation, "Active Directory Schema Attributes M".

[MS-ADA3] Microsoft Corporation, "Active Directory Schema Attributes N-Z".

[MS-ADSC] Microsoft Corporation, "Active Directory Schema Classes".

[MS-ADTS] Microsoft Corporation, "Active Directory Technical Specification".

[MS-DTYP] Microsoft Corporation, "Windows Data Types".

[MS-GPOL] Microsoft Corporation, "Group Policy: Core Protocol".

[MS-NRPC] Microsoft Corporation, "Netlogon Remote Protocol".

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997,

[RFC2251] Wahl, M., Howes, T., and Kille, S., "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997,

[RFC2254] Howes, T., "The String Representation of LDAP Search Filters", RFC 2254, December 1997,