TCP/IP packet processing path (Ipnat.sys, Ipfltdrv.sys, Ipsec.sys)


Reposted from: https://technet.microsoft.com/library/bb878072

Brief introduction
TCP/IP architecture for packet processing
Packet processing path
More information

Brief introduction

With the addition of Windows Firewall in Microsoft Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, and the growing use of Internet Protocol security (IPsec) on corporate intranets, information technology (IT) professionals need to understand exactly how the TCP/IP protocol and the related components in Windows handle unicast Internet Protocol (IP) packets. Detailed knowledge of the IP packet processing path makes it easier to configure the packet processing and filtering components and to troubleshoot them.

This article covers the following:

    • The basic architecture of the TCP/IP protocol for IP version 4 and of the other components that process packets.

    • The packet processing paths for unicast traffic sent, received, and forwarded by a Windows-based computer.

Note: for brevity, this article does not discuss multicast, broadcast, fragmented, or tunneled packets.

TCP/IP architecture for packet processing

This section briefly describes the TCP/IP protocol driver (Tcpip.sys) and the related components that process IP packets in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

The following components can process IP packets:

    • IP forwarding   Determines the next-hop interface and address for sent or forwarded packets.

    • TCP/IP filtering   Lets you specify, by IP protocol, TCP port, or UDP port, which incoming local host traffic (packets destined for the host) is accepted. You configure TCP/IP filtering from the Options tab of the advanced properties of the Internet Protocol (TCP/IP) component in the Network Connections folder.

    • Filter hook driver   A Windows component that uses the filter hook API to filter incoming and outgoing IP packets. On a computer running Windows Server 2003, the filter hook driver is Ipfltdrv.sys, a component of Routing and Remote Access. When Routing and Remote Access is enabled, you can configure separate inbound and outbound IP packet filters for each interface with the Routing and Remote Access snap-in. Ipfltdrv.sys examines both local host traffic and transit IP traffic (packets not destined for the host).

    • Firewall hook driver   A Windows component that uses the firewall hook API to examine incoming and outgoing packets. On a computer running Windows XP, the firewall hook driver is Ipnat.sys, which is shared by Internet Connection Sharing and Windows Firewall. Internet Connection Sharing is a basic network address translator (NAT). Windows Firewall is a host-based stateful firewall. Ipnat.sys can examine both local host and transit IP traffic. On a computer running Windows Server 2003, Ipnat.sys is shared by Internet Connection Sharing, Windows Firewall, and the NAT/Basic Firewall component of Routing and Remote Access. If you enable the NAT/Basic Firewall component of Routing and Remote Access, you can no longer enable Windows Firewall or Internet Connection Sharing.

    • IPsec   The IPsec component, Ipsec.sys, is the Windows implementation of IPsec, which provides cryptographic protection for IP traffic. Ipsec.sys can examine both local host and transit IP traffic and can allow, block, or protect it.

Packet processing path

The following sections describe the packet processing paths for these kinds of traffic:

    • Source traffic   Traffic originated by a Windows-based sending host.

    • Target traffic   Traffic arriving at a Windows-based final destination host.

    • Transit traffic   Traffic forwarded by a Windows-based IP router.

Only the components included with Windows Server 2003 or Windows XP are discussed here; Windows Sockets layered service providers and NDIS intermediate miniport drivers are not covered.

Source traffic

The packet processing path for source traffic is as follows.

  1. After the IP packet is formed, Tcpip.sys passes it to the firewall hook driver (Ipnat.sys) for processing.

    Windows Firewall checks whether the traffic is an Internet Control Message Protocol (ICMP) message of a type that has been configured to be blocked. If the ICMP message is blocked, Windows Firewall discards the packet.

    Windows Firewall checks whether the traffic is Point-to-Point Tunneling Protocol (PPTP) tunnel maintenance traffic. If so, Windows Firewall parses the traffic and determines the Generic Routing Encapsulation (GRE) call ID that identifies the specific PPTP tunnel, so that incoming GRE-based traffic for that PPTP tunnel can be allowed.

    If required, Windows Firewall adds a dynamic entry to its exception list so that the response traffic is allowed.

    After processing, Ipnat.sys passes the IP packet back to Tcpip.sys, which uses the IP forwarding component to determine the next-hop IP address and interface. For more information, see Understanding IP Routing Tables.

  2. Tcpip.sys passes the packet to the filter hook driver (Ipfltdrv.sys) for processing.

    Ipfltdrv.sys compares the packet to the outbound IP packet filters configured on the next-hop interface.

    If the outbound IP packet filters do not allow the packet, Ipfltdrv.sys silently discards it. If they allow the packet, Ipfltdrv.sys passes it back to Tcpip.sys.

  3. Tcpip.sys passes the packet to Ipsec.sys for processing.

    Ipsec.sys determines whether to allow, block, or protect the packet based on its IPsec filter set. If allowed, Ipsec.sys passes the packet back to Tcpip.sys unmodified. If blocked, Ipsec.sys silently discards the packet. If protected, Ipsec.sys adds the appropriate IPsec protection to the packet before passing it back to Tcpip.sys. For more information about IPsec filters, see Sorting IPsec Filters (a networking column published in February 2005).

    Tcpip.sys then sends the packet to the next-hop IP address through the next-hop interface.

Target traffic

The packet processing path for target traffic is as follows.

  1. When an IP packet is received, Tcpip.sys passes it to Ipsec.sys for processing.

    If the packet has IPsec protection (the IP Protocol field indicates an Authentication Header [AH] or Encapsulating Security Payload [ESP]), the protection is processed and removed. If the Windows Firewall: Allow authenticated IPsec bypass Group Policy setting is applied to the computer, Ipsec.sys sets an IPsec Bypass tag associated with the packet. Ipsec.sys then returns the resulting packet to Tcpip.sys.

    If the packet does not have IPsec protection, Ipsec.sys determines whether to allow, block, or protect the packet based on its IPsec filter set. If allowed, Ipsec.sys passes it back to Tcpip.sys unmodified. If the packet is blocked, or if it should have been protected, Ipsec.sys silently discards it.

  2. Tcpip.sys passes the packet to Ipfltdrv.sys for processing.

    Ipfltdrv.sys compares the packet to the inbound IP packet filters configured on the interface that received the packet.

    If the inbound IP packet filters do not allow the packet, Ipfltdrv.sys silently discards it. If they allow the packet, Ipfltdrv.sys passes it back to Tcpip.sys.

  3. Tcpip.sys passes the packet to Ipnat.sys for processing.

    If Internet Connection Sharing or NAT/Basic Firewall is enabled and the interface that received the packet is the public interface connected to the Internet, Ipnat.sys compares the packet to its NAT translation table. If a match is found, the IP packet is translated and the resulting packet is treated as source traffic.

    Windows Firewall checks the IPsec Bypass tag associated with the packet. If the tag is set, Windows Firewall passes the packet back to Tcpip.sys.

    If the IPsec Bypass tag is not set, Windows Firewall compares the packet to its exception list. If the packet matches an exception, Ipnat.sys passes it back to Tcpip.sys; if it does not match, Ipnat.sys silently discards it.

  4. Tcpip.sys compares the IP packet to the set of packets allowed by the configured TCP/IP filtering.

    If TCP/IP filtering does not allow the packet, Tcpip.sys silently discards it. If TCP/IP filtering allows the packet, Tcpip.sys continues processing it and eventually passes the packet payload to TCP, UDP, or another upper-layer protocol.

Transit traffic

The first half of the packet processing path for transit traffic is as follows.

  1. When an IP packet is received, Tcpip.sys passes it to Ipfltdrv.sys for processing.

    Ipfltdrv.sys compares the packet to the inbound IP packet filters configured on the interface that received the IP packet.

    If the inbound IP packet filters do not allow the packet, Ipfltdrv.sys silently discards the IP packet. If they allow the packet, Ipfltdrv.sys passes the IP packet back to Tcpip.sys.

    Tcpip.sys passes the packet to the IP forwarding component, which determines the next-hop interface and address used to forward the packet.

The second half of the packet processing path for transit traffic is as follows.

  2. Tcpip.sys passes the packet to Ipnat.sys.

    If Internet Connection Sharing or NAT/Basic Firewall is enabled and the interface that received the packet is a private interface connected to the intranet, Ipnat.sys compares the packet to its NAT translation table. If Internet Connection Sharing or NAT/Basic Firewall finds a match, the IP packet is translated and the resulting packet is treated as source traffic. If no match is found, a new NAT translation table entry is created, the IP packet is translated, and the resulting packet is treated as source traffic.

    If Internet Connection Sharing is not enabled, Ipnat.sys passes the IP packet back to Tcpip.sys.

  3. Tcpip.sys passes the packet to Ipfltdrv.sys.

    Ipfltdrv.sys compares the packet to the outbound IP packet filters configured on the next-hop interface.

    If the outbound IP packet filters do not allow the packet, Ipfltdrv.sys silently discards the IP packet. If they allow the packet, Ipfltdrv.sys passes the IP packet back to Tcpip.sys.

  4. Tcpip.sys passes the packet to Ipsec.sys for processing.

    Ipsec.sys determines whether to allow, block, or protect the packet based on its IPsec filter set. If allowed, Ipsec.sys passes the packet back to Tcpip.sys unmodified. If blocked, Ipsec.sys silently discards the packet. If protected, Ipsec.sys adds the appropriate IPsec protection to the packet before passing it back to Tcpip.sys.

    Tcpip.sys then sends the IP packet to the next-hop address through the next-hop interface.

More information

For a client or server computer running Windows XP SP2 or Windows Server 2003 SP1 in a typical configuration (not acting as a router or NAT, and with TCP/IP filtering disabled), the packet processing path for source traffic involves the following components, in this order:

    1. Windows Firewall

    2. IPsec

For a Windows-based computer in the same typical configuration, the packet processing path for target traffic involves the following components, in this order:

    1. IPsec

    2. Windows Firewall

If IPsec is used and Windows Firewall is enabled, you may need to configure both components to allow the desired traffic. For example, if you are configuring a Web server and using IPsec to protect Web traffic destined for that server, you must configure both of the following:

    1. An IPsec rule that requires security for traffic to and from the server's IP address on TCP port 80.

    2. A Windows Firewall exception for TCP port 80.

The IPsec rule ensures that traffic destined for the Web server service is protected. The Windows Firewall exception ensures that Windows Firewall does not discard unsolicited incoming requests to create a connection to the Web server over TCP port 80. Because IPsec and Windows Firewall process IP packets as separate components, both must be configured. If you do not want Windows Firewall to process IPsec-protected packets, configure the Windows Firewall: Allow authenticated IPsec bypass Group Policy setting. For more information, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.
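To make the ordering concrete, here is a small added model (not Microsoft's code and not part of the original article) of the receive path for a host in this typical configuration, with the Web server example above run through it. The Packet and HostConfig fields and the stage functions are assumptions of the model; Ipfltdrv.sys is left out because Routing and Remote Access is not enabled in that configuration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Packet:                      # constructed model, not the real TCP/IP structures
    proto: str                     # "tcp", "udp", ...
    dst_port: int
    ipsec_protected: bool = False  # AH or ESP present on the wire
    ipsec_bypass: bool = False     # tag set by Ipsec.sys, read by Windows Firewall

@dataclass
class HostConfig:
    ipsec_protect: set = field(default_factory=set)  # (proto, port) whose IPsec filter action is "protect"
    ipsec_block: set = field(default_factory=set)    # (proto, port) whose IPsec filter action is "block"
    ipsec_bypass_gpo: bool = False                   # "Allow authenticated IPsec bypass" applied
    fw_exceptions: set = field(default_factory=set)  # (proto, port) on the Windows Firewall exception list
    tcpip_filter: set | None = None                  # None = TCP/IP filtering disabled (typical config)

def ipsec_stage(pkt: Packet, cfg: HostConfig) -> str:
    """Ipsec.sys on receive: strip AH/ESP (tagging for bypass if the GPO applies),
    otherwise apply the filter action; 'block' and 'protect' both drop a clear-text packet."""
    if pkt.ipsec_protected:
        pkt.ipsec_protected = False
        pkt.ipsec_bypass = cfg.ipsec_bypass_gpo
        return "pass"
    key = (pkt.proto, pkt.dst_port)
    return "drop" if key in cfg.ipsec_block or key in cfg.ipsec_protect else "pass"

def firewall_stage(pkt: Packet, cfg: HostConfig) -> str:
    """Windows Firewall (Ipnat.sys): the bypass tag wins; otherwise the exception list decides."""
    if pkt.ipsec_bypass:
        return "pass"
    return "pass" if (pkt.proto, pkt.dst_port) in cfg.fw_exceptions else "drop"

def tcpip_filter_stage(pkt: Packet, cfg: HostConfig) -> str:
    """TCP/IP filtering in Tcpip.sys; when disabled every packet is allowed."""
    if cfg.tcpip_filter is None or (pkt.proto, pkt.dst_port) in cfg.tcpip_filter:
        return "pass"
    return "drop"

STAGES = [("Ipsec.sys", ipsec_stage), ("Windows Firewall", firewall_stage),
          ("TCP/IP filtering", tcpip_filter_stage)]

def receive(pkt: Packet, cfg: HostConfig) -> str:
    """Run the packet through the stages in the order the article gives for target traffic."""
    for name, stage in STAGES:
        if stage(pkt, cfg) == "drop":
            return f"dropped by {name}"
    return "delivered"
```

Running the Web server configuration with only the IPsec rule shows the protected request reaching Windows Firewall and being dropped there, which is the "both components must be configured" point above.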
