Netsh Commands for IPsec Denial of Service Protection in Windows Server 2008 R2

Updated: September 30, 2009

Applies To: Windows Server 2008 R2

The netsh ipsecdosprotection context is included in computers that are running Windows Server® 2008 R2 and helps to prevent the computers in your organization from being impacted by denial-of-service (DoS) attacks against IPv6-based Internet Protocol security (IPsec) computers on your network. It acts as a type of firewall, preventing unwanted traffic from being forwarded from a public interface to a network connected to an internal interface. It also helps to protect your network by limiting the rate of data permitted network traffic, and by configuring the Differentiated Services Code Point (DSCP) field of the IPv6 packet header to prioritize traffic for use by routers configured to use Quality of Service (QoS) and other devices on your network.

The IPsec DoS Protection component runs on a computer that has connections to two or more networks, where the networks are categorized as public or private. The netsh ipsecdosprotection command configures the IPsec DoS Protection component. Network traffic flowing from the public network to the private network is allowed or blocked depending on the filters configured on the computer.

The netsh ipsecdosprotection commands affect only IPv6-based connections that are protected by using Encapsulating Security Payload (ESP), and the IPsec negotiation traffic and ICMPv6 traffic that is required to establish those connections.

Architecturally, the computer that you configure by running netsh ipsecdosprotection is located on the network edge and is in the path for any native IPv6 traffic and IPv6 traffic encapsulated inside tunnels such as Teredo, 6to4, and IP-HTTPS. The computer can be the same computer as the Teredo relay, 6to4 gateway or relay, or IP-HTTPS server. In those cases, the IPsec DoS Protection component intercepts the forwarded packets after they are extracted from the tunnel. The only exception is that the IPsec DoS Protection component cannot be deployed on an IPsec gateway, because IPsec tunnel traffic bypasses the IPsec DoS Protection component. To protect an IPsec gateway, place the IPsec DoS Protection component on a separate computer that is between the Internet and the IPsec gateway.

Important

When enabled, the IPsec DoS Protection component drops all IPv4 traffic, and IPv6 traffic that is not protected by IPsec, except ICMPv6. Ensure that IPv4 network traffic has another route onto your network, protected by whatever security tools your organization uses to filter incoming IPv4 network packets.

Most netsh ipsecdosprotection commands do nothing until you enable the IPsec DoS Protection component. To do so, use the add interface command to specify both the public and internal interfaces. For more information, see add interface.

A typical use for IPsec denial-of-service Protection is with DirectAccess. DirectAccess is a feature available in Windows Server 2008 R2 that enables remote client computers that are running Windows® 7 to securely access enterprise network shares, Web sites, and applications without having to first connect to a virtual private network (VPN). DirectAccess automatically and transparently establishes bi-directional connectivity with an enterprise network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the enterprise network, and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

Because DirectAccess allows specific types of traffic through the perimeter network to access the corporate network, there is a need for a layer of protection that limits access to only legitimate IPsec-protected traffic, and rate limits IPsec negotiation requests and ICMPv6 to help prevent denial-of-service attacks on your resources. DirectAccess is an IPv6-only technology. It works over the IPv4 Internet by using IPv6 transition technologies, such as Teredo, which tunnels IPv6 network packets inside of IPv4 packets.

Important

The netsh ipsecdosprotection commands are supported only on computers that are running Windows Server 2008 R2. They are not available on earlier versions or on client versions of Windows.

For general information about netsh, see Netsh Overview and Enter a Netsh Context.

For information on how to interpret netsh command syntax, see Formatting Legend.

Commands in the Netsh ipsecdosprotection context

This section provides usage details for commands in the netsh ipsecdosprotection context.

The following commands are available within the netsh ipsecdosprotection context:

  • add

  • delete

  • reset

  • set

  • show

add

The add commands in the netsh ipsecdosprotection context enable you to add the following configuration elements to the IPsec DoS Protection component:

  • add allowedkeyingmodule

  • add filter

  • add interface

add allowedkeyingmodule

Adds the specified keying module to the IPsec DoS Protection configuration. You can optionally specify the IPv6 address or subnet to which the specified IPsec negotiation protocol is allowed to be sent. By default, only IPsec negotiation traffic that uses AuthIP is allowed to all addresses.

Syntax

add allowedkeyingmodule

name = ] { ikev1 | ikev2 | authip }

[ [ internalprefix = ] IPv6 address[**/**Prefix length] ]

Parameters

  • name = ] { ikev1 | ikev2 | authip }
    Specifies the IPsec negotiation protocol to allow. By default, AuthIP only is allowed to all internal addresses (represented as ::/0).
  • internalprefix = ] IPv6 address[/Prefix length]
    Specifies the IPsec address or subnet to which network traffic is allowed to be sent. Network traffic of the specified protocol sent to an address or subnet not on the list is dropped. To specify a subnet, include the forward slash (/) followed by the number of digits that represent the network identifier.

Remarks

  • This command has no effect on existing IPsec connections; it only affects IPsec negotiation traffic that uses IKEv1, IKEv2 or AuthIP.

  • IPsec-protected traffic that is part of an established connection that uses ESP is always allowed, as long as the connection has not been idle for more than the number of seconds specified in the set miscellaneous stateidletimeout setting.

  • ICMPv6 network traffic is always allowed to enable Teredo and other advanced network scenarios to work.

Example commands

  • The following command enables IKEv1 negotiation traffic to all IPv6 addresses:

    add allowedkeyingmodule ikev1

  • The following command enables IKEv2 negotiation traffic to only a single IPv6 address:

    add allowedkeyingmodule ikev2 3ff3:401d:1f00:baa::1

add filter

Adds a filter that either blocks or exempts (allows) network traffic that is not IPv6 and IPsec-protected from the specified public address or subnet to the specified internal address or subnet.

Syntax

add filter

[ [ **publicprefix = IPv6 address[/**Prefix length ] ]

[ [ **internalprefix = IPv6 address[/**Prefix length ] ]

[ **action = **] { exempt | block }

Parameters

  • **[ **publicprefix = IPv6 address[/PrefixLength ]
    Optional. Specifies the public IPv6 address or subnet that matches this filter. To specify a subnet, include the forward slash (/) followed by the number of bits that represent the network identifier. If publicprefix is not specified, then the filter matches all public IPv6 addresses.
  • **[ **internalprefix = IPv6 address[/Prefix length ]
    Optional. Specifies the internal IPv6 address or subnet that matches this filter. To specify a subnet, include the forward slash (/) followed by the number of bits that represent the network identifier. If internalprefix is not specified, then the filter matches all internal IPv6 addresses.
  • ****action = exempt | block }
    Required. Specifies the action to take on network traffic that matches this filter. Exempt specifies that IPv6 network traffic that matches the filter does not have to be IPsec-protected to be allowed through. Block specifies that network traffic that matches the filter is blocked even if it is IPsec-protected.

Remarks

  • Only one filter can be applied to a specific address or subnet. If you attempt to create a second rule with the exact same address or subnet parameter, then an error is displayed.

  • If an address matches more than one filter, then the most specific match is selected, and the corresponding filter is applied. For example, 2006:2006::2 matches a filter with the prefix 2006:2006::2/128 better than a filter with the prefix 2006:2006::2/64.

  • If you specify both publicprefix and internalprefix parameters, then the filter treats them as an “and” operator. Traffic matches the filter if it comes from an address with the specified public prefix and it is destined for an address with the specified internal prefix.

  • There are no default filters. All traffic is blocked by default except IPsec-protected IPv6 network traffic, the AuthIP negotiation protocol, and ICMPv6 to or from any address.

Example commands

  • The following command blocks all network traffic, even IPsec-protected traffic from the specified public IPv6 subnet:

    add filter publicprefix=3ffe:401d:1f00::/64 action=block

add interface

Adds the specified interface to the IPsec DoS Protection configuration as either a public or internal interface.

Syntax

add interface

name = ] NameOfInterface

type = ] { public | internal }

Parameters

  • name = ] NameOfInterface
    Required. Specifies the name of the interface, as it appears in the Network Connections folder.
  • type = ] { public | internal }
    Required. Specifies whether the interface is connected to the public network or the protected, internal network.

Remarks

  • By default, no interfaces are assigned to the IPsec DoS Protection component. You must add at least one public and one internal interface for the component to be operational.

Example commands

  • The following command adds the network adapter identified as “Local Area Connection” as a public interface of the IPsec DoS Protection component:

    add interface "local area connection" public

  • The following command adds the connection “Local Area Connection 2” as an internal interface:

    add interface name="local area connection 2" internal

delete

The delete commands in the netsh ipsecdosprotection context enables you to delete various aspects of the IPsec Denial of Service Protection component:

  • delete allowedkeyingmodule

  • delete filter

  • delete interface

delete allowedkeyingmodule

Deletes the specified keying module from the IPsec DoS Protection configuration. You can optionally specify the IPv6 address or subnet from which the specified IPsec negotiation protocol is blocked from being sent. By default, only IPsec negotiation traffic that uses AuthIP is allowed to all addresses.

Syntax

delete allowedkeyingmodule

name = ] { ikev1 | ikev2 | authip }

[ [ internalprefix = ] IPv6 address[**/**Prefix length] ]

Parameters

  • name = ] { ikev1 | ikev2 | authip }
    Specifies the IPsec negotiation protocol to no longer allow. By default, AuthIP only is allowed to all addresses (represented as ::/0).
  • internalprefix = ] IPv6 address[/Prefix length]
    Specifies the internal IPsec address or subnet to which network traffic is no longer allowed to be sent. To specify a subnet, include the forward slash (/) followed by the number of bits that represent the network identifier.

Remarks

  • This command has no effect on existing IPsec connections; it only affects IPsec negotiation traffic that uses IKEv1, IKEv2 or AuthIP.

  • IPsec-protected traffic that is part of an established connection that uses ESP is always allowed, as long as the connection has not been idle for more than the number of seconds specified in the set miscellaneous stateidletimeout setting.

  • ICMPv6 network traffic is always allowed to enable Teredo and other advanced network scenarios to work.

Example commands

  • The following command disables IKEv1 negotiation traffic to all IPv6 addresses:

    delete allowedkeyingmodule ikev1

  • The following command disables IKEv2 negotiation traffic to only a single IPv6 address. If another command has enabled IKEv2 to other addresses, then IKEv2 packets to those addresses are still allowed:

    delete allowedkeyingmodule ikev2 3ff3:401d:1f00:baa::1

delete filter

Deletes a filter that was added previously. A filter either blocks or exempts (allows) network traffic that is not IPv6 and IPsec-protected from the specified public address or subnet to the specified internal address or subnet.

Syntax

delete filter

[ [ **publicprefix = IPv6 address[/**Prefix length ] ]

[ [ **internalprefix = IPv6 address[/**Prefix length ] ]

Parameters

  • **[ **publicprefix = IPv6 address[/PrefixLength ]
    Optional. Specifies the public IPv6 address or subnet that matches the filter. To specify a subnet, include the forward slash (/) followed by the number of digits that represent the network identifier. If specified, this must match the public prefix specified by the add filter command used to create the filter.
  • **[ **internalprefix = IPv6 address[/integer ]
    Optional. Specifies the internal IPv6 address or subnet of that matches this filter. To specify a subnet, include the forward slash (/) followed by the number of bits that represent the network identifier. If specified, this must match the internal prefix specified by the add filter command used to create the filter.

Remarks

  • There are no default filters. You can delete a filter only after you have created one.

  • You can only have one filter that identifies a specific IP address or subnet, block or exempt, and either type is deleted with this command.

Example commands

  • The following command removes the filter for a public subnet that was previously created by using the add filter command:

    delete filter publicprefix=3ffe:401d:1f00::/64

delete interface

Removes the specified interface from the IPsec DoS Protection configuration as either a public or internal interface. Traffic coming to or from the specified interface is no longer affected by the IPsec DoS Protection component.

Syntax

delete interface

name = ] NameOfInterface

Parameters

  • name = ] NameOfInterface
    Required. Specifies the name of the interface, as it appears in the Network Connections folder.

Remarks

  • By default, no interfaces are assigned to the IPsec DoS Protection component.

Example commands

  • The following command deletes the network adapter identified as “Local Area Connection”:

    Delete interface "local area connection"

reset

The reset command of the netsh ipsecdosprotection context completely removes all IPsec DoS Protection configuration, and sets the state back to disabled. After running this command, no network traffic is blocked.

Syntax

reset

Remarks

  • Before resetting and losing any configuration settings that you might have in place, consider first running the dump command and capturing its output to a text file to save the current configuration.

set

The set commands of the netsh ipsecdosprotection context enable you to configure various aspects of the IPsec DoS Protection component not specific to keying modules, interfaces, or filters:

  • set dscp

  • set miscellaneous

  • set ratelimit

set dscp

Specifies that the configured inbound network traffic is marked by using a Differentiated Services Code Point (DSCP) value. This 6-bit value, specified as an integer, can be used in Quality of Service (QoS) implementations to prioritize network traffic and help ensure that less important network packets do not consume so much bandwidth that they interfere with the successful delivery of more important network packets. You can specify the type of traffic to mark, and the numeric value between 1 and 63 to assign to that type of traffic.

Syntax

set dscp

type = ] { ipsecauthenticated | ipsecunauthenticated | icmpv6 | filtered | default }

value ] { DSCP Value | disable }

Parameters

  • type = ] { ipsecauthenticated | ipsecunauthenticated | icmpv6 | filtered | default }
    Specifies the traffic type that you want marked by DSCP. You can specify one of the following types:

    • ipsecauthenticated: Authenticated IPv6 IPsec-protected traffic.

    • ipsecunauthenticated: Unauthenticated IPv6 IPsec-protected traffic.

    • icmpv6: ICMPv6 protocol traffic.

    • filtered: IPv6 traffic with an IP address that is exempted by using an address filter. For more information, see the add filter command.

    • default: Traffic that is by default exempted from the default block behavior. This includes ipsecauthenticated, ipsecunauthencated, and icmpv6.

  • value ] { DSCP Value | disable }
    Specifies the 6-bit value, specified as an integer from 1 to 63, that is placed in the Differentiated Services Code Point field of the IPv6 header when the traffic type matches the type parameter of this command. Alternatively, you can specify the disable parameter to turn off DSCP marking for the specified type of network traffic.

Remarks

  • By default, DSCP marking for all traffic types is disabled.

Example commands

  • The following command DSCP marks all unauthenticated IPsec traffic with the value of 10:

    set dscp ipsecunathenticated 10

  • The following command disables DSCP marking for ICMPv6 traffic:

    set dscp icmpv6 disable

set miscellaneous

The set miscellaneous command enables you to configure a variety of settings for the IPsec DoS Protection component, including enabling and disabling the component.

Syntax

set miscellaneous

[ [ stateidletimeout = ] seconds ]

[ [ peripratelimitidletimeout = ] seconds ]

[ [ maxentries = ] integer ]

[ [ maxperipratelimitqueues = ] integer ]

[ [ defaultblock = ] { enable | disable } ]

Parameters

  • stateidletimeout = ] seconds
    Specifies the number of seconds that an IPsec session can be idle before the IPsec DoS Protection component stops considering it to be a valid IPsec-protected connection that is allowed by the component. After the specified number of seconds, the IPsec session is considered stale, and traffic that is part of the session is no longer allowed through the component by default. This can be a value ranging from 1 through 4,294,967,295. The default value is 360 seconds (six minutes).
  • maxentries = ] integer
    Specifies the maximum number of connections that the IPsec DoS Protection component can keep track of. This can be a value ranging from 1 through 4,294,967,295. The default value is 75,000 sessions.
  • peripratelimitidletimeout = ] seconds
    When using rate limits on unauthenticated traffic, this value specifies the timeout in seconds that the connection can be idle before the IPsec DoS Protection component treats it as stale and stops tracking state. This can be a value ranging from 1 through 4,294,967,295. The default value is 360 seconds (six minutes). To set the rate limit, see set ratelimit.
  • maxperipratelimitqueues = ] integer
    When using rate limits on unauthenticated traffic, this value specifies the maximum number of queues that can be used to hold traffic while it is delivered at the configured rate. This can be a value ranging from 1 through 4,294,967,295. The default value is 50,000 queues. To set rate limits, see set ratelimit.
  • defaultblock = ] { enable | disable }
    This option enables or disables the IPsec DoS Protection component behavior. When enabled, the IPsec DoS Protection component drops all IPv4 traffic, and all non-IPsec IPv6 traffic (except ICMPv6) that is forwarded between a public interface and an internal interface. When disabled, the IPsec DoS Protection component blocks no traffic.

Example commands

  • The following command configures the IPsec DoS Protection component to stop tracking a connection after it is idle for 480 seconds, and to track a maximum of 100,000 connections:

    set miscellaneous 480 100000

  • The following command enables the IPsec DoS Protection component:

    set miscellaneous defaultblock=enable

set ratelimit

Limits the rate of inbound traffic of the specified type flowing from the public to the internal interface. You can specify an overall rate for all traffic of a specified type, or you can limit the rate of the specified traffic to a specified IP address.

Syntax

set ratelimit

type = ] { ipsecauthenticated | ipsecunauthenticated | ipsecunathenticatedperip | icmpv6 | filtered | default }

value = ] { bytespersec | disable }

Parameters

  • type = ] { ipsecauthenticated | ipsecunauthenticated | ipsecunathenticatedperip | icmpv6 | filtered | default }
    Specifies the type of network traffic subject to the rate limit imposed by this command. You can specify one of the following types:

    • ipsecauthenticated: Authenticated IPv6 IPsec-protected traffic. By default, the rate limit for this traffic is disabled.

    • ipsecunauthenticated: Unauthenticated IPv6 IPsec-protected traffic. By default, the rate limit for this traffic is 10,240 bytes per second.

    • ipsecunauthenticatedperip: Unauthenticated IPv6 IPsec-protected traffic. This rate limit is applied on a per IP address basis, instead of network-wide. By default, the rate limit for this traffic is 10,240 bytes per second.

    • icmpv6: ICMPv6 protocol traffic. By default, the rate limit for this traffic is 10,240 bytes per second.

    • filtered: IPv6 traffic with an IP address that is exempted by using an address filter. By default, the rate limit for this traffic is 102,400 bytes per second. For more information, see the add filter command.

    • default: Traffic that is by default exempted from the default block behavior. This includes ipsecauthenticated, ipsecunauthencated, and icmpv6. By default, the rate limit for this traffic is 102,400 bytes per second.

  • value = ] { bytespersec | disable }
    Specifies the rate at which network traffic is forwarded from the public to the internal interface for the specified type of network traffic. The value is in bytes per second, and can be an integer from 1 through 4,294,967,295.

Remarks

  • If a per IP address rate limit is defined, then it is used instead of the global rate limit.

  • To rate limit on a per IP address basis, configure the number of per IP queues to support this by using the set miscellaneous command with the maxperipratelimitqueues parameter.

Example commands

  • The following command limits all IPsec unauthenticated network traffic to 2048 bytes per second:

    set ratelimit ipsecunauthenticated 2048

  • The following command disables all rate limits for traffic that matches a configured exemption filter:

    set ratelimit filtered disable

show

The show command of the netsh ipsecdosprotection context displays information about the IPsec DoS Protection component and its current operational state.

  • show all

  • show allowedkeyingmodule

  • show dscp

  • show filter

  • show interface

  • show miscellaneous

  • show ratelimit

  • show state

  • show statistics

show all

Displays the current configuration, currently tracked connections, and statistics for the IPsec DoS Protection component.

Syntax

show all

Remarks

The output includes the following information:

Configuration information

  • The list of configured public and internal interfaces.

  • The list of allowed keying modules and the internal IP addresses to which the traffic can be forwarded.

  • DSCP marking configuration.

  • Rate limiting configuration.

  • Idle time-outs for authenticated traffic.

  • Number of connections that the component is currently tracking.

  • Number of per IP address rate limit queues.

  • Default block state: enabled or disabled

Statistics

  • The number of total and current state entries.

  • The number of packets allowed and discarded for each traffic type.

show allowedkeyingmodule

Displays the list of allowed keying modules and the internal IP addresses to which the traffic can be forwarded.

Syntax

Show allowedkeyingmodule

Remarks

  • If the address for a keying module shows ::/0, then all internal addresses are allowed for that keying module.

  • To add or remove entries from the list, use the add allowedkeyingmodule and delete allowedkeyingmodule commands.

show dscp

Displays the DSCP marking configuration for the specified traffic type. If the type is not specified, then all DSCP marking configuration is displayed.

Syntax

show dscp

[ [ type = ] { ipsecauthenticated | ipsecunauthenticated | icmpv6 | filtered | default } ]

Parameters

  • type = ] { ipsecauthenticated | ipsecunauthenticated | icmpv6 | filtered | default } ]
    Specifies the network traffic type for which you want to see DSCP marking configuration.

Remarks

  • To configure DSCP marking configuration for a traffic type, use the set dscp command.

Example commands

  • The following command displays all DSCP marking configuration information:

    show dscp

  • The following command displays the DSCP marking configuration information for authenticated IPv6 network traffic:

    show dscp ipsecauthenticated

show filter

Displays the list of filters, the IPv6 addresses to which they apply, and whether they exempt or block the traffic.

Syntax

show filter

Remarks

  • To add or remove a filter, use the add filter and delete filter commands.

show interface

Displays the list of interfaces configured to be protected by the IPsec DoS Protection component, and whether each is assigned as a public or internal interface.

Syntax

show interface

[ [ type = ] { public | internal } ]

Parameters

  • [ [ type = ] { public | internal } ]
    Specifies whether you want to see only public or internal interfaces. If you do not specify, then all interfaces are displayed.

Remarks

  • To add or remove an interface, use the add interface and delete interface commands.

Example commands

  • The following command displays the public interfaces:

    show interface public

  • The following command displays all interfaces protected by the IPsec DoS Protection component:

    show interface

show miscellaneous

Displays the configuration of the miscellaneous system-wide settings, including the following:

  • State idle time-out

  • Per IP address rate limit queue idle time-out

  • Maximum number of state entries

  • Maximum number of per IP address rate limit queues

  • Default block

Syntax

show miscellaneous

Remarks

  • To configure the miscellaneous settings, use the set miscellaneous command.

show ratelimit

Displays the rate limit for the configured traffic type.

Syntax

show ratelimit

[ [ type = ] { ipsecauthenticated | ipsecunauthenticated | ipsecunathenticatedperip | icmpv6 | filtered | default } ]

Parameters

  • type = ] { ipsecauthenticated | ipsecunauthenticated | ipsecunathenticatedperip | icmpv6 | filtered | default } ]
    Specifies the type of traffic for which you want to view the rate limit configuration. If you do not specify a type, then the rate limit configuration for all traffic types is displayed.

Remarks

  • To configure rate limiting for a specified network traffic type, use the set ratelimit command.

Example commands

  • The following command displays the rate limit configuration for ICMPv6 network traffic:

    show ratelimit type=icmpv6

  • The following command displays the rate limit configuration for all traffic types:

    show ratelimit

show state

Displays the list of currently active tracked connections that match the specified IP addresses.

Syntax

show state

[ [ publicprefix = ] IPv6 address[**/**Prefix length] ]

[ [ internalprefix = ] IPv6 address[**/**Prefix length] ]

Parameters

  • publicprefix = ] IPv6 address[/Prefix length ]
    Specifies the public IPv6 address or subnet for which you want to see state entries.
  • internalprefix = ] IPv6 address[/Prefix length ]
    Specifies the internal IPv6 address or subnet for which you want to see state entries.

Remarks

  • If you do not specify either publicprefix or internalprefix then the command displays the state entries for all addresses.

  • State entries are removed when the time out expires due to inactivity.

Example commands

  • The following command displays all of the currently active state entries:

    show state

  • The following command displays the state entries for one public subnet:

    show state publicprefix=3ffe://16

  • The following command displays the state entries for one internal IPv6 address:

    show state internalprefix=3ffe:401d:1f00:baa::1

show statistics

Displays the current IPsec DoS Protection statistics, in the form of counts of inbound packets allowed and dropped for each traffic type, and the reason any drops.

Syntax

show statistics