
Netsh Commands for IPsec Denial of Service Protection in Windows Server 2008 R2


Applies To: Windows Server 2008 R2

The netsh ipsecdosprotection context is included on computers that are running Windows Server® 2008 R2 and helps to prevent the computers in your organization from being impacted by denial-of-service (DoS) attacks against IPv6-based Internet Protocol security (IPsec) computers on your network. It acts as a type of firewall, preventing unwanted traffic from being forwarded from a public interface to a network connected to an internal interface. It also helps to protect your network by limiting the rate of permitted network traffic, and by configuring the Differentiated Services Code Point (DSCP) field of the IPv6 packet header to prioritize traffic for use by routers configured to use Quality of Service (QoS) and other devices on your network.

The IPsec DoS Protection component runs on a computer that has connections to two or more networks, where the networks are categorized as public or private. The netsh ipsecdosprotection command configures the IPsec DoS Protection component. Network traffic flowing from the public network to the private network is allowed or blocked depending on the filters configured on the computer.

IPsec DoS Protection component

The netsh ipsecdosprotection commands affect only IPv6-based connections that are protected by using Encapsulating Security Payload (ESP), and the IPsec negotiation traffic and ICMPv6 traffic that is required to establish those connections.

Architecturally, the computer that you configure by running netsh ipsecdosprotection is located on the network edge and is in the path for any native IPv6 traffic and IPv6 traffic encapsulated inside tunnels such as Teredo, 6to4, and IP-HTTPS. The computer can be the same computer as the Teredo relay, 6to4 gateway or relay, or IP-HTTPS server. In those cases, the IPsec DoS Protection component intercepts the forwarded packets after they are extracted from the tunnel. The only exception is that the IPsec DoS Protection component cannot be deployed on an IPsec gateway, because IPsec tunnel traffic bypasses the IPsec DoS Protection component. To protect an IPsec gateway, place the IPsec DoS Protection component on a separate computer that is between the Internet and the IPsec gateway.

Commands in the Netsh ipsecdosprotection context

This section provides usage details for commands in the netsh ipsecdosprotection context.
The following commands are available within the netsh ipsecdosprotection context:

add
delete
reset
set
show

The add commands in the netsh ipsecdosprotection context enable you to add the following configuration elements to the IPsec DoS Protection component:

add allowedkeyingmodule
add filter
add interface

Parameters

[ name = ] NameOfInterface
Required. Specifies the name of the interface, as it appears in the Network Connections folder.

[ type = ] { public | internal }
Required. Specifies whether the interface is connected to the public network or the protected, internal network.
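
An added example, not part of the original reference: a PowerShell helper that turns a planned interface mapping into add interface command lines using the name and type parameters above, and rejects a plan that cannot work. The function name New-IpsecDosInterfaceCommand and the interface names Internet and Corpnet are hypothetical; the check that the plan contains both a public and an internal interface is an assumption drawn from the component description earlier on this page.

```powershell
# Constructed sample plan: replace the names with the ones shown in the
# Network Connections folder on the edge computer.
$plan = @(
    @{ Name = 'Internet'; Type = 'public'   },
    @{ Name = 'Corpnet';  Type = 'internal' }
)

function New-IpsecDosInterfaceCommand {
    param([Parameter(Mandatory = $true)] [object[]] $Plan)

    $validTypes = @('public', 'internal')
    $seen       = @{}      # interface name -> type (keys are case-insensitive)
    $commands   = @()

    foreach ($entry in $Plan) {
        $name = [string]$entry.Name
        $type = ([string]$entry.Type).ToLower()

        if ([string]::IsNullOrEmpty($name.Trim())) {
            throw 'Interface name is required.'
        }
        # Refuse characters that would break out of the quoted name= value.
        if ($name -match '["\r\n]') {
            throw "Interface name '$name' contains a quote or line break."
        }
        if ($validTypes -notcontains $type) {
            throw "Interface '$name': type must be public or internal, got '$type'."
        }
        # An interface faces one network, so it can carry only one type.
        if ($seen.ContainsKey($name)) {
            throw "Interface '$name' is listed more than once."
        }
        $seen[$name] = $type
        $commands += ('netsh ipsecdosprotection add interface name="{0}" type={1}' -f $name, $type)
    }

    # Assumption from the page: traffic is filtered between a public and an
    # internal network, so a plan missing either side protects nothing.
    foreach ($t in $validTypes) {
        if ($seen.Values -notcontains $t) {
            throw "Plan contains no $t interface."
        }
    }
    return $commands
}

# Print the commands for review; run each line from an elevated prompt.
New-IpsecDosInterfaceCommand -Plan $plan
```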



Reference: Netsh Commands for IPsec Denial of Service Protection in Windows Server 2008 R2




Last updated: 21/08/2012