MS Windows 2000 TCP/IP Implementation Details - Part 1

White Paper

By Dave MacDonald and Warren Barkley

Abstract

This white paper describes the Microsoft® Windows® 2000 operating system TCP/IP implementation details, and is a supplement to the Microsoft Windows 2000 TCP/IP manuals. The Microsoft TCP/IP protocol suite is examined from the bottom up. Throughout the paper, network traces are used to illustrate key concepts. These traces were gathered and formatted using Microsoft Network Monitor, a software-based protocol tracing and analysis tool included in the Microsoft Systems Management Server product. The intended audience for this paper is network engineers and support professionals who are already familiar with TCP/IP.

Introduction

Microsoft has adopted TCP/IP as the strategic enterprise network transport for its platforms. In the early 1990s, Microsoft started an ambitious project to create a TCP/IP stack and services that would greatly improve the scalability of Microsoft networking. With the release of the Microsoft® Windows NT® 3.5 operating system, Microsoft introduced a completely rewritten TCP/IP stack. This new stack was designed to incorporate many of the advances in performance and ease of administration that were developed over the past decade. The stack is a high-performance, portable 32-bit implementation of the industry-standard TCP/IP protocol. It has evolved with each version of Windows NT to include new features and services that enhance performance and reliability.

The goals in designing the TCP/IP stack were to make it:

  • Standards-compliant

  • Interoperable

  • Portable

  • Scalable

  • High performance

  • Versatile

  • Self-tuning

  • Easy to administer

  • Adaptable

This paper describes Windows 2000 implementation details and is a supplement to the Microsoft Windows 2000 TCP/IP manuals. It examines the Microsoft TCP/IP implementation from the bottom up and is intended for network engineers and support professionals who are familiar with TCP/IP.


This paper uses network traces to help illustrate concepts. These traces were gathered and formatted using Microsoft Network Monitor 2.0, a software-based protocol tracing and analysis tool included in the Microsoft Systems Management Server product. Windows 2000 Server includes a reduced functionality version of Network Monitor. The primary difference between this version and the Systems Management Server version is that the limited version can only capture frames that would normally be seen by the computer that it is installed on, rather than all frames that pass over the network (which requires the adapter to be in promiscuous mode). It also does not support connecting to remote Network Monitor Agents.


Capabilities and Functionality

Overview

The TCP/IP suite for Windows 2000 was designed to make it easy to integrate Microsoft systems into large-scale corporate, government, and public networks, and to provide the ability to operate over those networks in a secure manner. Windows 2000 is an Internet-ready operating system.


Support for Standard Features

Windows 2000 supports the following standard features:

  • Ability to bind to multiple network adapters with different media types

  • Logical and physical multihoming

  • Internal IP routing capability

  • Internet Group Management Protocol (IGMP) version 2 (IP Multicasting)

  • Duplicate IP address detection

  • Multiple default gateways

  • Dead gateway detection

  • Automatic Path Maximum Transmission Unit (PMTU) discovery

  • IP Security (IPSec)

  • Quality of Service (QoS)

  • ATM Services

  • Virtual Private Networks (VPNs)

  • Layer 2 Tunneling Protocol (L2TP)

Performance Enhancements

In addition, Windows 2000 has the following performance enhancements:

  • Protocol stack tuning, including increased default window sizes and new algorithms for high delay links, which increases throughput

  • TCP scalable window sizes (as specified in RFC 1323)

  • Selective acknowledgments (SACK)

  • TCP fast retransmit

  • Round Trip Time (RTT) and Retransmission Timeout (RTO) calculation improvements

  • Improved performance for management of large numbers of connections

  • Hardware task offload mechanisms
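The window scaling, selective acknowledgment and timestamp features in this list are negotiated as TCP options during the three-way handshake, so the direct way to confirm that a stack actually offers them is to decode the options of a captured SYN, in the same spirit as the Network Monitor traces used throughout this paper. The decoder below is an added example, not code from the white paper or from Microsoft. The option kinds and layouts follow RFC 793, RFC 1323 and RFC 2018; the SYN segment it parses is constructed inline, and its ports, sequence number and option values are made up for the example.

```python
import struct

# TCP option kinds (RFC 793, RFC 1323, RFC 2018)
END_OF_OPTIONS = 0
NO_OPERATION = 1
MSS = 2
WINDOW_SCALE = 3
SACK_PERMITTED = 4
SACK = 5
TIMESTAMPS = 8


def parse_tcp_options(segment: bytes) -> dict:
    """Decode the option area of a raw TCP segment.

    Returns the SYN flag, the raw window field and the values of the MSS,
    Window Scale, SACK-permitted, SACK and Timestamps options when present.
    Bad data offsets or option lengths raise ValueError instead of being
    skipped, so a malformed capture cannot be misread as "feature absent".
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    header_len = (segment[12] >> 4) * 4          # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset: header length %d" % header_len)
    result = {
        "syn": bool(segment[13] & 0x02),
        "window": struct.unpack("!H", segment[14:16])[0],
        "mss": None,
        "window_scale": None,
        "sack_permitted": False,
        "sack_blocks": [],
        "timestamps": None,
    }
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == END_OF_OPTIONS:
            break
        if kind == NO_OPERATION:                 # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = opts[i + 2:i + length]
        if kind == MSS and length == 4:
            result["mss"] = struct.unpack("!H", body)[0]
        elif kind == WINDOW_SCALE and length == 3:
            result["window_scale"] = body[0]     # shift count (RFC 1323 caps it at 14)
        elif kind == SACK_PERMITTED and length == 2:
            result["sack_permitted"] = True
        elif kind == SACK and length >= 10 and (length - 2) % 8 == 0:
            result["sack_blocks"] = [
                struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body), 8)
            ]
        elif kind == TIMESTAMPS and length == 10:
            result["timestamps"] = struct.unpack("!II", body)   # (TSval, TSecr)
        i += length
    return result


def scaled_window(parsed: dict) -> int:
    """Window in bytes once the Window Scale shift is applied.

    RFC 1323 applies the shift to every segment after the handshake (the SYN
    itself is never scaled), so for a SYN this is the size the sender will be
    able to advertise later, not the value carried in this segment."""
    return parsed["window"] << (parsed["window_scale"] or 0)


def rfc1323_negotiated(parsed: dict) -> bool:
    """True when both RFC 1323 options (Window Scale and Timestamps) were offered."""
    return parsed["window_scale"] is not None and parsed["timestamps"] is not None


# Constructed sample: a SYN from port 1025 to port 80 with a 44-byte header
# (data offset 11 words). Every field value is made up for this example.
SAMPLE_SYN = (
    struct.pack("!HHIIBBHHH", 1025, 80, 0x12345678, 0, 11 << 4, 0x02, 16384, 0, 0)
    + bytes([2, 4, 0x05, 0xB4])                           # MSS = 1460
    + bytes([1, 3, 3, 2])                                 # NOP, Window Scale shift 2
    + bytes([1, 1, 4, 2])                                 # NOP, NOP, SACK permitted
    + bytes([1, 1, 8, 10]) + struct.pack("!II", 1000, 0)  # NOP, NOP, Timestamps
)

if __name__ == "__main__":
    p = parse_tcp_options(SAMPLE_SYN)
    print("SYN=%s MSS=%s WS=%s SACK=%s TS=%s scaled window=%d RFC1323=%s" % (
        p["syn"], p["mss"], p["window_scale"], p["sack_permitted"],
        p["timestamps"], scaled_window(p), rfc1323_negotiated(p)))
```

Both SYN and SYN-ACK must carry the Window Scale option for either side to use windows above 65,535 bytes, so when checking a capture decode both directions of the handshake; a peer that omits the option silently limits the connection even when the local stack has large windows enabled.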


Services Available

The Windows 2000 Server family of operating systems provides the following services:

  • Dynamic Host Configuration Protocol (DHCP) client and service

  • Windows Internet Name Service (WINS), a NetBIOS name client and server

  • Dynamic Domain Name Server (DDNS)

  • Dial-up (PPP/SLIP) support

  • Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), used for remote virtual private networks

  • TCP/IP network printing (lpr/lpd)

  • SNMP agent

  • NetBIOS interface

  • Windows Sockets version 2 (Winsock2) interface

  • Remote Procedure Call (RPC) support

  • Network Dynamic Data Exchange (NetDDE)

  • Wide Area Network (WAN) browsing support

  • High-performance Microsoft Internet Information Services (IIS)

  • Basic TCP/IP connectivity utilities, including: finger, ftp, rcp, rexec, rsh, telnet, and tftp

  • Server software for simple network protocols, including: Character Generator, Daytime, Discard, Echo, and Quote of the Day

  • TCP/IP management and diagnostic tools, including: arp, ipconfig, nbtstat, netstat, ping, pathping, route, nslookup, and tracert


Feature Comparison Table for Microsoft TCP/IP Versions

The table below lists features and the operating system versions that they are present in as a reference. Features are described in more detail throughout this document.


Table 1. N = No, Y = Yes, D = Disabled by Default

Product                | Windows 95 | Windows 95 Winsock 2 | Windows 98 | Windows 98 SE | Windows NT 4.0 SP5 | Windows 2000
-----------------------+------------+----------------------+------------+---------------+--------------------+-------------
Dead Gateway Detect    | N          | N                    | Y          | Y             | Y                  | Y
VJ Fast Retransmit     | N          | Y                    | Y          | Y             | Y                  | Y
AutoNet                | N          | N                    | Y          | Y             | N                  | Y
SACK (Selective ACK)   | N          | Y                    | Y          | Y             | N                  | Y
Jumbo frame support    | Y          | Y                    | Y          | Y             | Y                  | Y
Large Windows          | N          | D                    | D          | D             | N                  | D
Dynamic DNS            | N          | N                    | N          | N             | N                  | Y
Media Sense            | N          | N                    | N          | N             | N                  | Y
Wake-On-LAN            | N          | N                    | N          | N             | N                  | Y
IP Forwarding          | N          | N                    | N          | D             | D                  | D
NAT                    | N          | N                    | N          | D             | N                  | D
Kerberos v5            | N          | N                    | N          | N             | N                  | Y
IPSec (IP Security)    | N          | N                    | N          | N             | N                  | Y
PPTP                   | N          | N                    | Y          | Y             | Y                  | Y
L2TP                   | N          | N                    | N          | N             | N                  | Y
IP Helper API          | N          | N                    | Y          | Y             | Y                  | Y
Winsock2 API           | N          | Y                    | Y          | Y             | Y                  | Y
GQoS API               | N          | N                    | Y          | Y             | N                  | Y
IP Filtering API       | N          | N                    | N          | N             | N                  | Y
Firewall Hooks         | N          | N                    | N          | N             | N                  | Y
Packet Scheduler       | N          | N                    | N          | N             | N                  | D
RSVP                   | N          | N                    | Y          | Y             | N                  | Y
ISSLO                  | N          | N                    | Y          | Y             | N                  | Y
Trojan Filtering       | N          | N                    | N          | N             | D                  | D
Blocking src routing   | N          | N                    | N          | Y             | Y                  | Y
ICMP Router Discovery  | N          | Y                    | Y          | Y             | D                  | D
Offload-TCP            | N          | N                    | N          | N             | N                  | Y
Offload-IPSec          | N          | N                    | N          | N             | N                  | Y

Internet RFCs Supported by Microsoft Windows 2000 TCP/IP

Requests for Comments (RFCs) are a constantly evolving series of reports, proposals for protocols, and protocol standards used by the Internet community. You can use FTP to obtain RFCs from any of the following:

  • nis.nsf.net

  • nisc.jvnc.net

  • wuarchive.wustl.edu

  • src.doc.ic.ac.uk

  • normos.org

 

Table 2. RFCs supported by this version of Microsoft TCP/IP

RFC                      | Title
-------------------------+------------------------------------------------------------------------------------
768                      | User Datagram Protocol (UDP)
783                      | Trivial File Transfer Protocol (TFTP)
791                      | Internet Protocol (IP)
792                      | Internet Control Message Protocol (ICMP)
793                      | Transmission Control Protocol (TCP)
816                      | Fault Isolation and Recovery
826                      | Address Resolution Protocol (ARP)
854                      | Telnet Protocol (TELNET)
862                      | Echo Protocol (ECHO)
863                      | Discard Protocol (DISCARD)
864                      | Character Generator Protocol (CHARGEN)
865                      | Quote of the Day Protocol (QUOTE)
867                      | Daytime Protocol (DAYTIME)
894                      | IP over Ethernet
919, 922                 | IP Broadcast Datagrams (broadcasting with subnets)
950                      | Internet Standard Subnetting Procedure
959                      | File Transfer Protocol (FTP)
1001, 1002               | NetBIOS Service Protocols
1065, 1035, 1123, 1886   | Domain Name System (DNS)
1042                     | A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
1055                     | Transmission of IP over Serial Lines (IP-SLIP)
1112                     | Internet Group Management Protocol (IGMP)
1122, 1123               | Host Requirements (communications and applications)
1144                     | Compressing TCP/IP Headers for Low-Speed Serial Links
1157                     | Simple Network Management Protocol (SNMP)
1179                     | Line Printer Daemon Protocol
1188                     | IP over FDDI
1191                     | Path MTU Discovery
1201                     | IP over ARCNET
1256                     | ICMP Router Discovery Messages
1323                     | TCP Extensions for High Performance (see the TCP1323opts registry parameter)
1332                     | PPP Internet Protocol Control Protocol (IPCP)
1518                     | Architecture for IP Address Allocation with CIDR
1519                     | Classless Inter-Domain Routing (CIDR): An Address Assignment and Aggregation Strategy
1534                     | Interoperation Between DHCP and BOOTP
1542                     | Clarifications and Extensions for the Bootstrap Protocol
1552                     | PPP Internetwork Packet Exchange Control Protocol (IPXCP)
1661                     | The Point-to-Point Protocol (PPP)
1662                     | PPP in HDLC-like Framing
1748                     | IEEE 802.5 MIB using SMIv2
1749                     | IEEE 802.5 Station Source Routing MIB using SMIv2
1812                     | Requirements for IP Version 4 Routers
1828                     | IP Authentication using Keyed MD5
1829                     | ESP DES-CBC Transform
1851                     | ESP Triple DES-CBC Transform
1852                     | IP Authentication using Keyed SHA
1886                     | DNS Extensions to Support IP Version 6
1994                     | PPP Challenge Handshake Authentication Protocol (CHAP)
1995                     | Incremental Zone Transfer in DNS
1996                     | A Mechanism for Prompt DNS Notification of Zone Changes
2018                     | TCP Selective Acknowledgment Options
2085                     | HMAC-MD5 IP Authentication with Replay Prevention
2104                     | HMAC: Keyed Hashing for Message Authentication
2131                     | Dynamic Host Configuration Protocol
2136                     | Dynamic Updates in the Domain Name System (DNS UPDATE)
2181                     | Clarifications to the DNS Specification
2205                     | Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification
2236                     | Internet Group Management Protocol, Version 2
2308                     | Negative Caching of DNS Queries (DNS NCACHE)
2401                     | Security Architecture for the Internet Protocol
2402                     | IP Authentication Header
2406                     | IP Encapsulating Security Payload (ESP)
2581                     | TCP Congestion Control

Architectural Model

Overview

The Microsoft TCP/IP suite contains core protocol elements, services, and the interfaces between them. The Transport Driver Interface (TDI) and the Network Device Interface Specification (NDIS) are public, and their specifications are available from Microsoft (http://www.microsoft.com/ and ftp://ftp.microsoft.com/).

In addition, there are a number of higher-level interfaces available to user-mode applications. The most commonly-used are Windows Sockets, remote procedure call (RPC), and NetBIOS.

Plug and Play

Windows 2000 introduces support for Plug and Play. Plug and Play has the following capabilities and features:

  • Automatic and dynamic recognition of installed hardware. This includes initial system installation, recognition of static hardware changes that may occur between boots, and response to run-time hardware events, such as dock or undock, and insertion or removal of cards.

  • Streamlined hardware configuration in response to automatic and dynamic recognition of hardware, including dynamic hardware activation, resource arbitration, device driver loading, drive mounting, and so on.

  • Support for particular buses and other hardware standards that facilitate automatic and dynamic recognition of hardware and streamlined hardware configuration, including Plug and Play ISA, PCI, PCMCIA, PC Card/CardBus, USB, and 1394. This includes promulgation of standards and advice about how hardware should behave.

  • An orderly Plug and Play framework in which driver writers can operate. This includes infrastructure, such as device information (INF) interfaces, APIs, kernel-mode notifications, executive interfaces, and so on.

  • Mechanisms that allow user-mode code and applications to learn of changes in the hardware environment so that they can take appropriate actions.

Plug and Play operation does not require Plug and Play hardware. To the degree possible, the first two bullets above apply to legacy hardware, as well as Plug and Play hardware. In some cases, orderly enumeration of legacy devices is not possible because the detection methods are destructive or inordinately time-consuming.


The primary impact that Plug and Play support has on protocol stacks is that network interfaces can come and go at any time. The Windows 2000 TCP/IP stack and related components have been adapted to support Plug and Play.

The NDIS Interface and Below

Microsoft networking protocols use the Network Device Interface Specification (NDIS) to communicate with network card drivers. Much of the OSI model link layer functionality is implemented in the protocol stack. This makes development of network card drivers much simpler.

Network Driver Interface Specification (3.1 through 5.0)

NDIS 3.1 supports basic services that allow a protocol module to send raw packets over a network device and allow that same module to be notified of incoming packets received by a network device.

NDIS 4.0 added the following new features to NDIS 3.1:

  • Out-of-band data support (required for Broadcast PC)

  • WirelessWAN Media Extension

  • High-speed packet send and receive (a significant performance win)

  • Fast IrDA Media Extension

  • Media Sense (required for the Designed for Windows logo in PC 97 and later Hardware Design Guide). The Microsoft Windows 2000 TCP/IP stack utilizes media sense information, which is described in the "Automatic Client Configuration" section of this white paper.

  • All local packet filter (prevents Network Monitor from monopolizing the CPU)

  • Numerous new NDIS system functions (required for miniport binary compatibility across Windows 95, Windows 98, Windows NT, and Windows 2000)

NDIS 5.0 includes all functionality defined in NDIS 4.0, plus the following extensions:

  • NDIS power management (required for Network Power Management and Network Wake-up)

  • Plug and Play. (Windows 95 NDIS had Plug and Play support already; therefore, this change applies to Windows 2000 network drivers only.)

  • Support for Windows Management Instrumentation (WMI), which provides Web-based Enterprise Management (WBEM)–compatible instrumentation of NDIS miniports and their associated adapters

  • Support for a single INF format across Windows operating systems. The new INF format is based on the Windows 98 INF format.

  • Deserialized miniport for improved performance

  • Task offload mechanisms, such as TCP and UDP checksum and Fast Packet Forwarding

  • Broadcast Media Extension (needed for Broadcast Services for Windows)

  • Connection-oriented NDIS (required to support Asynchronous Transfer Mode [ATM], Asymmetric Digital Subscriber Line [ADSL], and Windows Driver Model–Connection Streaming Architecture [WDM-CSA])

  • Support for Quality of Service (QoS)

  • Intermediate Driver Support (required for Broadcast PC, Virtual LANs, Packet Scheduling for QoS, and NDIS support of IEEE 1394 network devices)

NDIS can power down network adapters when the system requests a power level change. Either the user or the system can initiate this request. For example, the user may want to put the computer in sleep mode, or the system may request a power level change based on keyboard or mouse inactivity. In addition, disconnecting the network cable can initiate a power-down request if the network interface card (NIC) supports this functionality. In this case, the system waits a configurable time period before powering down the NIC because the disconnect could be the result of temporary wiring changes on the network, rather than the disconnection of a cable from the network device itself.


NDIS power management policy is based on the absence of network activity. This means that all overlying network components must agree to the request before the NIC can be powered down. If there are any active sessions or open files over the network, the power-down request can be refused by any or all of the components involved.

The computer can also be awakened from a lower power state, based on network events. A wakeup signal can be caused by:

  • Detection of a change in the network link state (for example, cable reconnect)

  • Receipt of a network wakeup frame
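A wake-up frame is unauthenticated link-layer input that can bring a host out of a low-power state, so an administrator who enables Wake-On-LAN usually wants to see when and from where such frames arrive on the segment. The detector below is an added example, not code from the white paper or from Microsoft. The paper does not specify a wake frame format; the code assumes the common "magic packet" layout (six 0xFF bytes followed by the target MAC address repeated 16 times) carried in a UDP payload, and the capture it scans is a constructed list of three datagrams with addresses from the 192.0.2.0/24 documentation range.

```python
SYNC_STREAM = b"\xff" * 6    # six 0xFF bytes introduce a magic packet
REPETITIONS = 16             # the target MAC is repeated 16 times


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload carries a
    well-formed magic packet, otherwise None.

    Layout assumed (not specified by the paper): the sync stream, then the
    6-byte MAC repeated 16 times. Anything after the 16 repetitions (an
    optional password, padding) is ignored."""
    start = payload.find(SYNC_STREAM)
    if start < 0:
        return None
    body = payload[start + len(SYNC_STREAM):]
    if len(body) < 6 * REPETITIONS:
        return None
    mac = body[:6]
    if mac == SYNC_STREAM:   # ff:ff:ff:ff:ff:ff is the broadcast address, never a station
        return None
    if body[:6 * REPETITIONS] != mac * REPETITIONS:
        return None
    return ":".join("%02x" % b for b in mac)


def build_magic_packet(mac: str) -> bytes:
    """Build a magic packet for mac 'aa:bb:cc:dd:ee:ff'; used here only to
    construct the sample capture below."""
    raw = bytes(int(octet, 16) for octet in mac.split(":"))
    if len(raw) != 6:
        raise ValueError("MAC address must have six octets")
    return SYNC_STREAM + raw * REPETITIONS


def find_wake_frames(datagrams):
    """Scan (source_ip, udp_dst_port, payload) tuples and return one
    (source_ip, udp_dst_port, target_mac) record per wake frame found.

    The port is reported but not filtered on: wake frames are commonly sent
    to UDP port 7 or 9, but the NIC only inspects the payload, so a detector
    that keys on the port would miss frames sent anywhere else."""
    hits = []
    for src, port, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is not None:
            hits.append((src, port, mac))
    return hits


# Constructed sample capture: three UDP datagrams; only the first is a valid
# wake frame. The second is a DNS query header, the third a magic packet that
# is one repetition short.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", 9, build_magic_packet("00:50:56:ab:cd:ef")),
    ("192.0.2.11", 53, b"\x12\x34\x01\x00\x00\x01" + bytes(6)),
    ("192.0.2.12", 7, SYNC_STREAM + bytes.fromhex("005056abcdef") * 15),
]

if __name__ == "__main__":
    for src, port, mac in find_wake_frames(SAMPLE_DATAGRAMS):
        print("wake-up frame from %s to UDP/%d targeting %s" % (src, port, mac))
```

Because the frame is matched on payload content alone, the same function works on payloads taken from any capture source; logging the source address and target MAC per hit is enough to tell planned wake-ups from unexpected ones.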