In Windows, the IPsec SPD for every host can be remotely managed via GPOs ([MS-GPIPSEC], [MS-GPFAS]). The structure of the Windows IPsec SPD is derived from the structure defined in [RFC4301] section 4.4.1. The SPD controls the packet processing rules for IPsec and provides the parameters for IKE when it establishes security associations.
The Windows IPsec SPD, like the SPD defined in [RFC4301], consists of a list of rules, similar in structure to firewall rules. Each rule specifies an action, ALLOW, BYPASS, or BLOCK ([MS-GPFAS] section 2.2.2.5), to be applied to a class of IP packets defined by a set of filters that are called selectors.
The PROTECT rules specify, for a particular class of packets defined by a set of filters, the cryptography policies for main mode security association (MM SA) and quick mode security association (QM SA) negotiation, the authentication policy for MM SA negotiation, and, in the case of AuthIP, for extended mode (EM) negotiation. Authentication policies specify such parameters as the permitted authentication methods (such as packet signing), certificate formats, and certificate authorities. The cryptography policies specify such parameters as the permitted cryptographic algorithms, modes, and key lengths. The cryptography policies for QM SAs also include policies for per-packet cryptographic protection, such as whether to use Encapsulating Security Payload (ESP) ([RFC4303] section 2) or Authentication Header (AH) ([RFC4302] section 2), and which algorithms, modes, and key lengths to use.
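As an added example (not part of the specification text above), the following PowerShell uses the Windows NetSecurity module to assemble one PROTECT-style rule from the pieces the text names: an MM cryptography policy, a QM cryptography policy that selects ESP and its algorithms, an MM authentication policy, and the selectors the rule applies to, then reads the result back from the SPD. The set names, the 192.0.2.0/24 peer subnet and port 445 are constructed values, and the rule is written to the local persistent store rather than to a GPO.

```powershell
# Added example: maps the SPD concepts above onto NetSecurity cmdlets.
# Run in an elevated PowerShell on Windows; names and addresses are constructed values.
$Store = 'PersistentStore'   # GPO-managed SPDs use -PolicyStore '<DOMAIN>\<GPO name>' (placeholder)

# Main mode (MM SA) cryptography policy: key exchange, encryption and hash for IKE/AuthIP.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
New-NetIPsecMainModeCryptoSet -Name 'Example-MM-Crypto' -DisplayName 'Example MM crypto' `
    -Proposal $mmProposal -PolicyStore $Store | Out-Null

# Quick mode (QM SA) cryptography policy: per-packet protection. ESP with AES-256 and
# SHA-256 integrity; -Encapsulation AH with -AHHash would give integrity-only protection.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
New-NetIPsecQuickModeCryptoSet -Name 'Example-QM-Crypto' -DisplayName 'Example QM crypto' `
    -Proposal $qmProposal -PolicyStore $Store | Out-Null

# Authentication policy for MM SA negotiation: computer-account Kerberos.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -Name 'Example-MM-Auth' -DisplayName 'Example MM auth' `
    -Proposal $authProposal -PolicyStore $Store | Out-Null

# Bind the MM cryptography and authentication policies to peers in the constructed subnet.
New-NetIPsecMainModeRule -DisplayName 'Example MM rule' -MainModeCryptoSet 'Example-MM-Crypto' `
    -Phase1AuthSet 'Example-MM-Auth' -RemoteAddress '192.0.2.0/24' -PolicyStore $Store | Out-Null

# The PROTECT rule itself: selectors (addresses, protocol, port) plus the required protection.
New-NetIPsecRule -DisplayName 'Example protect SMB' -Mode Transport `
    -LocalAddress Any -RemoteAddress '192.0.2.0/24' -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet 'Example-MM-Auth' -QuickModeCryptoSet 'Example-QM-Crypto' -PolicyStore $Store | Out-Null

# Read back what the SPD now holds for this rule, as an auditor checking the policy would:
# the QM proposal shows the ESP/AH choice and algorithms, the Phase1 set the MM authentication.
$rule = Get-NetIPsecRule -DisplayName 'Example protect SMB' -PolicyStore $Store
$rule | Get-NetIPsecQuickModeCryptoSet | Select-Object -ExpandProperty Proposal |
    Select-Object Encapsulation, Encryption, ESPHash, AHHash
$rule | Get-NetIPsecPhase1AuthSet | Select-Object -ExpandProperty Proposal |
    Select-Object AuthenticationMethod
```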