PowerShell Logo Small

New-NetIPsecDospSetting



This is the built-in help made by Microsoft for the command 'New-NetIPsecDospSetting', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates an IPsec DoS protection setting and adds the setting to the target computer.

SYNTAX


New-NetIPsecDospSetting [-AsJob] [-CimSession <CimSession[]>] [-DefBlockExemptDscp <UInt16>] [-DefBlockExemptRateLimitBytesPerSec <UInt32>] [-EnabledKeyingModules
<DospKeyModules>] [-FilteringFlags <DospFlags>] [-IcmpV6Dscp <UInt16>] [-IcmpV6RateLimitBytesPerSec <UInt32>] [-IpV6FilterExemptDscp <UInt32>]
[-IpV6FilterExemptRateLimitBytesPerSec <UInt32>] [-IpV6IPsecAuthDscp <UInt16>] [-IpV6IPsecAuthRateLimitBytesPerSec <UInt32>] [-IpV6IPsecUnauthDscp <UInt32>]
[-IpV6IPsecUnauthPerIPRateLimitBytesPerSec <UInt32>] [-IpV6IPsecUnauthRateLimitBytesPerSec <UInt32>] [-MaxPerIPRateLimitQueues <UInt32>] [-MaxStateEntries <UInt32>]
[-PerIPRateLimitQueueIdleTimeoutSeconds <UInt32>] [-PrivateV6Address <String>] [-PublicV6Address <String>] [-StateIdleTimeoutSeconds <UInt32>] [-ThrottleLimit <Int32>] -Name
<String> -PrivateInterfaceAliases <WildcardPattern[]> -PublicInterfaceAliases <WildcardPattern[]> [-Confirm] [-WhatIf] [<CommonParameters>]



Search powershellhelp.space

DESCRIPTION


The New-NetIPsecDospSetting cmdlet creates an IPsec DoS protection setting and adds it to the target computer.


The NetIPsecDospSetting configurations affect only IPv6-based connections that are protected by using Encapsulating Security Payload (ESP), and the IPsec negotiation traffic
and ICMPv6 traffic that is required to establish those connections.


Architecturally, the computer on which IPsec Dosp is configured using this cmdlet is located on the network edge and is in the path for any native IPv6 traffic and IPv6
traffic encapsulated inside tunnels such as Teredo, 6to4, and IP-HTTPS. The computer can be the same computer as the Teredo relay, 6to4 gateway or relay, or IP-HTTPS server.
In those cases, the IPsec DoS protection feature intercepts the forwarded packets after the packets are extracted from the tunnel. The only exception is that the IPsec DoS
protection feature cannot be deployed on an IPsec gateway, because IPsec tunnel traffic bypasses the IPsec DoS protection feature. To protect an IPsec gateway, place the
IPsec DoS protection feature on a separate computer that is between the Internet and the IPsec gateway.


By default, no interfaces are assigned to the IPsec DoS protection feature. At least one public interface using the PublicInterfaceAliases parameter and one internal
interface using the PrivateInterfaceAliases parameter for the feature must be added to be operational. Those features that are not specified are assigned the default values.
By default, AuthIP only is allowed to all internal addresses.


This cmdlet has no effect on existing IPsec connections; it only affects IPsec negotiation traffic that uses IKEv1, IKEv2 or AuthIP. ICMPv6 network traffic is always allowed
to enable Teredo and other advanced network scenarios to work.


IPsec-protected traffic that is part of an established connection that uses ESP is always allowed, as long as the connection has not been idle for more than the number of
seconds specified with the StateIdleTimeoutSeconds parameter. The DefBlockExemptRateLimitBytesPerSec, IcmpV6RateLimitBytesPerSec, IpV6FilterExemptRateLimitBytesPerSec,
IpV6IPsecAuthRateLimitBytesPerSec, IpV6IPsecUnauthPerIPRateLimitBytesPerSec, and IpV6IPsecUnauthRateLimitBytesPerSec parameters limit the rate of inbound traffic of the
specified type flowing from the public to the internal interface. You can specify an overall rate for all traffic of a specified type, or you can limit the rate of the
specified traffic to a specified IP address.


Note: the following two prerequisite steps must be taken for this cmdlet to succeed.

-- Set-NetIpv4Protocol -CimSession $session -GroupForwardedFragments Enabled

-- Set-NetIpv6Protocol -CimSession $session -GroupForwardedFragments Enabled

-- New-NetIPsecDospSetting -CimSession $session -Name "Enforce IPsec DoS protection" -PublicInterfaceAliases $publicInterface -PrivateInterfaceAliases $privateInterface



<

RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=288040
Get-NetIPsecDospSetting
Remove-NetIPsecDospSetting
Set-NetIPsecDospSetting

REMARKS

<

Examples


EXAMPLE 1

PS C:\>New-NetIPsecDospSetting –Name PubNet-CorpNet -PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet



This example adds the public and internal network adapters as interfaces of the IPsec DoS protection feature.




EXAMPLE 2

PS C:\>New-NetIPsecDospSetting –Name IKEv1-PubNet-CorpNet –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet –EnabledKeyingModules IKEv1



This example enables IKEv1 negotiation traffic to all IPv6 addresses.




EXAMPLE 3

PS C:\>New-NetIPsecDospSetting –Name "IKEv1-PubNet-CorpNet-3ff3:401d:1f00:baa::1" –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet –EnabledKeyingModules IKEv1
–Privatev6Address 3ff3:401d:1f00:baa::1



This example enables IKEv1 negotiation traffic to a single IPv6 addresses.




EXAMPLE 4

PS C:\>New-NetIPsecDospSetting –Name "Block-3ffe:401d:1f00::/64-PubNet-CorpNet" –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -FilteringFlags FilterBlock
–Publicv6Address 3ff3:401d:1f00:baa::1



This example blocks all network traffic, even IPsec-protected traffic from the specified public IPv6 subnet.




EXAMPLE 5

PS C:\>New-NetIPsecDospSetting –Name PubNet-CorpNet-Unauth10 –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -IpV6IPsecUnauthDscp 10



This example marks all unauthenticated IPsec traffic with the value of 10.




EXAMPLE 6

PS C:\>New-NetIPsecDospSetting –Name PubNet-CorpNet –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -IpV6IPsecUnauthRateLimitBytesPerSec 2048



This example limits all IPsec unauthenticated network traffic to 2048 bytes per second.




EXAMPLE 7

PS C:\>New-NetIPsecDospSetting –Name PubNet-CorpNet –PublicInterfaceAliases PubNet –PrivateInterfaceAliases CorpNet -StateIdleTimeoutSeconds 480 –MaxStateEntries 100000



This example configures the IPsec DoS protection feature to stop tracking a connection after it is idle for 480 seconds, and to track a maximum of 100,000 connections.