Default IP filter policy and IP security policy

Policy Agent provides IP filter policy to the stack, as defined by the IP security policy configuration files. For the stack to be enabled for IP security for IPv4, the TCP/IP profile must have IPCONFIG IPSECURITY coded. For the stack to be enabled for IP security for IPv6, the TCP/IP profile must also have IPCONFIG6 IPSECURITY coded. For the stack to receive configured policy, the Policy Agent must be active. IP filter policy is installed when Policy Agent and the stack are active.

If Policy Agent is not active when an IPSECURITY-enabled stack initializes, the stack cannot be provided with IP filter rules from that policy. Therefore, in the interest of network security, the stack provides a default IP filter policy when an IP filter policy is unavailable from Policy Agent. The default IP filter policy effectively denies all network traffic, with the exception of some select ICMP and ICMPv6 messages that are necessary for internal stack function. These deny rules are not explicitly coded, but rather are always implicitly added at any time that the default IP filter policy is in effect.

The default IP filter policy can be in effect at times other than stack initialization. Default IP filter policy is in effect in all of the following cases:

This default behavior ensures that network security is not compromised in the event that IP filter policy is not installed, and is consistent with a secure default-deny policy. However, you can modify the default IP filter policy by coding an IPSECRULE statement (for IPv4) or IPSEC6RULE statement (for IPv6) in the TCP/IP profile. The IPSECRULE and IPSEC6RULE statements describe the attributes of the IP traffic that is allowed when the default policy is active. Because the default behavior is to deny all network traffic, IPSECRULE and IPSEC6RULE statements are always permit rules that denote exceptions to the default-deny policy.
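The default-deny semantics described above, with IPSECRULE and IPSEC6RULE statements acting only as permit exceptions, can be modelled directly. The following is an added example written for this page; it is not IBM code and does not reproduce the stack's filter engine. The TCP/IP profile fragment is constructed sample input, and the IPSECRULE/IPSEC6RULE operand syntax it parses (source, destination, LOG/NOLOG, PROTOCOL, SRCPORT, DESTPORT, with `*` as a wildcard) is an assumed, simplified subset of the real statements. The implicit ICMP and ICMPv6 exceptions are deliberately not modelled, because this page does not enumerate them.

```python
"""Model of z/OS default IP filter policy: deny everything unless an
IPSECRULE (IPv4) or IPSEC6RULE (IPv6) coded in the TCP/IP profile permits it.
Added illustration for this page, not z/OS or IBM code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network

# Constructed TCP/IP profile fragment. Operand syntax is an assumed,
# simplified subset of the real IPSECRULE/IPSEC6RULE statements.
SAMPLE_PROFILE = """\
IPCONFIG IPSECURITY
IPCONFIG6 IPSECURITY
IPSEC
  ; admin subnet may reach the stack's SSH port while policy is unavailable
  IPSECRULE 10.1.1.0/24 10.1.2.5 NOLOG PROTOCOL TCP SRCPORT * DESTPORT 22
  ; IPv6 management prefix may send any protocol
  IPSEC6RULE 2001:db8:1::/64 * NOLOG PROTOCOL *
ENDIPSEC
"""


@dataclass
class PermitRule:
    version: int                            # 4 for IPSECRULE, 6 for IPSEC6RULE
    src: IPv4Network | IPv6Network | None   # None means '*'
    dst: IPv4Network | IPv6Network | None
    proto: str | None                       # None means PROTOCOL *
    sport: int | None
    dport: int | None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _net(tok: str):
    return None if tok == "*" else ipaddress.ip_network(tok, strict=False)


def _port(tok: str):
    return None if tok == "*" else int(tok)


def _parse_rule(tok: list[str]) -> PermitRule:
    proto = sport = dport = None
    i = 3
    while i < len(tok):
        op = tok[i].upper()
        if op in ("LOG", "NOLOG"):       # flag operand, no value
            i += 1
            continue
        val = tok[i + 1] if i + 1 < len(tok) else "*"
        if op == "PROTOCOL":
            proto = None if val == "*" else val.upper()
        elif op == "SRCPORT":
            sport = _port(val)
        elif op == "DESTPORT":
            dport = _port(val)
        i += 2                           # other operand/value pairs are ignored
    return PermitRule(4 if tok[0].upper() == "IPSECRULE" else 6,
                      _net(tok[1]), _net(tok[2]), proto, sport, dport)


def parse_profile(text: str) -> tuple[bool, bool, list[PermitRule]]:
    """Return (IPv4 IPSECURITY coded, IPv6 IPSECURITY coded, permit rules)."""
    v4 = v6 = in_block = False
    rules: list[PermitRule] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a profile comment
        if not line:
            continue
        tok = line.split()
        kw = tok[0].upper()
        rest = {t.upper() for t in tok[1:]}
        if kw == "IPCONFIG" and "IPSECURITY" in rest:
            v4 = True
        elif kw == "IPCONFIG6" and "IPSECURITY" in rest:
            v6 = True
        elif kw == "IPSEC":
            in_block = True
        elif kw == "ENDIPSEC":
            in_block = False
        elif kw in ("IPSECRULE", "IPSEC6RULE") and in_block:
            rules.append(_parse_rule(tok))
    return v4, v6, rules


def default_policy_decision(rules: list[PermitRule], pkt: Packet) -> str:
    """Default IP filter policy: first matching permit rule wins, else deny.
    The stack's implicit ICMP/ICMPv6 exceptions are not modelled here."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.version != src.version:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.proto is not None and r.proto != pkt.proto.upper():
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return "PERMIT"
    return "DENY"


def decide(profile: str, pkt: Packet, policy_installed: bool = False) -> str:
    """Which filter applies to pkt on a stack running this profile."""
    v4, v6, rules = parse_profile(profile)
    enabled = v4 if ipaddress.ip_address(pkt.src).version == 4 else v6
    if not enabled:
        return "UNFILTERED"   # IP security not enabled for this IP version
    if policy_installed:
        return "POLICY"       # Policy Agent's filter rules apply (not modelled)
    return default_policy_decision(rules, pkt)
```

Running `decide(SAMPLE_PROFILE, Packet("10.1.1.7", "10.1.2.5", "tcp", 51000, 23))` returns `DENY`: the only IPv4 permit rule is for destination port 22, and nothing else is allowed under the default policy. Removing both IPSECRULE statements leaves an IPSECURITY-enabled stack that denies every packet shown here, which is the behaviour the text describes for a stack that starts without Policy Agent.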

It is also important to note that neither the default IP filter policy nor a modified default IP filter policy provides authentication and encryption capabilities such as those provided by a complete IP security policy. They offer the stack only the ability to perform simple IP filtering in the absence of an IP security policy.