Customers can experience a deterioration of network performance when the AuthNoEncap policy is switched on, Microsoft confirmed.
According to the software giant, IT professionals can experience network problems when AuthNoEncap is leveraged to deal with large payloads.
Since AuthNoEncap was introduced in Windows 7 and Windows Server 2008 R2, these two are the only operating systems affected, the company said. Of course, customers running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 can also come across this glitch.
“You may experience a significant decrease in network performance,” Microsoft revealed, describing the symptoms associated with the issue detailed in KB 2570170.
“This issue occurs because the TCP stack uses the IPsec slow path instead of the IPsec fast path when the TCP stack processes AuthNoEncap traffic. This behavior causes the decrease in network performance,” the company explained.
Since end users are highly unlikely to ever turn to Network Shell (Netsh) in order to enable authentication-only for the protection of network packets instead of encapsulation or encryption, this problem will most probably impact IT pros.
In addition to offering details, KB 2570170 also contains the link to a hotfix designed to help IT professionals resolve the issues. Microsoft indicates that the KB 2570170 hotfix will be included in Windows 7 SP2 and Windows Server 2008 R2.
The Knowledge Base article also provides information on a manual workaround IT pros can use instead of deploying the hotfix.
“AuthNoEncap - Network connections that are authenticated, but not encapsulated by ESP or AH match this rule. This option is useful for connections that must be monitored by network equipment, such as intrusion detection systems (IDS), that are not compatible with ESP NULL-protected network packets,” Microsoft explains.
“The initial connection is authenticated by IPsec by using AuthIP, but the quick mode SA permits cleartext traffic. To use this option, you must also configure a connection security rule that specifies authnoencap as a quick mode security method.”