Introduction to IPsec Offload Version 2
[The IPsec Task Offload feature is deprecated and should not be used.]
IPsec offload version 2 (IPsecOV2) extends services that are provided in IPsec offload version 1 (IPsecOV1). For more information about IPsecOV1 offload and IPsec, see IPsec Offload Version 1.
An NDIS 6.1 and later miniport driver reports the IPsecOV2 offload capabilities of a miniport adapter to NDIS. To report IPsec capabilities:
During initialization, a miniport driver reports the task offload default configuration and the hardware capabilities of a miniport adapter in the NDIS_MINIPORT_ADAPTER_OFFLOAD_ATTRIBUTES structure.
If the configured capabilities change, the miniport driver reports the current configuration with the NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG status indication. The configuration can change if the OID_TCP_OFFLOAD_PARAMETERS OID sets the current task offload configuration of a miniport adapter. Also, if the hardware configuration under a MUX intermediate driver changes, the MUX intermediate driver must report the hardware configuration changes with the NDIS_STATUS_TASK_OFFLOAD_HARDWARE_CAPABILITIES status indication.
NDIS reports the default configuration of the offload capabilities of a miniport adapter to overlying protocol drivers in the NDIS_BIND_PARAMETERS structure. Overlying protocol drivers can choose IPsecOV2 task offload services from the services that are supported in the current configuration. The NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG status indication ensures that all of the overlying protocol drivers are updated with the new capabilities information.
When reporting hardware capabilities during initialization, the miniport driver must read the standardized keywords from the registry. For more information about IPsecOV2 offload capabilities, see Reporting a NIC's IPsec Offload Version 2 Capabilities.
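The reporting flow above, as an added user-mode C model that is not code from the NDIS documentation or from any driver: it keeps a hardware capability set and a current configuration (a constructed subset of the capability fields, not the real NDIS_IPSEC_OFFLOAD_V2 type) and returns which status indication the miniport must issue after an OID_TCP_OFFLOAD_PARAMETERS set or a hardware change under a MUX driver. Re-clamping the current configuration after a hardware change is this model's assumption, not something the page states.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed subset of the IPsecOV2 capability fields a miniport reports;
 * this models the flow and is not the NDIS_IPSEC_OFFLOAD_V2 type from ndis.h. */
typedef struct {
    bool ah, esp, transport, tunnel, ipv6;
    unsigned sa_capacity;   /* number of SAs the NIC can hold at once */
} ipsec_v2_caps;
/* Status indications the modelled miniport must issue (bit flags). */
enum { IND_NONE = 0, IND_CURRENT_CONFIG = 1, IND_HARDWARE_CAPS = 2 };

/* The current configuration may never exceed what the hardware reported. */
static ipsec_v2_caps clamp_to_hardware(ipsec_v2_caps hw, ipsec_v2_caps req) {
    return (ipsec_v2_caps){ .ah = hw.ah && req.ah, .esp = hw.esp && req.esp,
        .transport = hw.transport && req.transport, .tunnel = hw.tunnel && req.tunnel,
        .ipv6 = hw.ipv6 && req.ipv6,
        .sa_capacity = req.sa_capacity < hw.sa_capacity ? req.sa_capacity : hw.sa_capacity };
}

static bool caps_equal(ipsec_v2_caps a, ipsec_v2_caps b) {
    return a.ah == b.ah && a.esp == b.esp && a.transport == b.transport &&
           a.tunnel == b.tunnel && a.ipv6 == b.ipv6 && a.sa_capacity == b.sa_capacity;
}

/* Model of an OID_TCP_OFFLOAD_PARAMETERS set: apply the request and report whether
 * NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG must follow (nothing if unchanged). */
static int set_offload_parameters(ipsec_v2_caps hw, ipsec_v2_caps *current, ipsec_v2_caps req) {
    ipsec_v2_caps next = clamp_to_hardware(hw, req);
    if (caps_equal(*current, next)) return IND_NONE;
    *current = next;
    return IND_CURRENT_CONFIG;
}

/* Model of a hardware change under a MUX intermediate driver: indicate the new hardware
 * capabilities and (a model assumption) re-clamp and indicate the current configuration. */
static int hardware_capabilities_changed(ipsec_v2_caps *hw, ipsec_v2_caps *cur, ipsec_v2_caps new_hw) {
    *hw = new_hw;
    return IND_HARDWARE_CAPS | set_offload_parameters(*hw, cur, *cur);
}

int main(void) {
    ipsec_v2_caps hw = { true, true, true, true, true, 512 }, cur = hw;   /* default = full hardware */
    ipsec_v2_caps req = { .esp = true, .transport = true, .sa_capacity = 64 }; /* ESP, transport, IPv4 */
    int ind = set_offload_parameters(hw, &cur, req);
    printf("OID set: indication=%d esp=%d ah=%d sa=%u\n", ind, cur.esp, cur.ah, cur.sa_capacity);
    ipsec_v2_caps smaller = hw; smaller.esp = false;   /* the NIC under the MUX lost ESP */
    ind = hardware_capabilities_changed(&hw, &cur, smaller);
    printf("hw change: indications=%d esp=%d\n", ind, cur.esp);
    return 0;
}
```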
Note: NDIS provides a direct OID request interface for NDIS 6.1 and later drivers. The direct OID request path supports OID requests that are queried or set frequently.
IPsecOV2 provides the OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA, OID_TCP_TASK_IPSEC_OFFLOAD_V2_UPDATE_SA, and OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA direct OID requests to enable protocol drivers to add, update, and delete security associations (SAs). For more information about SAs, see Managing Security Associations in IPsec Offload Version 2.
A NIC can perform IPsec offload tasks on the send and receive paths. NDIS drivers use the NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO, NDIS_IPSEC_OFFLOAD_V2_HEADER_NET_BUFFER_LIST_INFO, and NDIS_IPSEC_OFFLOAD_V2_TUNNEL_NET_BUFFER_LIST_INFO structures to access the IPsec out-of-band (OOB) information.
On the send path, the overlying drivers set the handle to the outbound SA and the IPsec header information in the OOB information of the NET_BUFFER_LIST structure to specify that the NIC should perform IPsecOV2 offload tasks.
On the receive path, after the SA is offloaded, the NIC must perform the IPsec processing on all the received packets that match the capabilities that the miniport driver reported to NDIS. The miniport driver sets the appropriate flags in the OOB information of the NET_BUFFER_LIST structure to indicate which offload tasks the NIC performed and the result of those operations.
For more information about send and receive processing in IPsecOV2, see Sending Network Data with IPsec Offload Version 2 and Receiving Network Data with IPsec Offload Version 2.