Reporting a NIC's IPsec Capabilities
[The IPsec Task Offload feature is deprecated and should not be used.]
An NDIS miniport driver specifies the current Internet protocol security (IPsec) offload configuration of a NIC in an NDIS_IPSEC_OFFLOAD_V1 structure. Miniport drivers must include the current IPsec offload configuration in the NDIS_MINIPORT_ADAPTER_OFFLOAD_ATTRIBUTES structure. Miniport drivers call the NdisMSetMiniportAttributes function from the MiniportInitializeEx function and pass in the information in NDIS_MINIPORT_ADAPTER_OFFLOAD_ATTRIBUTES.
Miniport drivers must report changes in the IPsec offload capabilities, if any, in the NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG status indication.
In response to a query of OID_TCP_OFFLOAD_CURRENT_CONFIG, NDIS includes the NDIS_IPSEC_OFFLOAD_V1 structure in the NDIS_OFFLOAD structure that NDIS returns in the InformationBuffer member of the NDIS_OID_REQUEST structure. NDIS uses the information that the miniport driver provided.
A miniport driver indicates the following information in the NDIS_IPSEC_OFFLOAD_V1 structure:
- Encapsulation settings, in the Encapsulation member. For more information about this member, see the Remarks section in NDIS_IPSEC_OFFLOAD_V1.
- Whether a NIC can perform combined IPsec operations on a packet--that is, whether the NIC can process a packet that contains both an authentication header (AH) and an encapsulating security payload (ESP) in a packet with the following format:

  [IP][AH][ESP][rest of packet]
- Whether a NIC can perform IP security processing on both the transport-mode portion and the tunnel-mode portion of send and receive packets. The transport-mode portion of a packet pertains to an end-to-end security association, and the tunnel-mode portion of a packet pertains to a tunnel security association.
- Whether a NIC can perform IP security operations on packets if the packet's IP headers contain IP options.
A miniport driver specifies the following capabilities of a NIC to calculate or validate (or calculate and validate) encrypted checksums for AH payloads and authentication information:
- The integrity algorithms (MD5 or SHA-1) that the NIC can use
- Whether the NIC can process AH security payloads for:
  - The transport-mode portion of a packet
  - The tunnel-mode portion of a packet
  - Send packets
  - Receive packets
A miniport driver specifies the following capabilities of a NIC to process ESP payloads:
- The confidentiality algorithms (DES, triple DES, or both) that the NIC can use
- Whether the NIC supports null encryption (that is, the ESP payload without encryption but with authentication hashes)
- Whether the NIC can do ESP processing for:
  - The transport-mode portion of a packet
  - The tunnel-mode portion of a packet
  - Send packets
  - Receive packets
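
The capabilities listed above depend on one another: an algorithm is only usable if a mode and a direction are also advertised, and the combined settings only make sense when their parts are present. The following is an added example, not code from the original page or from the WDK, showing a self-check a driver author could run over the values before reporting them. The struct is a local stand-in whose member names are assumed to mirror NDIS_IPSEC_OFFLOAD_V1, the flag and function names are hypothetical, and the consistency rules are inferred from the descriptions above rather than documented NDIS behavior.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for NDIS_IPSEC_OFFLOAD_V1 (member layout is an assumption); a real
   driver uses the WDK type. 1 is assumed to mean "supported" (NDIS_OFFLOAD_SUPPORTED). */
typedef struct {
    struct { unsigned Encapsulation, AhEspCombined, TransportTunnelCombined,
                      IPv4Options, Flags; } Supported;
    struct { unsigned Md5:2, Sha_1:2, Transport:2, Tunnel:2, Send:2, Receive:2; } IPv4AH;
    struct { unsigned Des:2, Reserved:2, TripleDes:2, NullEsp:2,
                      Transport:2, Tunnel:2, Send:2, Receive:2; } IPv4ESP;
} IPSEC_V1_CAPS;

/* Hypothetical issue flags returned by check_ipsec_caps(). */
enum { AH_MISMATCH = 1, ESP_MISMATCH = 2, COMBINED_AH_ESP = 4, COMBINED_MODES = 8 };

/* Return a bitmask of contradictions in a capability report (0 = consistent). */
unsigned check_ipsec_caps(const IPSEC_V1_CAPS *c)
{
    int ah_alg   = c->IPv4AH.Md5 == 1 || c->IPv4AH.Sha_1 == 1;
    int ah_path  = (c->IPv4AH.Transport == 1 || c->IPv4AH.Tunnel == 1) &&
                   (c->IPv4AH.Send == 1 || c->IPv4AH.Receive == 1);
    int esp_alg  = c->IPv4ESP.Des == 1 || c->IPv4ESP.TripleDes == 1 || c->IPv4ESP.NullEsp == 1;
    int esp_path = (c->IPv4ESP.Transport == 1 || c->IPv4ESP.Tunnel == 1) &&
                   (c->IPv4ESP.Send == 1 || c->IPv4ESP.Receive == 1);
    int both_modes = (c->IPv4AH.Transport == 1 || c->IPv4ESP.Transport == 1) &&
                     (c->IPv4AH.Tunnel == 1 || c->IPv4ESP.Tunnel == 1);
    unsigned issues = 0;

    if (ah_alg != ah_path)   issues |= AH_MISMATCH;   /* algorithm without mode+direction, or reverse */
    if (esp_alg != esp_path) issues |= ESP_MISMATCH;
    if (c->Supported.AhEspCombined == 1 && !(ah_alg && ah_path && esp_alg && esp_path))
        issues |= COMBINED_AH_ESP;                    /* [IP][AH][ESP] needs usable AH and ESP */
    if (c->Supported.TransportTunnelCombined == 1 && !both_modes) issues |= COMBINED_MODES;
    return issues;
}

int main(void)
{
    IPSEC_V1_CAPS c;  /* constructed sample: AH/SHA-1 and ESP/triple DES, transport mode only */
    memset(&c, 0, sizeof c);
    c.Supported.AhEspCombined = 1; c.IPv4AH.Sha_1 = 1; c.IPv4ESP.TripleDes = 1;
    c.IPv4AH.Transport = c.IPv4ESP.Transport = 1;
    c.IPv4AH.Send = c.IPv4AH.Receive = c.IPv4ESP.Send = c.IPv4ESP.Receive = 1;
    printf("consistent report: 0x%x\n", check_ipsec_caps(&c));
    c.Supported.TransportTunnelCombined = 1;  /* tunnel mode was never advertised */
    printf("after claiming combined modes: 0x%x\n", check_ipsec_caps(&c));
    return 0;
}
```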