Compartir a través de


Reporting a NIC's IPsec Capabilities (NDIS 5.1)

Note   NDIS 5. x has been deprecated and is superseded by NDIS 6. x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5. x drivers to NDIS 6. x, see Porting NDIS 5.x Drivers to NDIS 6.0.

A miniport driver specifies its NIC's Internet Protocol security (IPsec) capabilities in an NDIS_TASK_IPSECstructure. In response to a query of OID_TCP_TASK_OFFLOAD, the miniport driver overlays this structure on the TaskBufferof an NDIS_TASK_OFFLOADstructure that the miniport driver returns in an InformationBuffer.

The NDIS_TASK_IPSEC structure is defined as:

typedef struct _NDIS_TASK_IPSEC
{
  struct
  {
    ULONG    AH_ESP_COMBINED;
    ULONG    TRANSPORT_TUNNEL_COMBINED;
    ULONG    V4_OPTIONS;
    ULONG    RESERVED;
  } Supported;
 
  struct
  {
    ULONG    MD5:1;
    ULONG    SHA_1:1;
    ULONG    Transport:1;
    ULONG    Tunnel:1;
    ULONG    Send:1;
    ULONG    Receive:1;
  } V4AH;
 
  struct
  {
    ULONG    DES:1;
    ULONG    RESERVED:1;
    ULONG    TRIPLE_DES:1;
    ULONG    NULL_ESP:1;
    ULONG    Transport:1;
    ULONG    Tunnel:1;
    ULONG    Send:1;
    ULONG    Receive:1;
  } V4ESP;
 
} NDIS_TASK_IPSEC, *PNDIS_TASK_IPSEC;

A miniport driver indicates the following general capabilities in the NDIS_TASK_IPSEC structure:

  • Whether its NIC can perform combined IPsec operations on a packet--that is, whether it can process a packet that contains both an authentication header (AH) and an encapsulating security payload (ESP) in a packet with the following format:

    [IP][AH][ESP][rest of packet]

  • Whether its NIC can do IP security processing on both the transport-mode portion and the tunnel-mode portion of send and receive packets. The transport-mode portion of a packet pertains to an end-to-end security association, whereas the tunnel-mode portion of a packet pertains to a tunnel security association.

  • Whether its NIC can perform IP security operations on packets if the packet's IP header(s) contain(s) IP options.

A miniport driver specifies the following capabilities of its NIC to calculate and/or validate encrypted checksums for AH payloads and authentication information:

  • The integrity algorithm(s) (MD5 or SHA 1) that its NIC can use.

  • Whether its NIC can process AH security payloads for:

    • The transport-mode portion of a packet.
    • The tunnel-mode portion of a packet.
    • Send packets.
    • Receive packets.

A miniport driver specifies the following capabilities of its NIC to process ESP payloads:

  • The confidentiality algorithm(s) (DES and/or triple DES) that its NIC can use.

  • Whether its NIC supports null encryption, which is the ESP payload without encryption but with authentication hashes.

  • Whether its NIC can do ESP processing for:

    • The transport-mode portion of a packet.
    • The tunnel-mode portion of a packet.
    • Send packets.
    • Receive packets.

If a miniport driver can parse UDP-encapsulated ESP packets, it specifies the UDP-ESP encapsulation subtypes that it can parse. For more information, see Reporting, Enabling, and Disabling a NIC's Ability to Parse UDP-ESP Packets.

 

 

Send comments about this topic to Microsoft