Requirements and Restrictions That Apply to IPsec Offloads (NDIS 5.1)
Note NDIS 5. x has been deprecated and is superseded by NDIS 6. x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5. x drivers to NDIS 6. x, see Porting NDIS 5.x Drivers to NDIS 6.0.
The following requirements and restrictions apply to Internet Protocol security (IPsec) offloads:
The NIC must maintain the security association (SA) tables. This improves performance by eliminating the need to include keys or other information that is required for AH and ESP processing in send packets.
A NIC might be able to process both AH and ESP payloads for a single packet. In this case, the NIC must support the following possible combinations of integrity (authentication) algorithms for AH and ESP:
AH ESP MD5
MD5
SHA 1
SHA 1
MD5
SHA 1
SHA 1
MD5
MD5
Null (only if the NIC supports null encryption)
SHA 1
Null (only if the NIC supports null encryption)
A NIC that supports DES algorithms must generate the initialization vector (IV) that these algorithms require.
The only IPsec tasks that a NIC performs are processing encrypted AH checksums and/or ESP checksums and encrypting and decrypting ESP payloads. For send packets, the TCP/IP transport creates all headers, padding, and replay numbers and chooses SPI values that are unique to destination address/IPsec protocol pairs. For receive packets, the TCP/IP transport performs inbound policy checks, handles replay detection and prevention, and handles audit events.
For a send packet, the TCP/IP transport does not provide explicit offsets (such as indicating the start of encrypted data) because the offload driver can easily determine this information from the particular security association (SA) that it uses to process the packet.
A packet with IPsec protocols must have authentication information in an authentication header (AH) and/or the encapsulating security payload (ESP) header. It is not permissible for a IPsec packet to have no authentication.
IPsec tasks are not offloaded for send packets that require IP fragmentation or for receive packets that require reassembly from IP fragmentation.
IPsec tasks are not offloaded for send and receive packets that pass through a load-balancing miniport driver. For more information about load balancing, see Load Balancing and Failover.