As a set, the TCP/IP transport uses the OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA OID to request that a miniport driver add the specified security associations (SAs) to a NIC.
Note NDIS supports this OID with the direct OID request interface. For more information about the direct OID request interface, see NDIS 6.1 Direct OID Request Interface.
Note This OID is supported in NDIS 6.1 and 6.20. For NDIS 6.30 and later drivers see OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX.
All NDIS 6.1 and 6.20 miniport drivers that support IPsec offload version 2 (IPsecOV2) must support this OID.
After TCP/IP transport determines that a NIC can perform IPsecOV2 operations, the TCP/IP transport requests the miniport driver to add SAs. The transport cannot offload IPsecOV2 operations to the NIC before the transport adds an SA.
The miniport driver receives an IPSEC_OFFLOAD_V2_ADD_SA structure that contains a pointer to the next IPSEC_OFFLOAD_V2_ADD_SA structure in a linked list. The miniport driver configures the NIC for IPsecOV2 processing on the SAs. With a successful set to OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA, the miniport driver supplies the handles that identify the offloaded SAs in the OffloadHandle member of IPSEC_OFFLOAD_V2_ADD_SA. (For example, the transport uses the handle in the send path to indicate which offloaded SA to use). If any of the SAs in the linked list were offloaded, the set request is successful.
The miniport driver can return a failure status for the OID request, for example, when the NIC runs out of capacity to offload more SAs. Also, the miniport driver might return a failure status because it needs to avoid a race condition. In this case, the NIC configuration changes and excludes a particular algorithm.
If the request fails, none of the SAs in the linked list were offloaded. If failure occurs for a particular SA in the linked list, the miniport driver should set the OffloadHandle member in the corresponding IPSEC_OFFLOAD_V2_ADD_SA structure to NULL.
The miniport driver reports the maximum number of SAs that a NIC can support in the SaOffloadCapacity member of the NDIS_IPSEC_OFFLOAD_V2 structure during initialization. If necessary, the TCP/IP transport can set the OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA OID to request that the miniport driver delete an SA from the NIC.
|Supported in NDIS 6.1 and 6.20. For NDIS 6.30 and later, use OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX.|