Managing Security Associations in IPsec Offload Version 2
After the TCP/IP transport determines that a NIC can perform IPsec offload version 2 (IPsecOV2) operations (see Reporting a NIC's IPsec Offload Version 2 Capabilities), the transport requests that the NIC's miniport driver add one or more security associations (SAs) to the NIC before the transport can offload IPsec tasks to the NIC. After adding SAs, the TCP/IP transport can also delete or update them. The IPsecOV2 interface requires the NDIS direct OID interface for add, delete, and update OIDs.
Note: NDIS provides a direct OID request interface for NDIS 6.1 and later drivers. The direct OID request path supports OID requests that are queried or set frequently.
To request that a miniport driver add one or more SAs to a NIC, the TCP/IP transport sets the OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA OID. The miniport driver receives an IPSEC_OFFLOAD_V2_ADD_SA structure and configures the NIC for IPsecOV2 processing on an SA. With a successful set to OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA, the miniport driver initializes a handle that identifies the offloaded SA in the IPSEC_OFFLOAD_V2_ADD_SA structure. The transport uses this handle in subsequent requests to the miniport driver (that is, on the send path or in the calls to modify or delete the SA). For more information about using the SA handle in the send path, see Sending Network Data with IPsec Offload Version 2.
The miniport driver reports the number of SAs that a NIC can support in the SaOffloadCapacity member of the NDIS_IPSEC_OFFLOAD_V2 structure.
The miniport driver can set the SaDeleteReq flag in the NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO structure for a receive packet. The TCP/IP transport subsequently issues OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA twice: once to delete the inbound SA over which the packet was received, and a second time to delete the outbound SA that corresponds to the deleted inbound SA.
The TCP/IP transport issues OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA to delete inbound SAs over which a packet was received and to delete the outbound SAs that correspond to those inbound SAs. A NIC must not remove these SAs on its own; it must keep each SA until it receives the corresponding OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA request.
The TCP/IP transport sets the OID_TCP_TASK_IPSEC_OFFLOAD_V2_UPDATE_SA OID to request that a miniport driver update a NIC with the higher-order bits of the sequence number for an SA that uses extended sequence numbers (ESN). For NICs that support ESN, when the miniport driver receives this request, the driver should update the sequence number of the specified SA in the NIC in accordance with the IPSEC_OFFLOAD_V2_OPERATION enumeration value that is specified in the Operation member of the IPSEC_OFFLOAD_V2_UPDATE_SA structure.
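The add, delete and update requests described above form one SA lifecycle on the NIC: ADD_SA returns a handle and is bounded by SaOffloadCapacity, an SaDeleteReq flag only asks the transport to tear an inbound SA down (the NIC keeps it until DELETE_SA arrives, once for the inbound SA and once for its outbound peer), and UPDATE_SA supplies the high-order ESN bits. The following user-mode C model is an added example written for this page; it is not NDIS or Microsoft driver code, and every identifier in it (sa_table_t, sa_add, sa_request_delete, SA_OFFLOAD_CAPACITY and so on) is a constructed stand-in for the OIDs and structure members the page names, not a real NDIS API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a NIC's offloaded-SA table for this page's add/delete/
 * update lifecycle. All identifiers here are hypothetical; they are not the
 * NDIS structures or OIDs the page names. */

#define SA_OFFLOAD_CAPACITY 4u     /* plays the role of SaOffloadCapacity */
#define SA_HANDLE_NONE      0u     /* 0 is never a valid handle */

typedef enum { SA_INBOUND = 0, SA_OUTBOUND = 1 } sa_direction_t;

typedef struct {
    bool           in_use;
    uint32_t       spi;
    sa_direction_t direction;
    uint32_t       peer;             /* handle of the paired SA in the other direction */
    uint32_t       esn_high;         /* high-order 32 bits of the 64-bit ESN */
    uint32_t       seq_low;          /* low-order 32 bits (the on-the-wire field) */
    bool           delete_requested; /* models SaDeleteReq raised on a receive packet */
} sa_entry_t;

typedef struct {
    sa_entry_t entries[SA_OFFLOAD_CAPACITY];
} sa_table_t;

/* Handles are 1-based indexes so that SA_HANDLE_NONE is unambiguous. */
static sa_entry_t *sa_lookup(sa_table_t *t, uint32_t handle)
{
    if (handle == SA_HANDLE_NONE || handle > SA_OFFLOAD_CAPACITY) return NULL;
    sa_entry_t *e = &t->entries[handle - 1];
    return e->in_use ? e : NULL;
}

void sa_table_init(sa_table_t *t) { memset(t, 0, sizeof(*t)); }

/* ADD_SA: install the SA and hand back the handle the transport will use on
 * the send path and in later DELETE/UPDATE requests. Fails when the NIC is
 * already holding SA_OFFLOAD_CAPACITY SAs. */
bool sa_add(sa_table_t *t, uint32_t spi, sa_direction_t dir, uint32_t peer, uint32_t *handle_out)
{
    for (uint32_t i = 0; i < SA_OFFLOAD_CAPACITY; i++) {
        sa_entry_t *e = &t->entries[i];
        if (e->in_use) continue;
        *e = (sa_entry_t){ .in_use = true, .spi = spi, .direction = dir, .peer = peer };
        *handle_out = i + 1;
        /* Link the peer back so deleting either side can find the other. */
        sa_entry_t *p = sa_lookup(t, peer);
        if (p) p->peer = *handle_out;
        return true;
    }
    *handle_out = SA_HANDLE_NONE;
    return false;
}

/* The NIC flags a received packet to ask that its inbound SA be torn down.
 * It must NOT remove the SA itself; it waits for DELETE_SA from the transport. */
bool sa_request_delete(sa_table_t *t, uint32_t handle)
{
    sa_entry_t *e = sa_lookup(t, handle);
    if (!e || e->direction != SA_INBOUND) return false;
    e->delete_requested = true;
    return true;
}

/* DELETE_SA: one request removes exactly one SA. The transport issues it twice,
 * once for the inbound SA and once for its outbound counterpart. */
bool sa_delete(sa_table_t *t, uint32_t handle)
{
    sa_entry_t *e = sa_lookup(t, handle);
    if (!e) return false;
    sa_entry_t *p = sa_lookup(t, e->peer);
    if (p) p->peer = SA_HANDLE_NONE;    /* peer no longer has a counterpart */
    memset(e, 0, sizeof(*e));
    return true;
}

/* UPDATE_SA for ESN: the transport supplies the new high-order 32 bits; the
 * low-order bits keep advancing on the NIC as packets flow. */
bool sa_update_esn_high(sa_table_t *t, uint32_t handle, uint32_t esn_high)
{
    sa_entry_t *e = sa_lookup(t, handle);
    if (!e) return false;
    e->esn_high = esn_high;
    return true;
}

/* Full 64-bit ESN the NIC would use for anti-replay/ICV, or 0 for a bad handle. */
uint64_t sa_full_esn(sa_table_t *t, uint32_t handle)
{
    sa_entry_t *e = sa_lookup(t, handle);
    return e ? (((uint64_t)e->esn_high << 32) | e->seq_low) : 0;
}

bool sa_is_offloaded(sa_table_t *t, uint32_t handle) { return sa_lookup(t, handle) != NULL; }

bool sa_delete_pending(sa_table_t *t, uint32_t handle)
{
    sa_entry_t *e = sa_lookup(t, handle);
    return e != NULL && e->delete_requested;
}

uint32_t sa_peer_of(sa_table_t *t, uint32_t handle)
{
    sa_entry_t *e = sa_lookup(t, handle);
    return e ? e->peer : SA_HANDLE_NONE;
}
```

Driving the model in the order the page describes (add inbound, add outbound with the inbound handle as its peer, NIC raises SaDeleteReq, transport issues DELETE_SA twice) shows the two invariants a reviewer of a real miniport would check: an SA is never dropped before its DELETE_SA arrives, and a fifth ADD_SA against a capacity of four fails with a null handle instead of silently evicting an SA that the transport still believes is offloaded.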