NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure

The NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure specifies information that is used in offloading Internet protocol security (IPsec) tasks from the TCP/IP transport to a miniport driver.

Syntax


typedef struct _NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO {
  union {
    struct {
      NDIS_HANDLE OffloadHandle;
    } Transmit;
    struct {
      USHORT SaDeleteReq  :1;
      USHORT CryptoDone  :1;
      USHORT NextCryptoDone  :1;
      USHORT Pad  :13;
      USHORT CryptoStatus;
    } Receive;
  };
} NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO, *PNDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO;

Members

Transmit

A structure that contains the following members:

OffloadHandle

A handle to the outbound security association (SA) for a packet that has just one IPsec payload, regardless of whether that payload is for a transport (end-to-end) connection or a tunnel connection.

Receive

A structure that contains the following members:

SaDeleteReq

A USHORT value that, when set, indicates that the TCP/IP transport should issue the OID_TCP_TASK_IPSEC_DELETE_SA OID once to delete the inbound SA that the packet was received over and once again to delete the outbound SA that corresponds to the deleted inbound SA. The network interface card (NIC) must not remove either of these SAs before it receives the corresponding OID_TCP_TASK_IPSEC_DELETE_SA request.

CryptoDone

A USHORT value that, when set, indicates that a NIC performed IPsec checking on at least one IPsec payload in the receive packet. When this value is cleared, it indicates that the NIC did not perform IPsec checking on the packet.

NextCryptoDone

A USHORT value that, when set, indicates that a NIC performed IPsec checking on both the tunnel and transport portions of the receive packet. CryptoDone must also be set in this case. NextCryptoDone is set only if a packet has both tunnel and transport IPsec payloads; otherwise, NextCryptoDone is set to zero.

Pad

Reserved for NDIS.

CryptoStatus

The result of IPsec checking that a NIC performed on a receive packet. This result can be described as one of the following values:

ValueMeaning
CRYPTO_SUCCESS

The packet was successfully decrypted, if necessary, and the authentication header (AH) checksums, encapsulating security payload (ESP) checksums, or both checksums in the packet were validated.

CRYPTO_GENERIC_ERROR

The packet failed the IPsec check for an unspecified reason.

CRYPTO_TRANSPORT_AH_AUTH_FAILED

The AH checksum for the transport portion of the packet was invalid.

CRYPTO_TRANSPORT_ESP_AUTH_FAILED

The ESP checksum for the transport portion of the packet was invalid.

CRYPTO_TUNNEL_AH_AUTH_FAILED

The AH checksum for the tunnel portion of the packet was invalid.

CRYPTO_TUNNEL_ESP_AUTH_FAILED

The ESP checksum for the tunnel portion of the packet was invalid.

CRYPTO_INVALID_PACKET_SYNTAX

The receive packet's length is invalid.

CRYPTO_INVALID_PROTOCOL

The IPsec protocols that were specified in the SA that the packet was received on do not match the IPsec protocols that were found in the packet. For example, this error occurs if the SA that the packet was received on specifies the AH protocol but the packet contained only an ESP header.

 

Remarks

Before the TCP/IP transport passes a send packet that a NIC will perform IPsec tasks on to the miniport driver of the NIC, the transport updates the IPsec information in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure that is associated with the NET_BUFFER_LIST structure.

Specifically, the TCP/IP transport supplies a value for the OffloadHandle member in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure. The OffloadHandle value specifies the handle to the outbound security association (SA) for a packet that has just one IPsec payload, regardless of whether that payload is for a transport (end-to-end) security association or a tunnel security association. The OffloadHandle value that is supplied in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure has the same value as the OffloadHandle value that the TCP/IP transport supplied when it set OID_TCP_TASK_IPSEC_ADD_SA to request the miniport driver to add the outbound SA to the NIC.

Before a miniport driver indicates up a receive packet that has one or more IPsec payloads, the driver updates the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure that is associated with the NET_BUFFER_LIST structure as follows:

  • If the NIC performed IPsec checks on at least one IPsec payload in the packet, the miniport driver sets the CryptoDone member and indicates the results of the checksum validation tests by specifying the appropriate value in the CryptoStatus member.

  • If the NIC performed IPsec checking on both the tunnel and transport portions of a receive packet, the miniport driver also sets the NextCryptoDone member. NextCryptoDone is set only if a packet has both tunnel and transport IPsec payloads; otherwise, NextCryptoDone is set to zero.

  • If the NIC did not perform IPsec checks on the packet, the miniport driver does not set CryptoDone or NextCryptoDone and does not supply a CryptoStatus value.

To create space for another SA on the NIC, the miniport driver of the NIC can set SaDeleteReq in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure for a receive packet. The TCP/IP transport subsequently issues OID_TCP_TASK_IPSEC_DELETE_SA once to delete the inbound SA that the packet was received over and once again to delete the outbound SA that corresponds to the deleted inbound SA. The NIC must not remove either of these SAs before receiving the corresponding OID_TCP_TASK_IPSEC_DELETE_SA request. The miniport driver of the NIC can set SaDeleteReq independently of CryptoDone .

To set and get the IPsec information, use the IPsecOffloadV1NetBufferListInfo index with the NET_BUFFER_LIST_INFO macro. NET_BUFFER_LIST_INFO returns the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure.

Requirements

Version

Supported in NDIS 6.0. For NDIS 6.1 and later, use NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO.

Header

Ndis.h (include Ndis.h)

See also

NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO
NET_BUFFER_LIST
NET_BUFFER_LIST_INFO
OID_TCP_TASK_IPSEC_ADD_SA
OID_TCP_TASK_IPSEC_DELETE_SA

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft