Sending Network Data with IPsec Offload Version 2

[The IPsec Task Offload feature is deprecated and should not be used.]

The TCP/IP transport provides IPsec Offload Version 2 (IPsecOV2) information for one or more SAs with the OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA OID. Before the miniport driver returns a successful result for OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA, the miniport driver initializes an offload handle. The TCP/IP transport requests the miniport driver to offload the processing of a NET_BUFFER_LIST structure by specifying IPsecOV2 information in the NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO and NDIS_IPSEC_OFFLOAD_V2_HEADER_NET_BUFFER_LIST_INFO structures, which are part of the NET_BUFFER_LIST out-of-band (OOB) information.

The TCP/IP transport supplies an offload handle in the OffloadHandle member of NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO that specifies the handle to the outbound security association (SA) for the transport (end-to-end connection) portion of the send packet.

The TCP/IP transport supplies the following header information in the NDIS_IPSEC_OFFLOAD_V2_HEADER_NET_BUFFER_LIST_INFO structure:

  • Header offsets for an AH header, ESP header, or both.

  • The next protocol value (identical to the one that is contained in the ESP trailer).

  • The pad length that is used for a combined large send offload (LSO) and IPsec offload.

Also, if the send packet will be transmitted through a tunnel, the TCP/IP transport supplies an NDIS_IPSEC_OFFLOAD_V2_TUNNEL_NET_BUFFER_LIST_INFO structure. This structure specifies the offload handle to the outbound SA for the tunnel portion of the send packet. For more information about accessing OOB information, see Accessing NET_BUFFER_LIST Information in IPsec Offload Version 2.

The miniport driver provided the offload handles in response to an OID set request of OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA. For more information about SAs, see Managing Security Associations in IPsec Offload Version 2.

When a miniport driver handles a send request in the MiniportSendNetBufferLists function, the miniport driver:

  • Verifies that the hardware is configured to handle IPsec offload services. If the hardware is not configured to handle IPsec offload services, the miniport driver should handle the send request without providing the offload services.

  • Verifies the handles in the NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO and NDIS_IPSEC_OFFLOAD_V2_TUNNEL_NET_BUFFER_LIST_INFO structures to determine if IPsec cryptographic processing is required. An offload handle value of zero indicates that no IPsec task offload should be performed for the NET_BUFFER_LIST. If the miniport driver cannot find the offloaded SA that corresponds to the specified offload handle, the send packet should fail with an NDIS_STATUS_FAILURE value.

  • Verifies the handles in the NDIS_TCP_LARGE_SEND_OFFLOAD_NET_BUFFER_LIST_INFO structures to determine if segmentation offload should be performed for the NET_BUFFER_LIST.

  • Completes the required AH and ESP processing for all of the send packets in the NET_BUFFER_LIST. When the NIC performs IPsec processing on a send packet, it performs the cryptographic operations on the packet data. The TCP/IP transport has already framed the packet, padded it (if necessary), and assigned it a sequence number and security parameters index (SPI). For a combined LSO and IPsec offload, the NET_BUFFER might have padding that will be discarded while the NIC segments the large packet. The amount of padding is specified in the PadLength member of the NDIS_IPSEC_OFFLOAD_V2_HEADER_NET_BUFFER_LIST_INFO structure. Segmented packets might require padding to support IPsec operations.
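The handle checks in the first two steps above, as an added example (not Microsoft's code and not the NDIS headers): the structs, the `model_add_sa` table and `classify_send` are simplified stand-ins for the real NDIS OOB structures and the miniport's SA bookkeeping, assumed here so the decision logic runs stand-alone.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of an SA the miniport has offloaded via
 * OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA (not the real NDIS structure). */
typedef struct {
    uintptr_t offload_handle; /* handle returned to the stack; never 0 */
    uint32_t  spi;            /* SPI the stack already placed in the AH/ESP header */
    bool      in_use;
} offloaded_sa;

#define SA_TABLE_SIZE 8
static offloaded_sa sa_table[SA_TABLE_SIZE];

/* Models ADD_SA handling: store the SA and hand back its offload handle.
 * Handles are index+1 so that 0 keeps its "no task offload" meaning. */
uintptr_t model_add_sa(uint32_t spi) {
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        if (!sa_table[i].in_use) {
            sa_table[i].in_use = true;
            sa_table[i].spi = spi;
            sa_table[i].offload_handle = (uintptr_t)(i + 1);
            return sa_table[i].offload_handle;
        }
    }
    return 0; /* table full: the stack gets no handle and keeps the SA in software */
}

/* Mirror of the per-NET_BUFFER_LIST OOB fields this page describes. */
typedef struct {
    uintptr_t transport_handle; /* OffloadHandle for the transport (end-to-end) SA */
    uintptr_t tunnel_handle;    /* tunnel SA handle; 0 when the packet is not tunneled */
} nbl_ipsec_oob;

typedef enum { SEND_PLAIN, SEND_IPSEC_TRANSPORT, SEND_IPSEC_TUNNEL, SEND_FAILURE } send_decision;

static const offloaded_sa *lookup_sa(uintptr_t handle) {
    for (size_t i = 0; i < SA_TABLE_SIZE; i++)
        if (sa_table[i].in_use && sa_table[i].offload_handle == handle) return &sa_table[i];
    return NULL;
}

/* Decision a miniport makes in MiniportSendNetBufferLists before any AH/ESP work:
 * hardware not configured -> send without offload; all handles 0 -> no offload;
 * a handle with no matching offloaded SA -> complete the send with NDIS_STATUS_FAILURE. */
send_decision classify_send(bool hw_ipsec_ready, const nbl_ipsec_oob *oob) {
    if (!hw_ipsec_ready) return SEND_PLAIN;
    if (oob->transport_handle == 0 && oob->tunnel_handle == 0) return SEND_PLAIN;
    if (oob->transport_handle != 0 && lookup_sa(oob->transport_handle) == NULL) return SEND_FAILURE;
    if (oob->tunnel_handle != 0 && lookup_sa(oob->tunnel_handle) == NULL) return SEND_FAILURE;
    return oob->tunnel_handle != 0 ? SEND_IPSEC_TUNNEL : SEND_IPSEC_TRANSPORT;
}
```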

When a protocol driver transmits a packet that requests both LSO and IPsecOV2, it will not frame the ESP trailer. This is because the information in the ESP trailer, such as the padding length, will not be accurate for the last segment that was generated by the NIC.