Reporting a NIC's IPsec Capabilities (NDIS 5.1)
Note: NDIS 5.x has been deprecated and is superseded by NDIS 6.x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5.x drivers to NDIS 6.x, see Porting NDIS 5.x Drivers to NDIS 6.0.
A miniport driver specifies its NIC's Internet Protocol security (IPsec) capabilities in an NDIS_TASK_IPSEC structure. In response to a query of OID_TCP_TASK_OFFLOAD, the miniport driver overlays this structure on the TaskBuffer of an NDIS_TASK_OFFLOAD structure that the miniport driver returns in an InformationBuffer.
The NDIS_TASK_IPSEC structure is defined as:
    typedef struct _NDIS_TASK_IPSEC
    {
        struct
        {
            ULONG AH_ESP_COMBINED;
            ULONG TRANSPORT_TUNNEL_COMBINED;
            ULONG V4_OPTIONS;
            ULONG RESERVED;
        } Supported;
        struct
        {
            ULONG MD5:1;
            ULONG SHA_1:1;
            ULONG Transport:1;
            ULONG Tunnel:1;
            ULONG Send:1;
            ULONG Receive:1;
        } V4AH;
        struct
        {
            ULONG DES:1;
            ULONG RESERVED:1;
            ULONG TRIPLE_DES:1;
            ULONG NULL_ESP:1;
            ULONG Transport:1;
            ULONG Tunnel:1;
            ULONG Send:1;
            ULONG Receive:1;
        } V4ESP;
    } NDIS_TASK_IPSEC, *PNDIS_TASK_IPSEC;
A miniport driver indicates the following general capabilities in the NDIS_TASK_IPSEC structure:
- Whether its NIC can perform combined IPsec operations on a packet; that is, whether it can process a packet that contains both an authentication header (AH) and an encapsulating security payload (ESP), laid out as follows:

      [IP][AH][ESP][rest of packet]

- Whether its NIC can do IP security processing on both the transport-mode portion and the tunnel-mode portion of send and receive packets. The transport-mode portion of a packet pertains to an end-to-end security association, whereas the tunnel-mode portion of a packet pertains to a tunnel security association.
- Whether its NIC can perform IP security operations on packets whose IP header(s) contain IP options.
A miniport driver specifies the following capabilities of its NIC to calculate and/or validate encrypted checksums for AH payloads and authentication information:
- The integrity algorithm(s) (MD5 or SHA-1) that its NIC can use.
- Whether its NIC can process AH security payloads for:
  - The transport-mode portion of a packet.
  - The tunnel-mode portion of a packet.
  - Send packets.
  - Receive packets.
A miniport driver specifies the following capabilities of its NIC to process ESP payloads:
- The confidentiality algorithm(s) (DES and/or triple DES) that its NIC can use.
- Whether its NIC supports null encryption, which is the ESP payload without encryption but with authentication hashes.
- Whether its NIC can do ESP processing for:
  - The transport-mode portion of a packet.
  - The tunnel-mode portion of a packet.
  - Send packets.
  - Receive packets.
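The following is an added example, not code from the NDIS documentation or from any Microsoft driver. It copies the NDIS_TASK_IPSEC definition shown above (with a local ULONG typedef so it builds without the WDK headers), fills it in for a hypothetical NIC whose capability set is constructed here, and then runs a consistency check that is this example's own rule rather than an NDIS requirement: a V4AH or V4ESP block that names an algorithm must also say which mode and which direction it applies to, an empty block must be all zero, RESERVED fields must be zero, and the combined flags in Supported must be backed by the per-protocol blocks. The overlay onto the NDIS_TASK_OFFLOAD TaskBuffer is not shown.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for the WDK type so this file builds stand-alone. */
typedef unsigned long ULONG;

/* Structure definition as given in the documentation above. */
typedef struct _NDIS_TASK_IPSEC
{
    struct
    {
        ULONG AH_ESP_COMBINED;
        ULONG TRANSPORT_TUNNEL_COMBINED;
        ULONG V4_OPTIONS;
        ULONG RESERVED;
    } Supported;
    struct
    {
        ULONG MD5:1;
        ULONG SHA_1:1;
        ULONG Transport:1;
        ULONG Tunnel:1;
        ULONG Send:1;
        ULONG Receive:1;
    } V4AH;
    struct
    {
        ULONG DES:1;
        ULONG RESERVED:1;
        ULONG TRIPLE_DES:1;
        ULONG NULL_ESP:1;
        ULONG Transport:1;
        ULONG Tunnel:1;
        ULONG Send:1;
        ULONG Receive:1;
    } V4ESP;
} NDIS_TASK_IPSEC, *PNDIS_TASK_IPSEC;

/* Hypothetical NIC (constructed for this example): AH with SHA-1 only,
 * ESP with triple DES and null encryption, transport mode only, both
 * directions, no combined AH+ESP processing, no IP-option support. */
void FillIpsecCapabilities(PNDIS_TASK_IPSEC caps)
{
    memset(caps, 0, sizeof(*caps));   /* every RESERVED field starts at zero */

    caps->Supported.AH_ESP_COMBINED = 0;
    caps->Supported.TRANSPORT_TUNNEL_COMBINED = 0;
    caps->Supported.V4_OPTIONS = 0;

    caps->V4AH.SHA_1 = 1;
    caps->V4AH.Transport = 1;
    caps->V4AH.Send = 1;
    caps->V4AH.Receive = 1;

    caps->V4ESP.TRIPLE_DES = 1;
    caps->V4ESP.NULL_ESP = 1;
    caps->V4ESP.Transport = 1;
    caps->V4ESP.Send = 1;
    caps->V4ESP.Receive = 1;
}

/* Example's own sanity rule (not an NDIS requirement). Returns 1 if the
 * advertised capability set is self-consistent, 0 otherwise. */
int IpsecCapabilitiesConsistent(const NDIS_TASK_IPSEC *caps)
{
    int ahAlg   = caps->V4AH.MD5 || caps->V4AH.SHA_1;
    int ahMode  = caps->V4AH.Transport || caps->V4AH.Tunnel;
    int ahDir   = caps->V4AH.Send || caps->V4AH.Receive;
    int espAlg  = caps->V4ESP.DES || caps->V4ESP.TRIPLE_DES || caps->V4ESP.NULL_ESP;
    int espMode = caps->V4ESP.Transport || caps->V4ESP.Tunnel;
    int espDir  = caps->V4ESP.Send || caps->V4ESP.Receive;
    int anyTransport = caps->V4AH.Transport || caps->V4ESP.Transport;
    int anyTunnel    = caps->V4AH.Tunnel || caps->V4ESP.Tunnel;

    /* Reserved fields must be zero. */
    if (caps->Supported.RESERVED != 0 || caps->V4ESP.RESERVED != 0)
        return 0;
    /* Algorithm, mode and direction bits must be set together or not at all. */
    if (ahAlg != ahMode || ahAlg != ahDir)
        return 0;
    if (espAlg != espMode || espAlg != espDir)
        return 0;
    /* Combined AH+ESP processing only makes sense if both are offered. */
    if (caps->Supported.AH_ESP_COMBINED && !(ahAlg && espAlg))
        return 0;
    /* Combined transport+tunnel processing needs both modes somewhere. */
    if (caps->Supported.TRANSPORT_TUNNEL_COMBINED && !(anyTransport && anyTunnel))
        return 0;
    return 1;
}

int main(void)
{
    NDIS_TASK_IPSEC caps;
    FillIpsecCapabilities(&caps);
    printf("AH: MD5=%u SHA_1=%u  ESP: DES=%u 3DES=%u NULL=%u  consistent=%d\n",
           (unsigned)caps.V4AH.MD5, (unsigned)caps.V4AH.SHA_1,
           (unsigned)caps.V4ESP.DES, (unsigned)caps.V4ESP.TRIPLE_DES,
           (unsigned)caps.V4ESP.NULL_ESP, IpsecCapabilitiesConsistent(&caps));
    return 0;
}
```

A driver would fill the structure this way in its OID_TCP_TASK_OFFLOAD query handler before copying it into the TaskBuffer of the NDIS_TASK_OFFLOAD entry for the IPsec task; the consistency check is the kind of thing worth keeping in a debug build, since a capability set that names an algorithm without a mode or direction (or vice versa) is one the stack cannot act on.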
If a miniport driver can parse UDP-encapsulated ESP packets, it specifies the UDP-ESP encapsulation subtypes that it can parse. For more information, see Reporting, Enabling, and Disabling a NIC's Ability to Parse UDP-ESP Packets.