Processing UDP-Encapsulated ESP Packets (NDIS 5.1)
Note: NDIS 5.x has been deprecated and is superseded by NDIS 6.x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5.x drivers to NDIS 6.x, see Porting NDIS 5.x Drivers to NDIS 6.0.
When a NIC receives a UDP-encapsulated packet on port 4500, it checks whether the packet is an IKE (control) packet or an ESP (data) packet. For a description of the UDP encapsulation types for IKE and ESP packets, see UDP-ESP Encapsulation Types.
If the packet is an IKE packet, the NIC indicates the packet up to the transport without further IPsec-related processing.
If the packet is an ESP packet, the NIC checks whether the packet's inbound SA (or SAs in the case of a transport-over-tunnel packet) is currently offloaded to the NIC.
- If the inbound SAs are not currently offloaded to the NIC, the NIC indicates the packet up to the transport without further IPsec-related processing.
- If the inbound SAs are currently offloaded to the NIC, the NIC parses the packet by using the encapsulation type specified by the parser entry that is associated with the SAs. The NIC then processes the ESP payloads in the packet, as described in Offloading IPsec Tasks in the Receive Path.
If the incoming ESP packet is a UDP-encapsulated transport-over-tunnel packet, as described in UDP-ESP Encapsulation Types, the NIC first decrypts the ESP payload of the tunnel-mode portion of the packet, which is not UDP-encapsulated. Then the NIC processes the UDP-encapsulated tunnel-mode portion of the packet.
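The receive-side decision sequence described above, as an added C example that is not part of the original page or of any Microsoft driver code. It assumes the RFC 3948 layout on port 4500 (four zero bytes as the non-ESP marker in front of IKE, a single 0xFF byte as a NAT-keepalive, otherwise an ESP SPI); the names `classify_udp4500`, `sa_is_offloaded` and `pkt_class` are hypothetical, and the SA lookup is simplified to an SPI match.

```c
#include <stddef.h>
#include <stdint.h>

#define NATT_PORT 4500u  /* UDP port named on the page */

typedef enum {
    PKT_MALFORMED,      /* truncated or inconsistent lengths: drop */
    PKT_NOT_NATT,       /* destination port is not 4500 */
    PKT_KEEPALIVE,      /* RFC 3948 NAT-keepalive (assumed layout) */
    PKT_IKE,            /* indicate up, no IPsec processing */
    PKT_ESP_PASS_UP,    /* ESP, SA not offloaded: indicate up */
    PKT_ESP_OFFLOADED   /* ESP, SA offloaded: parse and process on the NIC */
} pkt_class;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical stand-in for the NIC's table of offloaded inbound SAs (SPI only). */
static int sa_is_offloaded(const uint32_t *spis, size_t n, uint32_t spi) {
    for (size_t i = 0; i < n; i++) if (spis[i] == spi) return 1;
    return 0;
}

/* udp points at the UDP header; len is the number of bytes actually received. */
pkt_class classify_udp4500(const uint8_t *udp, size_t len,
                           const uint32_t *offloaded_spis, size_t n_spis) {
    if (udp == NULL || len < 8) return PKT_MALFORMED;
    size_t udp_len = be16(udp + 4);          /* UDP header + payload */
    if (udp_len < 8 || udp_len > len) return PKT_MALFORMED;
    if (be16(udp + 2) != NATT_PORT) return PKT_NOT_NATT;

    const uint8_t *payload = udp + 8;
    size_t plen = udp_len - 8;
    if (plen == 1 && payload[0] == 0xFF) return PKT_KEEPALIVE;
    if (plen < 4) return PKT_MALFORMED;      /* no room for a marker or SPI */

    uint32_t first = be32(payload);
    if (first == 0) return PKT_IKE;          /* non-ESP marker precedes IKE */
    if (plen < 8) return PKT_MALFORMED;      /* ESP needs SPI + sequence number */
    return sa_is_offloaded(offloaded_spis, n_spis, first)
         ? PKT_ESP_OFFLOADED : PKT_ESP_PASS_UP;
}

int main(void) {
    /* Constructed sample: src 4500, dst 4500, length 12, checksum 0, non-ESP marker. */
    const uint8_t ike[] = {0x11,0x94,0x11,0x94,0x00,0x0C,0x00,0x00, 0,0,0,0};
    return classify_udp4500(ike, sizeof ike, NULL, 0) == PKT_IKE ? 0 : 1;
}
```

The length checks run before any payload byte is read, so a datagram whose UDP length field exceeds the received bytes is rejected rather than parsed.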