Reporting a NIC's IPsec Capabilities

[The IPsec Task Offload feature is deprecated and should not be used.]

An NDIS miniport driver specifies the current Internet protocol security (IPsec) offload configuration of a NIC in an NDIS_IPSEC_OFFLOAD_V1 structure. Miniport drivers must include the current IPsec offload configuration in the NDIS_MINIPORT_ADAPTER_OFFLOAD_ATTRIBUTES structure. Miniport drivers call the NdisMSetMiniportAttributes function from the MiniportInitializeEx function and pass in the information in NDIS_MINIPORT_ADAPTER_OFFLOAD_ATTRIBUTES.

Miniport drivers must report changes in the IPsec offload capabilities, if any, in the NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG status indication.

In response to a query of OID_TCP_OFFLOAD_CURRENT_CONFIG, NDIS includes the NDIS_IPSEC_OFFLOAD_V1 structure in the NDIS_OFFLOAD structure that NDIS returns in the InformationBuffer member of the NDIS_OID_REQUEST structure. NDIS uses the information that the miniport driver provided.

A miniport driver indicates the following information in the NDIS_IPSEC_OFFLOAD_V1 structure:

  • Encapsulation settings, in the Encapsulation member. For more information about this member, see the Remarks section in NDIS_IPSEC_OFFLOAD_V1.

  • Whether a NIC can perform combined IPsec operations on a packet--that is, whether the NIC can process a packet that contains both an authentication header (AH) and an encapsulating security payload (ESP) in a packet with the following format:

    [IP][AH][ESP][rest of packet]

  • Whether a NIC can perform IP security processing on both the transport-mode portion and the tunnel-mode portion of send and receive packets. The transport-mode portion of a packet pertains to an end-to-end security association, and the tunnel-mode portion of a packet pertains to a tunnel security association.

  • Whether a NIC can perform IP security operations on packets if the packet's IP headers contain IP options.

A miniport driver specifies the following capabilities of a NIC to calculate, validate, or both calculate and validate encrypted checksums for AH payloads and authentication information:

  • The integrity algorithms (MD5 or SHA-1) that the NIC can use

  • Whether the NIC can process AH security payloads for:

    • The transport-mode portion of a packet
    • The tunnel-mode portion of a packet
    • Send packets
    • Receive packets

A miniport driver specifies the following capabilities of a NIC to process ESP payloads:

  • The confidentiality algorithms (DES, triple DES, or both) that the NIC can use

  • Whether the NIC supports null encryption (that is, the ESP payload without encryption but with authentication hashes)

  • Whether the NIC can do ESP processing for:

    • The transport-mode portion of a packet
    • The tunnel-mode portion of a packet
    • Send packets
    • Receive packets
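
As an added illustration (not code from this page or from the WDK), the C below fills the capability report described above for a hypothetical NIC and applies cross-field consistency checks before the report would be placed in NDIS_OFFLOAD and passed to NdisMSetMiniportAttributes. IPSEC_OFFLOAD_V1_MIRROR is an assumed local stand-in for NDIS_IPSEC_OFFLOAD_V1 so the code compiles without ndis.h, and the checks are assumptions drawn from the page's description that go beyond what it states as rules.

```c
#include <string.h>

/* Hypothetical local mirror of the WDK's NDIS_IPSEC_OFFLOAD_V1 (member names as documented
 * for ndis.h, bitfield widths omitted); a real driver includes ndis.h and uses the WDK type. */
typedef struct {
    struct { unsigned Encapsulation, AhEspCombined, TransportTunnelCombined,
             IpOptions, Flags; } Supported;
    struct { unsigned Md5, Sha_1, Transport, Tunnel, Send, Receive; } IPv4AH;
    struct { unsigned Des, Reserved, TripleDes, NullEsp, Transport, Tunnel,
             Send, Receive; } IPv4ESP;
} IPSEC_OFFLOAD_V1_MIRROR;

#define OFFLOAD_SUPPORTED 1u  /* stands in for NDIS_OFFLOAD_SUPPORTED */
#define ENCAP_PLACEHOLDER 2u  /* placeholder for an NDIS_ENCAPSULATION_* value */

/* Report for a hypothetical NIC: SHA-1 AH; 3DES and null ESP; transport and tunnel
 * portions; send and receive; no combined AH+ESP processing; no IP-options support. */
void FillExampleIpsecCaps(IPSEC_OFFLOAD_V1_MIRROR *c)
{
    memset(c, 0, sizeof *c);
    c->Supported.Encapsulation = ENCAP_PLACEHOLDER;
    c->Supported.TransportTunnelCombined = OFFLOAD_SUPPORTED;
    c->IPv4AH.Sha_1 = OFFLOAD_SUPPORTED;
    c->IPv4AH.Transport = c->IPv4AH.Tunnel = OFFLOAD_SUPPORTED;
    c->IPv4AH.Send = c->IPv4AH.Receive = OFFLOAD_SUPPORTED;
    c->IPv4ESP.TripleDes = c->IPv4ESP.NullEsp = OFFLOAD_SUPPORTED;
    c->IPv4ESP.Transport = c->IPv4ESP.Tunnel = OFFLOAD_SUPPORTED;
    c->IPv4ESP.Send = c->IPv4ESP.Receive = OFFLOAD_SUPPORTED;
}

/* Cross-field sanity checks to run before the report is handed to NDIS. The invariants
 * are assumed from the page's description, not rules NDIS states. Returns 1 if consistent. */
int IpsecCapsConsistent(const IPSEC_OFFLOAD_V1_MIRROR *c)
{
    int ahAlg  = c->IPv4AH.Md5 || c->IPv4AH.Sha_1;
    int ahOk   = (c->IPv4AH.Transport || c->IPv4AH.Tunnel) && (c->IPv4AH.Send || c->IPv4AH.Receive);
    int espAlg = c->IPv4ESP.Des || c->IPv4ESP.TripleDes || c->IPv4ESP.NullEsp;
    int espOk  = (c->IPv4ESP.Transport || c->IPv4ESP.Tunnel) && (c->IPv4ESP.Send || c->IPv4ESP.Receive);
    if (c->Supported.Encapsulation == 0 || c->IPv4ESP.Reserved != 0) return 0;
    /* An algorithm with no mode or direction, or modes without an algorithm, is malformed. */
    if (ahAlg != ahOk || espAlg != espOk) return 0;
    /* Combined AH+ESP handling requires both protocols to be offloadable. */
    if (c->Supported.AhEspCombined && !(ahAlg && espAlg)) return 0;
    /* Combined transport+tunnel handling requires both portions on each supported protocol. */
    if (c->Supported.TransportTunnelCombined &&
        ((ahAlg && !(c->IPv4AH.Transport && c->IPv4AH.Tunnel)) ||
         (espAlg && !(c->IPv4ESP.Transport && c->IPv4ESP.Tunnel)))) return 0;
    return 1;
}
```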
