Offloading IPsec Tasks in the Send Path (NDIS 5.1)
Note NDIS 5.x has been deprecated and is superseded by NDIS 6.x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5.x drivers to NDIS 6.x, see Porting NDIS 5.x Drivers to NDIS 6.0.
Before the TCP/IP transport passes the miniport driver a packet descriptor for a packet on which the miniport driver's NIC will perform Internet Protocol security (IPsec) tasks, it updates the IPsec information that is associated with that packet descriptor. The TCP/IP transport specifies this information in an NDIS_IPSEC_PACKET_INFO structure, which is part of the per-packet (extended out-of-band) data that is associated with the packet descriptor.
The NDIS_IPSEC_PACKET_INFO structure is defined as:
typedef struct _NDIS_IPSEC_PACKET_INFO
{
    union
    {
        struct
        {
            NDIS_HANDLE OffloadHandle;
            NDIS_HANDLE NextOffloadHandle;
        } Transmit;
        struct
        {
            ULONG SA_DELETE_REQ:1;
            ULONG CRYPTO_DONE:1;
            ULONG NEXT_CRYPTO_DONE:1;
            ULONG CryptoStatus;
        } Receive;
    };
} NDIS_IPSEC_PACKET_INFO, *PNDIS_IPSEC_PACKET_INFO;
The TCP/IP transport supplies an OffloadHandle, which specifies the handle to the outbound SA for the transport (end-to-end connection) portion of the send packet. If the packet will be transmitted through a tunnel, the TCP/IP transport also supplies the NextOffloadHandle, which specifies the handle to the outbound SA for the tunnel portion of the send packet.
After a miniport driver receives the packet descriptor in its MiniportSend, MiniportSendPackets, or MiniportCoSendPackets function, it can call the NDIS_PER_PACKET_INFO_FROM_PACKET macro with an InfoType of IpSecNdisTask to obtain a pointer to the NDIS_IPSEC_PACKET_INFO structure that is associated with the packet descriptor. Alternatively, it can call the NDIS_PACKET_EXTENSION_FROM_PACKET macro to obtain a pointer to the NDIS_PACKET_EXTENSION structure that is associated with the packet descriptor. The miniport driver can then use the IpSecPacketInfo array index to obtain a pointer to the NDIS_IPSEC_PACKET_INFO structure.
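The following is an added example, not code from the page or from the WDK, of how a miniport might interpret the Transmit handles it obtains this way before its NIC touches the packet: each handle is matched against the outbound SAs the miniport itself offloaded, and a tunnel handle is accepted only alongside a transport handle. The NDIS_HANDLE and ULONG typedefs, the OFFLOADED_SA record, the convention that a handle is the record's address, and the sample SAs are constructed stand-ins so the code builds without ndis.h.

```c
#include <stddef.h>

/* Stand-ins for the WDK types so this builds without ndis.h (constructed). */
typedef void *NDIS_HANDLE;
typedef unsigned long ULONG;

/* NDIS_IPSEC_PACKET_INFO exactly as the page defines it. */
typedef struct _NDIS_IPSEC_PACKET_INFO {
    union {
        struct { NDIS_HANDLE OffloadHandle; NDIS_HANDLE NextOffloadHandle; } Transmit;
        struct { ULONG SA_DELETE_REQ:1; ULONG CRYPTO_DONE:1;
                 ULONG NEXT_CRYPTO_DONE:1; ULONG CryptoStatus; } Receive;
    };
} NDIS_IPSEC_PACKET_INFO, *PNDIS_IPSEC_PACKET_INFO;

/* Constructed record of an SA this miniport has offloaded. The handle the
 * miniport returned to the transport when the SA was added is the record's address. */
typedef struct { ULONG Spi; int Outbound; } OFFLOADED_SA;

typedef enum { IPSEC_TX_NONE, IPSEC_TX_TRANSPORT, IPSEC_TX_TRANSPORT_TUNNEL,
               IPSEC_TX_REJECT } IPSEC_TX_PLAN;

/* A handle is trusted only if it names one of our records and that SA is outbound. */
static int IsKnownOutboundSa(const OFFLOADED_SA *sa, size_t n, NDIS_HANDLE h) {
    for (size_t i = 0; i < n; i++)
        if ((NDIS_HANDLE)&sa[i] == h) return sa[i].Outbound;
    return 0;
}

/* Decides what the NIC should do with a send packet from its per-packet info. */
IPSEC_TX_PLAN PlanIpsecSend(const NDIS_IPSEC_PACKET_INFO *info,
                            const OFFLOADED_SA *sa, size_t n) {
    if (info == NULL) return IPSEC_TX_NONE;          /* no IpSecNdisTask info attached */
    if (info->Transmit.OffloadHandle == NULL)        /* tunnel handle alone is malformed */
        return info->Transmit.NextOffloadHandle ? IPSEC_TX_REJECT : IPSEC_TX_NONE;
    if (!IsKnownOutboundSa(sa, n, info->Transmit.OffloadHandle)) return IPSEC_TX_REJECT;
    if (info->Transmit.NextOffloadHandle == NULL) return IPSEC_TX_TRANSPORT;
    if (!IsKnownOutboundSa(sa, n, info->Transmit.NextOffloadHandle)) return IPSEC_TX_REJECT;
    return IPSEC_TX_TRANSPORT_TUNNEL;
}

/* Constructed sample SAs: outbound transport SA, outbound tunnel SA, and an
 * inbound SA whose handle must be refused on the send path. */
static const OFFLOADED_SA g_sa[] = { {0x1001, 1}, {0x2002, 1}, {0x3003, 0} };

/* Builds the Transmit info the transport would attach for a few send cases. */
IPSEC_TX_PLAN SampleSend(int tunneled, int useInboundAsTunnel) {
    NDIS_IPSEC_PACKET_INFO info = {0};
    info.Transmit.OffloadHandle = (NDIS_HANDLE)&g_sa[0];
    if (tunneled) info.Transmit.NextOffloadHandle = (NDIS_HANDLE)&g_sa[useInboundAsTunnel ? 2 : 1];
    return PlanIpsecSend(&info, g_sa, sizeof g_sa / sizeof g_sa[0]);
}
```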
When the NIC performs IPsec processing on a send packet, it calculates the AH and/or ESP integrity checksums for the packet and, if the packet contains an ESP payload, encrypts that payload. The TCP/IP transport has already framed the packet, padded it if necessary, and assigned it a sequence number and security parameters index (SPI).