OID_TCP_TASK_IPSEC_ADD_SA (Compact 2013)

3/26/2014

This OID is set by the transport protocol to request that a miniport driver add one or more security associations (SAs) to a network adapter.

The information for each SA is formatted as an OFFLOAD_IPSEC_ADD_SA structure.

The first seven members of the OFFLOAD_IPSEC_ADD_SA structure (SrcAddr, SrcMask, DestAddr, DestMask, Protocol, SrcPort, and DestPort) form a filter that specifies the source and destination, and the IP protocols, to which the SAs apply. This filter applies to a transport-mode connection, that is, an end-to-end connection between two hosts. If the specified connection is made through a tunnel, the source and destination addresses of the tunnel are specified by SrcTunnelAddr and DestTunnelAddr, respectively.

If a filter parameter is set to zero, that parameter is not used to filter packets for the specified SAs. For example, if SrcAddr is set to zero, the specified SAs can apply to a packet that contains any source address. To take this to the extreme, if all the filter parameters are set to zero, the specified SAs apply to any source host sending any type of packet to any destination host.

The TCP/IP transport can specify an IP protocol in the Protocol member to indicate that the specified SAs apply only to packets of the specified protocol type. If Protocol is set to zero, the specified SAs apply to all packets sent from the specified source to the specified destination.
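The zero-means-unused filter rule described above, written out as an added example (not code from this page or from ntddndis.h): SaFilter and PacketKey are constructed, simplified stand-ins for the first seven OFFLOAD_IPSEC_ADD_SA members and for a packet's 5-tuple, the IPv4 values are in host byte order, and treating a zero mask as "compare the full address" is an assumption the page does not state.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed, simplified mirror of the first seven OFFLOAD_IPSEC_ADD_SA
 * members; the real layout lives in ntddndis.h and is not reproduced here.
 * Addresses and masks are IPv4 in host byte order for readability. */
typedef struct {
    uint32_t SrcAddr, SrcMask, DestAddr, DestMask;
    uint32_t Protocol;           /* 0 = any IP protocol */
    uint16_t SrcPort, DestPort;  /* 0 = any port */
} SaFilter;

/* Constructed key extracted from a packet (5-tuple). */
typedef struct {
    uint32_t src, dst;
    uint32_t protocol;
    uint16_t sport, dport;
} PacketKey;

/* Compare one address field using the page's rule that a zero parameter
 * is not used for filtering. Assumption (not stated on the page): a zero
 * mask is likewise unused, so the full address is compared. */
static bool addr_matches(uint32_t filt, uint32_t mask, uint32_t actual)
{
    if (filt == 0) return true;
    if (mask == 0) return filt == actual;
    return (filt & mask) == (actual & mask);
}

/* Return true when the SA filter selects this packet. */
bool sa_filter_matches(const SaFilter *f, const PacketKey *p)
{
    return addr_matches(f->SrcAddr, f->SrcMask, p->src)
        && addr_matches(f->DestAddr, f->DestMask, p->dst)
        && (f->Protocol == 0 || f->Protocol == p->protocol)
        && (f->SrcPort == 0  || f->SrcPort == p->sport)
        && (f->DestPort == 0 || f->DestPort == p->dport);
}

/* An all-zero filter applies to any packet from any host to any host.
 * Flagging it lets a driver or reviewer notice an SA that is broader
 * than intended before it is programmed into the adapter. */
bool sa_filter_is_catch_all(const SaFilter *f)
{
    return f->SrcAddr == 0 && f->DestAddr == 0 && f->Protocol == 0
        && f->SrcPort == 0 && f->DestPort == 0;
}
```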

OFFLOAD_SECURITY_ASSOCIATION structure

An OFFLOAD_SECURITY_ASSOCIATION structure specifies a single security association (SA). The OFFLOAD_SECURITY_ASSOCIATION structure is an element in the SecAssoc variable-length array. SecAssoc contains one or two OFFLOAD_SECURITY_ASSOCIATION structures.

An SA specified for use in processing authentication headers (AH) will have an operation type of AUTHENTICATE and will have an IntegrityAlgo (integrity algorithm). The SA will not have a ConfAlgo (confidentiality algorithm). In this case, ConfAlgo will contain zeros.

An SA specified for use in processing encapsulating security payloads (ESPs) will have an operation type of ENCRYPT and may have an IntegrityAlgo (integrity algorithm) and/or a ConfAlgo (confidentiality algorithm).

OFFLOAD_ALGO_INFO structure

The OFFLOAD_ALGO_INFO structure, which is a member of an OFFLOAD_SECURITY_ASSOCIATION structure, specifies an algorithm that is used for a security association (SA).

Requirements

Header

ntddndis.h

See Also

Reference

Task Offload OIDs (NDIS 5.1)