NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO (Compact 7)

3/12/2014

This structure specifies information that is used in offloading Internet protocol security (IPsec) tasks from the TCP/IP transport to a miniport driver.

Syntax

typedef struct _NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO
{
  union {
    struct {
      NDIS_HANDLE  OffloadHandle;
    } Transmit;
    struct {
      USHORT  SaDeleteReq:1;
      USHORT  CryptoDone:1;
      USHORT  NextCryptoDone:1;
      USHORT  Pad:13;
      USHORT  CryptoStatus;
    } Receive;
  };
} NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO, *PNDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO;

Members

  • OffloadHandle
    A handle to the outgoing security association (SA) for a packet that has only one IPsec payload, regardless of whether that payload is for a transport (end-to-end) connection or a tunnel connection.
  • SaDeleteReq
    A USHORT value that, when set, indicates that the TCP/IP transport should issue the OID_TCP_TASK_IPSEC_DELETE_SA OID once to delete the incoming SA that the packet was received over and again to delete the outgoing SA that corresponds to the deleted incoming SA. The network adapter (NIC) must not remove either of these SAs before it receives the corresponding OID_TCP_TASK_IPSEC_DELETE_SA request.
  • CryptoDone
    A USHORT value that, when set, indicates that a network adapter performed IPsec checking on at least one IPsec payload in the receive packet. When this value is cleared, it indicates that the network adapter did not perform IPsec checking on the packet.
  • NextCryptoDone
    A USHORT value that, when set, indicates that a network adapter performed IPsec checking on both the tunnel and transport sections of the receive packet. CryptoDone must also be set in this case. NextCryptoDone is set only if a packet has both tunnel and transport IPsec payloads; otherwise, NextCryptoDone is set to zero.
  • Pad
    Reserved for NDIS.
  • CryptoStatus
    The result of IPsec checking that a network adapter performed on a receive packet. This result can be described as one of the following values:

    • CRYPTO_SUCCESS
      The packet was successfully decrypted, if necessary, and the authentication header (AH) checksums, encapsulating security payload (ESP) checksums, or both checksums in the packet were validated.
    • CRYPTO_GENERIC_ERROR
      The packet failed the IPsec check for an unspecified reason.
    • CRYPTO_TRANSPORT_AH_AUTH_FAILED
      The AH checksum for the transport part of the packet was invalid.
    • CRYPTO_TRANSPORT_ESP_AUTH_FAILED
      The ESP checksum for the transport part of the packet was invalid.
    • CRYPTO_TUNNEL_AH_AUTH_FAILED
      The AH checksum for the tunnel part of the packet was invalid.
    • CRYPTO_TUNNEL_ESP_AUTH_FAILED
      The ESP checksum for the tunnel part of the packet was invalid.
    • CRYPTO_INVALID_PACKET_SYNTAX
      The receive packet's length is invalid.
    • CRYPTO_INVALID_PROTOCOL
      The IPsec protocols that were specified in the SA that the packet was received on do not match the IPsec protocols that were found in the packet. For example, this error occurs if the SA that the packet was received on specifies the AH protocol but the packet contained only an ESP header.

Remarks

Before the TCP/IP transport passes a send packet to the miniport driver of a network adapter that will perform IPsec tasks on that packet, the transport updates the IPsec information in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure that is associated with the NET_BUFFER_LIST structure.

Specifically, the TCP/IP transport supplies a value for the OffloadHandle member in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure. The OffloadHandle value specifies the handle to the outgoing security association (SA) for a packet that has only one IPsec payload, regardless of whether that payload is for a transport (end-to-end) security association or a tunnel security association. The OffloadHandle value that is supplied in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure has the same value as the OffloadHandle value that the TCP/IP transport supplied when it set OID_TCP_TASK_IPSEC_ADD_SA to request the miniport driver to add the outgoing SA to the network adapter.

Before a miniport driver indicates up a receive packet that has one or more IPsec payloads, the driver updates the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure that is associated with the NET_BUFFER_LIST structure as follows:

  • If the network adapter performed IPsec checks on at least one IPsec payload in the packet, the miniport driver sets the CryptoDone member and indicates the results of the checksum validation tests by specifying the appropriate value in the CryptoStatus member.
  • If the network adapter performed IPsec checking on both the tunnel and transport sections of a receive packet, the miniport driver also sets the NextCryptoDone member. NextCryptoDone is set only if a packet has both tunnel and transport IPsec payloads; otherwise, NextCryptoDone is set to zero.
  • If the network adapter did not perform IPsec checks on the packet, the miniport driver does not set CryptoDone or NextCryptoDone and does not supply a CryptoStatus value.

To create space for another SA on the network adapter, the miniport driver of the network adapter can set SaDeleteReq in the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure for a receive packet. The TCP/IP transport subsequently issues OID_TCP_TASK_IPSEC_DELETE_SA once to delete the incoming SA that the packet was received over and again to delete the outgoing SA that corresponds to the deleted incoming SA. The network adapter must not remove either of these SAs before receiving the corresponding OID_TCP_TASK_IPSEC_DELETE_SA request. The miniport driver of the network adapter can set SaDeleteReq independently of CryptoDone.

To set and get the IPsec information, use the IPsecOffloadV1NetBufferListInfo index with the NET_BUFFER_LIST_INFO macro. NET_BUFFER_LIST_INFO returns the NDIS_IPSEC_OFFLOAD_V1_NET_BUFFER_LIST_INFO structure.
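
The receive-side rules above, as an added example that is not part of the original reference page or of any NDIS header. RX_INFO, HW_RESULT, RX_VERDICT, fill_rx_info and classify_rx are hypothetical names, the CRYPTO_* numeric values are constructed, and the consumer policy (drop on a failed check, fall back to a software check for anything the flags do not vouch for) is an assumption. Access through NET_BUFFER_LIST_INFO is not modeled.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned short USHORT;
/* Names are from this page; numeric values are constructed for the example. */
enum { CRYPTO_SUCCESS, CRYPTO_GENERIC_ERROR, CRYPTO_TRANSPORT_AH_AUTH_FAILED,
       CRYPTO_TRANSPORT_ESP_AUTH_FAILED, CRYPTO_TUNNEL_AH_AUTH_FAILED,
       CRYPTO_TUNNEL_ESP_AUTH_FAILED, CRYPTO_INVALID_PACKET_SYNTAX,
       CRYPTO_INVALID_PROTOCOL };

/* Stand-in for the Receive half of the structure documented above. */
typedef struct {
    USHORT SaDeleteReq:1, CryptoDone:1, NextCryptoDone:1, Pad:13;
    USHORT CryptoStatus;
} RX_INFO;

/* Hypothetical summary of what the adapter did with one receive packet. */
typedef struct {
    int payloads_checked;     /* IPsec payloads verified in hardware: 0, 1 or 2 */
    int tunnel_and_transport; /* packet carries both kinds of payload */
    USHORT status;            /* CRYPTO_* result; meaningful only if checked > 0 */
    int need_sa_slot;         /* adapter wants room for another SA */
} HW_RESULT;

/* Miniport side: fill the info before indicating the packet up. */
void fill_rx_info(RX_INFO *info, const HW_RESULT *hw) {
    memset(info, 0, sizeof *info);          /* Pad and unset flags stay zero */
    info->SaDeleteReq = hw->need_sa_slot ? 1 : 0; /* independent of CryptoDone */
    if (hw->payloads_checked == 0) return;  /* no flags, no CryptoStatus */
    info->CryptoDone = 1;
    info->CryptoStatus = hw->status;
    info->NextCryptoDone = (hw->payloads_checked == 2 && hw->tunnel_and_transport);
}

typedef enum { RX_ACCEPT, RX_DROP, RX_SOFTWARE_CHECK } RX_VERDICT;
/* Consumer side (assumed policy): trust only what the flags vouch for. */
RX_VERDICT classify_rx(const RX_INFO *info, int tunnel_and_transport) {
    if (!info->CryptoDone) return RX_SOFTWARE_CHECK; /* CryptoStatus ignored */
    if (info->CryptoStatus != CRYPTO_SUCCESS) return RX_DROP;
    if (tunnel_and_transport && !info->NextCryptoDone)
        return RX_SOFTWARE_CHECK;           /* one payload still unverified */
    return RX_ACCEPT;
}

int main(void) {
    HW_RESULT hw = { 1, 1, CRYPTO_SUCCESS, 0 };  /* constructed input */
    RX_INFO info;
    fill_rx_info(&info, &hw);
    return printf("verdict=%d\n", classify_rx(&info, 1)) < 0;
}
```

Because classify_rx reads CryptoStatus only after CryptoDone is confirmed, a stale or zero status on an unchecked packet can never be mistaken for CRYPTO_SUCCESS.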

Requirements

Header

ntddndis.h

See Also

Reference

NDIS TCP/IP Offload Structures
NET_BUFFER_LIST
NET_BUFFER_LIST_INFO
OID_TCP_TASK_IPSEC_ADD_SA
OID_TCP_TASK_IPSEC_DELETE_SA