OFFLOAD_IPSEC_ADD_SA (Compact 2013)

3/26/2014

This structure contains information for each security association (SA) that a miniport driver adds to a network adapter.

Syntax

typedef struct _OFFLOAD_IPSEC_ADD_SA {
  IPAddr  SrcAddr;
  IPMask  SrcMask;
  IPAddr  DestAddr;
  IPMask  DestMask;
  ULONG  Protocol;
  USHORT  SrcPort;
  USHORT  DestPort;
  IPAddr  SrcTunnelAddr;
  IPAddr  DestTunnelAddr;
  USHORT  Flags;
  SHORT  NumSAs;
  OFFLOAD_SECURITY_ASSOCIATION  SecAssoc[OFFLOAD_MAX_SAS];
  NDIS_HANDLE  OffloadHandle;
  ULONG  KeyLen;
  UCHAR  KeyMat[1];
} OFFLOAD_IPSEC_ADD_SA, *POFFLOAD_IPSEC_ADD_SA;

Members

  • SrcAddr
    The IP address of the source host (the host sending the packets).
  • SrcMask
    The subnet mask for the source IP address.
  • DestAddr
    The IP address of the destination host (the host receiving the packets).
  • DestMask
    The subnet mask for the destination IP address.
  • Protocol
    The IP protocol. You can specify any combination of IP protocol types (such as TCP, UDP, or ICMP). The encoding of Protocol is identical to that of the Protocol field in an IP header. If Protocol is set to zero, the SA applies to any IP protocol.
  • SrcPort
    A source TCP or UDP port. If SrcPort is set to zero, the SA applies to any source TCP/UDP port.
  • DestPort
    A destination TCP or UDP port. If DestPort is set to zero, the SA applies to any source TCP/UDP port.
  • SrcTunnelAddr
    The IP address for the source endpoint, such as a connector, of a tunnel. The miniport driver uses SrcTunnelAddr as the source address for the tunnel IP header of packets that are sent on the SA. SrcTunnelAddr is specified only for an SA that applies to the tunnel section of a packet. SrcTunnelAddr is set to zero for an SA that applies to the transport section of a packet.
  • DestTunnelAddr
    The IP address for the destination endpoint, such as a connector, of a tunnel. The miniport driver uses DestTunnelAddr as the destination address for the tunnel IP header of packets sent on the SA. DestTunnelAddr is specified only for an SA that applies to the tunnel section of a packet. DestTunnelAddr is set to zero for an SA that applies to the transport section of a packet.
  • Flags
    A bitmask that indicates whether the SA that is being added is an inbound or outbound SA as follows:

    • OFFLOAD_INBOUND_SA
      Specifies an inbound SA.
    • OFFLOAD_OUTBOUND_SA
      Specifies an outbound SA.
  • SecAssoc
    A variable-length array that contains the information about the Internet Protocol security (IPsec) operations (AH or ESP) for the SA. The information for each IPsec operations is formatted as an OFFLOAD_SECURITY_ASSOCIATION structure.

    The TCP/IP transport specifies one or two OFFLOAD_SECURITY_ASSOCIATION structures in the buffer at SecAssoc. Each OFFLOAD_SECURITY_ASSOCIATION structure indicates the type of operation-authentication or encryption/decryption-for which the SA specified in the structure should be used. The order of the OFFLOAD_SECURITY_ASSOCIATION structures in the array indicates the order in which the miniport driver should perform the operations for each SA. Only one combination of operations is supported: encryption/decryption (ESP) followed by authentication (AH).

  • OffloadHandle
    The handle to the newly created SA. The miniport driver supplies this handle before completing the OID_TCP_TASK_IPSEC_ADD_SA request. The TCP/IP transport must specify this handle in the NDIS_IPSEC_PACKET_INFO structure before passing a send packet to the miniport driver. The TCP/IP transport must also specify this handle when deleting the SA with an OID_TCP_TASK_IPSEC_DELETE_SA request.
  • KeyLen
    The length, in bytes, of the buffer at KeyMat.
  • KeyMat
    A variable-length array that contains keys for the SAs specified at SecAssoc. If both a confidentiality (encryption/decryption) algorithm and an integrity (authentication) algorithm are specified by the ConfAlgo and IntegrityAlgo members of an OFFLOAD_SECURITY_ASSOCIATION structure, the buffer at KeyMat contains key information for the confirmation algorithm first, followed immediately by key information for the integrity algorithm.

    The length of each key in the buffer at KeyMat is specified by algoKeyLen in the OFFLOAD_ALGO_INFO structure that specifies the confidentiality or integrity algorithm. (An OFFLOAD_ALGO_INFO structure is a member of an OFFLOAD_SECURITY_ASSOCIATION structure.)

Remarks

The OFFLOAD_IPSEC_ADD_SA structure is used in the OID_TCP_TASK_IPSEC_ADD_SA OID.

Requirements

Header

ntddndis.h

See Also

Reference

Task Offload Structures (NDIS 5.1)
OFFLOAD_ALGO_INFO
OFFLOAD_SECURITY_ASSOCIATION
OID_TCP_TASK_IPSEC_ADD_SA
OID_TCP_TASK_IPSEC_DELETE_SA