IPSEC_OFFLOAD_V2_ADD_SA_EX structure (ndis.h)
[The IPsec Task Offload feature is deprecated and should not be used.]
The IPSEC_OFFLOAD_V2_ADD_SA_EX structure defines information about a security association (SA) that a miniport driver should add to a NIC.
Syntax
typedef struct _IPSEC_OFFLOAD_V2_ADD_SA_EX {
  NDIS_OBJECT_HEADER                    Header;
  ULONG                                 NumExtHdrs;
  ULONG                                 Flags;
  union {
    struct {
      IPAddr SrcAddr;
      IPAddr DestAddr;
    } IPv4Endpoints;
    struct {
      UCHAR SrcAddr[16];
      UCHAR DestAddr[16];
    } IPv6Endpoints;
  };
  NDIS_HANDLE                           OffloadHandle;
  ULONG                                 UdpEspEncapsulation;
  IPSEC_OFFLOAD_V2_SECURITY_ASSOCIATION SecAssoc[IPSEC_OFFLOAD_V2_MAX_EXTENSION_HEADERS];
  ULONG                                 KeyLength;
  ULONG                                 KeyOffset;
  NDIS_SWITCH_PORT_ID                   SourceSwitchPortId;
  USHORT                                VlanId;
} IPSEC_OFFLOAD_V2_ADD_SA_EX, *PIPSEC_OFFLOAD_V2_ADD_SA_EX;
Members
Header
The NDIS_OBJECT_HEADER structure for the IPSEC_OFFLOAD_V2_ADD_SA_EX structure. Set the Type member of the structure that Header specifies to NDIS_OBJECT_TYPE_DEFAULT, the Revision member to NDIS_IPSEC_OFFLOAD_V2_ADD_SA_EX_REVISION_1, and the Size member to NDIS_SIZEOF_IPSEC_OFFLOAD_V2_ADD_SA_EX_REVISION_1.
NumExtHdrs
The number of IPsec extension headers. This member can be one of the following values.
Type of security | Extension headers |
---|---|
AH authentication only | 1 |
ESP authentication only | 1 |
ESP encryption only | 1 |
ESP authentication plus encryption | 1 |
AH plus ESP authentication plus encryption | 2 |
UDP ESP | 1 |
Flags
A bitmask that indicates the address type and whether the SA that is being added is inbound or outbound, as follows:
IPSEC_OFFLOAD_V2_IPv6
If this flag is set, the addresses are IPv6. Otherwise, the addresses are IPv4.
IPSEC_OFFLOAD_V2_INBOUND
If this flag is set, the SA is inbound. Otherwise, the SA is outbound.
IPv4Endpoints
The IPv4 endpoint addresses. This structure contains the following members:
IPv4Endpoints.SrcAddr
The IPv4 address of the source host (the host that is sending the packets).
IPv4Endpoints.DestAddr
The IPv4 address of the destination host (the host that is receiving the packets).
IPv6Endpoints
The IPv6 endpoint addresses. This structure contains the following members:
IPv6Endpoints.SrcAddr[16]
The IPv6 address of the source host (the host that is sending the packets).
IPv6Endpoints.DestAddr[16]
The IPv6 address of the destination host (the host that is receiving the packets).
OffloadHandle
The handle to the newly created SA. The miniport driver supplies this handle before completing the OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX request. The TCP/IP transport must specify this handle in the NDIS_IPSEC_OFFLOAD_V2_NET_BUFFER_LIST_INFO or NDIS_IPSEC_OFFLOAD_V2_TUNNEL_NET_BUFFER_LIST_INFO structure before passing a send packet to the miniport driver. The TCP/IP transport must also specify this handle when deleting the SA with an OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA request.
UdpEspEncapsulation
The UDP ESP encapsulation type. This member can be one or more of the following flags:
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_NONE
No UDP encapsulation is used.
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_TRANSPORT
An ESP-encapsulated transport-mode packet is encapsulated by UDP.
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_TUNNEL
The tunnel-mode portion of a packet is UDP-encapsulated. The transport-mode portion of the packet is not UDP-encapsulated and is not ESP-protected.
IPSEC_OFFLOAD_V2_TRANSPORT_OVER_UDP_ESP_ENCAPSULATION_TUNNEL
The tunnel-mode portion of a packet is UDP-encapsulated. The transport-mode portion of a packet is not UDP-encapsulated but is ESP-protected.
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_TRANSPORT_OVER_TUNNEL
The tunnel-mode portion of a packet is not UDP-encapsulated. The transport-mode portion of a packet is UDP-encapsulated and ESP-protected.
SecAssoc[IPSEC_OFFLOAD_V2_MAX_EXTENSION_HEADERS]
An array with two elements that contain the information about the IPsec operations (AH, ESP, or both) for the SA. The number of provided elements is specified in the NumExtHdrs member. The information for each IPsec operation is formatted as an IPSEC_OFFLOAD_V2_SECURITY_ASSOCIATION structure, which is described below.
The TCP/IP transport specifies one or two IPSEC_OFFLOAD_V2_SECURITY_ASSOCIATION structures in the buffer at SecAssoc. Each IPSEC_OFFLOAD_V2_SECURITY_ASSOCIATION structure indicates the type of operation--authentication or encryption/decryption--for which the SA specified in the structure is to be used. The order of the IPSEC_OFFLOAD_V2_SECURITY_ASSOCIATION structures in the array indicates the order in which the miniport driver should perform the operations for each SA. Only one combination of operations is supported: encryption/decryption (ESP) followed by authentication (AH).
KeyLength
The length, in bytes, of the buffer at KeyOffset.
KeyOffset
The offset, in bytes, from the beginning of the IPSEC_OFFLOAD_V2_ADD_SA_EX structure to the beginning of a variable-length array that contains keys for the SA that is specified at SecAssoc. If both an encryption algorithm and an authentication algorithm are specified by the EncryptionAlgorithm and AuthenticationAlgorithm members of an IPSEC_OFFLOAD_V2_SECURITY_ASSOCIATION structure, the buffer at KeyOffset contains key information for one followed by the other. The beginning and the length of the key are specified by the IPSEC_OFFLOAD_V2_ALGORITHM_INFO structure's KeyOffsetBytes and KeyLength members, respectively.
SourceSwitchPortId
Reserved.
VlanId
Reserved.
Remarks
The IPSEC_OFFLOAD_V2_ADD_SA_EX structure specifies an SA that should be added. The IPSEC_OFFLOAD_V2_ADD_SA_EX structure is used with the OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX OID.
The IPSEC_OFFLOAD_V2_ADD_SA_EX structure specifies the source and destination, as well as the IP protocols, to which the SA applies. This filter pertains to a transport-mode connection--that is, an end-to-end connection between two hosts. If the specified connection is made through a tunnel, the source and destination addresses of the tunnel are specified.
If a member is set to zero, that parameter is not used to filter packets for the specified SA. For example, if SrcAddr is set to zero, the specified SA can apply to a packet that contains any source address. If all of the filter parameters are set to zero, the specified SA applies to any source host that is sending any type of packet to any destination host.
This structure is nearly identical to the previous version, IPSEC_OFFLOAD_V2_ADD_SA. The Next and KeyData members have been removed. The KeyOffset, SourceSwitchPortId and VlanId members have been added.
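NumExtHdrs, KeyOffset, KeyLength, and each algorithm's KeyOffsetBytes and KeyLength all describe data inside a caller-supplied buffer, so a driver should bounds-check them before reading any key. The following is an added example, not code from this page or from ndis.h: ADD_SA_EX, SEC_ASSOC and ALG_INFO are hypothetical reduced stand-ins so it compiles without the WDK, and it assumes that KeyOffsetBytes is relative to the key buffer at KeyOffset and that key material lies after the fixed part of the structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical reduced stand-ins for the ndis.h types: only the members this check reads. */
#define MAX_EXT_HDRS 2u  /* stands in for IPSEC_OFFLOAD_V2_MAX_EXTENSION_HEADERS */
typedef struct { uint32_t KeyLength, KeyOffsetBytes; } ALG_INFO;
typedef struct { ALG_INFO AuthenticationAlgorithm, EncryptionAlgorithm; } SEC_ASSOC;
typedef struct {
    uint32_t  NumExtHdrs;
    SEC_ASSOC SecAssoc[MAX_EXT_HDRS];
    uint32_t  KeyLength;   /* bytes of key material at KeyOffset */
    uint32_t  KeyOffset;   /* from the start of the structure */
} ADD_SA_EX;
enum { SA_OK = 0, SA_SHORT = -1, SA_BAD_HDRS = -2, SA_BAD_KEYBUF = -3, SA_BAD_ALGKEY = -4 };

/* Overflow-safe test that [off, off+len) lies inside a region of `total` bytes. */
static int fits(uint32_t off, uint32_t len, size_t total) {
    return off <= total && len <= total - off;
}

/* Validate an untrusted request buffer before any key is read from it. */
int validate_add_sa_ex(const void *buf, size_t buf_len) {
    ADD_SA_EX sa;
    if (buf_len < sizeof sa) return SA_SHORT;
    memcpy(&sa, buf, sizeof sa);  /* snapshot, so checks and later use see the same values */
    if (sa.NumExtHdrs < 1 || sa.NumExtHdrs > MAX_EXT_HDRS) return SA_BAD_HDRS;
    /* Assumption: the key array must not overlap the fixed part of the structure. */
    if (sa.KeyOffset < sizeof sa || !fits(sa.KeyOffset, sa.KeyLength, buf_len))
        return SA_BAD_KEYBUF;
    for (uint32_t i = 0; i < sa.NumExtHdrs; i++) {
        const ALG_INFO *a[2] = { &sa.SecAssoc[i].AuthenticationAlgorithm,
                                 &sa.SecAssoc[i].EncryptionAlgorithm };
        for (int j = 0; j < 2; j++)  /* each key must lie inside the key buffer */
            if (!fits(a[j]->KeyOffsetBytes, a[j]->KeyLength, sa.KeyLength))
                return SA_BAD_ALGKEY;
    }
    return SA_OK;
}

/* Constructed sample: one ESP SA, 16-byte encryption key followed by an auth key. */
size_t make_sample(unsigned char *out, uint32_t key_off, uint32_t key_len, uint32_t auth_len) {
    ADD_SA_EX sa = {0};
    sa.NumExtHdrs = 1; sa.KeyOffset = key_off; sa.KeyLength = key_len;
    sa.SecAssoc[0].EncryptionAlgorithm = (ALG_INFO){ .KeyLength = 16, .KeyOffsetBytes = 0 };
    sa.SecAssoc[0].AuthenticationAlgorithm = (ALG_INFO){ .KeyLength = auth_len, .KeyOffsetBytes = 16 };
    memcpy(out, &sa, sizeof sa);
    memset(out + sizeof sa, 0xAA, 36);  /* 36 bytes of placeholder key material */
    return sizeof sa + 36;
}
```

The subtraction form in `fits` avoids the integer wraparound that a naive `off + len <= total` comparison would allow with attacker-chosen 32-bit values.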
Requirements
Requirement | Value |
---|---|
Minimum supported client | Supported in NDIS 6.30 and later. |
Header | ndis.h (include Ndis.h) |