NDIS_IPSEC_OFFLOAD_V2 structure (ntddndis.h)
[The IPsec Task Offload feature is deprecated and should not be used.]
The NDIS_IPSEC_OFFLOAD_V2 structure provides information about Internet protocol security (IPsec) version 2 task offload capabilities in the NDIS_OFFLOAD structure.
Syntax
typedef struct _NDIS_IPSEC_OFFLOAD_V2 {
ULONG Encapsulation;
BOOLEAN IPv6Supported;
BOOLEAN IPv4Options;
BOOLEAN IPv6NonIPsecExtensionHeaders;
BOOLEAN Ah;
BOOLEAN Esp;
BOOLEAN AhEspCombined;
BOOLEAN Transport;
BOOLEAN Tunnel;
BOOLEAN TransportTunnelCombined;
BOOLEAN LsoSupported;
BOOLEAN ExtendedSequenceNumbers;
ULONG UdpEsp;
ULONG AuthenticationAlgorithms;
ULONG EncryptionAlgorithms;
ULONG SaOffloadCapacity;
} NDIS_IPSEC_OFFLOAD_V2, *PNDIS_IPSEC_OFFLOAD_V2;
Members
Encapsulation
The MAC encapsulation types that are supported for IPsec offload. For more information about this member, see the following Remarks section.
IPv6Supported
A BOOLEAN value that is set to TRUE if IPsec offload processing on IPv6 traffic is supported. Otherwise, this member is FALSE.
IPv4Options
A BOOLEAN value that is set to TRUE if the NIC supports IPsec offload of packets with IPv4 options. Otherwise, this member is FALSE.
IPv6NonIPsecExtensionHeaders
A BOOLEAN value that is set to TRUE if the NIC supports IPsec offload processing for packets with non-IPsec IPv6 extension headers in addition to IPsec headers. Otherwise, this member is FALSE.
Ah
A BOOLEAN value that is set to TRUE if the NIC can perform IPsec offload operations on send and receive packets that contain an authentication header (AH) security payload. Otherwise, this member is FALSE.
Esp
A BOOLEAN value that is set to TRUE if the NIC can perform IPsec offload operations on send and receive packets that contain an encapsulating security payload (ESP). Otherwise, this member is FALSE.
AhEspCombined
A BOOLEAN value that is set to TRUE if the NIC can perform IPsec offload operations on send and receive packets that contain both an AH payload and an ESP payload. Otherwise, this member is FALSE.
Transport
A BOOLEAN value that is set to TRUE if the NIC can process security payloads for the transport-mode portion of send and receive packets. (The transport-mode portion of a packet pertains to an end-to-end connection.) Otherwise, this member is FALSE.
Tunnel
A BOOLEAN value that is set to TRUE if the NIC can process security payloads for the tunnel-mode portion of send and receive packets. (The tunnel-mode portion of a packet pertains to a tunnel connection.) Otherwise, this member is FALSE.
TransportTunnelCombined
A BOOLEAN value that is set to TRUE if the NIC can process security payloads for both the transport-mode portion and the tunnel-mode portion of send and receive packets. Otherwise, this member is FALSE. The transport-mode portion of a packet pertains to an end-to-end connection. The tunnel-mode portion of a packet pertains to a tunnel connection.
LsoSupported
A BOOLEAN value that is set to TRUE if the NIC supports large send offload (LSO). Otherwise, this member is FALSE. Note that the LSO capabilities of the NIC are specified in the LsoV1 or LsoV2 members of the NDIS_OFFLOAD structure. The LsoSupported flag indicates that the capabilities that are specified in those members are also valid if the connection is secured with IPsec.
ExtendedSequenceNumbers
A BOOLEAN value that is set to TRUE if the NIC supports IPsec extended sequence numbers. Otherwise, this member is FALSE.
UdpEsp
The types of UDP-encapsulated ESP data packets that the NIC can parse. For a description of the UDP-encapsulation types, see UDP-ESP Encapsulation Types. This member can be one or more of the following flags:
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_NONE
IPsec offload processing is not available for any UDP encapsulation type.
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_TRANSPORT
IPsec offload is supported for an ESP-encapsulated transport-mode packet that is encapsulated by UDP.
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_TUNNEL
IPsec offload is supported for the tunnel-mode portion of a packet that is UDP-encapsulated. The transport-mode portion of the packet is not UDP-encapsulated and is not ESP-protected.
IPSEC_OFFLOAD_V2_TRANSPORT_OVER_UDP_ESP_ENCAPSULATION_TUNNEL
IPsec offload is supported for the tunnel-mode portion of a packet that is UDP-encapsulated. The transport-mode portion of a packet is not UDP-encapsulated but is ESP-protected.
IPSEC_OFFLOAD_V2_UDP_ESP_ENCAPSULATION_TRANSPORT_OVER_TUNNEL
IPsec offload is supported for the tunnel-mode portion of a packet that is not UDP-encapsulated. The transport-mode portion of a packet is UDP-encapsulated and ESP-protected.
AuthenticationAlgorithms
A bit mask that identifies the IPsec authentication algorithms that the NIC supports. Miniport drivers specify a bitwise OR of the following values:
IPSEC_OFFLOAD_V2_AUTHENTICATION_MD5
The NIC can use the keyed message digest 5 (MD5) algorithm for computing or validating a cryptographic checksum.
IPSEC_OFFLOAD_V2_AUTHENTICATION_SHA_1
The NIC can use the secure hash algorithm (SHA) 1 algorithm for computing or validating a cryptographic checksum.
IPSEC_OFFLOAD_V2_AUTHENTICATION_SHA_256
The NIC can use the SHA 256 algorithm for computing or validating a cryptographic checksum.
IPSEC_OFFLOAD_V2_AUTHENTICATION_AES_GCM_128
The NIC can use the Advanced Encryption Standard - Galois/Counter Mode (AES-GMAC) 128 algorithm for computing or validating a cryptographic checksum.
IPSEC_OFFLOAD_V2_AUTHENTICATION_AES_GCM_192
The NIC can use the AES-GMAC 192 algorithm for computing or validating a cryptographic checksum.
IPSEC_OFFLOAD_V2_AUTHENTICATION_AES_GCM_256
The NIC can use the AES-GMAC 256 algorithm for computing or validating a cryptographic checksum.
EncryptionAlgorithms
A bit mask that identifies the IPsec encryption algorithms that the NIC supports. This bit mask is a bitwise OR of the following values:
IPSEC_OFFLOAD_V2_ENCRYPTION_NONE
The NIC can use null encryption--that is, the ESP payload without encryption but with authentication information.
IPSEC_OFFLOAD_V2_ENCRYPTION_DES_CBC
The NIC can use the DES algorithm for encrypting and decrypting ESP payloads.
IPSEC_OFFLOAD_V2_ENCRYPTION_3_DES_CBC
The NIC can use the triple-DES algorithm for encrypting and decrypting ESP payloads.
IPSEC_OFFLOAD_V2_ENCRYPTION_AES_GCM_128
The NIC can use the AES-GCM 128 algorithm for encrypting and computing a cryptographic checksum or decrypting and validating a cryptographic checksum for an ESP payload. Note that this algorithm is a combined mode algorithm.
IPSEC_OFFLOAD_V2_ENCRYPTION_AES_GCM_192
The NIC can use the AES-GCM 192 algorithm for encrypting and computing a cryptographic checksum or decrypting and validating a cryptographic checksum for an ESP payload. Note that this algorithm is a combined mode algorithm.
IPSEC_OFFLOAD_V2_ENCRYPTION_AES_GCM_256
The NIC can use the AES-GCM 256 algorithm for encrypting and computing a cryptographic checksum or decrypting and validating a cryptographic checksum for an ESP payload. Note that this algorithm is a combined mode algorithm.
IPSEC_OFFLOAD_V2_ENCRYPTION_AES_CBC_128
The NIC can use the Advanced Encryption Standard - cipher-block chaining mode (AES-CBC) 128 algorithm for encrypting and decrypting ESP payloads.
IPSEC_OFFLOAD_V2_ENCRYPTION_AES_CBC_192
The NIC can use the AES-CBC 192 algorithm for encrypting and decrypting ESP payloads.
IPSEC_OFFLOAD_V2_ENCRYPTION_AES_CBC_256
The NIC can use the AES-CBC 256 algorithm for encrypting and decrypting ESP payloads.
SaOffloadCapacity
The number of SA bundles, which might include ESP or AH or both, that can be offloaded to the NIC. The TCP/IP maintains a count of the number of offloaded SA bundles and should not add more than the maximum number of SA bundles that the miniport driver reported.
Remarks
In NDIS 6.1 and later versions, the NDIS_IPSEC_OFFLOAD_V2 structure is used in the IPsecV2 member of the NDIS_OFFLOAD structure. The NDIS_IPSEC_OFFLOAD_V2 structure specifies the current or supported capabilities that a miniport adapter provides for IPsec offload processing.
For OID_TCP_OFFLOAD_CURRENT_CONFIG, the NDIS_OFFLOAD structure specifies the task offload capabilities that a miniport adapter supports. If the current offload capabilities change, a miniport driver reports the new capabilities in an NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG status indication.
The Encapsulation member of NDIS_IPSEC_OFFLOAD_V2 defines the MAC encapsulations that a miniport adapter supports for IPsec offload.
In response to an OID_TCP_OFFLOAD_CURRENT_CONFIG query request, NDIS provides a bitwise OR of the encapsulation flags, which indicate the supported encapsulation settings, in the Encapsulation member. Miniport drivers must provide Ethernet encapsulation (NDIS_ENCAPSULATION_IEEE_802_3). The other types of encapsulation are optional.
For an NDIS_STATUS_TASK_OFFLOAD_CURRENT_CONFIG status indication, the miniport driver provides a bitwise OR of the encapsulation flags, which indicate the current capabilities, in the Encapsulation member.
The following flags are defined for the Encapsulation member:
Requirements
Requirement | Value |
---|---|
Minimum supported client | Supported in NDIS 6.1 and later. |
Header | ntddndis.h (include Ndis.h) |