Impact of Network Interface Changes on IPsec Offloads (NDIS 5.1)

Note: NDIS 5.x has been deprecated and is superseded by NDIS 6.x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5.x drivers to NDIS 6.x, see Porting NDIS 5.x Drivers to NDIS 6.0.

The following events in the network interface affect the offloading of Internet Protocol security (IPsec) tasks:

  • A NIC is removed.

    Before a NIC to which tasks are being offloaded is removed from the system, its miniport driver should delete all security associations (SAs) from the NIC. The miniport driver does not have to request that the TCP/IP transport delete the SAs.

  • A routing interface is changed.

    When network traffic is routed through a new interface, the TCP/IP stack temporarily performs IPsec tasks until it has added the appropriate SAs to the NIC that is used in the new interface. The TCP/IP stack adds an SA to a NIC by issuing OID_TCP_TASK_IPSEC_ADD_SA. After the SAs on the NIC that is used for the old interface expire, the TCP/IP transport issues OID_TCP_TASK_IPSEC_DELETE_SA as many times as necessary to request that the NIC's miniport driver delete the SAs from the NIC.
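The SA lifecycle described in the two cases above, as an added example that is not part of the original documentation and is not NDIS code: a user-mode C model of a NIC's offloaded-SA table. Every type and function name here is hypothetical, and the capacity, SPIs and key bytes are constructed.

```c
/* User-mode model of a NIC's offloaded-SA table. All names are hypothetical;
 * a real miniport services these paths as OID set requests and a halt. */
#include <string.h>
#define MAX_SAS 4                              /* constructed capacity */
typedef struct { int in_use; unsigned handle, spi; unsigned char key[16]; } sa_slot;
typedef struct { sa_slot slots[MAX_SAS]; unsigned next_handle; } nic_model;

/* ADD_SA path: store the SA and return its handle (0 = no free slot). */
unsigned nic_add_sa(nic_model *n, unsigned spi, const unsigned char *key) {
    for (int i = 0; i < MAX_SAS; i++) {
        sa_slot *s = &n->slots[i];
        if (s->in_use) continue;
        s->in_use = 1; s->handle = ++n->next_handle; s->spi = spi;
        memcpy(s->key, key, sizeof s->key);
        return s->handle;
    }
    return 0;
}
/* DELETE_SA path: one request deletes exactly one SA, named by its handle. */
int nic_delete_sa(nic_model *n, unsigned handle) {
    for (int i = 0; i < MAX_SAS; i++)
        if (n->slots[i].in_use && n->slots[i].handle == handle) {
            memset(&n->slots[i], 0, sizeof n->slots[i]);  /* clears the key too */
            return 1;
        }
    return 0;                                  /* unknown or already deleted */
}
/* NIC removal: the driver deletes every SA itself; nothing is requested
 * from the transport. Returns the number of SAs deleted. */
int nic_remove(nic_model *n) {
    int deleted = 0;
    for (int i = 0; i < MAX_SAS; i++)
        if (n->slots[i].in_use) deleted += nic_delete_sa(n, n->slots[i].handle);
    return deleted;
}
int nic_sa_count(const nic_model *n) {
    int c = 0;
    for (int i = 0; i < MAX_SAS; i++) c += n->slots[i].in_use;
    return c;
}
/* Routing change: add SAs to the new NIC, then (old SAs expired) issue one
 * delete per SA on the old NIC. Model shortcut: SA data is read from the old table. */
int route_change(nic_model *old_nic, nic_model *new_nic) {
    int deletes = 0;
    for (int i = 0; i < MAX_SAS; i++) if (old_nic->slots[i].in_use)
        nic_add_sa(new_nic, old_nic->slots[i].spi, old_nic->slots[i].key);
    for (int i = 0; i < MAX_SAS; i++) if (old_nic->slots[i].in_use)
        deletes += nic_delete_sa(old_nic, old_nic->slots[i].handle);
    return deletes;
}
```

A useful check against a real driver is the same invariant the model enforces: after the removal path runs, the SA count is zero and no slot still holds key material.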

 

 
