Offloading IPsec Tasks in the Receive Path (NDIS 5.1)

Note   NDIS 5.x has been deprecated and is superseded by NDIS 6.x. For new NDIS driver development, see Network Drivers Starting with Windows Vista. For information about porting NDIS 5.x drivers to NDIS 6.x, see Porting NDIS 5.x Drivers to NDIS 6.0.

When a NIC performs Internet Protocol security (IPsec) processing on a receive packet, it decrypts the packet if the packet contains an ESP payload and calculates the AH and/or ESP encryption checksum(s) for the packet. Before indicating the packet up to the TCP/IP transport, the miniport driver calls the NDIS_PER_PACKET_INFO_FROM_PACKET macro with an InfoType of IpSecNdisTask to obtain a pointer to the NDIS_IPSEC_PACKET_INFO structure that is associated with the packet. Alternatively, it can call the NDIS_PACKET_EXTENSION_FROM_PACKET macro to obtain a pointer to the NDIS_PACKET_EXTENSION structure that is associated with the packet descriptor.

The miniport driver sets the CRYPTO_DONE flag in the NDIS_IPSEC_PACKET_INFO structure to indicate that its NIC performed IPsec checking on at least one IPsec payload in the receive packet. If the miniport driver's NIC performed IPsec checking on both the tunnel and transport portions of a receive packet, the miniport driver also sets the NEXT_CRYPTO_DONE flag in the NDIS_IPSEC_PACKET_INFO structure. The miniport driver sets NEXT_CRYPTO_DONE only if a packet has both tunnel and transport IPsec payloads. Otherwise, the miniport driver sets NEXT_CRYPTO_DONE to zero. To indicate the results of the IPsec checks, the miniport driver must also supply a value for the CryptoStatus member in the NDIS_IPSEC_PACKET_INFO structure. If the NIC detects a checksum failure or a decryption failure, the miniport driver must still indicate up the receive packet in whatever form it is and specify the appropriate CryptoStatus value.

Note that, if the miniport driver is not decrypting an incoming packet, it clears both the CRYPTO_DONE and the NEXT_CRYPTO_DONE flags. The miniport driver does this for all receive packets that it does not decrypt, regardless of whether the packet is AH-protected or ESP-protected. The miniport driver sets CryptoStatus to CRYPTO_SUCCESS for all packets that it does not decrypt.

After the miniport driver indicates the packet to the TCP/IP transport, the transport examines the results of the IPsec checks that the NIC performed, checks the sequence number(s) for the packet, and determines what to do with a packet that fails the checksum and/or sequencing tests.
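The flag and status rules above, worked through as a small C model added here (this is not code from ndis.h or from Microsoft). The struct layout mirrors only the receive fields the text names, and the failure codes are placeholders for the example; only CRYPTO_SUCCESS is a value the page gives.

```c
#include <stdbool.h>

/* Simplified stand-in for the Receive member of NDIS_IPSEC_PACKET_INFO.
 * Assumption for this example: just the fields the text names, not the
 * exact ndis.h layout. */
typedef struct {
    unsigned int CRYPTO_DONE      : 1;  /* NIC checked at least one IPsec payload */
    unsigned int NEXT_CRYPTO_DONE : 1;  /* NIC checked both tunnel and transport */
    unsigned int CryptoStatus;          /* result of the NIC's IPsec checks */
} IPSEC_RX_INFO;

/* CRYPTO_SUCCESS is named on the page; the two failure codes are
 * placeholders for this example, not the constants from ndis.h. */
enum {
    CRYPTO_SUCCESS = 0,
    EXAMPLE_TRANSPORT_CHECK_FAILED = 1,
    EXAMPLE_TUNNEL_CHECK_FAILED = 2
};

/* Build the per-packet info from what the NIC reported for one packet:
 * whether it verified each IPsec payload and whether that check passed. */
IPSEC_RX_INFO ipsec_rx_info_for(bool transport_checked, bool transport_ok,
                                bool tunnel_checked, bool tunnel_ok)
{
    IPSEC_RX_INFO info = {0};

    /* Nothing decrypted by the NIC: both flags clear, status CRYPTO_SUCCESS. */
    if (!transport_checked && !tunnel_checked)
        return info;

    info.CRYPTO_DONE = 1;
    /* NEXT_CRYPTO_DONE only when the NIC checked both payloads. */
    info.NEXT_CRYPTO_DONE = (transport_checked && tunnel_checked) ? 1 : 0;

    /* A failed check is still indicated up; the failure is reported in
     * CryptoStatus so the transport decides what to do with the packet. */
    if (tunnel_checked && !tunnel_ok)
        info.CryptoStatus = EXAMPLE_TUNNEL_CHECK_FAILED;
    else if (transport_checked && !transport_ok)
        info.CryptoStatus = EXAMPLE_TRANSPORT_CHECK_FAILED;
    else
        info.CryptoStatus = CRYPTO_SUCCESS;
    return info;
}

/* Consistency check the transport side can apply to what a miniport reports:
 * NEXT_CRYPTO_DONE requires CRYPTO_DONE, and a packet the NIC did not
 * process must carry CRYPTO_SUCCESS. */
bool ipsec_rx_info_consistent(IPSEC_RX_INFO info)
{
    if (info.NEXT_CRYPTO_DONE && !info.CRYPTO_DONE)
        return false;
    if (!info.CRYPTO_DONE && info.CryptoStatus != CRYPTO_SUCCESS)
        return false;
    return true;
}
```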
