
OID_TCP_TASK_IPSEC_ADD_SA

The OID_TCP_TASK_IPSEC_ADD_SA OID is set by the transport protocol to request that a miniport driver add one or more security associations (SAs) to its NIC.

The information for each SA is formatted as an OFFLOAD_IPSEC_ADD_SA structure, which is defined as follows:

typedef struct _OFFLOAD_IPSEC_ADD_SA {
  IPAddr  SrcAddr;
  IPMask  SrcMask;
  IPAddr  DestAddr;
  IPMask  DestMask;
  ULONG  Protocol;
  USHORT  SrcPort;
  USHORT  DestPort;
  IPAddr  SrcTunnelAddr;
  IPAddr  DestTunnelAddr;
  USHORT  Flags;
  SHORT  NumSAs;
  OFFLOAD_SECURITY_ASSOCIATION  SecAssoc[OFFLOAD_MAX_SAS];
  NDIS_HANDLE  OffloadHandle;
  ULONG  KeyLen;
  UCHAR  KeyMat[1];
} OFFLOAD_IPSEC_ADD_SA, *POFFLOAD_IPSEC_ADD_SA;

The members of this structure contain the following information:

SrcAddr
Specifies the IP address of the source host (the host sending the packets)
SrcMask
Specifies the subnet mask for the source IP address
DestAddr
Specifies the IP address of the destination host (the host receiving the packets)
DestMask
Specifies the subnet mask for the destination IP address
Protocol
Specifies the IP protocol. Any IP protocol type, such as TCP, UDP, or ICMP, can be specified. The encoding of Protocol is identical to that of the Protocol field in an IP header (for example, 6 for TCP and 17 for UDP). If Protocol is set to zero, the SA applies to any IP protocol.
SrcPort
Specifies a source TCP or UDP port. If SrcPort is set to zero, the SA applies to any source TCP/UDP port.
DestPort
Specifies a destination TCP or UDP port. If DestPort is set to zero, the SA applies to any destination TCP/UDP port.
SrcTunnelAddr
Specifies the IP address for the source endpoint, such as a connector, of a tunnel. The miniport driver uses SrcTunnelAddr as the source address for the tunnel IP header of packets sent on the SA. SrcTunnelAddr is specified only for an SA that applies to the tunnel portion of a packet. SrcTunnelAddr is set to zero for an SA that applies to the transport portion of a packet.
DestTunnelAddr
Specifies the IP address for the destination endpoint, such as a connector, of a tunnel. The miniport driver uses DestTunnelAddr as the destination address for the tunnel IP header of packets sent on the SA. DestTunnelAddr is specified only for an SA that applies to the tunnel portion of a packet. DestTunnelAddr is set to zero for an SA that applies to the transport portion of a packet.
Flags
A bitmask that indicates whether the SA being added is an inbound or outbound SA as follows:
OFFLOAD_INBOUND_SA
Specifies an inbound SA.
OFFLOAD_OUTBOUND_SA
Specifies an outbound SA.
NumSAs
Specifies the number of elements in the SecAssoc array. Each element in the array is an OFFLOAD_SECURITY_ASSOCIATION structure, which is described below.
SecAssoc
Specifies a variable-length array that contains the information on the IP Security operations (AH and/or ESP) for the SA. The information for each IP Security operation is formatted as an OFFLOAD_SECURITY_ASSOCIATION structure, which is described below.

The TCP/IP transport specifies one or two OFFLOAD_SECURITY_ASSOCIATION structures in the buffer at SecAssoc. Each OFFLOAD_SECURITY_ASSOCIATION structure indicates the type of operation—authentication or encryption/decryption—for which the SA specified in the structure is to be used. The order of the OFFLOAD_SECURITY_ASSOCIATION structures in the array indicates the order in which the miniport driver should perform the operations for each SA. Only one combination of operations is supported: encryption/decryption (ESP) followed by authentication (AH).

OffloadHandle
Specifies the handle to the newly created SA. The miniport driver supplies this handle before completing the OID_TCP_TASK_IPSEC_ADD_SA request. The TCP/IP transport must specify this handle in the NDIS_IPSEC_PACKET_INFO structure before passing a send packet to the miniport driver. The TCP/IP transport must also specify this handle when deleting the SA with an OID_TCP_TASK_IPSEC_DELETE_SA request.
KeyLen
Specifies the length in bytes of the buffer at KeyMat.
KeyMat
Specifies a variable-length array that contains the key(s) for the SA(s) specified at SecAssoc. If both a confidentiality (encryption/decryption) algorithm and an integrity (authentication) algorithm are specified by the ConfAlgo and IntegrityAlgo members of an OFFLOAD_SECURITY_ASSOCIATION structure, the buffer at KeyMat contains the key for the integrity algorithm first, followed immediately by the key for the confidentiality algorithm, with no padding between them (see algoKeylen below). The keys for the SAs in SecAssoc appear in the same order as the SAs themselves.

The length of each key in the buffer at KeyMat is specified by algoKeylen in the OFFLOAD_ALGO_INFO structure that specifies the confidentiality or integrity algorithm. (An OFFLOAD_ALGO_INFO structure is a member of an OFFLOAD_SECURITY_ASSOCIATION structure.)

The first seven members of the OFFLOAD_IPSEC_ADD_SA structure (SrcAddr, SrcMask, DestAddr, DestMask, Protocol, SrcPort, and DestPort) constitute a filter that specifies the source and destination, as well as the IP protocol(s), to which the SA(s) apply. This filter pertains to a transport-mode connection—that is, an end-to-end connection between two hosts. If the specified connection is made through a tunnel, the source and destination addresses of the tunnel are specified by SrcTunnelAddr and DestTunnelAddr, respectively.

If a filter parameter is set to zero, that parameter is not used to filter packets for the specified SA(s). For example, if SrcAddr is set to zero, the specified SA(s) can apply to a packet that contains any source address. To take this to the extreme, if all the filter parameters are set to zero, the specified SA(s) apply to any source host sending any type of packet to any destination host.

The TCP/IP transport can specify an IP protocol in the Protocol member to indicate that the specified SA(s) apply only to packets of the specified protocol type. If Protocol is set to zero, the specified SA(s) apply to all packets sent from the specified source to the specified destination.

OFFLOAD_SECURITY_ASSOCIATION structure

An OFFLOAD_SECURITY_ASSOCIATION structure specifies a single security association (SA). The OFFLOAD_SECURITY_ASSOCIATION structure is an element in the SecAssoc variable-length array. SecAssoc contains one or two OFFLOAD_SECURITY_ASSOCIATION structures.

The OFFLOAD_SECURITY_ASSOCIATION structure is defined as follows:

typedef struct _OFFLOAD_SECURITY_ASSOCIATION {
  OFFLOAD_OPERATION_E  Operation;
  SPI_TYPE  SPI;
  OFFLOAD_ALGO_INFO  IntegrityAlgo;
  OFFLOAD_ALGO_INFO  ConfAlgo;
  OFFLOAD_ALGO_INFO  Reserved;
} OFFLOAD_SECURITY_ASSOCIATION, *POFFLOAD_SECURITY_ASSOCIATION;

The members of the OFFLOAD_SECURITY_ASSOCIATION structure contain the following information:

Operation
Specifies the IP security operation for which the SA is to be used. The following operations are supported:
AUTHENTICATE
Specifies that the SA is to be used for authentication (integrity checking).
ENCRYPT
Specifies that the SA is to be used for encryption/decryption (confidentiality).
SPI
Specifies the Security Parameters Index for the SA.
IntegrityAlgo
Specifies the integrity (authentication) algorithm for the SA, formatted as an OFFLOAD_ALGO_INFO structure. The OFFLOAD_ALGO_INFO structure is described below.
ConfAlgo
Specifies the confidentiality (encryption/decryption) algorithm for the SA, formatted as an OFFLOAD_ALGO_INFO structure. The OFFLOAD_ALGO_INFO structure is described below.
Reserved
This is reserved.

An SA specified for use in processing authentication headers (AH) has an operation type of AUTHENTICATE and an IntegrityAlgo (integrity algorithm). Such an SA has no ConfAlgo (confidentiality algorithm); in this case, ConfAlgo contains zeros.

An SA specified for use in processing encapsulating security payloads (ESPs) will have an operation type of ENCRYPT and may have an IntegrityAlgo (integrity algorithm) and/or a ConfAlgo (confidentiality algorithm).

OFFLOAD_ALGO_INFO structure

The OFFLOAD_ALGO_INFO structure, which is a member of an OFFLOAD_SECURITY_ASSOCIATION structure, specifies an algorithm used for a security association (SA).

The OFFLOAD_ALGO_INFO structure is defined as follows:

typedef struct _OFFLOAD_ALGO_INFO {
  ULONG  algoIdentifier;
  ULONG  algoKeylen;
  ULONG  Reserved;
} OFFLOAD_ALGO_INFO, *POFFLOAD_ALGO_INFO;

The members of an OFFLOAD_ALGO_INFO structure contain the following information:

algoIdentifier
Specifies the confidentiality or integrity algorithm used for the SA.

If the algorithm is a confidentiality algorithm (that is, if the OFFLOAD_ALGO_INFO structure is specifying a ConfAlgo), algoIdentifier can be any of the following values:

OFFLOAD_IPSEC_CONF_NONE
Specifies no confidentiality algorithm. Used for null encryption—that is, when a packet is not encrypted but its ESP header contains authentication information.
OFFLOAD_IPSEC_CONF_DES
Specifies the DES algorithm.
OFFLOAD_IPSEC_CONF_3_DES
Specifies the triple-DES algorithm.

If the algorithm is an integrity algorithm (that is, if the OFFLOAD_ALGO_INFO structure is specifying an IntegrityAlgo), algoIdentifier can be any of the following values:

OFFLOAD_IPSEC_INTEGRITY_NONE
Specifies no integrity algorithm. Used when the ESP header contains no authentication information.
OFFLOAD_IPSEC_INTEGRITY_MD5
Specifies the keyed MD5 algorithm.
OFFLOAD_IPSEC_INTEGRITY_SHA
Specifies the SHA-1 algorithm.

These identifiers are the only algorithms the interface can express. DES and keyed MD5 are obsolete by current cryptographic standards, and there is no identifier for AES or for the SHA-2 family, so a NIC programmed through this OID can offload only the legacy DES/3DES and MD5/SHA-1 suites.

algoKeylen
Specifies in bytes the length of the key for the algorithm. The key is contained in the buffer at KeyMat, which is the variable-length array specified in the OFFLOAD_IPSEC_ADD_SA structure.

If only an integrity algorithm (IntegrityAlgo) is specified in the OFFLOAD_SECURITY_ASSOCIATION structure, algoKeylen indicates the length of the key for the integrity algorithm, starting from the beginning of the buffer at KeyMat.

If both an integrity and a confidentiality algorithm (IntegrityAlgo and ConfAlgo) are specified, algoKeylen for the integrity algorithm indicates the length of the key for the integrity algorithm, starting from the beginning of the buffer at KeyMat. The algoKeylen for the confidentiality algorithm, in this case, indicates the length of the key for the confidentiality algorithm, starting from the end of the key for the integrity algorithm. Because KeyLen gives the total size of the buffer at KeyMat, the algoKeylen values of all algorithms across all SAs in SecAssoc must add up to KeyLen; a miniport driver should verify this, and that each algoKeylen matches the key size of the identified algorithm, before copying key material to the NIC.

Reserved
This is reserved.
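The validation a miniport driver would perform on an OID_TCP_TASK_IPSEC_ADD_SA request, covering the SA ordering rule given for SecAssoc, the AH/ESP algorithm rules given for OFFLOAD_SECURITY_ASSOCIATION, and the KeyMat layout given for algoKeylen, as an added C example; it is not part of the WDK documentation or of any Microsoft or vendor driver. The Windows type and constant definitions (including OFFLOAD_MAX_SAS = 3 and the numeric values of the OFFLOAD_* identifiers), the per-algorithm key sizes, the ADDSA_* error codes, the SAMPLE_BUF type, and the parse_add_sa and build_sample_request functions are assumptions made for the example, and the request it builds, including its key bytes, is constructed sample data.

```c
/* Added example, not WDK code: the checks a miniport driver would apply to an
 * OID_TCP_TASK_IPSEC_ADD_SA request before programming the NIC, and the KeyMat walk that
 * turns algoKeylen values into key pointers. Types and OFFLOAD_* values stand in for ntddndis.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef uint32_t ULONG; typedef uint16_t USHORT; typedef int16_t SHORT; typedef uint8_t UCHAR;
typedef ULONG IPAddr;   typedef ULONG IPMask;    typedef ULONG SPI_TYPE; typedef void *NDIS_HANDLE;
enum { OFFLOAD_MAX_SAS = 3, OFFLOAD_INBOUND_SA = 0x0001, OFFLOAD_OUTBOUND_SA = 0x0002,   /* assumed values */
       OFFLOAD_IPSEC_CONF_NONE = 1, OFFLOAD_IPSEC_CONF_DES = 2, OFFLOAD_IPSEC_CONF_3_DES = 4,
       OFFLOAD_IPSEC_INTEGRITY_NONE = 1, OFFLOAD_IPSEC_INTEGRITY_MD5 = 2, OFFLOAD_IPSEC_INTEGRITY_SHA = 3 };
typedef enum { AUTHENTICATE = 1, ENCRYPT = 2 } OFFLOAD_OPERATION_E;
typedef struct { ULONG algoIdentifier; ULONG algoKeylen; ULONG Reserved; } OFFLOAD_ALGO_INFO;
typedef struct { OFFLOAD_OPERATION_E Operation; SPI_TYPE SPI;
                 OFFLOAD_ALGO_INFO IntegrityAlgo, ConfAlgo, Reserved; } OFFLOAD_SECURITY_ASSOCIATION;
typedef struct {
    IPAddr SrcAddr; IPMask SrcMask; IPAddr DestAddr; IPMask DestMask; ULONG Protocol;
    USHORT SrcPort, DestPort; IPAddr SrcTunnelAddr, DestTunnelAddr; USHORT Flags; SHORT NumSAs;
    OFFLOAD_SECURITY_ASSOCIATION SecAssoc[OFFLOAD_MAX_SAS]; NDIS_HANDLE OffloadHandle;
    ULONG KeyLen; UCHAR KeyMat[1];
} OFFLOAD_IPSEC_ADD_SA;
/* Where one SA's keys live inside KeyMat once the request has been validated. */
typedef struct { const UCHAR *integrity_key, *conf_key; ULONG integrity_len, conf_len; } SA_KEYS;
enum { ADDSA_OK = 0, ADDSA_E_SHORT, ADDSA_E_KEYMAT_OVERRUN, ADDSA_E_NUMSAS, ADDSA_E_FLAGS,
       ADDSA_E_TUNNEL, ADDSA_E_ORDER, ADDSA_E_OPERATION, ADDSA_E_ALGO, ADDSA_E_KEYLEN };

/* Key size each listed algorithm takes (HMAC-MD5 16, HMAC-SHA-1 20, DES 8, 3DES 24 bytes),
 * 0 for the NONE identifiers, -1 for an identifier this table does not know. */
static long expected_keylen(int integrity, ULONG id)
{
    if (integrity)
        return id == OFFLOAD_IPSEC_INTEGRITY_NONE ? 0 : id == OFFLOAD_IPSEC_INTEGRITY_MD5 ? 16
             : id == OFFLOAD_IPSEC_INTEGRITY_SHA ? 20 : -1;
    return id == OFFLOAD_IPSEC_CONF_NONE ? 0 : id == OFFLOAD_IPSEC_CONF_DES ? 8
         : id == OFFLOAD_IPSEC_CONF_3_DES ? 24 : -1;
}

/* Validate a request of buflen bytes and fill keys[0..NumSAs-1]; returns an ADDSA_* code. */
int parse_add_sa(const OFFLOAD_IPSEC_ADD_SA *req, size_t buflen, SA_KEYS *keys)
{
    size_t hdr = offsetof(OFFLOAD_IPSEC_ADD_SA, KeyMat);
    if (buflen < hdr) return ADDSA_E_SHORT;
    if (req->KeyLen > buflen - hdr) return ADDSA_E_KEYMAT_OVERRUN; /* KeyLen claims bytes the buffer lacks */
    if (req->NumSAs < 1 || req->NumSAs > 2) return ADDSA_E_NUMSAS;  /* the transport sends one or two SAs */
    USHORT dir = req->Flags & (OFFLOAD_INBOUND_SA | OFFLOAD_OUTBOUND_SA);
    if (dir != OFFLOAD_INBOUND_SA && dir != OFFLOAD_OUTBOUND_SA) return ADDSA_E_FLAGS;
    if ((req->SrcTunnelAddr == 0) != (req->DestTunnelAddr == 0)) return ADDSA_E_TUNNEL; /* both or neither */
    /* The only supported two-SA combination is ESP (ENCRYPT) followed by AH (AUTHENTICATE). */
    if (req->NumSAs == 2 && (req->SecAssoc[0].Operation != ENCRYPT ||
                             req->SecAssoc[1].Operation != AUTHENTICATE)) return ADDSA_E_ORDER;
    ULONG off = 0;
    for (int i = 0; i < req->NumSAs; i++) {
        const OFFLOAD_SECURITY_ASSOCIATION *sa = &req->SecAssoc[i];
        long ilen = expected_keylen(1, sa->IntegrityAlgo.algoIdentifier);
        long clen = expected_keylen(0, sa->ConfAlgo.algoIdentifier);
        if (ilen < 0 || clen < 0 || (ULONG)ilen != sa->IntegrityAlgo.algoKeylen ||
            (ULONG)clen != sa->ConfAlgo.algoKeylen) return ADDSA_E_ALGO; /* unknown algorithm or key size */
        if (sa->Operation == AUTHENTICATE) { if (ilen == 0 || clen != 0) return ADDSA_E_OPERATION; } /* AH */
        else if (sa->Operation == ENCRYPT) { if (ilen == 0 && clen == 0) return ADDSA_E_OPERATION; } /* ESP */
        else return ADDSA_E_OPERATION;
        if ((ULONG)(ilen + clen) > req->KeyLen - off) return ADDSA_E_KEYLEN; /* would read past KeyMat */
        /* Integrity key first, then confidentiality key, each algoKeylen bytes, no padding. */
        keys[i].integrity_key = ilen ? req->KeyMat + off : NULL; keys[i].integrity_len = (ULONG)ilen; off += (ULONG)ilen;
        keys[i].conf_key      = clen ? req->KeyMat + off : NULL; keys[i].conf_len      = (ULONG)clen; off += (ULONG)clen;
    }
    return off == req->KeyLen ? ADDSA_OK : ADDSA_E_KEYLEN; /* unconsumed trailing bytes are an error too */
}

/* Constructed sample: 20 (SHA-1) + 24 (3DES) key bytes for the ESP SA, then 16 (MD5) for the AH SA. */
#define SAMPLE_KEYLEN 60
typedef union { OFFLOAD_IPSEC_ADD_SA req;
                UCHAR raw[offsetof(OFFLOAD_IPSEC_ADD_SA, KeyMat) + SAMPLE_KEYLEN]; } SAMPLE_BUF;
/* Outbound transport-mode SAs for TCP 10.0.0.1 -> 10.0.0.2:443: ESP with 3DES + SHA-1 (SPI 0x1000)
 * then AH with MD5 (SPI 0x2000). Key bytes are placeholder patterns. Returns the request size. */
size_t build_sample_request(SAMPLE_BUF *b)
{
    OFFLOAD_IPSEC_ADD_SA *r = &b->req;
    UCHAR *km = b->raw + offsetof(OFFLOAD_IPSEC_ADD_SA, KeyMat);
    memset(b, 0, sizeof *b);
    r->SrcAddr = 0x0100000AUL; r->SrcMask = 0xFFFFFFFFUL;    /* 10.0.0.1/32, network order on an LE host */
    r->DestAddr = 0x0200000AUL; r->DestMask = 0xFFFFFFFFUL;  /* 10.0.0.2/32 */
    r->Protocol = 6; r->SrcPort = 0; r->DestPort = 443;      /* TCP, any source port, destination 443 */
    r->Flags = OFFLOAD_OUTBOUND_SA; r->NumSAs = 2; r->KeyLen = SAMPLE_KEYLEN;
    r->SecAssoc[0].Operation = ENCRYPT; r->SecAssoc[0].SPI = 0x1000;
    r->SecAssoc[0].IntegrityAlgo.algoIdentifier = OFFLOAD_IPSEC_INTEGRITY_SHA; r->SecAssoc[0].IntegrityAlgo.algoKeylen = 20;
    r->SecAssoc[0].ConfAlgo.algoIdentifier = OFFLOAD_IPSEC_CONF_3_DES;         r->SecAssoc[0].ConfAlgo.algoKeylen = 24;
    r->SecAssoc[1].Operation = AUTHENTICATE; r->SecAssoc[1].SPI = 0x2000;
    r->SecAssoc[1].IntegrityAlgo.algoIdentifier = OFFLOAD_IPSEC_INTEGRITY_MD5; r->SecAssoc[1].IntegrityAlgo.algoKeylen = 16;
    r->SecAssoc[1].ConfAlgo.algoIdentifier = OFFLOAD_IPSEC_CONF_NONE;          /* algoKeylen stays 0 */
    memset(km, 0xA1, 20); memset(km + 20, 0xB2, 24); memset(km + 44, 0xC3, 16);
    return offsetof(OFFLOAD_IPSEC_ADD_SA, KeyMat) + SAMPLE_KEYLEN;
}

int main(void)
{
    SAMPLE_BUF b; SA_KEYS k[OFFLOAD_MAX_SAS] = {{0}};
    size_t n = build_sample_request(&b);
    int rc = parse_add_sa(&b.req, n, k);
    printf("valid request: rc=%d, ESP SA keys %lu+%lu bytes, AH SA key %lu bytes\n", rc,
           (unsigned long)k[0].integrity_len, (unsigned long)k[0].conf_len, (unsigned long)k[1].integrity_len);
    b.req.KeyLen = SAMPLE_KEYLEN + 1;   /* claim more key bytes than the buffer holds */
    printf("oversized KeyLen: rc=%d (expect %d)\n", parse_add_sa(&b.req, n, k), ADDSA_E_KEYMAT_OVERRUN);
    return rc;
}
```

The parser treats KeyLen, NumSAs, the algorithm identifiers and every algoKeylen as untrusted input and refuses to hand the NIC a key pointer it has not bounds-checked against the request buffer; the final `off == KeyLen` test catches a request whose algoKeylen values do not account for the whole buffer. Tunnel-mode requests are accepted when both tunnel addresses are set; filtering on the seven header fields is left to the NIC, as the text describes.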