LWF driver and TCP Large Segment Offload ...

Matthew_Grooms · December 15, 2010, 4:52pm

All,

I have a LWF driver that is part of an IPsec VPN client. It is designed
to intercept traffic on both the send and receive paths. I recently had
a bug report related to slow performance when sending data over a TCP
stream. We narrowed it down to TCP Large Segment Offload being handled
incorrectly by the kernel driver. I have implemented software emulation
to segment the large TCP packet so I can process it successfully. I say
successfully because when the segmented packets are sent to the peer, it
ACKs the appropriate TCP sequences. However, it would appear that the
Microsoft stack thinks that the LSO operations have failed. Shortly
after sending down the LSO packet, it will send a non LSO packet that
duplicates the first segment of the LSO packet ( as if the LSO packet
were not processed correctly ). It will then send another LSO packet
that references a sequence number that would be appropriate for a packet
that follows the non LSO packet. In other words, it looks like this …

SEND LSO SEGMENTS A,B,C
RECV ACK UP TO C
SEND NON-LSO SEGMENT A
SEND LSO SEGMENTS B,C,D
RECV ACK UP TO D
SEND NON-LSO SEGMENT B
SEND LSO SEGMENTS C,D,E
RECV ACK UP TO E
SEND NON-LSO SEGMENT C

This cycle continues until the TCP data stream is completely sent,
albeit at the rate of about 20KB/s

I have read this page about a dozen times now, and I don’t think I’ve
missed anything …

http://msdn.microsoft.com/en-us/library/ff568840(v=VS.85).aspx

… After completing my fake offload segmentation, I mark the original
NBL NDIS_TCP_LARGE_SEND_OFFLOAD_NET_BUFFER_LIST_INFO appropriately for
the LSO version ( V1 or V2 ), the NBL status with success and complete
the NBL send operation. I have tested this code with separate NICs that
implement both V1 and V2 and I always experience the same problem. All
sent IP and TCP header checksums are correct according to wireshark (
also emulated by my driver ) and, as I said before, the LSO segments are
ACKd by the TCP peer. I really have no idea what’s going wrong.

Anyone have a suggestion? I am trying hard to be a good NDIS citizen by
not disabling LSO features for adapter bindings. Are there other ways a
Miniport indicates that it has successfully processed LSO besides the
NDIS_TCP_LARGE_SEND_OFFLOAD_NET_BUFFER_LIST_INFO information? I’ve been
at this for a few days now and am all out of ideas.

Thanks in advance,

-Matthew

Matthew_Grooms · December 16, 2010, 12:49am

On 12/15/2010 3:50 PM, Matthew Grooms wrote:

Anyone have a suggestion? I am trying hard to be a good NDIS citizen by
not disabling LSO features for adapter bindings. Are there other ways a
Miniport indicates that it has successfully processed LSO besides the
NDIS_TCP_LARGE_SEND_OFFLOAD_NET_BUFFER_LIST_INFO information? I’ve been
at this for a few days now and am all out of ideas.

Thanks in advance,

Please disregard. I found the problem.

Thanks,

-Matthew