microsoft / net-offloads

Specs for new networking hardware offloads.
MIT License

How do we ensure plaintext never leaks? #68

Open mtfriesen opened 1 year ago

mtfriesen commented 1 year ago
  1. How do we ensure a QEO packet decrypted by the NIC never gets misdelivered to the wrong socket? Windows allows packets to be pended all over the place, so what happens if a local UDP port or QEO offload ID gets reused while a decrypted packet is sitting in a queue?
  2. How do we ensure a QEO packet never gets transmitted onto the wire in plaintext? Is this 100% the responsibility of the NIC? What if an intermediate component calls NDIS APIs to clone a packet and fails to copy the QEO OOB?