IPSec - Security Association (SA) - Security Parameter Index (SPI) - Security Policy Database (SPD)

Security Association (SA)

  • SA is a cryptographically protected connection (i.e. IPSec session)
  • SA specifies the encryption/authentication algorithms, keys, parameters, etc
  • SA identified by:
    • Security Parameter Index (SPI)
    • Destination IP Address
    • Protocol Identifier (AH or ESP)
  • Security Policy Database (SPD) – specifies what kind of protection should be applied to packets
    (according to source/destination address, port numbers, user ID, data sensitivity level, etc.)
  • each SA entry contains:
    • AH info – key, key lifetime, integrity algorithm, etc
    • ESP info – key, key lifetime, integrity algorithm, encryption algorithm, etc
    • sequence number counter
    • anti-replay window – at the destination SA
    • lifetime of the SA
    • others – protocol mode, Path MTU (PMTU), etc

  • a database of SA entries (the Security Association Database, SAD) is stored at the host/router
  • a single SA defines the IPSec communication between 2 hosts/routers, therefore 2 copies are stored (one at each host/router)
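A small Python model of the pieces listed above, added here as an illustration and not taken from the original notes or from any IPsec implementation: an ordered SPD whose selectors decide whether traffic is protected, bypassed or discarded; an SAD keyed by the (SPI, destination address, protocol) triple; and a per-SA sequence counter on the sending side with the sliding anti-replay window described in RFC 4303 on the destination side. The addresses, SPI value, key bytes and window size are constructed sample values, and the first-match policy ordering and the 64-packet window are assumptions of this example.

```python
"""Toy SPD / SAD / anti-replay model for the IPSec notes above (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

AH, ESP = 51, 50  # IP protocol numbers identifying AH and ESP


@dataclass
class SPDEntry:
    """One policy: selectors plus the action to apply to matching traffic."""
    src: str            # source network, e.g. "10.0.0.0/24"
    dst: str            # destination network
    dport: Optional[int]  # destination port, None = any
    action: str         # "PROTECT", "BYPASS" or "DISCARD"
    proto: Optional[int] = None  # AH or ESP when action is PROTECT


def spd_lookup(spd: List[SPDEntry], src_ip: str, dst_ip: str, dport: int) -> Optional[SPDEntry]:
    """First-match policy lookup (assumption: the SPD is an ordered list, like a firewall ruleset)."""
    for entry in spd:
        if (ip_address(src_ip) in ip_network(entry.src)
                and ip_address(dst_ip) in ip_network(entry.dst)
                and (entry.dport is None or entry.dport == dport)):
            return entry
    return None


@dataclass
class SA:
    """One Security Association with the fields the notes list per SA entry."""
    spi: int
    dst: str
    proto: int
    key: bytes
    integ_alg: str
    enc_alg: Optional[str] = None     # only meaningful for ESP
    lifetime_seconds: int = 3600      # sample lifetime
    seq_counter: int = 0              # sender side: last sequence number used
    window_size: int = 64             # anti-replay window (destination side)
    highest_seq: int = 0              # highest sequence number accepted so far
    bitmap: int = 0                   # bit k set => highest_seq - k was received

    def next_seq(self) -> int:
        """Sender side: every outbound packet gets a strictly increasing sequence number."""
        self.seq_counter += 1
        return self.seq_counter

    def check_replay(self, seq: int) -> bool:
        """Destination side: accept seq once, reject replays and packets older than the window."""
        if seq == 0:                       # 0 is never a valid sequence number
            return False
        if seq > self.highest_seq:         # new high-water mark: slide the window right
            shift = seq - self.highest_seq
            self.bitmap = (self.bitmap << shift) | 1 if shift < self.window_size else 1
            self.bitmap &= (1 << self.window_size) - 1
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:       # too old: fell off the left edge of the window
            return False
        if self.bitmap & (1 << diff):      # already seen: replay
            return False
        self.bitmap |= 1 << diff           # late but fresh: mark it received
        return True


class SAD:
    """Security Association Database keyed by the (SPI, destination address, protocol) triple."""
    def __init__(self) -> None:
        self._entries = {}

    def add(self, sa: SA) -> None:
        self._entries[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: int) -> Optional[SA]:
        return self._entries.get((spi, dst, proto))


def process_inbound(sad: SAD, spi: int, dst: str, proto: int, seq: int) -> str:
    """Destination-side handling of a protected packet: find the SA, then run the anti-replay check."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "DISCARD: no SA for (SPI, dst, proto)"
    if not sa.check_replay(seq):
        return "DISCARD: replayed or stale sequence number"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample: SSH from the 10.0.0.0/24 network to 10.0.0.2 must be protected with ESP.
    spd = [SPDEntry("10.0.0.0/24", "10.0.0.2/32", 22, "PROTECT", ESP),
           SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, "BYPASS")]
    sa = SA(spi=0x1001, dst="10.0.0.2", proto=ESP, key=b"\x11" * 32,
            integ_alg="HMAC-SHA256", enc_alg="AES-CBC")
    sad = SAD()
    sad.add(sa)
    print(spd_lookup(spd, "10.0.0.7", "10.0.0.2", 22).action)      # PROTECT
    for seq in (1, 3, 2, 2):
        print(seq, process_inbound(sad, 0x1001, "10.0.0.2", ESP, seq))  # last one is a replay
```

The same SA object would be installed in the SAD of both endpoints; the sender advances `seq_counter` while the receiver maintains `highest_seq` and `bitmap`, which is why the notes place the anti-replay window at the destination SA.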