
Security Associations

The Security Association (SA) is a fundamental element of IPsec. RFC 2401 defines the SA as "a simplex 'connection' that affords security services to the traffic carried by it." This rather murky definition becomes clearer once the SA's parts are spelled out: an SA consists of three things.

  • A Security Parameter Index (SPI)
  • An IP destination address
  • A security protocol (AH or ESP) identifier

As a simplex connection, an SA associates a single destination with the SPI; thus, for typical IP traffic there will be two SAs, one for each direction in which secured traffic flows (one with each host as the destination). SAs provide security services using either AH or ESP, but not both; if a traffic stream uses both AH and ESP, it has two (or more) SAs.

The Security Parameter Index (SPI) is an identifier indicating the type of IP header the security association is being used for (AH or ESP). The SPI is a 32-bit value that identifies the SA and differentiates it from other SAs linked to the same destination address. For secure communication between two systems, there would be two different security associations, one for each destination address.

Each security association carries further information about the type of security negotiated for that connection, so systems must keep track of their SAs and of which encryption or authentication algorithms, key lengths, and key lifetimes have been negotiated with each SA's destination host.
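As an added illustration (not code from the original page), the following Python models the SA database a host must keep, keyed by the RFC 2401 triple (SPI, destination address, protocol), and looks up the SA for an incoming AH or ESP packet by reading the SPI from the packet header. The hosts, SPIs and negotiated parameters are constructed sample values.

```python
import ipaddress
import struct
from dataclasses import dataclass

# IP protocol numbers of the two IPsec security protocols
AH = 51
ESP = 50


@dataclass(frozen=True)
class SecurityAssociation:
    """One simplex SA plus the parameters negotiated for it (field set is illustrative)."""
    spi: int          # 32-bit Security Parameter Index
    dst: str          # IP destination address of the traffic this SA protects
    proto: int        # AH or ESP, never both in one SA
    cipher: str       # "none" for an AH-only SA
    auth: str         # integrity/authentication algorithm
    key_bits: int
    lifetime_s: int


def sa_key(spi: int, dst: str, proto: int) -> tuple:
    """The RFC 2401 triple (SPI, destination, protocol) that identifies an SA."""
    return (spi, str(ipaddress.ip_address(dst)), proto)


def parse_ipsec_header(proto: int, payload: bytes) -> tuple:
    """Return (SPI, sequence number) from the start of an AH or ESP IP payload.
    ESP: SPI (4 bytes), sequence number (4), then ciphertext.
    AH:  next header (1), payload length (1), reserved (2), then SPI (4) and sequence number (4)."""
    if proto == ESP:
        return struct.unpack("!II", payload[:8])
    if proto == AH:
        return struct.unpack("!II", payload[4:12])
    raise ValueError("protocol %d is neither AH nor ESP" % proto)


def lookup_sa(sad: dict, proto: int, dst: str, payload: bytes):
    """Find the inbound SA for a packet, or None when no SA matches the triple."""
    spi, _seq = parse_ipsec_header(proto, payload)
    return sad.get(sa_key(spi, dst, proto))


# Constructed SA database for hosts A (10.0.0.1) and B (10.0.0.2): one SA per direction,
# plus an AH SA to C (10.0.0.3) that reuses SPI 0x1000 and is still a distinct SA.
SAD = {sa_key(sa.spi, sa.dst, sa.proto): sa for sa in (
    SecurityAssociation(0x1000, "10.0.0.2", ESP, "aes-cbc", "hmac-sha1", 128, 3600),  # A -> B
    SecurityAssociation(0x2000, "10.0.0.1", ESP, "aes-cbc", "hmac-sha1", 128, 3600),  # B -> A
    SecurityAssociation(0x1000, "10.0.0.3", AH, "none", "hmac-sha1", 160, 1800),      # A -> C
)}

# Constructed ESP packet to B: SPI 0x1000, sequence number 7, then dummy ciphertext.
ESP_TO_B = struct.pack("!II", 0x1000, 7) + b"\x00" * 16
```

The same SPI appears in two entries, yet each lookup resolves to a single SA because the destination address and protocol are part of the key.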
