22.2. Security associations

The concept of a security association is germane to IPsec. Security protocols make use of Security Associations (SAs) as they provide security services (the main responsibility of key management is to establish and manage SAs). An SA is a relationship between two entities that defines how they are going to use security services to secure their communications. It includes information on authentication and/or encryption algorithms, cryptographic keys and key lengths as well as the Initialization Vectors (IVs) that are shared between the entities. An SA is unidirectional; so, typically two SAs are needed for a bidirectional flow of traffic – one for inbound (read) traffic and one for outbound (write) traffic. An SA is uniquely identified by the following three items:

  • Security Parameter Index (SPI);

  • destination IP address;

  • security protocol (either AH or ESP).

The management of SAs involves two databases: the SPD and the SAD. The SPD contains the policies by which all inbound and outbound traffic is categorized on a host or a security gateway. The SAD is a container for all active SAs and related parameters. A set of selectors – IP layer and upper layer (e.g., TCP and UDP) protocol field values – is used by the SPD to map traffic to a specific SA.
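The SPD/SAD interplay described above, modelled in a few dozen lines of Python (an added example, not code from the book). The SAD is keyed by the identifying triple (SPI, destination IP, AH or ESP); the SPD is an ordered list of selector entries; selectors are simplified here to (source IP, destination IP, upper-layer protocol), and all addresses, SPIs and algorithm names are constructed values.

```python
# Added example (not from the book): minimal model of the SPD/SAD lookup described in the text.
# Constructed data; selectors simplified to (source IP, destination IP, upper-layer protocol), None = any.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAKey = Tuple[int, str, str]  # identifying triple: (SPI, destination IP, "AH" or "ESP")
Selector = Tuple[Optional[str], Optional[str], Optional[str]]
SPDEntry = Tuple[Selector, str, Optional[SAKey]]  # action: PROTECT, BYPASS or DISCARD

@dataclass(frozen=True)
class SA:
    spi: int
    dst_ip: str
    protocol: str           # "AH" or "ESP"
    auth_alg: str
    enc_alg: Optional[str]  # None for AH, which only authenticates

    def key(self) -> SAKey:
        return (self.spi, self.dst_ip, self.protocol)

def sad_add(sad: Dict[SAKey, SA], sa: SA) -> None:
    if sa.key() in sad:  # the (SPI, destination, protocol) triple must be unique
        raise ValueError(f"duplicate SA {sa.key()}")
    sad[sa.key()] = sa

def classify(spd: List[SPDEntry], sad: Dict[SAKey, SA], pkt: dict) -> Tuple[str, Optional[SA]]:
    """First matching SPD entry wins; for PROTECT the SA is resolved in the SAD."""
    fields = (pkt["src"], pkt["dst"], pkt["proto"])
    for selector, action, sa_key in spd:
        if all(s is None or s == f for s, f in zip(selector, fields)):
            if action != "PROTECT":
                return action, None
            sa = sad.get(sa_key)  # None: policy wants protection but key management has not set up an SA
            return ("PROTECT" if sa else "NEED_SA"), sa
    return "DISCARD", None  # no policy matched

def build_pair(a: str, b: str) -> Tuple[List[SPDEntry], Dict[SAKey, SA]]:
    """Protect TCP between a and b: two unidirectional ESP SAs, one per direction."""
    sad: Dict[SAKey, SA] = {}
    out_sa = SA(0x1001, b, "ESP", "HMAC-SHA2-256", "AES-128-CBC")  # a -> b
    in_sa = SA(0x2002, a, "ESP", "HMAC-SHA2-256", "AES-128-CBC")   # b -> a
    sad_add(sad, out_sa)
    sad_add(sad, in_sa)
    spd: List[SPDEntry] = [
        ((a, b, "TCP"), "PROTECT", out_sa.key()),
        ((b, a, "TCP"), "PROTECT", in_sa.key()),
        ((None, None, "UDP"), "BYPASS", None),
    ]
    return spd, sad
```

Because each SA is unidirectional, `build_pair` installs two SAs with distinct SPIs, and traffic in each direction resolves to its own SA; an SA with the same SPI and destination but the other protocol is a distinct entry, since all three fields make up the key.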
