Security association

A security association (SA) is a group of algorithms and parameters used to encrypt and authenticate the flow of IP traffic in a particular direction. An SA contains the information IPsec needs to process an IP packet. IPsec identifies SAs by:
  • Security Parameter Index (SPI)

  • Protocol value (either AH or ESP)

  • Destination address to which the SA applies

Creation of a security association

Typically SAs exist in pairs; one in each direction, either inbound or outbound.

You can create SAs manually or dynamically. After you create an SA manually, the SA has no defined lifetime and the SA exists until you manually delete the SA.

After the device creates the SA dynamically, the SA can have a lifetime value that IPsec peers negotiate through use of a key management protocol. If the device uses the key excessively unauthorized access can occur. You must define the IPsec lifetime and other configurable parameters manually.

Security associations reside in the Security Association Database (SADB), which maintains a list of active SAs. The IPsec feature uses outbound SAs to secure the outgoing traffic and inbound SAs to process the incoming traffic. The device checks every ingress or egress packet for the IPsec base protocol, either AH or ESP. The base protocol interacts with the security policy database (SPD) and security association database (SADB) to check the level of security to apply to that packet.

The IPsec feature restricts SAs to the source and destination address of the connected router.