101
0/228
Loading content...
When two hosts or networks need to communicate securely using IPSec, they don't simply encrypt packets and hope the receiver can decrypt them. Instead, they establish a Security Association (SA)—a carefully negotiated agreement that defines exactly how security services will be applied to their communication.
Think of an SA as a security contract between two parties. Before any encrypted data flows, both sides must agree on:
Without Security Associations, IPSec would be chaos. Each packet would need to carry its own negotiation data, and receivers would have no way to know how to decrypt or verify incoming packets. SAs provide the essential framework that makes IPSec practical and scalable.
By the end of this page, you will understand the Security Association concept at a deep level—what SAs are, why they exist, how they're identified, and their unidirectional nature. This knowledge forms the foundation for understanding SA parameters, databases, and the IKE protocol in subsequent pages.
A Security Association (SA) is a simplex (one-way) logical connection that provides security services to the traffic carried over it. In formal terms, an SA is a set of security parameters that define a specific security relationship between two communicating entities.
The Formal Definition (RFC 4301):
An SA is:
"A simplex 'connection' that affords security services to the traffic carried by it. Security services are afforded to an SA by the use of either AH or ESP, but not both."
Let's break this definition down systematically:
Think of an SA as a legal contract between two parties. The contract specifies: "We agree to encrypt all traffic using AES-256-GCM with this specific key, and we'll use this HMAC for integrity checking, and this agreement expires in 8 hours." Both parties must have identical copies of this contract to communicate securely.
The unidirectional (simplex) nature of Security Associations is one of the most critical concepts to understand. This design choice isn't arbitrary—it provides flexibility and security benefits that a bidirectional model wouldn't allow.
Why Unidirectional?
Consider a scenario where Host A and Host B need secure communication:
| Direction | SA Required | Purpose | Unique Parameters |
|---|---|---|---|
| A → B | SA₁ (Outbound for A, Inbound for B) | Protects traffic from A to B | Keys, algorithms, SPI chosen for A→B direction |
| B → A | SA₂ (Outbound for B, Inbound for A) | Protects traffic from B to A | Keys, algorithms, SPI chosen for B→A direction |
Benefits of Unidirectional SAs:
Many newcomers assume that establishing "an IPSec connection" creates a single bidirectional SA. This is incorrect. What appears as a single secure tunnel is actually implemented using a pair of SAs—one for each direction. IKE (Internet Key Exchange) typically negotiates these as a pair, but they remain logically separate.
When an IPSec-protected packet arrives at its destination, the receiver must determine which Security Association applies to that packet. How does it know which decryption key to use? Which integrity algorithm to apply? The answer lies in the Security Parameters Index (SPI).
What is the SPI?
The SPI is a 32-bit identifier included in every AH and ESP header. When combined with the destination IP address and the security protocol (AH or ESP), it uniquely identifies the SA to be used for processing that packet.
| Component | Description | Example |
|---|---|---|
| Security Parameters Index (SPI) | 32-bit unique identifier assigned by the receiving host | 0x12345678 |
| Destination IP Address | The IP address of the SA's destination endpoint | 192.168.1.100 |
| Security Protocol | Either AH (51) or ESP (50) protocol identifier | ESP (50) |
SPI Assignment Rules:
The SPI is chosen by the receiving party during SA negotiation, not the sender. This is crucial:
Reserved SPI Values:
Certain SPI values are reserved and cannot be used for normal SAs:
The SPI only needs to be unique per (destination IP, protocol) pair, not globally unique. Host B might use SPI 0x12345678 for an ESP SA with Host A, and the same SPI 0x12345678 for a different ESP SA with Host C. The destination IP address differentiates them.
12345678910111213141516171819202122232425
// ESP Header (Encapsulating Security Payload)// RFC 4303 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Security Parameters Index (SPI) | ← 32-bit SA identifier+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Sequence Number | ← Anti-replay counter+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Payload Data (variable) |~ ~| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Integrity Check Value (ICV) |~ (variable length) ~+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // Packet Processing at Receiver:// 1. Extract SPI from ESP header: 0x12345678// 2. Get destination IP from IP header: 192.168.1.100// 3. Protocol is ESP (IP protocol 50)// 4. Lookup SA using triple: (0x12345678, 192.168.1.100, ESP)// 5. Retrieve encryption key, algorithm, and other parameters from SA// 6. Decrypt and verify packet using SA parametersA critical rule of IPSec architecture is that each SA is associated with exactly one security protocol—either AH or ESP, never both. This might seem limiting, but it provides clarity and flexibility in implementation.
Why One Protocol Per SA?
Each protocol has different header formats, different processing requirements, and different security services. Mixing them in a single SA would create complex state management and ambiguous packet processing. Instead, when both AH and ESP protection are needed, multiple SAs are used together through SA Bundling.
SA Bundling for Combined Protection:
When an application requires both AH and ESP protection (for example, encrypting the payload while also authenticating the IP header), multiple SAs are bundled together. There are two approaches:
| Approach | Description | Processing Order | Use Case |
|---|---|---|---|
| Transport Adjacency | Both AH and ESP applied independently in transport mode | ESP applied first, then AH | Host-to-host with header authentication |
| Iterated Tunneling | Nested tunnel mode SAs | Inner SA processed, then outer SA | Gateway-to-gateway with multiple security domains |
In modern deployments, ESP with authentication is the most common choice. It provides encryption, integrity, and authentication in a single SA. AH is rarely used because ESP can do everything AH does (except authenticate the outer IP header in transport mode), plus encryption. SA bundling is increasingly uncommon.
Each Security Association operates in one of two modes: Transport Mode or Tunnel Mode. The mode determines how IPSec encapsulates the original IP packet and significantly affects the SA's behavior and use cases.
Transport Mode:
In transport mode, the original IP header is preserved, and only the IP payload (transport layer and above) is protected by IPSec. The security header (AH or ESP) is inserted between the original IP header and the transport layer header.
1234567891011121314151617181920
// Original IP Packet:+-------------+-------------+------------------+| IP Header | TCP Header | TCP Data || (Src, Dst) | (Port info) | (Application) |+-------------+-------------+------------------+ // After ESP Transport Mode Processing:+-------------+------------+-------------+------------------+----------+-----+| IP Header | ESP Header | TCP Header | TCP Data | ESP Tail | ICV || (preserved) | (SPI) | (encrypted) | (encrypted) | (padding)| |+-------------+------------+-------------+------------------+----------+-----+ |<----------- Encrypted Payload ------------->| |<------------------ Authenticated ------------------>| Key characteristics:- Original IP header remains visible (source and destination IPs exposed)- Transport layer (TCP/UDP) header is encrypted- End-to-end security between two hosts- Lower overhead than tunnel mode- Cannot be used through NAT (IPSec-aware NAT traversal required)Tunnel Mode:
In tunnel mode, the entire original IP packet (header and payload) is encapsulated within a new IP packet. The security header protects the complete original packet, and a new outer IP header is added for routing.
123456789101112131415161718192021
// Original IP Packet:+-------------+-------------+------------------+| IP Header | TCP Header | TCP Data || (Src, Dst) | (Port info) | (Application) |+-------------+-------------+------------------+ // After ESP Tunnel Mode Processing:+-------------+------------+-------------+-------------+------------------+----------+-----+| New IP Hdr | ESP Header | Original | TCP Header | TCP Data | ESP Tail | ICV || (Gw to Gw) | (SPI) | IP Hdr | (encrypted) | (encrypted) | (padding)| |+-------------+------------+-------------+-------------+------------------+----------+-----+ |<------------------- Encrypted Payload ------------------->| |<----------------------- Authenticated ------------------------>| Key characteristics:- Original IP packet completely hidden (privacy protection)- New IP header for routing between tunnel endpoints- Gateway-to-gateway or host-to-gateway security- Higher overhead due to additional IP header- Works through NAT (outer header is what NAT sees)- VPN implementations typically use tunnel mode| Aspect | Transport Mode | Tunnel Mode |
|---|---|---|
| IP Header | Original header preserved | Original header encrypted, new header added |
| Typical Use | Host-to-host security | VPN, gateway-to-gateway security |
| Overhead | Lower (no extra IP header) | Higher (+20 bytes for new IP header) |
| NAT Compatibility | Problematic without NAT-T | Better (outer header is NAT-friendly) |
| Privacy | Endpoints visible | Original endpoints hidden |
| MTU Impact | Minimal | Significant (encapsulation overhead) |
The mode is a property of the SA, negotiated during SA establishment. Both endpoints must agree on the mode. Tunnel mode is mandatory for gateway-to-gateway SAs and common for remote access VPNs. Transport mode is used for host-to-host protection where gateway encapsulation isn't needed.
Security Associations are not permanent structures. They have a defined lifecycle that includes establishment, active use, and termination. Understanding this lifecycle is essential for maintaining secure communications and implementing proper key management.
SA Lifecycle Phases:
SA Lifetime Types:
Security Associations have two types of lifetimes that determine when rekeying or termination occurs:
| Lifetime Type | Measurement | Soft Limit Action | Hard Limit Action |
|---|---|---|---|
| Time-based | Seconds since establishment | Initiate rekeying | Delete SA immediately |
| Traffic-based | Bytes or packets processed | Initiate rekeying | Delete SA immediately |
The soft lifetime triggers proactive rekeying while the SA is still valid, ensuring a replacement SA is ready before expiration. The hard lifetime is the absolute maximum—when reached, the SA is deleted even if no replacement exists. Proper configuration ensures soft lifetime << hard lifetime to avoid traffic interruption.
In modern IPSec implementations using IKEv2, there are two distinct types of Security Associations with different purposes and characteristics:
IKE SA (IKEv2 SA):
The IKE SA is a bidirectional security association used to protect the IKE protocol traffic itself. It's established during the initial IKE_SA_INIT and IKE_AUTH exchanges and provides:
Child SA (IPSec SA):
Child SAs are the actual IPSec SAs (using AH or ESP) that protect user traffic. They're created under the protection of an existing IKE SA and are what we typically refer to when discussing IPSec SAs.
| Characteristic | IKE SA | Child SA |
|---|---|---|
| Direction | Bidirectional | Unidirectional (pairs for two-way) |
| Protocol | IKE (UDP 500/4500) | ESP or AH |
| Purpose | Protect IKE negotiation | Protect user traffic |
| Identification | IKE SPIs (initiator + responder) | Single SPI per direction |
| Typical Lifetime | Hours to days | Minutes to hours |
| Traffic Protected | IKE messages only | Application data |
| Count per Connection | One per peer pair | Multiple (one per policy/direction) |
The IKE SA acts as a 'parent' that can spawn multiple Child SAs. When the IKE SA is deleted, all Child SAs under it are typically deleted as well. However, Child SAs can be rekeyed independently of the IKE SA, and multiple traffic flows can each have their own Child SA pair.
We've established a solid foundation for understanding Security Associations—the architectural cornerstone of IPSec. Let's consolidate the key concepts:
What's Next:
Now that we understand what Security Associations are and how they're identified, the next page dives into SA Parameters—the specific cryptographic and operational values that each SA contains. We'll examine encryption algorithms, authentication methods, sequence numbers, and all the other parameters that make an SA functional.
You now understand the Security Association concept—the fundamental building block of IPSec security. This knowledge is essential for understanding how IPSec implementations work, how to troubleshoot VPN issues, and how to design secure network architectures.