Please Whitelist This Site?
I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)
If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.
If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.
Thanks for your understanding!
Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide
NOTE: Using software to mass-download the site degrades the server and is prohibited.
If you want to read The TCP/IP Guide offline, please consider licensing it. Thank you.
IPSec Security Associations and the Security Association Database (SAD); Security Policies and the Security Policy Database (SPD); Selectors; the Security Parameter Index (SPI)
(Page 1 of 2)
Woah, there sure is a lot of "security"
stuff in that topic title. Those items are all closely related, and
important to understand before we proceed to looking at the core IPSec
protocols themselves. These constructs are used to guide the operation
of IPSec in a general way and also in particular exchanges between devices.
They control how IPSec works and ensure that each datagram coming into
or leaving an IPSec-capable device is properly treated.
Where to start
where to start.
J Let's begin
by considering the problem of how to apply security in a device that
may be handling many different exchanges of datagrams with others. There
is overhead involved in providing security, so we do not want to do
it for every message that comes in or out. Some types of messages may
need more security, others less. Also, exchanges with certain devices
may require different processing than others.
Security Policies, Security Associations and Associated Databases
To manage all of this complexity,
IPSec is equipped with a flexible, powerful way of specifying how different
types of datagrams should be handled. To understand how this works,
we must first define two important logical concepts:
- Security Policies: A security policy
is a rule that is programmed into the IPSec implementation that tells
it how to process different datagrams received by the device. For example,
security policies are used to decide if a particular packet needs to
be processed by IPSec or not; those that do not bypass AH and ESP entirely.
If security is required, the security policy provides general guidelines
for how it should be provided, and if necessary, links to more specific
Security policies for a device are stored in the device's Security
Policy Database (SPD).
- Security Associations: A Security Association
(SA) is a set of security information that describes a particular
kind of secure connection between one device and another. You can consider
it a "contract", if you will, that specifies the particular security
mechanisms that are used for secure communications between the two.
A device's security associations are contained in its Security Association
It's often hard to distinguish the
SPD and the SAD, since they are similar in concept. The main difference
between them is that security policies are general while security associations
are more specific. To determine what to do with a particular datagram,
a device first checks the SPD. The security policies in the SPD may
reference a particular security association in the SAD. If so, the device
will look up that security association and use it for processing the
|If you find The TCP/IP Guide useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider purchasing a download license of The TCP/IP Guide. Thanks for your support!|
Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.