SAs are one of the most basic concepts of IPSec. They represent a policy contract between two peers or hosts and describe how the peers will use IPSec security services to protect network traffic. SAs contain all the security parameters that are needed to securely transport packets between peers or hosts, and in practice they define the security policy used in IPSec.

The figure illustrates the concept of an SA. The routers in the figure use IPSec to protect traffic between hosts A and B, and therefore need two SAs (one in each direction) to describe traffic protection in both directions. Establishment of SAs is a prerequisite for IPSec traffic protection to work. When relevant SAs are established, IPSec refers to them for all parameters that are needed to protect a particular traffic flow. For example, an SA might enforce the following policy: "For traffic between hosts A and B use ESP 3DES with keys K1, K2, and K3 for payload encryption, SHA-1 with K4 for authentication..."

IPSec SAs always contain unidirectional (one-way) specifications. They are also encapsulation-protocol specific: for each given traffic flow, there is a separate SA for each encapsulation protocol, AH and ESP. If two hosts A and B are communicating securely using both AH and ESP, then each host builds separate SAs (inbound and outbound) for each protocol. VPN devices store all their active SAs in a local database called the SA database.

An SA contains these security parameters:

■ Authentication and encryption algorithms, key length, and other parameters (such as key lifetime) that are used with protected packets.

■ Session keys for authentication (HMACs) and encryption, fed to the above algorithms. These can be entered manually or negotiated automatically with the help of the IKE protocol.

■ A specification of the network traffic to which the SA will be applied (that is, all IP traffic, only TELNET sessions, and so forth).

■ IPSec encapsulation protocol (AH or ESP) and mode (tunnel or transport).
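As an added illustration (not code from the original text), the following toy model of an SA database shows the rules stated above in working form: SAs are unidirectional and per-encapsulation protocol, so host A protecting TELNET to host B with both AH and ESP holds four SAs, and a lookup must match direction, protocol, traffic selector, and an unexpired lifetime before a packet can be protected. Addresses, SPIs, key names, and the selector fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Selector:  # traffic the SA applies to (constructed: nets, protocol, ports)
    src_net: str                      # "0.0.0.0/0" would mean all IP traffic
    dst_net: str
    ip_proto: Optional[int] = None    # 6 = TCP; None = any protocol
    src_port: Optional[int] = None    # None = any port
    dst_port: Optional[int] = None

    def matches(self, src, dst, ip_proto, src_port, dst_port):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and self.ip_proto in (None, ip_proto)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))

@dataclass
class SA:  # one unidirectional, encapsulation-specific security association
    spi: int
    direction: str             # "outbound" or "inbound"
    encap: str                 # "AH" or "ESP"
    mode: str                  # "tunnel" or "transport"
    selector: Selector
    auth_alg: str              # e.g. "HMAC-SHA1"
    enc_alg: Optional[str]     # AH provides no encryption
    keys: dict                 # session keys (constructed placeholders here)
    lifetime_end: int          # seconds; the SA must not be used after this time

class SADB(list):
    """Local SA database; every lookup is keyed by direction and encapsulation."""
    def lookup(self, direction, encap, src, dst, ip_proto, sport, dport, now):
        for sa in self:
            if (sa.direction == direction and sa.encap == encap and now < sa.lifetime_end
                    and sa.selector.matches(src, dst, ip_proto, sport, dport)):
                return sa
        return None  # no usable SA: the flow cannot be protected until one is negotiated

def build_host_a_sadb(now=0):
    """Host A (10.1.0.1) talking TELNET to host B (10.2.0.1) over both AH and ESP: 4 SAs."""
    out_sel = Selector("10.1.0.1/32", "10.2.0.1/32", ip_proto=6, dst_port=23)
    in_sel = Selector("10.2.0.1/32", "10.1.0.1/32", ip_proto=6, src_port=23)
    db, spi = SADB(), 0x1000
    for encap, enc in (("AH", None), ("ESP", "3DES")):
        for direction, sel in (("outbound", out_sel), ("inbound", in_sel)):
            spi += 1  # each SA gets its own SPI and its own keys
            db.append(SA(spi, direction, encap, "tunnel", sel, "HMAC-SHA1", enc, {"k": spi}, now + 3600))
    return db
```

A lookup for HTTP between the same hosts, for reply traffic against the outbound SA, or after the lifetime has passed returns no SA, which is exactly the case where IKE would have to negotiate a new one.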

