What is a Security Association used for in IPsec?

We covered this briefly in a prior article but I think a deeper dive would be helpful: let's discuss Security Associations and why they're important for IPsec.

I've said it before and I'll say it again: modern networking is highly dependent on trust and agreement. In order for two parties to successfully communicate with one another, they basically need to agree on some ground rules. This mindset is also true for IPsec architecture. Before an IPsec tunnel can be established, the two connecting devices (e.g. routers/firewalls/etc) need to agree on connection details. This includes things like: how the data will be protected, what protocols will be used, etc.

This leads into a critical part of IPSec: The Security Association (commonly abbreviated as SA). Think of a SA as basically a "contract". It dictates the overall terms of agreement between the two sides and defines all the necessary parameters for securing a particular flow/direction of IP packets through a tunnel. These details include stuff like:

• Security Protocol - Necessary for things like data integrity and authentication.
• Algorithms - The specific cryptographic algorithms to be used for encryption and hashing/authentication.
• Keys - Shared secret keys that the algorithms will use for encryption and authentication.
• Mode - The operational mode for IPsec (tunnel mode vs transport mode)
• Security Parameter Index (SPI) - A unique 32-bit value that, combined with some other stuff, uniquely identifies a specific SA at the receiving end.
• Sequence Numbers - Data that's used to prevent replay attacks ensuring that each packet is unique and processed only once.
• Lifetime - How long the SA is valid (either based on time or amount of data transmitted) before it needs to be renegotiated.

Phew! That's a lot of factors to keep track of. For the purpose of brevity, I'll stop here and refrain from going much deeper. I do want to mention one more important detail though: under normal circumstances, an IPSec tunnel will require two Security Associations (one for each direction flow... A --> B and B --> A). Both SAs have to be accepted and agreed upon, otherwise the tunnel won't be established.

Want more info? Check out the following resources:

IPsec Security Associations Overview | Junos OS | Juniper Networks

Another IPSec consideration is the type of security association (SA) that you wish to implement. An SA is a set of IPSec specifications that are negotiated between devices that are establishing an IPSec relationship. These specifications include preferences for the type of authentication, encryption, and IPSec protocol that should be used when establishing the IPSec connection. An SA can be either unidirectional or bidirectional, depending on the choices made by the network administrator. An SA is uniquely identified by a Security Parameter Index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP) identifier.

Juniper Networks

[MS-WPO]: Security Associations

IPsec relies on the concept of a security association, which consists of a shared state, primarily cryptographic keys and

Microsoft Learn

Security associations

The building block on which secure communications is built is a concept known as a security association. Security associations relate a specific set of security parameters to a type of traffic.

What is IPsec and how does it work?

An introduction to IPsec concepts.

Hack FAQsMike Berggren