 |
|
Please Whitelist This Site?
I know everyone hates ads. But please understand that I am providing premium content for free that takes hundreds of hours of time to research and write. I don't want to go to a pay-only model like some sites, but when more and more people block ads, I end up working for free. And I have a family to support, just like you. :)
If you like The TCP/IP Guide, please consider the download version. It's priced very economically and you can read all of it in a convenient format without ads.
If you want to use this site for free, I'd be grateful if you could add the site to the whitelist for Adblock. To do so, just open the Adblock menu and select "Disable on tcpipguide.com". Or go to the Tools menu and select "Adblock Plus Preferences...". Then click "Add Filter..." at the bottom, and add this string: "@@||tcpipguide.com^$document". Then just click OK.
Thanks for your understanding!
Sincerely, Charles Kozierok
Author and Publisher, The TCP/IP Guide
|
|
|
Custom Search
|
|
IPSec Security Associations and the Security Association Database (SAD); Security Policies and the Security Policy Database (SPD); Selectors; the Security Parameter Index (SPI)
(Page 2 of 2)
Selectors
One issue we haven't covered yet is how a device determines what policies or SAs to use for a specific datagram. Again here, IPSec defines a very flexible system that lets each security association define a set of rules for choosing datagrams that the SA applies to. Each of these rule sets is called a selector. For example, a selector might be defined that says that a particular range of values in the Source Address of a datagram, combined with another value in the Destination Address, means a specific SA must be used for the datagram.
Let's now come back to security associations, which are a very important concept in IPSec. Each secure communication that a device makes to another requires that an SA be established. SAs are unidirectional, so each one only handles either inbound or outbound traffic for a particular device. This allows different levels of security to be implemented for a flow from device A to device B, than for traffic coming from device B to device A. In a bidirectional communication of this sort, both A and B would have two SAs; A would have SAs we could call "SAdeviceBin" and "SAdeviceBout". Device B would have SAs "SAdeviceAin" and "SAdeviceAout".
Security associations don't actually have names, however. They are instead defined by a set of three parameters, called a triple:
- Security Parameter Index (SPI): A 32-bit
number that is chosen to uniquely identify a particular SA for any connected
device. The SPI is placed in AH or ESP datagrams and thus links each
secure datagram to the security association. It is used by the recipient
of a transmission so it knows what SA governs the datagram.
- IP Destination Address: The address of
the device for whom the SA is established.
- Security Protocol Identifier: Specifies whether this association is for AH or ESP. If both are in use with this device they have separate SAs.
As you can see, the two security protocols AH and ESP are dependent on security associations and policies and the various databases that control their operation. Management of these databases is important, but another whole complex subject. Generally, SAs can either be set up manually (which is of course extra work) or an automated system can be deployed using a protocol like IKE.
Confused? I don't blame you, despite my best efforts, and remember that this is all highly simplified. Welcome to the wonderful world of networking security. If you are ever besieged by insomnia, I highly recommend RFC 2401. J
|
| |||||||||||||||||||
Home - Table Of Contents - Contact Us
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.