Virtual private networks, Part 1
4. IPSec basics
  


IPSec structures


In this section, we will examine in detail the IPSec structures that have been previously introduced.

Security Association (SA)
Simply put, an SA is a one-way, logical connection between two IPSec systems. It consists of the following elements:

  • Security Parameter Index
  • IP Destination Address
  • Security Protocol

Security Parameter Index (SPI): This is a 32-bit value that identifies different SAs with the same destination address and security protocols. It's carried in the security protocol header, and is usually selected by the destination system.

IP Destination Address (IPDA): This is a unicast address. SAs are simplex, and thus unidirectional.

Security Protocol (SP): This is either AH or ESP.

For bidirectional data flow, two SAs (one for each direction) must be defined. Because an SA can handle only one protocol, using both AH and ESP requires two SAs for each direction, grouped into an SA bundle.
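The following sketch is an added example, not part of the original tutorial. It shows how a receiver derives the (SPI, destination address, protocol) triple from an incoming packet and uses it to select an SA. The gateway addresses, SPI values, SA names and helper functions are all constructed for illustration; the header offsets follow the standard AH and ESP header layouts.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IP protocol numbers of the two IPSec security protocols

def sa_key(packet: bytes):
    """Return the (SPI, destination address, protocol) triple that selects an SA."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    # The SPI is the first field of an ESP header; in AH it follows
    # next-header (1 byte), payload length (1 byte) and reserved (2 bytes).
    offset = {ESP: 0, AH: 4}.get(proto)
    if offset is None:
        raise ValueError("security protocol is neither AH nor ESP")
    if len(packet) < ihl + offset + 4:
        raise ValueError("truncated security protocol header")
    (spi,) = struct.unpack_from("!I", packet, ihl + offset)
    return spi, dst, proto

def build_packet(src, dst, proto, spi):
    """Constructed sample: IPv4 header (checksum left 0) plus the start of AH/ESP."""
    sec = (struct.pack("!II", spi, 1) if proto == ESP
           else struct.pack("!BBHII", 4, 4, 0, spi, 1))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(sec), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + sec

# Hypothetical gateways (documentation address ranges) and constructed SPIs.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"

# AH and ESP in both directions: four simplex SAs, two per direction.
SAD = {
    (0x1001, GW_B, AH):  "A->B AH",
    (0x1002, GW_B, ESP): "A->B ESP",
    (0x2001, GW_A, AH):  "B->A AH",
    (0x2002, GW_A, ESP): "B->A ESP",
}

def lookup(packet: bytes):
    """Return the matching SA name, or None when no SA covers the packet."""
    return SAD.get(sa_key(packet))

def sa_bundle(dst: str):
    """SAs that together protect traffic toward one destination (an SA bundle)."""
    return sorted(name for (_, d, _), name in SAD.items() if d == dst)
```

A packet that carries the A->B SPI but travels toward A matches nothing in the table, which is the practical consequence of SAs being unidirectional.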

