IPSec Security Associations
The concept of a security association (SA) is fundamental to IPSec. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three services. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption; MD5 or SHA-1 for integrity). After deciding on the algorithms, the two devices must share session keys. As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session. You will need to configure SA parameters and monitor SAs on Cisco routers and the PIX Firewall.
NOTE
The nomenclature gets a little confusing at times, because SAs are used for more than just IPSec. For example, IKE SAs describe the security parameters between two IKE devices.
A separate pair of IPSec SAs is set up for AH and ESP transform. Each IPSec peer agrees to set up SAs consisting of policy parameters to be used during the IPSec session. The SAs are unidirectional for IPSec, so that peer 1 will offer peer 2 a policy. If peer 2 accepts this policy, it will send that policy back to peer 1. This establishes two one-way SAs between the peers. Two-way communication consists of two SAs, one for each direction.
Each SA consists of values such as destination address, a security parameter index (SPI), the IPSec transforms used for that session, security keys, and additional attributes such as IPSec lifetime. The SAs in each peer have unique SPI values that will be recorded in the security parameter database on each device. The security parameter database is set up in dynamic random access memory (DRAM), and contains parameter values for each SA. An example of these values is shown in Figure 1.
){kind=link}
Figure 1 IPSec security association (SA).
An IPSec transform in Cisco IOS specifies either an AH or an ESP protocol and its corresponding algorithms and mode (transport or tunnel). The Cisco Secure VPN Client uses the concept of security policies to specify the same parameters.
Figure 2 contains an actual example of SA parameters for two IPSec peers: R1 and R2. Remember that each IPSec SA is unidirectional, and the SA parameters must match on each IPSec peer. The SA parameters are configured by the system administrator and stored in the SA database.
){kind=link}
Figure 2 SA parameter example on a Cisco router.
The following table describes the parameters shown in Figure 2.
|
Item |
Description |
|
outbound esp sas: spi: 0x1B781456(460854358) |
Security parameter index that matches the inbound SPI for that SA |
|
transform: esp-des |
IPSec transform |
|
in use settings ={Tunnel, } |
IPSec transform mode (tunnel or transport) |
|
slot: 0, conn id: 18 crypto map:mymap |
Cryptographic engine and cryptographic map information |
|
sa timing: (k/sec) |
SA lifetime in KB and seconds |
|
replay detection support: N |
Replay detection either on or off |
The SAs between IPSec peers enable the configured IPSec policy. When a system sends a packet that requires IPSec protection, it looks up the SA in its database, applies the specified processing, and then inserts the SPI from the SA into the IPSec header. When the IPSec peer receives the packet, it looks up the SA in its database by destination address and SPI, and then processes the packet as required. In summary, the SA is a statement of the negotiated security policy between two devices. Figure 3 shows an example of differing policies between peers.
){kind=link}
Figure 3 SAs enable your chosen policy.