What is a Security Association used for in IPsec?
A quick refresher on this critical part of IPsec.
We covered this briefly in a prior article but I think a deeper dive would be helpful: let's discuss Security Associations and why they're important for IPsec.
I've said it before and I'll say it again: modern networking is highly dependent on trust and agreement. In order for two parties to successfully communicate with one another, they basically need to agree on some ground rules. This mindset also holds for IPsec architecture. Before an IPsec tunnel can be established, the two connecting devices (e.g. routers, firewalls, etc.) need to agree on connection details. This includes things like how the data will be protected, what protocols will be used, etc.
This leads into a critical part of IPsec: the Security Association (commonly abbreviated as SA). Think of an SA as basically a "contract". It dictates the overall terms of agreement between the two sides and defines all the necessary parameters for securing a particular flow/direction of IP packets through a tunnel. These details include stuff like:
- Security Protocol - Necessary for things like data integrity and authentication.
- Algorithms - The specific cryptographic algorithms to be used for encryption and hashing/authentication.
- Keys - Shared secret keys that the algorithms will use for encryption and authentication.
- Mode - The operational mode for IPsec (tunnel mode vs transport mode).
- Security Parameter Index (SPI) - A unique 32-bit value that, combined with some other stuff, uniquely identifies a specific SA at the receiving end.
- Sequence Numbers - Data that's used to prevent replay attacks, ensuring that each packet is unique and processed only once.
- Lifetime - How long the SA is valid (either based on time or amount of data transmitted) before it needs to be renegotiated.
Phew! That's a lot of factors to keep track of. For the purpose of brevity, I'll stop here and refrain from going much deeper. I do want to mention one more important detail though: under normal circumstances, an IPsec tunnel will require two Security Associations (one for each direction of flow: A --> B and B --> A). Both SAs have to be accepted and agreed upon, otherwise the tunnel won't be established.
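To make the SPI, sequence number and lifetime fields concrete, here is an added example (not code from the original article or from any IPsec implementation) that models how a receiver could use one inbound SA: look it up by SPI, enforce a byte lifetime, and run a sliding-window anti-replay check. The field names, the 64-packet window, the SPI values and the sample packets are assumptions; the B --> A direction would be a separate SA with its own SPI.

```python
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size in packets (assumed value)

@dataclass
class InboundSA:
    """One direction of a tunnel; field names are illustrative."""
    spi: int
    protocol: str          # "ESP" or "AH"
    mode: str              # "tunnel" or "transport"
    lifetime_bytes: int    # SA must be renegotiated after this much data
    bytes_seen: int = 0
    top: int = 0           # highest sequence number accepted so far
    bitmap: int = 0        # bit i set => sequence number (top - i) was seen

def check_replay(sa, seq):
    """Sliding-window check; mutates the SA only when the packet is accepted."""
    if seq == 0:
        return "reject: invalid sequence number"
    if seq > sa.top:                              # new highest: slide window forward
        sa.bitmap = ((sa.bitmap << (seq - sa.top)) | 1) & ((1 << WINDOW) - 1)
        sa.top = seq
        return "accept"
    offset = sa.top - seq
    if offset >= WINDOW:
        return "reject: older than window"
    if sa.bitmap & (1 << offset):
        return "reject: replay"
    sa.bitmap |= 1 << offset                      # late but not yet seen
    return "accept"

def receive(sad, spi, seq, length):
    """SPI lookup, then lifetime and replay checks (integrity check assumed passed)."""
    sa = sad.get(spi)
    if sa is None:
        return "reject: no SA for SPI"
    if sa.bytes_seen + length > sa.lifetime_bytes:
        return "reject: SA lifetime exceeded"
    verdict = check_replay(sa, seq)
    if verdict == "accept":
        sa.bytes_seen += length
    return verdict

def demo():
    # Constructed sample: host B's inbound SA database holds only the A -> B SA.
    sad_b = {0x1001: InboundSA(0x1001, "ESP", "tunnel", lifetime_bytes=4000)}
    packets = [(0x1001, 1, 1000), (0x1001, 3, 1000), (0x1001, 2, 1000),
               (0x1001, 3, 1000), (0x2002, 1, 1000), (0x1001, 4, 1500)]
    return [receive(sad_b, spi, seq, n) for spi, seq, n in packets]
```

Calling `demo()` returns one verdict per packet: the out-of-order packet 2 is accepted, the second copy of packet 3 is rejected as a replay, the unknown SPI finds no SA, and the last packet is refused because the SA has reached its byte lifetime.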