Inbound and Outbound SAs
SA parameters are the actual session parameters
used to secure a specific data flow associated with a specific secure
IP interface. How SA parameters are set depends on how the IP interfaces
are secured:
- For manual secure IP interfaces, the system administrator
sets SA parameters. Manually setting SA parameters allows provisioning
of IP security to destinations that do not support SA negotiation
via IKE.
- For signaled secure IP interfaces, the two security gateway
peers negotiate SA parameters; the system administrator is not allowed
to set any of the parameters. In fact, for some of these parameters,
such as session keys, the system administrator is not even granted
read access.
Like the IPSec SAs they describe, SA parameters are unidirectional.
A two-way data flow therefore requires two SAs, one for inbound traffic
and one for outbound traffic. In each direction, SA parameters must be
set for every transform associated with the secure IP interface, so each
secure IP interface has two sets of SA parameters: the inbound SA
parameters and the outbound SA parameters.
The following parameters form each set of SA parameters:
- SPI—The SPI identifies the SA applied to a flow. An SPI is unique
for a given destination IP address and security protocol (ESP or AH)
tuple, so the same SPI value may be reused with a different destination
or protocol. The destination IP address is the remote secure IP interface
endpoint for the outbound direction and the local secure IP interface
endpoint for the inbound direction.
- Encapsulation—The encapsulation options include
both an encapsulating protocol and an encapsulating mode. The protocol
can be either ESP or AH. The mode is tunnel mode.
- Transforms—The allowed transforms for given SA parameters
depend on the encapsulation protocol. See Transform Sets for more information.
- Keys—Each transform of the SA has its own session key. The key
length depends on the transform to which the key applies, and is as follows:
- DES—8 bytes
- 3DES—24 bytes
- MD5—16 bytes
- SHA—20 bytes
Note that current IPsec guidance (RFC 8221) prohibits single DES and
discourages 3DES, and HMAC-MD5 is no longer recommended; configure these
transforms only where an older peer requires them, and prefer SHA over
MD5 for authentication.
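As an added illustration (not part of the original documentation), the following Python models the two unidirectional SA parameter sets of one secure IP interface: each SA is keyed by the (destination, protocol, SPI) tuple, the key lengths listed above are enforced per transform, and session keys of IKE-negotiated SAs are withheld from the administrator. The SADB class, install_pair, the role check and the rule that AH carries only an authentication transform while ESP carries one cipher plus optional authentication are assumptions made for the example, not a vendor API.

```python
# Added example, not from the original documentation: a small model of the
# inbound/outbound SA parameter sets. Names and policy checks are assumptions.
from dataclasses import dataclass
from typing import Dict, Tuple

# Session-key length in bytes per transform, as listed on the page.
KEY_LENGTHS = {"des": 8, "3des": 24, "md5": 16, "sha": 20}
CIPHERS = {"des", "3des"}
AUTHS = {"md5", "sha"}
PROTOCOLS = {"esp", "ah"}


@dataclass(frozen=True)
class SAParams:
    spi: int
    dst: str                    # remote endpoint (outbound) or local endpoint (inbound)
    protocol: str               # "esp" or "ah"; mode is always tunnel on this page
    transforms: Tuple[str, ...]
    keys: Dict[str, bytes]      # one session key per transform
    origin: str                 # "manual" (administrator-set) or "ike" (negotiated)


def validate(sa: SAParams) -> None:
    """Reject an SA whose parameters break the rules described above."""
    if sa.protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {sa.protocol!r}")
    # SPI 0 is reserved for local use and 1-255 are reserved by IANA (RFC 4303).
    if not 256 <= sa.spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {sa.spi:#x} outside the assignable range")
    ciphers = [t for t in sa.transforms if t in CIPHERS]
    auths = [t for t in sa.transforms if t in AUTHS]
    if len(ciphers) + len(auths) != len(sa.transforms):
        raise ValueError(f"unknown transform in {sa.transforms!r}")
    # Assumption: AH carries exactly one authentication transform; ESP carries
    # one cipher and at most one authentication transform.
    if sa.protocol == "ah" and (ciphers or len(auths) != 1):
        raise ValueError("AH needs exactly one authentication transform")
    if sa.protocol == "esp" and (len(ciphers) != 1 or len(auths) > 1):
        raise ValueError("ESP needs one cipher and at most one authentication transform")
    if set(sa.keys) != set(sa.transforms):
        raise ValueError("exactly one session key per transform is required")
    for t, key in sa.keys.items():
        if len(key) != KEY_LENGTHS[t]:
            raise ValueError(f"{t} key must be {KEY_LENGTHS[t]} bytes, got {len(key)}")


class SADB:
    """SA database keyed by the (destination, protocol, SPI) tuple."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, str, int], SAParams] = {}

    def install(self, sa: SAParams) -> None:
        validate(sa)
        key = (sa.dst, sa.protocol, sa.spi)
        if key in self._sas:
            raise ValueError(f"SPI {sa.spi:#x} already in use for {sa.dst}/{sa.protocol}")
        self._sas[key] = sa

    def lookup(self, dst: str, protocol: str, spi: int) -> SAParams:
        return self._sas[(dst, protocol, spi)]

    def session_key(self, dst: str, protocol: str, spi: int,
                    transform: str, role: str) -> bytes:
        sa = self.lookup(dst, protocol, spi)
        # Assumption: an administrator may read manually set keys only;
        # keys negotiated by IKE are never exposed to the administrator.
        if role == "admin" and sa.origin == "ike":
            raise PermissionError("session keys of IKE-negotiated SAs are not readable")
        return sa.keys[transform]


def install_pair(db: SADB, local: str, remote: str, protocol: str,
                 transforms: Tuple[str, ...],
                 in_spi: int, in_keys: Dict[str, bytes],
                 out_spi: int, out_keys: Dict[str, bytes],
                 origin: str = "manual") -> Tuple[SAParams, SAParams]:
    """Install the inbound and outbound SAs of one secure IP interface.

    Inbound SAs are keyed on the local endpoint, outbound SAs on the remote one.
    """
    inbound = SAParams(in_spi, local, protocol, tuple(transforms), dict(in_keys), origin)
    outbound = SAParams(out_spi, remote, protocol, tuple(transforms), dict(out_keys), origin)
    db.install(inbound)
    db.install(outbound)
    return inbound, outbound


if __name__ == "__main__":
    # Constructed sample: a manual ESP tunnel with 3DES + SHA between two gateways.
    db = SADB()
    inb, outb = install_pair(db, "10.0.0.1", "10.0.0.2", "esp", ("3des", "sha"),
                             0x1001, {"3des": b"\x11" * 24, "sha": b"\x22" * 20},
                             0x2001, {"3des": b"\x33" * 24, "sha": b"\x44" * 20})
    print("inbound  ->", inb.dst, hex(inb.spi))
    print("outbound ->", outb.dst, hex(outb.spi))
```

The validation rejects a wrong-length key before the SA is installed, which is the failure an administrator hits most often when provisioning manual SAs; the SPI check shows that an SPI value only has to be unique per destination and protocol, not globally.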