
Security Associations (SAs)

An IPsec tunnel consists of a pair of unidirectional security associations (SAs)—one at each end of the tunnel—that specify the security parameter index (SPI), destination IP address, and security protocol (Authentication Header or Encapsulating Security Payload) employed.

Through the SA, an IPsec tunnel can provide the following security functions:

The security functions you employ depend on your needs. If you need only to authenticate the source of the IP packet and verify the integrity of its content, you can authenticate the packet without applying any encryption. On the other hand, if you are concerned only with preserving privacy, you can encrypt the packet without applying any authentication mechanisms. Optionally, you can both encrypt and authenticate the packet. Most network security designers choose to encrypt, authenticate, and replay-protect their VPN traffic.
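The following Python example is added here and is not from the original page. It shows how a receiver selects an SA by the triple of SPI, destination IP address, and security protocol, and why a tunnel needs one SA per direction; the addresses, SPI values, and SA table entries are constructed for illustration.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

ESP, AH = 50, 51  # IANA IP protocol numbers for ESP and AH

class SA(NamedTuple):
    name: str
    encrypts: bool       # confidentiality applied to the packet
    authenticates: bool  # source and integrity check applied to the packet

def sa_selector(packet: bytes) -> Optional[tuple]:
    """Return (SPI, destination IP, protocol) for an IPv4 ESP/AH packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    # ESP carries the SPI in its first 4 bytes; AH carries it after 4 bytes
    # of next-header, payload-length and reserved fields.
    spi_off = {ESP: 0, AH: 4}.get(proto)
    if ihl < 20 or spi_off is None or len(packet) < ihl + spi_off + 4:
        return None
    (spi,) = struct.unpack_from("!I", packet, ihl + spi_off)
    return (spi, str(ipaddress.IPv4Address(packet[16:20])), proto)

def lookup(sad: dict, packet: bytes) -> Optional[SA]:
    """Find the SA for an inbound packet; None means no SA matches."""
    key = sa_selector(packet)
    return sad.get(key) if key else None

def build_packet(src: str, dst: str, proto: int, spi: int) -> bytes:
    """Constructed input: IPv4 header plus the start of an ESP or AH header."""
    ipsec = (b"\x04\x04\x00\x00" if proto == AH else b"") + struct.pack("!II", spi, 1)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipsec), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + ipsec

# Constructed SA database: each direction of the tunnel has its own entry.
SAD = {
    (0x1001, "203.0.113.2", ESP): SA("A->B esp", encrypts=True, authenticates=True),
    (0x2002, "198.51.100.1", ESP): SA("B->A esp", encrypts=True, authenticates=True),
    (0x3003, "203.0.113.2", AH): SA("A->B ah", encrypts=False, authenticates=True),
}

if __name__ == "__main__":
    fwd = build_packet("198.51.100.1", "203.0.113.2", ESP, 0x1001)
    rev = build_packet("203.0.113.2", "198.51.100.1", ESP, 0x1001)
    print(lookup(SAD, fwd), lookup(SAD, rev))
```

The reverse-direction packet reuses the forward SPI and finds no SA, because the destination address is part of the lookup key.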

