IP Security (IPSEC) was created by the IETF as a collection of protocols that allow for safe and secure transmission of data over the public internet. IPSEC is basically a framework of authentication and encryption algorithms. The IPSEC concept, for instance, was not created around a specific encryption algorithm; instead, the decision of which security measures to use is left to the network operator(s). When setting up an IPSEC site-to-site tunnel, the term Security Association (SA) is very important. The SA is the security scheme, or collection of security mechanisms, that each peer has agreed upon and will use when transmitting data over the tunnel.
There are two types of SAs when building an IPSEC tunnel: the IKE SA and the IPSEC SA. As most operators know, there are two phases that need to be completed before an IPSEC tunnel is fully operational; the IKE SA is phase 1 and the IPSEC SA is phase 2.
In IPSEC phase 1 the items typically configured are authentication, encryption, Diffie-Hellman group number, SA lifetime, and pre-shared key. With IKEv1, both IKE peers need to have identical phase 1 configurations for phase 1 to complete. Once phase 1 has completed, the IKE SA has been established between the two peers. This SA provides secure communication between the two endpoints, allowing them to establish the needed phase 2 IPSEC SAs. The IKE SA, in my view, is almost like a management SA – a secure channel for the peers to negotiate the actual tunnel (phase 2). This SA is bidirectional, allowing communication back and forth.
As stated above, in phase 2 of building an IPSEC tunnel we run into IPSEC SAs. Some examples of IPSEC SA configuration items:
- Destination Address – IPv4, typically internal RFC 1918
- IPSEC Transforms – Encryption and Authentication
- IPSEC SA Lifetime – Typically in seconds
- Replay Detection – Detection of replayed datagrams
- Perfect Forward Secrecy – DH Group – Optional
A large difference between the IKE SA and the IPSEC SA is that the IKE SA is a single SA for bidirectional communication between the two peers, whereas the IPSEC SA consists of two separate SAs which are each unidirectional. Each IPSEC SA consists of a group of security policies to be agreed upon and used, but there’s one SA for inbound traffic and one SA for outbound traffic. Another way of looking at it is that there’s one SA for decrypt (inbound) and one SA for encrypt (outbound). The phase 2 portion of an IPSEC tunnel/SA is what actually moves and secures user datagrams.
A portion of the IPSEC SA is the Security Parameter Index (SPI). The SPI is a unique key value created by an IPSEC peer and applied to each SA. When a datagram is transferred over an IPSEC tunnel, the SPI value is carried in the IPSEC header. When the datagram is received, the peer looks up the SPI value together with the destination address. With these two pieces of information the receiver knows which SA, and therefore which transforms and replay state, to use when processing the packet.
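The inbound lookup described above, as an added illustration that is not part of the original post or of any vendor's IPSEC implementation: a receiver parses the SPI and sequence number from an ESP header, selects the inbound (decrypt) SA by (SPI, destination address), and runs the anti-replay window check listed under phase 2. The SPI, address and transform name are constructed sample values.

```python
import struct
from dataclasses import dataclass

@dataclass
class InboundSA:
    """One unidirectional (decrypt) SA in the Security Association Database."""
    spi: int
    dst: str
    transform: str          # label only, e.g. "aes-256-cbc/hmac-sha256"
    window: int = 64        # anti-replay window size, in sequence numbers
    highest_seq: int = 0    # highest sequence number accepted so far
    seen: int = 0           # bitmap: bit i set => highest_seq - i was accepted

def parse_esp_header(datagram: bytes) -> tuple[int, int, bytes]:
    """Split an ESP datagram into (SPI, sequence number, remaining bytes)."""
    if len(datagram) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", datagram[:8])   # both fields are 32-bit, network order
    return spi, seq, datagram[8:]

def lookup_sa(sad: dict, spi: int, dst: str) -> InboundSA:
    """Select the inbound SA by the two fields the receiver has: SPI and destination."""
    sa = sad.get((spi, dst))
    if sa is None:
        raise LookupError(f"no inbound SA for SPI {spi:#010x} to {dst}")
    return sa

def check_replay(sa: InboundSA, seq: int) -> bool:
    """Sliding-window replay check: accept new or unseen in-window seqs, drop the rest."""
    if seq == 0:
        return False                                  # ESP never sends sequence number 0
    if seq > sa.highest_seq:                          # newer than anything seen: slide window
        shift = seq - sa.highest_seq
        sa.seen = ((sa.seen << shift) | 1) & ((1 << sa.window) - 1)
        sa.highest_seq = seq
        return True
    offset = sa.highest_seq - seq
    if offset >= sa.window:
        return False                                  # older than the window: drop
    if sa.seen & (1 << offset):
        return False                                  # already accepted once: replay
    sa.seen |= 1 << offset                            # late but legitimate
    return True

def receive(sad: dict, dst: str, datagram: bytes) -> str:
    """Full inbound path: header parse -> SA lookup -> replay check -> decrypt decision."""
    spi, seq, _payload = parse_esp_header(datagram)
    sa = lookup_sa(sad, spi, dst)
    if not check_replay(sa, seq):
        return f"drop: replay or out-of-window seq {seq} on SPI {spi:#010x}"
    return f"decrypt with {sa.transform} (SPI {spi:#010x}, seq {seq})"

# Constructed SAD with one inbound SA; the outbound SA toward the peer would carry its own SPI.
SAD = {(0xC0FFEE01, "203.0.113.10"): InboundSA(0xC0FFEE01, "203.0.113.10", "aes-256-cbc/hmac-sha256")}
```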
Although not always needed, it's very helpful to have an understanding of what a Security Association is when troubleshooting problems that have to do with IPSEC tunnels.