IPsec Security Associations
An IPsec security association (SA) specifies security properties that are recognized by communicating hosts.
A single SA protects data in one direction. The protection is either to
a single host or to a group (multicast) address. Because most communication is
either peer-to-peer or client-server, two SAs must be present to secure traffic in
The following three elements uniquely identify an IPsec SA:
The SPI, an arbitrary 32-bit value, is transmitted with an AH or
ESP packet. The ipsecah(7P) and ipsecesp(7P) man pages explain the extent of protection that
is provided by AH and ESP. An integrity checksum value is used to
authenticate a packet. If the authentication fails, the packet is dropped.
Security associations are stored in a security associations database (SADB). A socket-based administration engine,
the pf_key interface, enables privileged applications to manage the database.
Key Management in IPsec
Security associations (SAs) require material to create the keys for authentication and for
encryption. The managing of this keying material is called key management. The Internet Key Exchange
(IKE) protocol handles key management automatically. You can also manage keys manually with
the ipseckey command.
SAs on IPv4 and IPv6 packets can use either method of key
management. Unless you have an overriding reason to use manual key management, automatic key
management is preferred. For example, to interoperate with systems other than Solaris systems
might require manual key management.