We've seen how IPsec wraps packets using AH or ESP. But how does a server know *which* key to use for a specific packet? If a server has VPN tunnels to ten different offices, it can't use the same key for all of them. This is managed by the Security Association (SA) and the Security Policy Database (SPD).
The SPD is the 'Rule Book'. Before a packet is even processed by the IPsec engine, the OS checks the SPD to decide what to do. The SPD contains rules based on source/destination IP, port, and protocol. It can tell the OS to: 1. Bypass (send in cleartext), 2. Discard (block), or 3. Protect (apply IPsec).
Think of the SPD as a firewall for encryption. It defines *what* needs to be encrypted before the system decides *how* to encrypt it.
```
# Conceptual SPD Entry
Rule 1: Src 10.0.1.0/24, Dst 10.0.2.0/24 -> ACTION: PROTECT
Rule 2: Src 10.0.1.0/24, Dst 8.8.8.8    -> ACTION: BYPASS
Rule 3: Any            -> Any           -> ACTION: DISCARD
```

Once the SPD decides a packet must be 'Protected', it hands the packet over to the SA manager to find the actual cryptographic keys.
The SA is the 'Actual Contract'. It is a one-way (unidirectional) agreement between two parties that defines the specific algorithms and keys used for a session. Because an SA is unidirectional, a bidirectional conversation requires **two SAs**: one for inbound traffic and one for outbound traffic.
The SPI (Security Parameter Index): Since there are many SAs, every AH or ESP packet carries an SPI. This is a 32-bit identifier, unique at the receiving end, that tells the receiver, 'Use SA #456 to decrypt this packet'.
| Component | Role | Analogy |
|---|---|---|
| SPD | Policy Decision | The Company Rulebook |
| SA | Cryptographic Agreement | A Signed Contract |
| SPI | SA Identifier | The Contract ID Number |
SAs are not permanent. To prevent an attacker from collecting enough ciphertext to crack a key, SAs have a 'Lifetime' (e.g., 8 hours or 10GB of data). When the lifetime expires, the two endpoints must negotiate a new SA through a process called 'Rekeying'.
A 'Symmetric SA' does not exist. If you see a configuration that implies a single key for both directions, it is likely a simplified representation of two separate unidirectional SAs.
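To make the SPD-then-SA flow concrete, here is an added Python simulation (not code from the original page) of an IPsec endpoint's outbound and inbound decisions: an ordered SPD with first-match lookup, an SA database keyed by SPI holding one SA per direction, and a byte-count lifetime that forces rekeying. All rules, SPIs, keys and lifetimes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed SPD: ordered rules, first match wins (mirrors the conceptual entry above).
SPD = [
    ("10.0.1.0/24", "10.0.2.0/24", "PROTECT"),
    ("10.0.1.0/24", "8.8.8.8/32", "BYPASS"),
    ("0.0.0.0/0", "0.0.0.0/0", "DISCARD"),
]

@dataclass
class SA:
    spi: int             # 32-bit Security Parameter Index carried in every AH/ESP packet
    direction: str       # "in" or "out": an SA is unidirectional
    cipher: str
    key: bytes
    lifetime_bytes: int  # byte-count lifetime; reaching it forces a rekey
    bytes_used: int = 0

    def expired(self) -> bool:
        return self.bytes_used >= self.lifetime_bytes

# Constructed SA database (SAD) for ONE bidirectional tunnel: two SAs, one per direction.
SAD = {
    456: SA(456, "in", "AES-128-GCM", bytes(16), 10 * 1024**3),
    789: SA(789, "out", "AES-128-GCM", bytes(16), 10 * 1024**3),
}

def spd_lookup(src: str, dst: str) -> str:
    """Return the SPD action for a src/dst pair; no matching rule means drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in SPD:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "DISCARD"

def outbound(src: str, dst: str, length: int):
    """Outbound packet: BYPASS, DISCARD, the SPI of the outbound SA to use, or REKEY."""
    action = spd_lookup(src, dst)
    if action != "PROTECT":
        return action
    for sa in SAD.values():
        if sa.direction == "out" and not sa.expired():
            sa.bytes_used += length
            return sa.spi
    return "REKEY"  # policy says protect, but no usable outbound SA: negotiate a new one

def inbound(spi: int, length: int):
    """Inbound ESP/AH packet: map its SPI to an SA; unknown, wrong-direction or expired SAs are rejected."""
    sa = SAD.get(spi)
    if sa is None or sa.direction != "in" or sa.expired():
        return None
    sa.bytes_used += length
    return sa
```

Note that an inbound packet quoting the outbound SPI (789) is rejected: the two SAs of a tunnel are separate contracts, not one shared key.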