Security Association


What Does Security Association Mean?

A security association (SA) is a logical connection between two devices that exchange data. Using the IPsec protocols, an SA protects traffic in one direction only. An IPsec tunnel therefore typically consists of two unidirectional SAs, which together provide a secure, full-duplex channel for data.


A security association bundles the parameters used to protect the traffic: the traffic encryption key, the cryptographic algorithm and its mode, and the other parameters required to process the network data.

Techopedia Explains Security Association

The Internet Security Association and Key Management Protocol (ISAKMP) provides the framework for establishing SAs, while the authenticated keying material is supplied by protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK).

With SAs, enterprises can control precisely which resources may communicate securely, in accordance with the security policy. To do so, an enterprise can set up several SAs to support multiple secure VPNs, and can define SAs within a VPN to support its different units as well as its business partners.

Security associations operate in modes. A mode is the way in which the IPsec protocol is applied to a packet. IPsec is used in either transport mode or tunnel mode. In general, transport mode is used to protect a host-to-host IPsec connection, whereas tunnel mode is used to protect a gateway-to-gateway IPsec tunnel.

In transport mode, the IPsec implementation encapsulates only the payload of the packet; the IP header remains unchanged. After IPsec processing, the resulting IP packet consists of the original IP header followed by the processed payload. Because transport mode cannot shield the information carried in the IP header, an attacker can still identify the source and destination of the packet.

In tunnel mode, the IPsec implementation encapsulates the whole IP packet: the entire original packet becomes the payload that is processed with IPsec. The newly created outer IP header carries the addresses of the two IPsec gateways. Tunnel mode therefore prevents an attacker from inspecting and decoding the protected information, and it also hides the original source and destination of the packet.
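The two modes described above, and the unidirectional SA record that drives them, as an added example that is not part of the original Techopedia article. The IPv4 header layout and the ESP protocol number (50) are real; the `SecurityAssociation` dataclass, the sample addresses and key, and the HMAC-SHA256 keystream "transform" are constructed stand-ins for illustration only (real ESP uses negotiated ciphers, padding and an integrity check value, none of which are modelled here). The point it makes visible is the one in the text: in transport mode an on-path observer still reads the original source and destination, while in tunnel mode the outer header shows only the two gateways.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_IPIP = 4    # next-header value meaning "a whole IP packet follows" (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50    # IPsec ESP protocol number

HDR_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed minimal IPv4 header; checksum left zero because nothing here goes on a wire."""
    return struct.pack(HDR_FMT, (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4_header(pkt: bytes) -> dict:
    f = struct.unpack(HDR_FMT, pkt[:20])
    return {"src": str(ipaddress.ip_address(f[8])), "dst": str(ipaddress.ip_address(f[9])),
            "proto": f[6], "total_len": f[2]}


@dataclass(frozen=True)
class SecurityAssociation:
    """Toy SA record (assumed shape): the parameters one direction of traffic is processed with."""
    spi: int              # Security Parameter Index the receiver uses to look the SA up
    key: bytes            # traffic encryption key
    mode: str             # "transport" or "tunnel"
    direction: str        # "outbound" or "inbound": an SA protects one direction only
    local_gw: str = ""    # tunnel mode: outer source address (this gateway)
    remote_gw: str = ""   # tunnel mode: outer destination address (peer gateway)


def toy_transform(sa: SecurityAssociation, seq: int, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream bound to the SA; illustration only, not ESP's cipher suite."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(sa.key, struct.pack("!IIQ", sa.spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))  # XOR is its own inverse


def protect(sa: SecurityAssociation, ip_packet: bytes, seq: int) -> bytes:
    """Apply the SA in its mode: transport keeps the original IP header, tunnel wraps the whole packet."""
    hdr = parse_ipv4_header(ip_packet)
    esp_header = struct.pack("!II", sa.spi, seq)
    if sa.mode == "transport":
        # Only the transport payload is protected; a trailer byte records the original next header.
        body = toy_transform(sa, seq, ip_packet[20:] + bytes([hdr["proto"]]))
        return build_ipv4_header(hdr["src"], hdr["dst"], IPPROTO_ESP, 8 + len(body)) + esp_header + body
    # Tunnel mode: the entire original packet, header included, becomes the protected payload.
    body = toy_transform(sa, seq, ip_packet + bytes([IPPROTO_IPIP]))
    return build_ipv4_header(sa.local_gw, sa.remote_gw, IPPROTO_ESP, 8 + len(body)) + esp_header + body


def unprotect(sa: SecurityAssociation, packet: bytes) -> bytes:
    """Reverse protect(); the receiver matches the SPI to its SA and rejects anything else."""
    outer = parse_ipv4_header(packet)
    spi, seq = struct.unpack("!II", packet[20:28])
    if outer["proto"] != IPPROTO_ESP or spi != sa.spi:
        raise ValueError("packet does not belong to this SA")
    plain = toy_transform(sa, seq, packet[28:])
    inner, next_header = plain[:-1], plain[-1]
    if next_header == IPPROTO_IPIP:
        return inner                              # tunnel mode: the inner packet is complete
    return build_ipv4_header(outer["src"], outer["dst"], next_header, len(inner)) + inner


def observer_view(packet: bytes) -> dict:
    """What an on-path observer learns from the unprotected outer header alone."""
    outer = parse_ipv4_header(packet)
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"]}


# Constructed sample: host A (10.0.1.5) sends a 12-byte TCP payload to host B (10.0.2.9).
SAMPLE_PACKET = build_ipv4_header("10.0.1.5", "10.0.2.9", IPPROTO_TCP, 12) + b"hello-tcp-xx"
KEY = b"\x01" * 32   # constructed key for the demo, not a real one

TRANSPORT_SA = SecurityAssociation(spi=0x1001, key=KEY, mode="transport", direction="outbound")
TUNNEL_SA = SecurityAssociation(spi=0x2002, key=KEY, mode="tunnel", direction="outbound",
                                local_gw="203.0.113.1", remote_gw="198.51.100.1")


def demo() -> dict:
    """Observer's view in both modes, plus round-trip checks through the matching SA."""
    t = protect(TRANSPORT_SA, SAMPLE_PACKET, seq=1)
    u = protect(TUNNEL_SA, SAMPLE_PACKET, seq=1)
    return {
        "transport_view": observer_view(t),
        "tunnel_view": observer_view(u),
        "transport_roundtrip": unprotect(TRANSPORT_SA, t) == SAMPLE_PACKET,
        "tunnel_roundtrip": unprotect(TUNNEL_SA, u) == SAMPLE_PACKET,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows `transport_view` with the hosts' own addresses (10.0.1.5 to 10.0.2.9) and `tunnel_view` with only the gateway addresses, both carrying protocol 50; the round-trip flags confirm each mode restores the original packet. Because each SA record protects a single direction, a real tunnel would hold a second, inbound SA with its own SPI and key for the reply traffic.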



Margaret Rouse
Editor

Margaret is an award-winning technical writer, teacher and lecturer. She is known for her ability to explain complex technical concepts in simple terms to a business audience. For twenty years her definitions of IT terms have been published by Que in its encyclopedia of technology terms and cited in articles appearing in the New York Times, Time magazine, USA Today, ZDNet, and PC and Discovery magazines. Margaret joined the Techopedia team in 2011. Margaret enjoys helping business and IT specialists find a common language. In her work, as she puts it, she builds bridges between these two domains, in this…