Definition - What does Security Association (SA) mean?
A security association (SA) is a logical, one-way connection between two devices that exchange data. Using the IPsec protocols, an SA defines how the traffic flowing in that one direction is protected. An IPsec tunnel therefore normally consists of two unidirectional SAs, one per direction, which together provide a secure, full-duplex channel for data.
An SA bundles the parameters both endpoints need in order to process the traffic: the traffic encryption key, the cryptographic algorithm and mode, and the other parameters required to handle the network data.
Techopedia explains Security Association (SA)
The Internet Security Association and Key Management Protocol (ISAKMP) provides the framework for establishing SAs, while the authenticated keying material is supplied by protocols such as Internet Key Exchange (IKE) and Kerberized Internet Negotiation of Keys (KINK).
SAs let an enterprise control precisely which resources may communicate securely, in line with its security policy. To do this, an enterprise can combine several SAs to build multiple secure VPNs, and define further SAs within a VPN to support its many different units as well as its business partners.
Security associations operate in one of two modes. A mode is the way the IPsec protocol is applied to a packet: IPsec is used either in transport mode or in tunnel mode. In general, transport mode is used to protect host-to-host IPsec traffic, whereas tunnel mode is used to protect gateway-to-gateway IPsec tunnels.
In transport mode the IPsec implementation encapsulates only the packet's payload; the IP header is left unchanged. After IPsec processing, the resulting IP packet consists of the original IP header followed by the processed payload. Because transport mode cannot shield the information carried in the IP header, an attacker can still identify the source and destination of the packet.
In tunnel mode the IPsec implementation encapsulates the whole IP packet: the original packet, header included, becomes the payload that IPsec processes. A new IP header is created that carries the addresses of the two IPsec gateways. Tunnel mode therefore prevents an attacker from inspecting or decoding the protected contents, and it also hides the original source and destination of the packet; only the gateway addresses remain visible on the wire.
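As an added illustration (not code from the original article), the following Python models a transport-mode and a tunnel-mode ESP security association and shows what an on-path observer can read from each. The cipher, the simplified packet layout, the addresses and the SPI values are constructed stand-ins, not a real IPsec implementation.

```python
# Added example, not from the original page: what transport-mode and tunnel-mode ESP SAs put on
# the wire. Stand-in cipher (HMAC-SHA256 keystream XOR), NOT a real IPsec transform; ICV omitted.
import hashlib, hmac, struct
from dataclasses import dataclass
ESP_PROTO, IPIP_PROTO = 50, 4  # IANA protocol numbers for ESP and IP-in-IP

@dataclass
class SecurityAssociation:
    spi: int            # Security Parameters Index, identifies the SA on the wire
    key: bytes          # traffic encryption key (constructed sample value)
    mode: str           # "transport" or "tunnel"
    local_gw: str = ""  # outer (gateway) addresses, used only in tunnel mode
    remote_gw: str = ""

def _keystream_xor(key, spi, seq, data):
    # Stand-in symmetric cipher: keystream block i = HMAC(key, spi || seq || i); XOR is its own inverse
    ks = b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def build_ip_packet(src, dst, proto, payload):  # simplified header: 4-byte src, 4-byte dst, 1-byte proto
    addrs = b"".join(bytes(int(o) for o in a.split(".")) for a in (src, dst))
    return addrs + bytes([proto]) + payload

def parse_ip_packet(pkt):  # -> (src, dst, proto, payload)
    return ".".join(map(str, pkt[:4])), ".".join(map(str, pkt[4:8])), pkt[8], pkt[9:]

def esp_encapsulate(sa, pkt, seq):
    src, dst, proto, payload = parse_ip_packet(pkt)
    if sa.mode == "transport":  # protect only the payload; the original IP header stays visible
        inner, next_hdr, osrc, odst = payload, proto, src, dst
    else:                       # protect the whole packet; the new outer header names the gateways
        inner, next_hdr, osrc, odst = pkt, IPIP_PROTO, sa.local_gw, sa.remote_gw
    # ESP body: SPI, sequence number, then encrypted(inner data + trailer's next-header byte)
    esp = struct.pack("!II", sa.spi, seq) + _keystream_xor(sa.key, sa.spi, seq, inner + bytes([next_hdr]))
    return build_ip_packet(osrc, odst, ESP_PROTO, esp)

def esp_decapsulate(sa, wire):  # receiver: only the matching SA (same SPI, key, mode) recovers the packet
    osrc, odst, proto, esp = parse_ip_packet(wire)
    spi, seq = struct.unpack("!II", esp[:8])
    if proto != ESP_PROTO or spi != sa.spi:
        raise ValueError("packet does not belong to this SA")
    plain = _keystream_xor(sa.key, spi, seq, esp[8:])
    return plain[:-1] if sa.mode == "tunnel" else build_ip_packet(osrc, odst, plain[-1], plain[:-1])

def observer_view(wire):  # what an on-path observer reads from the cleartext outer IP and ESP headers
    src, dst, proto, esp = parse_ip_packet(wire)
    spi, seq = struct.unpack("!II", esp[:8])
    return {"src": src, "dst": dst, "proto": proto, "spi": spi, "seq": seq}
```

Build a packet with build_ip_packet, wrap it with esp_encapsulate under each SA and compare observer_view of the two results: the transport-mode packet still shows the original endpoints, the tunnel-mode packet only the gateway addresses, while both show the SPI and sequence number.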