SA
... IPsec and assumptions made by this
document for successful IPsec Security Association (SA)
establishment. Section 5 gives the details of Internet Key Exchange
...
... Authentication Header (AH) security association (SA) is established
to protect the traffic defined by (IPv4 ...
... Security Parameter Index (SPI) and the inbound selectors
associated with the SA to verify that the packet is appropriate for
the SA via which it was received. A successful verification ...
... associated with the SA to verify that the packet is appropriate for
the SA via which it was received. A successful verification implies
that the packet came from the right IPv4 ...
... that the packet came from the right IPv4 endpoint, because the SA is
bound to the IPv4 source address ...
... ESP) and then matches the packet against the SPI and the inbound
selectors associated with the SA to verify that the packet is
appropriate for the SA via which it was received. The successful
...
... selectors associated with the SA to verify that the packet is
appropriate for the SA via which it was received. The successful
verification implies that the packet came from the right endpoint ...
... binding
IPv6 addresses to be used to the SA is not generally feasible. IPv6
ingress filtering ...
...
In this case, an IPsec tunnel mode SA could be bound to the prefix
that was allocated to the router ...
... destination IPv6 addresses are known
a priori. A tunnel mode SA could be bound to these specific
addresses. Address ...
... in traffic selectors when an IPsec SA is negotiated. In
contrast, [RFC4301] requires supporting IP ...
... possible only with IKEv2. If IKEv1 is used, then multiple SAs
need to be set up, one for each traffic selector.
...
... tunnel mode as implementations may
or may not model the IPsec tunnel mode SA as an interface as
described in Appendix A.1.
...
...
If IPsec tunnel mode SA is not modeled as an interface (e.g., as of
this writing, popular in many open source implementations), the SPD ...
... it interoperates with a larger number of implementations.
o The child SA authorization data should contain the IPv4 address of
the peer.
...
... IKEv2 must be used for
establishing the IPsec SAs. IKEv2 should be used where supported and
available; if not, IKEv1 ...
...
1. "Generic SPDs": some implementations model the tunnel mode SA as
an IP interface. In this case, an IPsec ...
... traffic selectors while setting up the SA. Though this allows
all traffic between the two nodes ...
...
2. "Specific SPDs": some implementations do not model the tunnel
mode SA as an IP interface. Traffic selection is based on
...
... setting up
the IPsec tunnel mode SA. The details of these procedures are out of
scope for this memo.
...
... NAT traversal allows the outer address to change without
having to renegotiate the SAs. This could be beneficial for a
crude form of mobility and in scenarios where the NAT changes the
...
