SA is a one way relationship between a sender and a receiver. This means that it only defines one communication link between a source and a destination over an application. If multiple applications or #p2p secure communications are needed, there needs to be multiple SA correspondingly. It is identified by three parameters: Security Parameter Index (SPI) (a bit string to enable the receiver to select the SA under which a received packet will be processed), IP Destination address (allows only unicast address), and Security Protocol Identifier (either AH or ESP, see more in #IP Security (IPsec)).
There is a minimal database that includes information attached to each SA, for instance:
- AH information including authentication algorithm, key, key lifetime etc.
- ESP information including encryption and authentication algorithm, keys, initialisation values, key lifetimes etc.
- Sequence number counter, which is used to generate the sequence number field in AH nad ESP
- Sequence counter overflow flag, which defines the operation when encounter a counter overflows (usually close the SA)
- Anti-replay window
- Lifetime of the SA
- #IPsec protocol mode (tunnel or transport mode)
- Path Maximum Transmission Unit (MTU)
- IP Addresses# including source and destination
- Timestamp
- Traffic Type (TCP# or UDP#)