IPsec and IKE Administration Guide

Security Associations Database for IPsec

Information on keying material for IPsec security services is maintained in a security association database (SADB). Security associations protect both inbound packets and outbound packets. A user process, or possibly multiple cooperating processes, maintains SADBs by sending messages over a special kind of socket. This method of maintaining SADBs is analogous to the method that is described in the route(7P) man page. Only a superuser or someone who has assumed an equivalent role can access an SADB.

The operating system might spontaneously emit messages in response to external events. For example, the system might request a new SA for an outbound datagram, or the system might report the expiration of an existing SA. You open the channel for passing SADB control messages by using the socket call that is mentioned in the previous section. More than one key socket can be open per system.

Messages consist of a small base header followed by zero or more extension messages. Some messages require additional data. The base message and all extensions must be 8-byte aligned. The GET message serves as an example: it requires the base header, the SA extension, and the ADDRESS_DST extension. See the pf_key(7P) man page for details.
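The layout described above, as an added example that is not part of this guide: it packs an SADB_GET request (base header, SA extension, ADDRESS_DST extension) using the field layouts and numeric constants of RFC 2367, then walks the extension chain back to check the 64-bit-word lengths and 8-byte alignment. It assumes a 16-byte sockaddr_in with a 16-bit family field (the Linux and Solaris layout); the SPI and address are constructed values.

```python
import socket
import struct

# Constants from RFC 2367 (PF_KEY v2): message type, SA type and extension types.
PF_KEY_V2 = 2
SADB_GET = 5
SADB_SATYPE_ESP = 3
SADB_EXT_SA = 1
SADB_EXT_ADDRESS_DST = 6

def pad8(b: bytes) -> bytes:
    """PF_KEY requires the base message and every extension to be 8-byte aligned."""
    return b + b"\0" * (-len(b) % 8)

def sadb_get_message(spi: int, dst_ip: str, seq: int = 1, pid: int = 4242) -> bytes:
    """Build an SADB_GET request: base header + SA extension + ADDRESS_DST extension.
    Lengths are counted in 64-bit words, as the kernel expects. Assumed layout:
    a 16-byte sockaddr_in with a 16-bit family field (Linux/Solaris)."""
    # sadb_sa: len, exttype, spi (network order), replay, state, auth, encrypt, flags
    sa_ext = (struct.pack("=HH", 2, SADB_EXT_SA) + struct.pack("!I", spi)
              + struct.pack("=BBBBI", 0, 0, 0, 0, 0))
    # sadb_address header (len, exttype, proto, prefixlen, reserved) then the sockaddr,
    # padded so the extension as a whole stays on an 8-byte boundary.
    sockaddr = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 0)
                + socket.inet_aton(dst_ip) + b"\0" * 8)
    addr_body = pad8(sockaddr)
    addr_ext = struct.pack("=HHBBH", (8 + len(addr_body)) // 8,
                           SADB_EXT_ADDRESS_DST, 0, 32, 0) + addr_body
    exts = sa_ext + addr_ext
    total_words = (16 + len(exts)) // 8     # sadb_msg_len includes the 16-byte header
    base = struct.pack("=BBBBHHII", PF_KEY_V2, SADB_GET, 0, SADB_SATYPE_ESP,
                       total_words, 0, seq, pid)
    return base + exts

def parse_extensions(msg: bytes):
    """Walk the extension chain after the base header; returns [(ext_type, length_bytes)].
    Rejects a message whose declared length or extension lengths do not fit the buffer."""
    _version, _mtype, _errno, _satype, words = struct.unpack_from("=BBBBH", msg, 0)
    if len(msg) != words * 8 or len(msg) % 8:
        raise ValueError("sadb_msg_len does not match the message size")
    out, off = [], 16
    while off < len(msg):
        ext_len, ext_type = struct.unpack_from("=HH", msg, off)
        if ext_len == 0 or ext_len * 8 > len(msg) - off:
            raise ValueError("bad extension length at offset %d" % off)
        out.append((ext_type, ext_len * 8))
        off += ext_len * 8
    return out
```

The message would be written to a PF_KEY socket with a single send call; a truncated or misaligned reply fails the same length checks that parse_extensions applies here.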