The IPsec RFCs define a number of terms that are useful to recognize when implementing IPsec on your systems. The following table lists IPsec terms, provides their commonly used acronyms, and defines each term. For a list of terminology used in key negotiation, see Table 21–1.
Table 18–1 IPsec Terms, Acronyms, and Uses
| IPsec Term | Acronym | Definition |
|---|---|---|
| Security association | SA | A unique connection between two nodes on a network. The connection is defined by a triplet: a security protocol, a security parameter index, and an IP destination. The IP destination can be an IP address or a socket. |
| Security associations database | SADB | Database that contains all active security associations. |
| Security parameter index | SPI | The indexing value for a security association. An SPI is a 32-bit value that distinguishes among SAs that have the same IP destination and security protocol. |
| Security policy database | SPD | Database that determines whether outbound packets and inbound packets have the specified level of protection. |
| Key exchange | | The process of generating keys for asymmetric cryptographic algorithms. The two main methods are RSA protocols and the Diffie-Hellman protocol. |
| Diffie-Hellman protocol | DH | A key exchange protocol that involves key generation and key authentication. Often called authenticated key exchange. |
| RSA protocol | RSA | A key exchange protocol that involves key generation and key distribution. The protocol is named for its three creators, Rivest, Shamir, and Adleman. |
| Internet Security Association and Key Management Protocol | ISAKMP | The common framework for establishing the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP is the IETF standard for handling IPsec SAs. |
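The following added example (constructed for this page, not Solaris code) models how the SA, SADB, SPI and SPD entries above fit together: the SADB is keyed by the (protocol, SPI, destination) triplet, so two SAs to the same destination are told apart by SPI alone, and the SPD decides whether an inbound packet carries the required protection before any SA is used. The class and field names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model, not Solaris code: an SA is identified by the triplet
# from Table 18-1 (security protocol, SPI, IP destination), so two SAs
# with the same protocol and destination are told apart by SPI alone.
SAKey = Tuple[str, int, str]

@dataclass(frozen=True)
class SA:
    protocol: str   # "esp" or "ah"
    spi: int        # 32-bit security parameter index
    dst: str        # IP destination address
    key_id: str     # label standing in for the session key (constructed)

class SADB:
    """Security associations database: all active SAs, keyed by the triplet."""
    def __init__(self) -> None:
        self._sas: Dict[SAKey, SA] = {}

    def add(self, sa: SA) -> None:
        if not 0 <= sa.spi <= 0xFFFFFFFF:
            raise ValueError("SPI must fit in 32 bits")
        key = (sa.protocol, sa.spi, sa.dst)
        if key in self._sas:
            raise ValueError(f"SA already exists for {key}")
        self._sas[key] = sa

    def lookup(self, protocol: str, spi: int, dst: str) -> Optional[SA]:
        return self._sas.get((protocol, spi, dst))

class SPD:
    """Security policy database: required protection per destination."""
    def __init__(self, rules: Dict[str, str]) -> None:
        self._rules = rules   # dst -> "esp", "ah" or "bypass"

    def required(self, dst: str) -> str:
        return self._rules.get(dst, "discard")   # no policy: drop the packet

def inbound_decision(sadb: SADB, spd: SPD, dst: str,
                     protocol: Optional[str], spi: Optional[int]) -> str:
    """Return 'bypass', 'drop', or the key_id of the SA protecting the packet.
    protocol/spi come from the packet's AH or ESP header (None when the
    packet arrived with no IPsec header at all)."""
    policy = spd.required(dst)
    if protocol is None:
        return "bypass" if policy == "bypass" else "drop"
    if policy != protocol:
        return "drop"                      # wrong level of protection
    sa = sadb.lookup(protocol, spi, dst)
    return sa.key_id if sa else "drop"     # unknown SPI: no SA to apply
```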