System Administration Guide, Volume 3

Security Associations

Security associations (SAs) specify security properties from one host to another. Two communicating systems need at least two SAs to communicate securely, unless they use multicast, in which case they can use the same multicast SA. The pf_key(7P) interface manages security associations. IPsec does not currently support automatic SA management, but you can use ipseckey(1M) as a command-line front end. An IPsec SA is identified by the protocol (AH or ESP), the destination IP address, and the security parameters index (SPI). The security parameters index, an arbitrary 32-bit value, is transmitted with each AH or ESP packet. See the ipsecah(7P) or ipsecesp(7P) man pages for an explanation of where the SPI resides in a protected packet.
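As an added illustration (not part of the original guide), the following Python models how a receiving host uses that identifying triple: it reads the SPI from the AH or ESP header at the position those man pages describe, then looks up (protocol, destination, SPI) in a small SA table that holds the two unidirectional SAs a host pair needs. The addresses, SPIs and algorithm names are constructed sample values, and the SADB class is a hypothetical stand-in for the kernel's table, not the pf_key(7P) interface.

```python
import struct
from typing import NamedTuple, Optional

AH, ESP = 51, 50  # IP protocol numbers for AH (RFC 2402) and ESP (RFC 2406)

class SA(NamedTuple):
    proto: int               # AH or ESP
    dst: str                 # destination IP address
    spi: int                 # arbitrary 32-bit security parameters index
    auth_alg: str            # authentication algorithm (sample value)
    encr_alg: Optional[str]  # encryption algorithm, ESP only

class SADB:
    """Minimal SA database keyed by (protocol, destination, SPI)."""
    def __init__(self) -> None:
        self._sas: dict = {}

    def add(self, sa: SA) -> None:
        key = (sa.proto, sa.dst, sa.spi)
        if key in self._sas:  # the identifying triple must be unique
            raise ValueError(f"duplicate SA {key}")
        self._sas[key] = sa

    def lookup(self, proto: int, dst: str, spi: int) -> Optional[SA]:
        return self._sas.get((proto, dst, spi))

def spi_from_header(proto: int, payload: bytes) -> int:
    """Read the SPI from the AH or ESP header that follows the IP header.
    ESP: the SPI is the first 4 bytes.  AH: next header (1), payload
    length (1), reserved (2), then the SPI (4).  Network byte order."""
    if proto == ESP:
        return struct.unpack("!I", payload[:4])[0]
    if proto == AH:
        return struct.unpack("!I", payload[4:8])[0]
    raise ValueError(f"protocol {proto} is not AH or ESP")

def select_sa(db: SADB, proto: int, dst: str, payload: bytes) -> Optional[SA]:
    """Inbound SA selection: protocol and destination address come from the
    IP header, the SPI from the IPsec header.  None means no SA: drop."""
    return db.lookup(proto, dst, spi_from_header(proto, payload))

def build_demo_db() -> SADB:
    """Two unidirectional ESP SAs between hosts A (10.0.0.1) and B (10.0.0.2).
    Addresses, SPIs and algorithm names are constructed sample values."""
    db = SADB()
    db.add(SA(ESP, "10.0.0.2", 0x1001, "hmac-md5", "des-cbc"))  # A -> B
    db.add(SA(ESP, "10.0.0.1", 0x2002, "hmac-md5", "des-cbc"))  # B -> A
    return db
```

The same SPI value under a different protocol or destination is a different triple and matches nothing, which is why all three fields must be entered for each manually keyed SA.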

Key Management

A security association contains keying information, algorithm choices, endpoint identities, and other parameters. Managing SAs is called key management. Currently, you must perform key management manually.