An IPsec security association SA defines the security properties that will be applied to an IP packet that matches the IP parameters that are also stored in the SA. Each SA is unidirectional. Because most communications are bidirectional, two SAs are required for a single connection.
Together, the following three elements uniquely identify an IPsec SA:
The security protocol (AH or ESP)
The destination IP address
The security parameter index (SPI)
The SPI of the SA provides additional protection and is transmitted in the AH or ESP header of an IPsec-protected packet. The ipsecah(7P) and ipsecesp(7P) man pages explain the extent of protection that is provided by AH and ESP. An integrity checksum value is used to authenticate a packet. If the authentication fails, the packet is dropped.
Security associations are stored in a security associations database (SADB). A socket-based administrative interface, PF_KEY, enables privileged applications to manage the database programmatically. For example, the IKE daemon and the ipseckey command use the PF_KEY socket interface.
For a more complete description of the IPsec SADB, see Security Associations Database for IPsec.
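As an added illustration (not Solaris code and not the real SADB format), the following toy SADB is keyed by the triple described above, holds one SA per direction, and drops an inbound packet when no SA matches or the integrity check fails. Addresses, SPIs and keys are constructed, and a truncated HMAC-SHA-256 stands in for the integrity checksum; ESP encryption is left out.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Constructed example: a toy SADB keyed by (security protocol, destination IP,
# SPI). Addresses, SPIs and keys are made up; the ICV is a truncated
# HMAC-SHA-256 standing in for the integrity checksum, and encryption is omitted.

ESP = 50  # IP protocol number for ESP

@dataclass(frozen=True)
class SA:
    protocol: int    # ESP (or AH)
    dst: str         # destination IP address
    spi: int         # security parameter index, carried in the ESP/AH header
    auth_key: bytes  # key for the integrity check

SADB = {}

def add_sa(sa):
    SADB[(sa.protocol, sa.dst, sa.spi)] = sa

def build_esp(sa, payload, seq=1):
    """ESP: SPI (4 bytes) + sequence number (4 bytes), payload, then a
    96-bit ICV computed over everything before it."""
    header = struct.pack("!II", sa.spi, seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:12]
    return header + payload + icv

def receive_esp(dst, packet):
    """Inbound processing: find the SA by (ESP, dst, SPI) and verify the
    ICV. Returns the payload, or None when the packet is dropped."""
    if len(packet) < 8 + 12:
        return None
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = SADB.get((ESP, dst, spi))
    if sa is None:
        return None  # no matching SA in the SADB: dropped
    body, icv = packet[:-12], packet[-12:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        return None  # authentication failed: dropped
    return body[8:]

# One SA per direction, as a bidirectional connection requires.
SA_A_TO_B = SA(ESP, "192.0.2.2", 0x1001, b"a" * 32)
SA_B_TO_A = SA(ESP, "192.0.2.1", 0x2002, b"b" * 32)
add_sa(SA_A_TO_B)
add_sa(SA_B_TO_A)
```

A packet built on the A-to-B SA is accepted only at 192.0.2.2; delivered to 192.0.2.1 it matches no SA, and a modified payload fails the ICV check.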