IPSec SA being Unidirectional

Question

From what I’ve read, IKE SAs are Birectional and IPSec SAs are unidirectional.

But if the same proposals are to be agreed by both the ends, say protocol esp, Authentication algorithm as hmac-sha1-256 and encryption algorithm 3des, then why is it called as Unidirectional and must have 2 separate SAs?

Cant a single SA define both inbound and outbound as they have to agree upon the same protocols/algorithms.

Please help me out here if I’m missing something.

I'm not sure what you're asking here. The RFC 4301 defines how it works. SA's are unidirectional. — Ron Trunk, Feb 28 '19 at 18:27
Whomever might be down-voting this question -- please provide some details as to why the question warrants a down-vote? — Eddie, Mar 01 '19 at 14:29
@Eddie, it wasn't me that cast any down votes on the question or answer, but votes are anonymous, and putting in a reason defeats that. Also, if you hover the mouse over the down arrows, it give you the reason to vote down, although anyone can vote, up or down, as the voter wants. There is no requirement to give a reason. — Ron Maupin, Mar 03 '19 at 19:04

score 2 · Accepted Answer · answered Feb 28 '19 at 21:45

I think your confusion stems from misunderstanding a few terms. For what its worth, there is a lot of confusion around these terms.

A Policy Suite is a grouping of specific algorithms for the sake of providing specific security services.

For example, an IPsec Policy Suite specifies 3 services:

Confidentiality - which requires a Symmetric Encryption protocol
Integrity - which requires a Hashing algorithm for use inside an HMAC
An IPsec Protocol - which requires selecting ESP or AH.

Which means you could specify these three protocols and have everything you need for an IPsec Policy Suite: AES, SHA1-HMAC, ESP

The issue is, Symmetric Encryption requires a Secret Key. HMAC, also requires a secret key. Both of these keys need to be stored somewhere. The construct which stores both the Policy Suite and all necessary keys, is known as a Security Association.

So in short, a Policy Suite is something like AES, SHA1-HMAC, ESP, and a Security Association is a Policy Suite and all necessary keys. When two peers have identical SA's, they have everything they need to speak securely to one another -- an agreement on which protocols to use (Policy Suite) and identical secret keys.

IPsec creates two, unidirectional Security Associations, based upon a single Policy Suite (i.e, set of protocols). The only thing that makes one IPsec SA different from the next, are the secret keys used within the specific protocols.

This is by design. This way, if someone successfully brute forces one set of keys, they can only decrypt the data in one direction.

ISAKMP, for instance, creates a single security association (ie, set of keys within a matching policy suite) that is used to protect data in both directions (bidirectional).

For more information about how the keys are generated in IPsec and ISAKMP, see this answer.

Disclaimer: Some of the links above include links to my personal blog. My blog is not monetized. There are no ads. There is no mandatory e-mail capture. The links are provided purely because I think the content will help you understand more thoroughly the answer provided.

Thanks a lot for the answer. But Im unable to open the hyperlinks provided which leads to your blog http://www.practicalnetworking.net. Could you please look into it. — RRHS, Mar 01 '19 at 04:36
@RRHS The links work for me. Can you describe what happens when you click them? — Eddie, Mar 01 '19 at 13:16
@Eddie The link works fine. Actually it was the VPN which caused the issue. My bad. Thanks again. — RRHS, Mar 02 '19 at 16:12

IPSec SA being Unidirectional

1 Answers1