IPsec Packet Processing

After an IPsec SA is established, IPsec can encrypt or decrypt IP packets. Concepts related to IPsec packet forwarding are as follows:
  • Security Policy Database (SPDB): It defines the security services available to IP packets and how those services are obtained. The SPDB determines the scope and attributes of an SA and is therefore the basis for SA establishment.

  • Security Association Database (SADB): It stores the state data associated with each SA. Because a network entity can create multiple pairs of SAs, a database is required to store and manage them.

  • Security Parameter Index (SPI): It is a 32-bit value carried in the AH or ESP header. The receiver uses the SPI to find, in the SADB, the SA that protects the received data flow.

Figure 1 shows the IPsec packet sending process.
Figure 1 IPsec packet sending process
Figure 2 shows the IPsec packet receiving process.
Figure 2 IPsec packet receiving process
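The sending and receiving processes in the two figures, and the three structures defined above, can be modelled in a few dozen lines. The following Python is an added illustration, not the vendor's implementation: it simulates a transport-mode, ESP-like encapsulation with an integrity tag only (no encryption) so that the SPD lookup on the sending side, the SPI-based SAD lookup on the receiving side, and the post-decapsulation policy check are visible. All addresses, SPIs, keys and policy rules are constructed sample values.

```python
"""Toy model of IPsec outbound (send) and inbound (receive) packet processing.
Added example, not vendor code. Addresses, SPIs, keys and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
import hashlib, hmac, struct

ESP = 50        # IP protocol number of ESP
TAG_LEN = 12    # truncated HMAC-SHA256 tag, standing in for the ESP ICV


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes = b""
    spi: int = 0  # present only on protected (ESP) packets


@dataclass
class SPDEntry:
    """One SPD rule: traffic selectors plus the action to apply."""
    src_net: str
    dst_net: str
    proto: Optional[int]            # None matches any protocol
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"
    sa_key: Optional[tuple] = None  # (spi, peer) naming the SA used to PROTECT

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto))


@dataclass
class SA:
    """One SA as stored in the SAD, identified by SPI plus destination address."""
    spi: int
    dst: str
    key: bytes          # constructed sample integrity key
    seq: int = 0        # outbound: last sequence number sent
    last_seen: int = 0  # inbound: highest sequence number accepted (toy anti-replay)


def lookup_spd(pkt: Packet, spd: list) -> Optional[SPDEntry]:
    """Ordered first-match search; None means no policy covers the packet."""
    return next((e for e in spd if e.matches(pkt)), None)


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def outbound(pkt: Packet, spd: list, sad: dict):
    """Sending side: the SPD decides the action, the SAD supplies the SA."""
    entry = lookup_spd(pkt, spd)
    if entry is None or entry.action == "DISCARD":
        return "DISCARD", None          # no matching policy, or explicit discard
    if entry.action == "BYPASS":
        return "BYPASS", pkt            # forwarded untouched
    sa = sad.get(entry.sa_key)
    if sa is None:
        return "NEED_SA", None          # policy says protect but no SA exists yet: trigger IKE
    sa.seq += 1
    body = struct.pack("!IB", sa.seq, pkt.proto) + pkt.payload   # seq, next header, data
    return "PROTECT", Packet(pkt.src, pkt.dst, ESP, body + tag(sa.key, body), spi=sa.spi)


def inbound(pkt: Packet, spd: list, sad: dict):
    """Receiving side: the SPI selects the SA; the SPD is checked again after decapsulation."""
    if pkt.proto != ESP:
        entry = lookup_spd(pkt, spd)
        if entry is None or entry.action != "BYPASS":
            return "DISCARD", None      # cleartext arriving where policy requires protection
        return "BYPASS", pkt
    sa = sad.get((pkt.spi, pkt.dst))
    if sa is None or len(pkt.payload) < 5 + TAG_LEN:
        return "DISCARD", None          # unknown SPI (or malformed): nothing to process it with
    body, mac = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
    seq, next_proto = struct.unpack("!IB", body[:5])
    if seq <= sa.last_seen:
        return "DISCARD", None          # preliminary anti-replay check before integrity check
    if not hmac.compare_digest(mac, tag(sa.key, body)):
        return "DISCARD", None          # integrity check failed
    sa.last_seen = seq                  # window advanced only after the tag verified
    inner = Packet(pkt.src, pkt.dst, next_proto, body[5:])
    entry = lookup_spd(inner, spd)
    if entry is None or entry.action != "PROTECT":
        return "DISCARD", None          # decapsulated traffic must itself match a PROTECT rule
    return "PROTECT", inner


KEY = b"constructed-sample-key"
SPD = [   # constructed rules, shared by both peers here for simplicity
    SPDEntry("10.1.0.0/16", "10.2.0.0/16", None, "PROTECT", sa_key=(0x1001, "10.2.0.5")),
    SPDEntry("10.1.0.0/16", "10.1.0.0/16", None, "BYPASS"),
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, "DISCARD"),
]


def demo() -> dict:
    """Runs the send/receive cases and returns the action taken for each."""
    sad, r = {}, {}
    clear = Packet("10.1.0.7", "10.2.0.5", 6, b"GET / HTTP/1.0")
    r["no_sa_yet"] = outbound(clear, SPD, sad)[0]
    sad[(0x1001, "10.2.0.5")] = SA(0x1001, "10.2.0.5", KEY)   # as if IKE had just installed it
    r["sent"], esp = outbound(clear, SPD, sad)
    r["esp_proto_spi"] = (esp.proto, esp.spi)
    r["received"], inner = inbound(esp, SPD, sad)
    r["roundtrip_ok"] = inner == clear
    r["replay"] = inbound(esp, SPD, sad)[0]
    bad = esp.payload[:-1] + bytes([esp.payload[-1] ^ 1])
    r["tampered"] = inbound(Packet(esp.src, esp.dst, ESP, bad, spi=esp.spi), SPD, sad)[0]
    r["unknown_spi"] = inbound(Packet(esp.src, esp.dst, ESP, esp.payload, spi=0x2002), SPD, sad)[0]
    r["cleartext_where_protected"] = inbound(clear, SPD, sad)[0]
    r["local_bypass"] = inbound(Packet("10.1.0.7", "10.1.0.9", 17, b"dns"), SPD, sad)[0]
    return r


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks on the receiving side is the point to notice: the SPI (with the destination address) selects the SA before anything else can be done; the sequence number and integrity tag are then checked against that SA; and only after decapsulation is the inner packet matched against the SPD, so that traffic a policy says must be protected cannot arrive in cleartext or under the wrong SA.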
