Databases used by IPsec
IPsec uses three databases, described below.
Security Policy Database (SPD)
This database of security policies is established and maintained by a user or system administrator. The SPD contains rules that determine whether or not a packet is subject to IPsec processing. It specifies the services offered to IP datagrams. It has two types of entry:
- SPD-O – used for all outbound traffic that is to be bypassed, protected, or discarded.
- SPD-I – used for all inbound traffic that is to be bypassed or discarded.

A security policy entry contains the policy's traffic selector as well as other properties. The entry also contains a pointer to the corresponding entry in the Security Association Database (SAD).

The user specifies most of the fields in the policy entry when the policy is added to the SPD. Each policy is identified by a security identity (ID). This ID can either be generated by IPsec or specified by the user.

Each policy entry that is used for securing traffic has a corresponding session entry. The session entry contains all information related to a single IPsec session and includes SAs for all protocols (AH and ESP) for both inbound and outbound directions. Policies for bypassing IPsec or dropping packets do not need a session entry.

The SPD uses structures to:
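To make the SPD entry fields described above concrete, the following is an added example model (not code from the original page or from any IPsec implementation) of an SPD with separate SPD-O and SPD-I lists, traffic selectors, bypass/protect/discard actions, and the session-entry reference that only protect policies carry; the addresses and policy IDs are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Selector:
    """Traffic selector: source/destination prefix, optional protocol and destination port."""
    src: str
    dst: str
    proto: Optional[int] = None   # None means any protocol
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

@dataclass(frozen=True)
class Policy:
    policy_id: int                     # the policy's security identity (ID)
    direction: str                     # "out" -> SPD-O entry, "in" -> SPD-I entry
    selector: Selector
    action: str                        # "BYPASS", "PROTECT" or "DISCARD"
    session_ref: Optional[int] = None  # pointer to the session/SA entry; PROTECT only

class SPD:
    """Ordered SPD-O and SPD-I lists; first matching entry wins, no match means DISCARD."""
    def __init__(self, policies):
        for p in policies:
            if p.direction == "in" and p.action == "PROTECT":
                raise ValueError(f"policy {p.policy_id}: SPD-I entries only bypass or discard")
            if (p.action == "PROTECT") != (p.session_ref is not None):
                raise ValueError(f"policy {p.policy_id}: only PROTECT entries carry a session entry")
        self.spd_o = [p for p in policies if p.direction == "out"]
        self.spd_i = [p for p in policies if p.direction == "in"]

    def lookup(self, direction: str, pkt: dict):
        # Returns (action, session_ref); the session_ref is what a PROTECT result hands to the SAD.
        for p in (self.spd_o if direction == "out" else self.spd_i):
            if p.selector.matches(pkt):
                return p.action, p.session_ref
        return "DISCARD", None

# Constructed sample SPD (hypothetical addresses): protect HTTPS to 10.0.2.0/24, bypass local-subnet traffic, discard the rest.
SAMPLE_SPD = SPD([
    Policy(1, "out", Selector("10.0.1.0/24", "10.0.2.0/24", proto=6, dport=443), "PROTECT", 1001),
    Policy(2, "out", Selector("10.0.1.0/24", "10.0.1.0/24"), "BYPASS"),
    Policy(3, "in", Selector("10.0.1.0/24", "10.0.1.0/24"), "BYPASS"),
])
```

Note that an unmatched packet falls through to DISCARD in both directions, which is the safe default for a policy database: anything the administrator has not explicitly bypassed or protected is dropped.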