Security Association Database (SAD)
A Security Association can be very complex. This is particularly true if Alice wants to
send messages to many people and Bob needs to receive messages from many people.
In addition, each site needs both inbound and outbound SAs to allow bidirectional
communication. In other words, we need a set of SAs that can be collected into a
database. This database is called the Security Association Database (SAD). The database
can be thought of as a two-dimensional table in which each row defines a single SA.
Normally there are two SADs, one inbound and one outbound. Figure 30.9 shows the
concept of outbound and inbound SADs for one entity.
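As an added illustration (not the textbook's code), the following model keeps the outbound and inbound SADs as two separate row tables and performs the lookups a host makes on them. The lookup keys are an assumption taken from RFC 4301, since the text above names none: the sender selects an outbound row by destination and protocol, and the receiver selects an inbound row by the SPI carried in the header together with the packet's destination and protocol. Addresses, SPI values and keys are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    """One row of a SAD: the parameters of a single Security Association."""
    spi: int
    dst: str      # destination address the SA protects traffic to
    proto: str    # "AH" or "ESP"
    mode: str     # "transport" or "tunnel"
    key: bytes    # constructed sample key, not a real one

def outbound_sa(sad, dst, proto):
    """Sender side: find the SA used to protect a packet to dst with proto.
    Assumed key (RFC 4301 style): destination address + protocol."""
    for sa in sad:
        if sa.dst == dst and sa.proto == proto:
            return sa
    return None   # no SA: the packet cannot be given an IPSec header

def inbound_sa(sad, spi, dst, proto):
    """Receiver side: the SPI from the AH/ESP header, the packet's
    destination and the protocol must all match one row. A matching SPI
    alone is not enough; anything else yields None and the packet is dropped."""
    for sa in sad:
        if (sa.spi, sa.dst, sa.proto) == (spi, dst, proto):
            return sa
    return None

def demo():
    # Host 10.0.0.1 talking to 10.0.0.2 (constructed values). The peer chose
    # SPI 0x1001 for traffic it receives, and this host happened to choose the
    # same SPI for traffic it receives: two tables keep the rows apart.
    outbound = [SA(0x1001, "10.0.0.2", "ESP", "tunnel", b"out-key")]
    inbound = [SA(0x1001, "10.0.0.1", "ESP", "tunnel", b"in-key")]
    tx = outbound_sa(outbound, "10.0.0.2", "ESP")          # sending
    rx = inbound_sa(inbound, 0x1001, "10.0.0.1", "ESP")    # receiving
    wrong_proto = inbound_sa(inbound, 0x1001, "10.0.0.1", "AH")
    unknown_peer = outbound_sa(outbound, "10.0.0.9", "ESP")
    return tx.key, rx.key, wrong_proto, unknown_peer

if __name__ == "__main__":
    print(demo())   # (b'out-key', b'in-key', None, None)
```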
When a host needs to send a packet that must carry an IPSec header, the host looks up
the corresponding entry in the outbound SAD to obtain the information for applying
security to the packet. Similarly, when a host receives a packet that carries an IPSec
header, the host looks up the corresponding entry in the inbound SAD to obtain the
information for checking the security of the packet. This search must be specific, in
the sense that the receiving host needs to be sure that the correct information is used for