Description
The Security Association Database (SAD), sometimes denoted SADB, is a critical component in the implementation of security protocols like IPsec (Internet Protocol Security). Within 3GPP architectures, it is maintained by network entities such as the Packet Data Network Gateway (PGW), Trusted WLAN Access Gateway (TWAG), or security gateways that apply IPsec to protect user data or control plane traffic. A Security Association (SA) is a set of parameters that define how security services are provided to a specific communication flow. The SAD is the repository where these parameter sets are stored and managed for all active SAs.
Each entry in the SAD corresponds to one SA and contains a comprehensive set of fields necessary for processing secured packets. Key components of an SAD entry include: the Security Parameters Index (SPI), a unique identifier for the SA; the destination IP address (and often source address); the cryptographic algorithms to be used (e.g., AES for encryption, SHA-256 for integrity); the specific keys for those algorithms; the mode of operation (Transport or Tunnel); the lifetime of the SA (in time or bytes processed); and anti-replay window parameters. For inbound packets, the receiving node uses the SPI and destination address to look up the correct SAD entry, retrieve the keys and algorithms, and then decrypt and validate the packet. For outbound packets, the sending node consults the SAD to determine how to encrypt and encapsulate the packet before transmission.
The SAD works in conjunction with the Security Policy Database (SPD). The SPD defines the policy rules that dictate *whether* traffic should be protected and the general requirements for that protection. When traffic matches an SPD rule requiring protection, the system either uses an existing SA (whose parameters are in the SAD) or triggers the creation of a new SA via a key management protocol like IKEv2. The newly established SA's parameters are then installed in the SAD. The SAD is dynamically updated as SAs are created, deleted, or refreshed. Management of the SAD is a core function of the IPsec implementation, ensuring that keys are available, lifetimes are monitored, and stale entries are purged.
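As an added example (not code from the page or from any 3GPP or IETF implementation), a small Python model of the SAD behaviour described in the two paragraphs above: entries keyed by (SPI, destination address), the RFC 4303 sliding anti-replay window, a byte-count lifetime, and the purge of spent entries. Field names, the window size of 64 and the "no-sa"/"replay"/"accept" outcomes are assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass
class SAEntry:  # one SAD row: identifiers, crypto parameters, lifetime, anti-replay state
    spi: int
    dst: str
    enc_alg: str
    integ_alg: str
    key: bytes
    lifetime_bytes: int = 1 << 30   # byte-count lifetime (time-based lifetime omitted here)
    bytes_used: int = 0
    window_size: int = 64           # RFC 4303 minimum anti-replay window
    highest_seq: int = 0            # highest sequence number accepted so far
    bitmap: int = 0                 # bit i set => (highest_seq - i) already seen
    def check_replay(self, seq: int) -> bool:  # sliding window; records seq if accepted
        if seq == 0:                # ESP sequence numbers start at 1
            return False
        if seq > self.highest_seq:  # newer than anything seen: slide the window right
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size or self.bitmap & (1 << diff):
            return False            # too old for the window, or a duplicate inside it
        self.bitmap |= 1 << diff
        return True

class SAD:  # entries keyed by (SPI, destination address), the inbound lookup key
    def __init__(self):
        self._sas = {}
    def install(self, sa: SAEntry) -> None:    # called once IKEv2 has negotiated the SA
        self._sas[(sa.spi, sa.dst)] = sa
    def lookup_inbound(self, spi: int, dst: str):
        return self._sas.get((spi, dst))
    def lookup_outbound(self, dst: str):       # a live SA toward dst, or None (trigger IKEv2)
        return next((sa for (_, d), sa in self._sas.items()
                     if d == dst and sa.bytes_used < sa.lifetime_bytes), None)
    def purge_expired(self) -> list:           # drop entries whose byte lifetime is spent
        dead = [spi for (spi, _), sa in self._sas.items() if sa.bytes_used >= sa.lifetime_bytes]
        self._sas = {k: sa for k, sa in self._sas.items() if sa.bytes_used < sa.lifetime_bytes}
        return dead

def process_inbound(sad: SAD, spi: int, dst: str, seq: int, length: int) -> str:
    sa = sad.lookup_inbound(spi, dst)          # SPI + destination selects the SA
    if sa is None:
        return "no-sa"                         # RFC 4301: discard and audit, never guess a key
    if not sa.check_replay(seq):
        return "replay"
    sa.bytes_used += length                    # charge the byte lifetime
    return "accept"
```

The decryption and integrity steps are left out so the state handling stays visible; in a real gateway they run between the replay check and the lifetime accounting.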
In 3GPP networks, the SAD is essential for securing interfaces like N3 and N9 in 5G using IPsec, or for securing UE-to-network tunnels in scenarios like WLAN integration. It enables the network to maintain simultaneous secure associations for millions of devices, each with its own cryptographic context. The robustness and performance of the SAD implementation directly impact the security and scalability of the mobile core network.
Purpose & Motivation
The Security Association Database exists to solve the problem of managing the complex, stateful parameters required for cryptographic protection of communications. Early secure communications often used static, pre-shared keys for entire links, which was inflexible and insecure for large-scale, dynamic networks. As protocols like IPsec evolved to provide per-flow or per-session security with dynamic key establishment, a mechanism was needed to store and retrieve the multitude of parameters for each active security context.
The SAD was created as part of the IPsec architecture (defined in IETF RFCs) to provide this stateful storage. Without a SAD, a security gateway would have no efficient way to associate incoming secured packets with the correct decryption keys and algorithms, rendering IPsec unusable for multiple simultaneous connections. It addresses the limitation of earlier ad-hoc security implementations that could not scale. The SAD, paired with the SPD, provides a structured, database-driven approach to enforcing security policies.
Within 3GPP, the adoption of IPsec for protecting core network interfaces (e.g., between network functions) and user data tunnels became paramount with the move to all-IP architectures and later cloud-native 5G cores. The SAD concept is integral to specifications defining security for interfaces like GTP-U, N3, N9, and for UE access via untrusted networks. Its purpose in 3GPP is to enable standardized, scalable, and secure IP communications across the mobile ecosystem, ensuring each secured flow has its dedicated cryptographic state managed reliably by network elements.
Key Features
- Stores active Security Association parameters (SPI, keys, algorithms, lifetimes)
- Indexed by Security Parameters Index (SPI) and destination address for fast lookup
- Used for both inbound packet processing (decryption/verification) and outbound (encryption)
- Dynamically updated by key management protocols like IKEv2
- Integral part of IPsec implementation in 3GPP gateways and security functions
- Enables simultaneous management of thousands to millions of distinct security contexts
Evolution Across Releases
Initial incorporation of Security Association Database concepts within 3GPP security specifications, aligning with IETF IPsec standards. Defined its role in securing IP-based interfaces and tunnels in the evolving all-IP core network architecture of UMTS.
Defining Specifications
| Specification | Title |
|---|---|
| TS 21.905 | 3GPP TS 21.905 |
| TS 26.253 | 3GPP TS 26.253 |
| TS 26.441 | 3GPP TS 26.441 |
| TS 26.442 | 3GPP TS 26.442 |
| TS 26.443 | 3GPP TS 26.443 |
| TS 26.444 | 3GPP TS 26.444 |
| TS 26.450 | 3GPP TS 26.450 |
| TS 26.451 | 3GPP TS 26.451 |
| TS 26.452 | 3GPP TS 26.452 |
| TS 26.952 | 3GPP TS 26.952 |
| TS 29.204 | 3GPP TS 29.204 |
| TS 33.204 | 3GPP TS 33.204 |
| TS 33.210 | 3GPP TS 33.210 |