IPsec security protocols are widely used to protect packets communicated between endpoints (EPs), such as over the Internet, between gateways, between data centers (e.g., on-premises data centers, cloud data centers), within data centers, etc. For example, with respect to IPsec encryption/tunnel protocols, security associations (SAs) may be established by tunnel endpoints (“TEPs”) that are part of the communication path between the EPs. Each security association is a one-way or simplex connection, and therefore at least two security associations, one for each direction, are established between two IPsec peers (e.g., endpoints or tunnel endpoints, as described below). These security associations are a form of contract between the IPsec peers detailing how to exchange and protect information among each other. In some embodiments, each security association comprises a mutually agreed-upon key, one or more security protocols, and/or a security parameter index (SPI) value. After security associations have been established between two IPsec peers, an IPsec protocol may be used to protect data packets for transmission.
For IPsec in the Encapsulating Security Payload (ESP) tunnel mode, security associations are established between TEPs for applying IPsec protocols to encrypt and encapsulate egress packets from a source EP and decrypt and decapsulate ingress packets for a destination EP to secure communication between the EPs. For example, a source EP may be configured to generate and route egress IP packets to a source TEP associated with the source EP. In particular, the source EP may generate an IP packet including a header with the IP address of the source EP set as the source IP address and the IP address of the destination EP set as the destination IP address. A MAC address of the source TEP may further be set as a next-hop MAC address of the IP packet in the header.
The source TEP receives the IP packet and encrypts the original IP packet including the header of the original IP packet based on a security association established between the source TEP and the destination TEP for data transfer between the source EP and destination EP. For example, the source TEP encrypts the original IP packet with a mutually agreed-upon key of the security association between the source TEP and the destination TEP. The source TEP further encapsulates the encrypted packet by adding a new IP header and an ESP header (e.g., including an SPI value corresponding to the security association used to encrypt the packet) to the encrypted packet to generate an encapsulated ESP encrypted data packet. In the new IP header, the source TEP includes a source IP address of the source TEP and a destination IP address of the destination TEP. The new IP header is used to forward the encapsulated ESP encrypted data packet through a network from the source TEP to the destination TEP.
The destination TEP may then decapsulate and decrypt the encapsulated ESP encrypted data packet to extract the original IP packet. For example, the destination tunnel endpoint may determine the security association (e.g., mutually agreed-upon key) to use to decrypt the encapsulated ESP encrypted data packet based on the SPI value included in the ESP header. Based on the destination IP address in the header of the original IP packet, the destination tunnel endpoint forwards the original IP packet to the destination endpoint.
In some cases, SPI values used in security associations established between TEPs are 32-bit binary values. The 32-bit SPI values include 17-bit TEP labels that are generated and assigned to TEPs for identification. The 32-bit SPI values also include 2-bit shift factors used for altering the SPI values. However, only 13 bits of the 32-bit SPI values remain for identifying key policies assigned to the TEPs in the network. Accordingly, only 8,192 (2^13) key policies may be generated and assigned by network administrators to the TEPs in the network because only that many key policies are identifiable by SPI values. In some cases, this may limit the scaling out of key policies when such scaling is advantageous or necessary.
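As an added worked example (not part of the original text), the following Python packs and unpacks a 32-bit SPI using the field widths given above and shows where the 8,192 key-policy ceiling comes from. The order of the fields within the word is an assumption, since the text does not state it, and parse_esp_header is a hypothetical helper that reads the SPI and sequence number from the start of an ESP header as laid out in RFC 4303.

```python
import struct
from dataclasses import dataclass

# Field widths taken from the description above; they must sum to 32.
TEP_LABEL_BITS = 17
SHIFT_FACTOR_BITS = 2
KEY_POLICY_BITS = 13
assert TEP_LABEL_BITS + SHIFT_FACTOR_BITS + KEY_POLICY_BITS == 32

MAX_KEY_POLICIES = 1 << KEY_POLICY_BITS  # 8192: the scaling limit described


@dataclass(frozen=True)
class SpiFields:
    tep_label: int      # identifies the TEP
    shift_factor: int   # used for altering the SPI value
    key_policy: int     # selects the key policy assigned to the TEP


def pack_spi(fields: SpiFields) -> int:
    """Combine the fields into one 32-bit SPI.

    Assumed layout (high to low bits): TEP label | shift factor | key policy.
    A key policy index >= 8192 does not fit and raises ValueError, which is
    exactly the limitation the text describes.
    """
    for name, value, bits in (
        ("tep_label", fields.tep_label, TEP_LABEL_BITS),
        ("shift_factor", fields.shift_factor, SHIFT_FACTOR_BITS),
        ("key_policy", fields.key_policy, KEY_POLICY_BITS),
    ):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name}={value} does not fit in {bits} bits")
    return ((fields.tep_label << (SHIFT_FACTOR_BITS + KEY_POLICY_BITS))
            | (fields.shift_factor << KEY_POLICY_BITS)
            | fields.key_policy)


def unpack_spi(spi: int) -> SpiFields:
    """Split an SPI back into its fields (the receiver's SA-lookup step)."""
    if not 0 <= spi < (1 << 32):
        raise ValueError("SPI must be a 32-bit value")
    return SpiFields(
        tep_label=spi >> (SHIFT_FACTOR_BITS + KEY_POLICY_BITS),
        shift_factor=(spi >> KEY_POLICY_BITS) & ((1 << SHIFT_FACTOR_BITS) - 1),
        key_policy=spi & ((1 << KEY_POLICY_BITS) - 1),
    )


def parse_esp_header(data: bytes) -> tuple[int, int]:
    """Return (SPI, sequence number) from the first 8 bytes of an ESP header."""
    if len(data) < 8:
        raise ValueError("ESP header needs at least 8 bytes")
    return struct.unpack("!II", data[:8])
```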