IBM Support

What is a Security Parameter Index (SPI)?

Question & Answer


Question

What is a Security Parameter Index (SPI) and what is it used for?

Answer

The Security Parameter Index (SPI) is an identifier used to uniquely identify both manually and dynamically established IPSec Security Associations. For manual Security Associations, the SPI is configured by the customer. For dynamic Security Associations, the SPI is generated by IKED.

A single IPSec connection can require up to four SPI values, depending on the type of IPSec protection required:

  • AuthOutboundSpi, for authentication traffic transmitted outbound to the remote security endpoint.

  • AuthInboundSpi, for authentication traffic received inbound from the remote security endpoint.

  • EncryptOutboundSpi, for encryption traffic transmitted outbound to the remote security endpoint.

  • EncryptInboundSpi, for encryption traffic received inbound from the remote security endpoint.

In a manual IPSec configuration, the Security Parameter Index (SPI) values are determined by the administrator and configured beforehand on both the local and remote hosts. An SPI is specified on the following parameters of the IpManVpnAction statement:

  • AuthOutboundSa: the spi specified on this parameter is the AuthOutboundSpi

  • AuthInboundSa: the spi specified on this parameter is the AuthInboundSpi

  • EncryptOutboundSa: the spi specified on this parameter is the EncryptOutboundSpi

  • EncryptInboundSa: the spi specified on this parameter is the EncryptInboundSpi

For manual tunnels, SPI values should be chosen from the range 256 - 4096. These values are reserved by TCP/IP for use by manual tunnels and do not conflict with any dynamic tunnels.

Manual tunnel SPI values are displayed using the ipsec -p stackname -m display command.

Dynamic tunnel SPI values are displayed using the ipsec -p stackname -y display command.
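The following Python check is an added example, not IBM code. It validates a planned set of manual tunnel SPI values before they are configured on both hosts: each value must fall in the manual range, and each outbound SPI on one host must equal the corresponding inbound SPI on the peer, because the receiver locates its Security Association by the SPI carried in the packet. The dictionary layout, the function name and the sample values are assumptions made for illustration, and the range bounds are treated as inclusive.

```python
# Added example: consistency check for the SPI values of one manual tunnel.
# The four SPI names come from the page; everything else here is constructed.

# Range stated on the page; bounds treated as inclusive (assumption).
MANUAL_SPI_MIN, MANUAL_SPI_MAX = 256, 4096

# Name on one host -> name that must carry the same value on the peer.
MIRROR = {
    "AuthOutboundSpi": "AuthInboundSpi",
    "AuthInboundSpi": "AuthOutboundSpi",
    "EncryptOutboundSpi": "EncryptInboundSpi",
    "EncryptInboundSpi": "EncryptOutboundSpi",
}

def check_manual_tunnel(local, remote):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for side, spis in (("local", local), ("remote", remote)):
        unknown = set(spis) - set(MIRROR)
        if unknown:
            problems.append(f"{side}: unknown SPI name(s) {sorted(unknown)}")
        for name in MIRROR:
            value = spis.get(name)
            if value is None:
                continue  # a connection can need fewer than four SPIs
            in_range = isinstance(value, int) and MANUAL_SPI_MIN <= value <= MANUAL_SPI_MAX
            if not in_range:
                problems.append(
                    f"{side} {name}={value!r} outside {MANUAL_SPI_MIN}-{MANUAL_SPI_MAX}")
    # Direction check: also catches an SPI defined on one host only.
    for name, peer_name in MIRROR.items():
        mine, theirs = local.get(name), remote.get(peer_name)
        if mine != theirs:
            problems.append(
                f"local {name}={mine!r} does not match remote {peer_name}={theirs!r}")
    return problems

# Constructed sample: authentication and encryption both in use.
LOCAL = {"AuthOutboundSpi": 300, "AuthInboundSpi": 301,
         "EncryptOutboundSpi": 400, "EncryptInboundSpi": 401}
REMOTE_OK = {"AuthOutboundSpi": 301, "AuthInboundSpi": 300,
             "EncryptOutboundSpi": 401, "EncryptInboundSpi": 400}
# Constructed mistake: local values copied to the peer without swapping directions.
REMOTE_COPIED = dict(LOCAL)

if __name__ == "__main__":
    print(check_manual_tunnel(LOCAL, REMOTE_OK))
    for problem in check_manual_tunnel(LOCAL, REMOTE_COPIED):
        print(problem)
```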


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
26 May 2017

UID

dwa1377750