
4.4.3. Peer Authorization Database (PAD)

The Peer Authorization Database (PAD) provides the link between the SPD and a security association management protocol such as IKE. It embodies several critical functions:

PAD Critical Functions

  • Identifies authorized peers: Identifies the peers or groups of peers that are authorized to communicate with this IPsec entity
  • Specifies authentication protocol: Specifies the protocol and method used to authenticate each peer
  • Provides authentication data: Provides the authentication data for each peer
  • Constrains asserted IDs: Constrains the types and values of IDs a peer may assert when child SAs are created, so that the peer cannot drive SPD lookups for identities it is not authorized to represent
  • Peer gateway location info: IP address(es) or DNS names MAY be included for peers that are known to be "behind" a security gateway

The PAD provides these functions for an IKE peer when the peer acts as either the initiator or the responder.

PAD Entry Structure

To perform these functions, the PAD contains an entry for each peer or group of peers with which the IPsec entity will communicate. An entry names an individual peer (a user, end system or security gateway) or specifies a group of peers (using ID matching rules defined below).

The entry specifies:

  • The authentication protocol (e.g., IKEv1, IKEv2, KINK)
  • Method used (e.g., certificates or pre-shared secrets)
  • The authentication data (e.g., the pre-shared secret or the trust anchor relative to which the peer's certificate will be validated)

Certificate-Based Authentication

For certificate-based authentication, the entry also may provide information to assist in verifying the revocation status of the peer, e.g.:

  • A pointer to a CRL repository
  • The name of an Online Certificate Status Protocol (OCSP) server associated with the peer or with the trust anchor associated with the peer

SPD Lookup Configuration

Each entry also specifies whether:

  • The IKE ID payload will be used as a symbolic name for SPD lookup, OR
  • The remote IP address provided in traffic selector payloads will be used for SPD lookups when child SAs are created

Note: The PAD information MAY be used to support creation of more than one tunnel mode SA at a time between two peers, e.g., two tunnels to protect the same addresses/hosts, but with different tunnel endpoints.
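As an added worked example (not code from this page or from any IKE implementation), the following toy PAD model ties together the functions listed at the top of the section and the entry structure and SPD lookup choice described after it: entries are matched by ID type and pattern, each carries the required authentication protocol, method and data, a constraint on the IDs or addresses the peer may assert for child SAs, and a flag saying whether SPD lookup keys on the IKE ID (symbolic name) or on the remote address from the traffic selector. The field names, the wildcard matching rule ("*@example.com", "*.example.com") and all entry values (names, CIDR ranges, the PSK string, the CRL URL) are constructed assumptions of this example, not syntax defined by the RFC.

```python
"""Toy Peer Authorization Database (PAD) after RFC 4301 section 4.4.3.
Illustrative code written for this page; field names, matching rules and
sample values are assumptions, not anything defined by the RFC or an IKE daemon."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class PadEntry:
    id_type: str            # e.g. "FQDN", "RFC822_ADDR", "IPV4_ADDR"
    id_pattern: str         # exact ID, or "*<suffix>" to describe a group of peers
    auth_protocol: str      # "IKEv1", "IKEv2" or "KINK"
    auth_method: str        # "cert" or "psk"
    auth_data: str          # trust anchor name (cert) or pre-shared secret (psk)
    spd_lookup: str         # "symbolic_id" (use IKE ID) or "remote_ip" (use TS address)
    allowed_child_ids: tuple = ()   # ID patterns the peer may assert for child SAs
    allowed_networks: tuple = ()    # prefixes the peer may claim in traffic selectors
    gateway_addr: Optional[str] = None   # peer known to sit behind this gateway
    crl_url: Optional[str] = None        # revocation-check hints for cert peers
    ocsp_server: Optional[str] = None


def id_matches(pattern: str, value: str) -> bool:
    """Exact (case-insensitive) match, or suffix match for '*'-prefixed patterns.
    A wildcard must match at least one character, so '*.example.com'
    does not match the bare 'example.com'."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        suffix = pattern[1:].lower()
        v = value.lower()
        return v.endswith(suffix) and len(v) > len(suffix)
    return pattern.lower() == value.lower()


class PAD:
    def __init__(self, entries):
        self.entries = list(entries)   # ordered: put specific entries before group entries

    def find(self, id_type: str, peer_id: str) -> Optional[PadEntry]:
        """First entry whose ID type and pattern match the authenticated peer ID."""
        for e in self.entries:
            if e.id_type == id_type and id_matches(e.id_pattern, peer_id):
                return e
        return None

    def authorize_ike(self, id_type: str, peer_id: str, offered_method: str):
        """Is this peer authorized at all, and with which method and data?
        Returns (entry, reason); entry is None when the peer is rejected."""
        e = self.find(id_type, peer_id)
        if e is None:
            return None, "no PAD entry: peer is not authorized to communicate"
        if e.auth_method != offered_method:
            return None, f"PAD requires {e.auth_method} authentication, peer offered {offered_method}"
        return e, "ok"

    def check_child_sa(self, entry: PadEntry, asserted_id: str = None, ts_remote_addr: str = None):
        """Constrain what the peer asserts for a child SA and report which key
        the SPD lookup should use. Returns (allowed, lookup_key, reason)."""
        if entry.spd_lookup == "symbolic_id":
            if asserted_id is None:
                return False, None, "symbolic-name SPD lookup requires an IKE ID"
            if not any(id_matches(p, asserted_id) for p in entry.allowed_child_ids):
                return False, None, f"peer may not assert ID {asserted_id}"
            return True, ("id", asserted_id), "ok"
        # remote_ip: the traffic-selector address must lie in a prefix the peer may represent
        if ts_remote_addr is None:
            return False, None, "address-based SPD lookup requires a traffic selector address"
        addr = ip_address(ts_remote_addr)
        if not any(addr in ip_network(n) for n in entry.allowed_networks):
            return False, None, f"peer may not represent {ts_remote_addr}"
        return True, ("addr", ts_remote_addr), "ok"


# Constructed sample PAD: a gateway peer, a group of remote-access users, and a PSK host.
SAMPLE_PAD = PAD([
    PadEntry("FQDN", "gw1.example.com", "IKEv2", "cert", "Example Root CA (constructed)",
             spd_lookup="remote_ip", allowed_networks=("10.1.0.0/16",),
             crl_url="http://crl.example.com/root.crl"),          # constructed placeholder URL
    PadEntry("RFC822_ADDR", "*@example.com", "IKEv2", "cert", "Example Root CA (constructed)",
             spd_lookup="symbolic_id", allowed_child_ids=("*@example.com",)),
    PadEntry("IPV4_ADDR", "192.0.2.10", "IKEv2", "psk", "constructed-psk-not-a-real-secret",
             spd_lookup="remote_ip", allowed_networks=("192.0.2.10/32",)),
])

if __name__ == "__main__":
    gw, why = SAMPLE_PAD.authorize_ike("FQDN", "gw1.example.com", "cert")
    print("gateway:", why, SAMPLE_PAD.check_child_sa(gw, ts_remote_addr="10.1.5.7"))
    print("over-claim:", SAMPLE_PAD.check_child_sa(gw, ts_remote_addr="10.2.0.1"))
    print("unknown peer:", SAMPLE_PAD.authorize_ike("FQDN", "gw9.example.net", "cert"))
```

The ordering of `entries` matters in the same way the RFC's matching rules do: an exact entry placed after a wildcard entry would never be reached, so specific peers go first. The child SA check is the point of the "constrains asserted IDs" function: an authenticated gateway is only allowed to stand for the prefixes the PAD lists for it, so a traffic selector naming some other site's addresses is rejected before it can select an SPD entry.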