The Security Parameter Index (SPI) is a very important element in the SA. An SPI is a 32-bit number that is used to uniquely identify a particular SA for any connected device.
A Security Association (SA) is an agreement between two devices about how to protect information during communication. It also indicates the parameters, such as keys and algorithms. SPI provides a mechanism for the destination to identify which SA to use to check the security of the received packet. The SPI is provided to map the incoming packet to an SA at the destination
The SPI is a 32-bit random number generated by the sender to identify the SA to the recipient.
It is worth knowing two other terms related with IPSec.
Security Policy Database (SPD)
IPSec Policies are maintained in the Security Policy Database (SPD). IPSec Policies deﬁne which traffic to be protected, how it is to be protected, and with whom to protect it. The sending host determines what policy is appropriate for the packet, depending on various "Selectors" by checking in the Security Policy Database (SPD). "Selectors" can include Source and Destination IP Addresses, Name (User ID ir a System Name), Transport Layer Protocols (TCP or UDP) or Source and Destination Ports. The Security Policy Database (SPD) indicates what the policy is for a particular packet. If the packet requires IPsec processing, it will be it is passed to the IPsec module for the required processing.
Security Association Database (SAD)
IPSec Security Associations are stored in the Security Association Database (SAD). Each Security Association has an entry in the Security Association Database (SAD). The Security Association entries in the Security Association Database (SAD) are indexed by the three Security Association properties.
1) Destination IP address 2) IPSec protocol 3) Security Parameter Index (SPI).