The Security Parameter Index (SPI) is used, in conjuction with the security protocol and destination IP address, to uniquely identify each Security Association. (SAs with different security protocols and/or destinations may use the same SPI, but the three-way combination must be unique on a host.)

Values from 1 to 255 are reserved, and the value 0 may only be used for local implementation-specific purposes. Consequently, only values over 255 may be used in IPSec tunnels.