Anti-replay mechanism for group virtual private networks
US-9246876-B1 · Jan 26, 2016 · US
US10659440B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10659440-B2 |
| Application number | US-201715827368-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 30, 2017 |
| Priority date | Nov 30, 2017 |
| Publication date | May 19, 2020 |
| Grant date | May 19, 2020 |
Official abstract text for this publication.
Certain embodiments described herein are generally directed to methods and apparatus for providing a security parameter index (SPI) value for use in establishing a security association between a source tunnel endpoint and a destination tunnel endpoint. In some embodiments, utilization of the SPI bit space is optimized to allow the scaling of key policies within a network. In some embodiment, using an SPI derivation formula, a server in the network is able to generate SPI values whose bit spaces are optimized to allow key policies to scale out.
Opening claim text (preview).
We claim: 1. A method for providing a security parameter index (SPI) value for use in establishing a security association between a source tunnel endpoint and a destination tunnel endpoint, comprising: receiving, at a server, a request from the source tunnel endpoint for a SPI value for use by the source tunnel endpoint in establishing the security association with the destination tunnel endpoint for securing an exchange of one or more data packets between a source endpoint and a destination endpoint; deriving, at the server, the SPI value using a SPI derivation formula based on a key policy assigned to the source tunnel endpoint and the destination tunnel endpoint, wherein most bits from the SPI value are associated with the key policy; and transmitting, at the server, the SPI value to the source tunnel endpoint for use by the source tunnel endpoint in establishing the security association, wherein the established security association is used by the source tunnel endpoint to encapsulate and encrypt at least a data packet from the one or more data packets received from the source endpoint and destined for the destination endpoint, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of the source tunnel endpoint, a destination IP address of the destination tunnel endpoint, and the SPI value, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint, and wherein the encapsulated encrypted data packet is transmitted by the source tunnel endpoint to the destination tunnel endpoint, wherein the key policy defines one or more properties of an encryption key of the established security association, and wherein the encryption key is used for encrypting the data packet. 2. 
The method of claim 1, wherein the SPI value comprises a bank index value corresponding to a bank index associated with the key policy, a hash of a tunnel endpoint value of the source tunnel endpoint, and a shift factor, wherein the hash of the tunnel endpoint value comprises fewer bits than the tunnel endpoint value. 3. The method of claim 2, wherein deriving the SPI value comprises deriving the bank index value based on a second hash of the tunnel endpoint value of the source tunnel endpoint value. 4. The method of claim 3, wherein deriving the SPI value further comprises utilizing the second hash to select the bank index value from a set of bank index values associated with the key policy. 5. The method of claim 1, wherein the SPI derivation formula comprises: SPI(K, V, S_V) = (K * V_Bank + Hash(V)) << 2 + S_V & 0x03; and wherein SPI represents a binary value corresponding to the SPI value, KP corresponds to the key policy, V corresponds to a tunnel endpoint value of the source tunnel endpoint, S_V corresponds to a shift factor, K corresponds to a bank index value corresponding to a bank index associated with the key policy, V_Bank corresponds to a size of a bank of tunnel endpoint values, and Hash( ) corresponds to a hash function for hashing the tunnel endpoint value of the source tunnel endpoint to generate a hash of the tunnel endpoint value. 6. 
The method of claim 1, wherein the SPI derivation formula comprises: SPI(KP, V, S_V) = (K_Set[Hash′(V) % Card(K_Set)] * V_Bank + Hash(V)) << 2 + S_V & 0x03, wherein SPI represents a binary value corresponding to the SPI value, KP corresponds to the key policy, V corresponds to a tunnel endpoint value of the source tunnel endpoint, S_V corresponds to a shift factor, K_Set corresponds to a set of bank indices allocated to the key policy, Hash′( ) corresponds to a hash function configured to identify a bank index of a certain tunnel endpoint value from among the set of bank indices, Card(K_Set) corresponds to a cardinality of K_Set, V_Bank corresponds to a size of a bank of tunnel endpoint values, and Hash( ) corresponds to a hash function for hashing the tunnel endpoint value of the source tunnel endpoint to generate a hash of the tunnel endpoint value. 7. The method of claim 1, wherein the deriving the SPI value further comprises hashing a tunnel endpoint value of the source tunnel endpoint to a hash of the tunnel endpoint value using a hash function configured to resolve hash collisions. 8. The method of claim 1, further comprising: selecting the SPI derivation formula based on a number of tunnel endpoints the key policy is assigned to prior to the deriving. 9. 
A non-transitory computer readable medium comprising instructions to be executed in a computer system, wherein the instructions when executed in the computer system perform a method for providing a security parameter index (SPI) value for use in establishing a security association between a source tunnel endpoint and a destination tunnel endpoint, the method comprising: deriving the SPI value using a SPI derivation formula based on a key policy assigned to the source tunnel endpoint and the destination tunnel endpoint, wherein most bits from the SPI value are associated with the key policy; and transmitting the SPI value to the source tunnel endpoint for use by the source tunnel endpoint in establishing the security association, wherein the established security association is used by the source tunnel endpoint to encapsulate and encrypt at least a data packet from the one or more data packets received from the source endpoint and destined for the destination endpoint, the encapsulated encrypted data packet comprising a first header and an encrypted payload, the first header comprising a source IP address of the source tunnel endpoint, a destination IP address of the destination tunnel endpoint, and the SPI value, the encrypted payload comprising a second header comprising a source IP address of the source endpoint and a destination IP address of the destination endpoint, and wherein the encapsulated encrypted data packet is transmitted by the source tunnel endpoint to the destination tunnel endpoint, wherein the key policy defines one or more properties of an encryption key of the established security association, and wherein the encryption key is used for encrypting the data packet. 10. 
The non-transitory computer readable medium of claim 9, wherein the SPI value comprises a bank index value corresponding to a bank index associated with the key policy, a hash of a tunnel endpoint value of the source tunnel endpoint, and a shift factor, wherein the hash of the tunnel endpoint value comprises fewer bits than the tunnel endpoint value. 11. The non-transitory computer readable medium of claim 10, wherein deriving the SPI value comprises deriving the bank index value based on a second hash of the tunnel endpoint value of the source tunnel endpoint value. 12. The non-transitory computer readable medium of claim 11, wherein deriving the SPI value further comprises utilizing the second hash to select the bank index value from a set of bank index values associated with the key policy. 13. The non-transitory computer readable medium of claim 9, wherein the SPI derivation formula comprises: SPI(K, V, S_V) = (K * V_Bank + Hash(V)) << 2 + S_V & 0x03; and wherein SPI represents a binary value corresponding to the SPI value, KP corresponds to the key policy, V corresponds to a tunnel endpoint value of the source tunnel endpoint, S_V corresponds to a shift factor, K corresponds to a bank index value corresponding to a bank index associated with the key policy, V_Bank corresponds to a size of a bank of tunnel endpoint values, and Hash( ) corresponds to a hash function for hashing the tunnel endpoint value of the sourc
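The two derivation formulas in claims 5 and 6 (repeated in claim 13), together with the collision handling of claim 7, are easier to follow in working form. The following is an added example written for this page; it is not code from the patent or its assignee. The claims do not name the hash functions or the bit widths, so the example assumes Hash( ) and Hash′( ) are truncated SHA-256, that Hash(V) is 12 bits wide (so V_Bank = 4096 and the bank index K gets the top 18 bits of the 32-bit SPI, matching "most bits ... associated with the key policy"), and it reads the trailing "+ S_V & 0x03" as OR-ing the two-bit shift factor into the low bits after the shift. The SpiServer class, its probing strategy, and the sample addresses are likewise assumptions for illustration.

```python
# Added example: SPI derivation per the claim formulas. Not the patent's code.
# Assumptions (labelled): Hash() and Hash'() are truncated SHA-256; Hash(V) is
# 12 bits wide, so V_Bank = 4096; the trailing "+ S_V & 0x03" is read as
# OR-ing the two-bit shift factor into the low bits after the shift.
import hashlib

SPI_BITS = 32                 # IPsec SPI is a 32-bit field
SHIFT_BITS = 2                # S_V occupies the low two bits ("& 0x03")
HASH_BITS = 12                # assumption: width of Hash(V)
V_BANK = 1 << HASH_BITS       # size of a bank of tunnel endpoint values
BANK_BITS = SPI_BITS - HASH_BITS - SHIFT_BITS   # 18 bits left for the bank index K


def hash_v(v: str) -> int:
    """Hash(V): compress the tunnel endpoint value (e.g. its IP) to HASH_BITS bits."""
    digest = hashlib.sha256(v.encode()).digest()
    return int.from_bytes(digest[:4], "big") & (V_BANK - 1)


def hash_prime(v: str) -> int:
    """Hash'(V): independent hash used only to pick a bank index from K_Set."""
    digest = hashlib.sha256(b"bank-select:" + v.encode()).digest()
    return int.from_bytes(digest[:4], "big")


def spi_single_bank(k: int, v: str, s_v: int) -> int:
    """Claim 5: SPI(K, V, S_V) = (K * V_Bank + Hash(V)) << 2 + S_V & 0x03."""
    if not 0 <= k < (1 << BANK_BITS):
        raise ValueError("bank index does not fit in the SPI")
    return ((k * V_BANK + hash_v(v)) << SHIFT_BITS) | (s_v & 0x03)


def spi_multi_bank(k_set: list, v: str, s_v: int) -> int:
    """Claim 6: bank index is K_Set[Hash'(V) % Card(K_Set)] when a policy owns several banks."""
    k = k_set[hash_prime(v) % len(k_set)]
    return spi_single_bank(k, v, s_v)


def decompose(spi: int) -> tuple:
    """Invert the layout: (bank index K, Hash(V) slot, shift factor S_V)."""
    body = spi >> SHIFT_BITS
    return body // V_BANK, body % V_BANK, spi & 0x03


class SpiServer:
    """Toy SPI server (assumed design, not the patent's): remembers which endpoint
    owns each (bank, slot) and probes forward on a hash collision, as claim 7 requires
    collisions to be resolved."""

    def __init__(self, policy_banks: dict):
        self.policy_banks = policy_banks    # key policy name -> list of bank indices (K_Set)
        self.owner = {}                     # (K, slot) -> tunnel endpoint value

    def derive(self, key_policy: str, v: str, s_v: int) -> int:
        k_set = self.policy_banks[key_policy]
        k = k_set[hash_prime(v) % len(k_set)]
        start = hash_v(v)
        for probe in range(V_BANK):
            slot = (start + probe) % V_BANK
            holder = self.owner.setdefault((k, slot), v)
            if holder == v:                 # free slot, or this endpoint's own slot
                return ((k * V_BANK + slot) << SHIFT_BITS) | (s_v & 0x03)
        raise RuntimeError("bank %d is full for policy %s" % (k, key_policy))


if __name__ == "__main__":
    # Constructed sample tunnel endpoint addresses (RFC 5737 documentation range).
    spi = spi_single_bank(5, "192.0.2.10", 2)
    print(hex(spi), decompose(spi))
    server = SpiServer({"policy-A": [3, 7, 11]})
    print(hex(server.derive("policy-A", "192.0.2.20", 0)))
```

Because the bank index sits in the high bits, a receiver can map an incoming SPI to its key policy with a shift and a table lookup, while the probing in SpiServer.derive keeps two endpoints that hash to the same slot from being issued the same SPI.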
at the network layer · CPC title
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
Encapsulation of packets · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title