Which of the following statements are correct about IKE-based SA establishment in IPsec?

Explanation From HCIA-Security documents:

IKE-based SA establishment is designed to automate IPsec parameter negotiation and key management, which makes it especially suitable for environments where configuring many tunnels manually would be inefficient. That is why B is correct: IKE scales better for medium and large networks because it negotiates policies, authenticates peers, and builds SAs dynamically instead of relying on fixed, manually configured keys.

A is incorrect because Security Associations have lifetimes. Both IKE SAs and IPsec SAs are created with time-based and/or traffic-based lifetimes and must be refreshed or renegotiated when they expire to maintain security. Permanent SAs would increase risk because long-lived keys are more exposed to compromise.

C is correct : SPI is a 32-bit identifier used by the receiver to find the correct SA for inbound traffic, and it is typically chosen by the receiving side in a way that avoids collisions—commonly treated as randomly generated in foundational descriptions.

D is correct because IKE uses Diffie-Hellman to derive shared keying material securely over an untrusted network, and then refreshes keys by rekeying based on SA lifetime, achieving dynamic updates.