[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Definition of PFS...

To: Michael Richardson <mcr@solidum.com>
Subject: Re: Definition of PFS...
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
Date: Thu, 12 Oct 2000 10:47:08 -0400
cc: "'IP Security List'" <ipsec@lists.tislabs.com>
In-reply-to: Your message of "Wed, 11 Oct 2000 18:51:34 EDT." <200010112251.SAA18092@solidum.com>
Reply-to: sommerfeld@East.Sun.COM
Sender: owner-ipsec@lists.tislabs.com

>   It also defends against the situation where a third party compels one
> party to provide some set of keys. PFS guarantees that a simple search warant
> only catches traffic *currently* in transit, not all previous and future
> traffic.

Not quite that simple; it's a matter of what the lifetimes of the IKE
and AH/ESP SA's really are..

If your AH/ESP SA lifetimes are 12 hours, this gives someone 12 hours
of traffic even if quick mode with PFS was used to create them.

Similarly, if you don't use PFS in quick mode, but limit your IKE SA's
(and the AH/ESP SA's derived from them via quick mode) to a lifetime
of 1 hour, you get 1 hour of traffic.

					- Bill

Follow-Ups:

RE: Definition of PFS...

From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

References:

Re: Definition of PFS...

From: Michael Richardson <mcr@solidum.com>

Prev by Date: RE: Simplifying IKE (was RE: Reliable delete notifies)
Next by Date: Re: Simplifying IKE (was RE: Reliable delete notifies)
Prev by thread: Re: Definition of PFS...
Next by thread: RE: Definition of PFS...
Index(es):
- Main
- Thread