
Re: Simplifying IKE



Andrew,

You've been using sloppy terminology again ;-)

IKE always provides PFS in phase 1 with a "scope" of that PFS being
the IKE SA and all IPsec SAs derived from it; you get the benefit of
PFS for old keys once the IKE SA's shared secret is destroyed *and*
all the IPsec SAs derived from it are destroyed.

IKE optionally *also* provides PFS in phase 2 with per-IPsec-SA scope.

The value of phase-2 PFS is extremely low in typical IKE
configurations where the IPsec SAs live as long as or longer than the
IKE SA.

					- Bill
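A toy model of the scope argument in the message above, added here as an example; it is not Bill's code and not an IKE implementation. It treats SKEYID_d and KEYMAT as plain HMAC derivations (a simplification of RFC 2409: phase-2 KEYMAT without PFS depends only on SKEYID_d plus the SPI and nonces visible on the wire, and with PFS a per-SA DH secret is mixed in and then discarded), and asks what an attacker who captures an endpoint's memory at some moment can still recompute for a recorded IPsec SA. The class, function and variable names are all assumptions of this example; the SPI and nonces are constructed values.

```python
"""Toy model of the scope of IKE forward secrecy (example, not IKE code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function; HMAC-SHA256 stands in for the negotiated IKE prf."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                  qm_secret: bytes = b"") -> bytes:
    """Phase-2 key material (simplified). Without phase-2 PFS it depends only on
    SKEYID_d and wire-visible values; with PFS a per-SA DH secret is mixed in."""
    return prf(skeyid_d, qm_secret + spi + ni + nr)


class Endpoint:
    """The secret state an IKE peer holds in memory at a given moment."""

    def __init__(self) -> None:
        # Phase 1: constructed stand-in for the IKE SA's DH shared secret g^xy.
        self.g_xy: Optional[bytes] = secrets.token_bytes(32)
        self.skeyid_d: Optional[bytes] = prf(self.g_xy, b"skeyid_d")
        self.ipsec_keys: dict[bytes, bytes] = {}  # SPI -> KEYMAT of live IPsec SAs

    def phase2(self, spi: bytes, ni: bytes, nr: bytes, pfs: bool) -> bytes:
        assert self.skeyid_d is not None, "phase 2 needs a live IKE SA"
        # With phase-2 PFS the ephemeral DH secret is used once and discarded;
        # only the resulting KEYMAT stays in memory.
        qm_secret = secrets.token_bytes(32) if pfs else b""
        keymat = derive_keymat(self.skeyid_d, spi, ni, nr, qm_secret)
        self.ipsec_keys[spi] = keymat
        return keymat

    def delete_ipsec_sa(self, spi: bytes) -> None:
        del self.ipsec_keys[spi]

    def destroy_ike_sa(self) -> None:
        self.g_xy = None
        self.skeyid_d = None

    def snapshot(self) -> dict:
        """What a host compromise at this moment hands the attacker."""
        return {"skeyid_d": self.skeyid_d, "ipsec_keys": dict(self.ipsec_keys)}


def attacker_recovers(snapshot: dict, spi: bytes, ni: bytes, nr: bytes,
                      keymat: bytes, pfs: bool) -> bool:
    """Can a memory snapshot plus the SPI and nonces seen on the wire reproduce
    the KEYMAT that protected the recorded traffic?"""
    if snapshot["ipsec_keys"].get(spi) == keymat:
        return True  # key still live in memory: no flavour of PFS helps here
    if pfs or snapshot["skeyid_d"] is None:
        return False  # would need a secret that no longer exists anywhere
    return derive_keymat(snapshot["skeyid_d"], spi, ni, nr) == keymat


def scenario(pfs: bool, old_ipsec_sa_deleted: bool, ike_sa_destroyed: bool) -> bool:
    """One IKE SA, one IPsec SA; age the state as requested, then compromise."""
    ep = Endpoint()
    spi, ni, nr = b"\x00\x00\x10\x01", secrets.token_bytes(16), secrets.token_bytes(16)
    keymat = ep.phase2(spi, ni, nr, pfs)  # the SA whose traffic was recorded
    if old_ipsec_sa_deleted:
        ep.delete_ipsec_sa(spi)
    if ike_sa_destroyed:
        ep.destroy_ike_sa()
    return attacker_recovers(ep.snapshot(), spi, ni, nr, keymat, pfs)


if __name__ == "__main__":
    print("phase2-PFS  ipsec-deleted  ike-destroyed  recoverable")
    for pfs in (False, True):
        for deleted in (False, True):
            for destroyed in (False, True):
                print(f"{pfs!s:<11} {deleted!s:<14} {destroyed!s:<14} "
                      f"{scenario(pfs, deleted, destroyed)}")
```

Reading the table the script prints: while the IPsec SA is still alive its KEYMAT sits in memory regardless of any PFS setting, which is the "extremely low value" case where the IPsec SA lives as long as the IKE SA. Phase-2 PFS only changes the outcome when the old IPsec SA has been deleted but the IKE SA (and its SKEYID_d) survives; and once both the IKE SA secret and every derived IPsec SA are gone, phase-1 PFS alone already leaves nothing to recompute.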

