Re: Simplifying IKE
Andrew,
You've been using sloppy terminology again ;-)
IKE always provides PFS in phase 1 with a "scope" of that PFS being
the IKE SA and all IPsec SA's derived from it; you get the benefit of
PFS for old keys once the IKE SA's shared secret is destroyed *and*
all the IPsec SA's derived from it are destroyed.
IKE optionally *also* provides PFS in phase 2 with per-IPsec-SA scope.
The value of phase-2 PFS is extremely low in typical IKE
configurations where the IPsec SA's live as long as or longer than the
IKE SA.
- Bill
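The scoping argument above (phase-1 PFS covers the IKE SA plus every IPsec SA derived from it; phase-2 PFS narrows the scope to one IPsec SA, which only matters if that SA outlives the IKE SA's secret) can be modelled directly. The code below is an added example and is not from this message or any IKE implementation; the Mersenne-prime DH group, the HMAC-SHA256 PRF and the derivation inputs are illustrative stand-ins for the real IKE ones, and the attacker model assumes an endpoint's live SA state is captured while ephemeral DH privates have already been destroyed.

```python
# Toy model of IKE key scoping: what a state compromise exposes, with and
# without phase-2 PFS. Constructed example; DH group, PRF and derivation
# inputs are stand-ins, not IKE's actual ones.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

P = 2**127 - 1   # Mersenne prime used as a toy DH modulus (not an IKE group)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair() -> Tuple[int, int]:
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

@dataclass
class Transcript:
    """What a passive observer records on the wire: nonces and DH publics."""
    ni: bytes
    nr: bytes
    gxi: int
    gxr: int

@dataclass
class IkeSa:
    skeyid: bytes   # phase-1 secret; exists only in the endpoints' SA state

@dataclass
class ChildSa:
    keymat: bytes
    pfs: bool
    transcript: Transcript

def phase1() -> Tuple[IkeSa, Transcript]:
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(xi, gxr)
    assert gxy == dh_shared(xr, gxi)
    skeyid = prf(ni + nr, gxy)
    # xi, xr and gxy go out of scope here: only skeyid survives in SA state
    return IkeSa(skeyid), Transcript(ni, nr, gxi, gxr)

def phase2(ike: IkeSa, pfs: bool) -> ChildSa:
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:   # fresh DH per IPsec SA: keymat depends on a secret skeyid can't give
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        keymat = prf(ike.skeyid, dh_shared(xi, gxr) + ni + nr)
    else:     # no PFS: keymat is a function of skeyid and public nonces only
        gxi = gxr = 0
        keymat = prf(ike.skeyid, ni + nr)
    return ChildSa(keymat, pfs, Transcript(ni, nr, gxi, gxr))

def attacker_recovers(child: ChildSa, stolen_skeyid: Optional[bytes]) -> bool:
    """Attacker holds the wire transcript and, if an endpoint was captured while
    the IKE SA was alive, its skeyid. Ephemeral DH privates were destroyed."""
    if stolen_skeyid is None:
        return False          # phase-1 PFS: the wire alone never yields skeyid
    if child.pfs:
        return False          # needs the child's own g^xy, never kept in state
    t = child.transcript
    return prf(stolen_skeyid, t.ni + t.nr) == child.keymat

def scope_report() -> dict:
    ike, _ = phase1()
    plain, with_pfs = phase2(ike, pfs=False), phase2(ike, pfs=True)
    return {
        "passive_observer_gets_child": attacker_recovers(plain, None),
        "ike_compromise_gets_no_pfs_child": attacker_recovers(plain, ike.skeyid),
        "ike_compromise_gets_pfs_child": attacker_recovers(with_pfs, ike.skeyid),
    }

Lifetime = Tuple[int, int]   # (start, end) in arbitrary time units

def exposed_children(t: int, ike_life: Lifetime,
                     children: List[Tuple[bool, Lifetime]]) -> List[int]:
    """Indices of IPsec SAs whose recorded traffic becomes decryptable when an
    endpoint's live state is captured at time t. Each child is (pfs, lifetime)."""
    ike_alive = ike_life[0] <= t < ike_life[1]
    out = []
    for i, (pfs, life) in enumerate(children):
        child_alive = life[0] <= t < life[1]
        # a live child's keymat sits in state regardless of PFS; a deleted one
        # is rederivable only without PFS and only while skeyid still exists
        if child_alive or (ike_alive and not pfs):
            out.append(i)
    return out

if __name__ == "__main__":
    print(scope_report())
    same_life = [(False, (0, 10)), (True, (0, 10))]
    short_life = [(False, (0, 3)), (True, (0, 3))]
    print(exposed_children(5, (0, 10), same_life))    # PFS changes nothing
    print(exposed_children(5, (0, 10), short_life))   # PFS protects the deleted child
```

`scope_report` shows the two scopes: a passive recording never yields the IKE SA secret (phase-1 PFS), while a captured IKE SA exposes every non-PFS child derived from it but not a PFS child. `exposed_children` then shows the lifetime point from the message: when IPsec SAs live exactly as long as the IKE SA, the set of exposed SAs is identical with or without phase-2 PFS, and PFS only helps for IPsec SAs that are deleted before the IKE SA they came from.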