
Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)



Hi,

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> wrote:

> In the typical VPN scenario (either gateway-to-gateway or remote-access WAN):
> 
> - PFS is a real requirement for some but not all user scenarios

I agree. PFS support is, IMO, a requirement for scenarios involving gateways, especially in VPNs.
But not everybody will need PFS, and we can expect (in some scenarios) the SA lifetime to be big enough for their use and no key derivation required.

Shouldn't PFS / Imperfect PFS / No PFS be negotiated in the exchanges of IKEv2?

If not, I stand for PFS as a requirement.

--
Jean-Jacques Puig