Re: SOI QUESTIONS: 2.2 Perfect forward secrecy (PFS)
Let's be careful to distinguish between:
1) the forward-secrecy properties of IPsec key management
2) the optional second DH exchange done in IKEv1 phase 2, which is
what many people think of when they hear "PFS".
I don't believe that there's a need for every SA to have a separate DH
exchange; what is important is for the spec to allow a user of the
protocol to know what the forward-secrecy properties are, and that
requires protocol-visible lifetimes for keying material.
- Bill
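The distinction Bill draws can be made concrete with a small model of IKEv1 phase 2 keying. The following is an added illustration, not code from the message or from any IKE implementation. It assumes the KEYMAT derivation of RFC 2409 section 5.5 (KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b), with the g(qm)^xy term present only when the optional Quick Mode DH exchange ran), models the prf as HMAC-SHA256, and uses a toy DH group that is not a real IKE MODP group; the phase 1 derivation of SKEYID_d is likewise simplified. What it shows is the forward-secrecy property itself: a later compromise of SKEYID_d, combined with a recording of the Quick Mode exchange, yields every SA key derived without the extra DH exchange, and none of the keys derived with it, because the per-SA ephemeral exponents have been erased. The exposure window of a non-PFS SA is therefore exactly the lifetime of the phase 1 keying material it hangs off, which is why that lifetime has to be visible to the user of the protocol.

```python
"""Toy model of IKEv1 Quick Mode keying with and without the optional
per-SA Diffie-Hellman exchange.  Added example; not an IKE implementation."""
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (assumption: NOT a real IKE/MODP group).
P = 2**127 - 1
G = 5
PROTO_ESP = b"\x03"  # IPsec DOI protocol id for ESP, part of the KEYMAT input


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf, modelled here as HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    return pow(peer_pub, x, P).to_bytes(16, "big")


def phase2_keymat(skeyid_d, g_qm_xy, protocol, spi, ni, nr):
    """KEYMAT per RFC 2409 s5.5: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g_qm_xy is empty when Quick Mode ran without the optional DH exchange."""
    return prf(skeyid_d, g_qm_xy + protocol + spi + ni + nr)


def run_session(pfs: bool):
    """One phase 1 followed by one Quick Mode.  Returns the phase 1 secret
    SKEYID_d, what a passive recorder saw on the wire, and the resulting SA key."""
    # Phase 1: long-lived DH; SKEYID_d derived from g^xy (toy derivation).
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    assert dh_shared(xi, gxr) == dh_shared(xr, gxi)
    skeyid_d = prf(dh_shared(xi, gxr), b"SKEYID_d")

    # Everything below is sent in the clear (constructed sample values).
    wire = {
        "protocol": PROTO_ESP,
        "spi": secrets.token_bytes(4),
        "ni": secrets.token_bytes(16),
        "nr": secrets.token_bytes(16),
    }
    if pfs:
        qi, gqi = dh_keypair()  # fresh ephemeral exponents for this SA only
        qr, gqr = dh_keypair()
        g_qm_xy = dh_shared(qi, gqr)
        wire["g_qi"], wire["g_qr"] = gqi, gqr
        del qi, qr  # erased after use; this erasure is what the PFS property rests on
    else:
        g_qm_xy = b""
    sa_key = phase2_keymat(skeyid_d, g_qm_xy, wire["protocol"],
                           wire["spi"], wire["ni"], wire["nr"])
    return skeyid_d, wire, sa_key


def attacker_recovers(skeyid_d, wire):
    """An attacker who later obtains SKEYID_d (say, from a seized endpoint)
    replays the derivation over the recorded Quick Mode.  Lacking the erased
    ephemeral exponents, the best it can do is omit the g(qm)^xy term."""
    return phase2_keymat(skeyid_d, b"", wire["protocol"],
                         wire["spi"], wire["ni"], wire["nr"])


def sa_key_exposed(pfs: bool) -> bool:
    """True if compromise of SKEYID_d after the fact reveals the SA key."""
    skeyid_d, wire, sa_key = run_session(pfs)
    return attacker_recovers(skeyid_d, wire) == sa_key


if __name__ == "__main__":
    print("without Quick Mode DH, SA key exposed:", sa_key_exposed(False))
    print("with Quick Mode DH, SA key exposed:   ", sa_key_exposed(True))
```

Note that the attacker in the PFS case does see g(qm)^xi and g(qm)^xr on the wire; the model simply reflects that, absent a discrete-log break, those public values do not give g(qm)^xy. Whether a separate exchange is needed per SA, or one per phase 1 lifetime suffices, is then a question of how long SKEYID_d lives, which is the lifetime the message asks the spec to make visible.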