
Re: SOI QUESTIONS: 3.4 - 4.3



Hi,

I was asking about PFS for keepalive messages - I was assuming these are 
sent as notification messages using IKE SA.

-- sankar ramamoorthi (sankarr@juniper.net) --


Andrew Krywaniuk wrote:

>>If phase1 SA is used as the control channel for keep-alive messages,
>>what are the implications with regard to PFS? That is, if PFS is used
>>to rekey the IPsec session key after an interval for
>>perfect-forward-secrecy, is it okay to continue using the phase1 SA
>>for keep-alive packets without worrying about PFS?
>>
>
>If the phase 2 is rekeyed using PFS as defined in IKEv1, where the new DH
>key is deleted immediately, then you obviously get full PFS of the second
>kind.
>
>If you were using the type of rekeying I was suggesting earlier, where the
>new DH key is reused across multiple phase 2s and then deleted after a fixed
>interval, you still get PFS of the second kind to within your PFS interval.
>
>Andrew
>-------------------------------------------
>There are no rules, only regulations. Luckily,
>history has shown that with time, hard work,
>and lots of love, anyone can be a technocrat.
>