Wednesday, May 5, 2010

Perfect Forward Secrecy (PFS)

PFS ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.
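As an added illustration of the two paragraphs above (example code written for this note, not anything from IOS or the original post): a Python model of one SA negotiation with and without PFS, followed by an attacker who later obtains one peer's long-term private key together with a recorded transcript. The modulus, generator, nonce handling and key derivation are simplifying assumptions of the example and are not IKE's real construction; only the structure (a fresh Diffie-Hellman exchange per SA when PFS is on) matches what the post describes.

```python
import hashlib
import secrets

# Demonstration group: 2**127 - 1 is prime and small enough to run instantly,
# but it is NOT one of the IKE groups. A real negotiation uses the MODP groups
# from the post (group2 = 1024-bit, group5 = 1536-bit); the logic is the same.
P = 2**127 - 1
G = 5  # assumed generator for the demo


def keypair():
    """Random private exponent and its public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def kdf(*ints):
    """Toy key derivation: SHA-256 over a fixed-width encoding of the inputs."""
    h = hashlib.sha256()
    for value in ints:
        h.update(value.to_bytes(32, "big"))
    return h.hexdigest()


def negotiate(a_long, b_long, nonce, pfs):
    """One SA negotiation between peers A and B.

    Without PFS the session key comes from the long-term DH secret and the
    nonce only. With PFS both peers add a fresh ephemeral DH exchange whose
    private exponents are discarded as soon as the key is derived.
    Returns (session_key, transcript); the transcript is what a passive
    observer on the wire could have recorded.
    """
    a_priv, a_pub = a_long
    b_priv, b_pub = b_long
    ss_long = shared_secret(a_priv, b_pub)
    assert ss_long == shared_secret(b_priv, a_pub)
    transcript = {"a_pub": a_pub, "b_pub": b_pub, "nonce": nonce}
    if not pfs:
        return kdf(ss_long, nonce), transcript
    ea_priv, ea_pub = keypair()                  # ephemeral pair for this SA
    eb_priv, eb_pub = keypair()
    ss_eph = shared_secret(ea_priv, eb_pub)
    assert ss_eph == shared_secret(eb_priv, ea_pub)
    transcript.update({"ea_pub": ea_pub, "eb_pub": eb_pub})
    del ea_priv, eb_priv                         # ephemeral exponents never persist
    return kdf(ss_long, ss_eph, nonce), transcript


def recover_from_leaked_key(a_priv_leaked, transcript):
    """Attacker holding A's leaked long-term private key and a recorded transcript.

    Returns every candidate session key the attacker can compute from those inputs.
    """
    ss_long = shared_secret(a_priv_leaked, transcript["b_pub"])
    nonce = transcript["nonce"]
    if "ea_pub" not in transcript:
        # No PFS: the long-term secret plus the recorded nonce is all there was.
        return [kdf(ss_long, nonce)]
    # PFS: the attacker sees g^ea and g^eb but holds neither exponent. The DH
    # values it can form mix the leaked long-term key with an ephemeral public
    # value, none of which equals g^(ea*eb).
    wrong_1 = shared_secret(a_priv_leaked, transcript["eb_pub"])
    wrong_2 = shared_secret(a_priv_leaked, transcript["ea_pub"])
    return [kdf(ss_long, wrong_1, nonce), kdf(ss_long, wrong_2, nonce), kdf(ss_long, nonce)]


def demo():
    """Negotiate one SA each way, then leak A's long-term key and try to recover both."""
    a_long, b_long = keypair(), keypair()
    nonce = secrets.randbelow(2**64)
    key_no_pfs, t_no_pfs = negotiate(a_long, b_long, nonce, pfs=False)
    key_pfs, t_pfs = negotiate(a_long, b_long, nonce, pfs=True)
    leaked = a_long[0]                           # A's long-term private key, compromised later
    return {
        "no_pfs_recovered": key_no_pfs in recover_from_leaked_key(leaked, t_no_pfs),
        "pfs_recovered": key_pfs in recover_from_leaked_key(leaked, t_pfs),
    }


if __name__ == "__main__":
    print(demo())
```

The extra cost the post mentions is visible in `negotiate`: with `pfs=True` each SA adds two `keypair()` calls and two modular exponentiations for the ephemeral exchange, which with a 1024- or 1536-bit modulus is the processing time the router pays on every rekey.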

Commands:

R2(config)#crypto map map1 10
R2(config-crypto-map)#set pfs ?
  group1  D-H Group1 (768-bit modp)
  group2  D-H Group2 (1024-bit modp)
  group5  D-H Group5 (1536-bit modp)

R2(config-crypto-map)#set pfs group2

Packet captures show that PFS consists of a quick mode exchange after the SA times out (which is what happens anyway without PFS). I didn't notice anything different about the "debug crypto ipsec" output when PFS was enabled or disabled.
