Hello All, Damn! It feels good to be back :). So here goes.
I was studying about PFS yesterday. I couldn't get hold of any good documentation on this so, based on bits and pieces of information gathered from various sites, here's how I think it works. Please let me know if my understanding is correct or flawed.

*Without* PFS, what happens is, after the IKE Phase 2 lifetime expires, if there is any traffic which has to go through the VPN, then the IKE Phase 2 SA is renegotiated. The IKE Phase 1 SAs which are derived from the first IKE Phase 1 negotiation are kept as they are and they are not renegotiated. This could lead to a possible case where the attacker, if he/she got hold of the IKE Phase 1 keys, could derive and decrypt the information being passed between the VPN peers. This attack would last until the IKE Phase 1 lifetime expired.

*With* PFS, after the IKE Phase 2 lifetime expires, if there is any traffic which has to go through the VPN, then BOTH the IKE Phase 1 and IKE Phase 2 tunnels are renegotiated. This ensures better security.

Cheers,
TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
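As an added illustration (not part of TacACK's post or the list), here is how the IKEv1 quick-mode key derivation of RFC 2409 section 5.5 differs with and without PFS: without PFS the Phase 2 KEYMAT is a function of the Phase 1 secret SKEYID_d plus values that travel in the clear (SPI and nonces), while with PFS a fresh Diffie-Hellman shared secret from the quick-mode exchange is mixed in. The DH group, nonces and SKEYID_d below are constructed toy values, and HMAC-SHA1 stands in for the negotiated prf.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (61-bit Mersenne
# prime). Real IKE uses large MODP groups such as RFC 2409 group 2.
TOY_P = (1 << 61) - 1
TOY_G = 3

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair() -> tuple:
    """Fresh (private exponent, public value) pair in the toy group."""
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)

def quick_mode_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes,
                      g_xy: bytes = b"", protocol: int = 3) -> bytes:
    """Phase 2 KEYMAT as in RFC 2409 section 5.5 (protocol 3 = ESP).
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    return prf(skeyid_d, g_xy + bytes([protocol]) + spi + ni + nr)

def quick_mode_rekey(skeyid_d: bytes, pfs: bool) -> tuple:
    """One Phase 2 negotiation: returns the peers' KEYMAT and the wire-visible values."""
    wire = {"spi": secrets.token_bytes(4), "ni": secrets.token_bytes(16),
            "nr": secrets.token_bytes(16)}
    g_xy = b""
    if pfs:
        xi, wire["g_i"] = dh_keypair()      # initiator's fresh DH pair
        xr, wire["g_r"] = dh_keypair()      # responder's fresh DH pair
        g_xy = pow(wire["g_r"], xi, TOY_P).to_bytes(8, "big")
        assert g_xy == pow(wire["g_i"], xr, TOY_P).to_bytes(8, "big")
    return quick_mode_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"], g_xy), wire

def derivable_from_phase1_secret(pfs: bool) -> bool:
    """Does SKEYID_d plus the wire-visible values alone reproduce the Phase 2 KEYMAT?
    The DH private exponents are never transmitted, so g^xy cannot be formed here."""
    skeyid_d = secrets.token_bytes(20)     # constructed Phase 1 secret
    keymat, wire = quick_mode_rekey(skeyid_d, pfs)
    attempt = quick_mode_keymat(skeyid_d, wire["spi"], wire["ni"], wire["nr"])
    return attempt == keymat
```

Running `derivable_from_phase1_secret(False)` gives True and `derivable_from_phase1_secret(True)` gives False, which is exactly the property PFS adds: each rekeyed Phase 2 SA gets keying material that the Phase 1 secret alone no longer determines.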
