Based on my understanding, when PFS is used, the session keys derived in
ISAKMP phase 1 are not used for encryption; rather, another set of session keys
is derived in ISAKMP phase 2 using the DH group defined for PFS. Even if
the attacker knows the session keys that were used in ISAKMP phase 1, he/she
can't crack the IPSec session.


With regards
Kings
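Added illustration, not part of either post: the IKEv1 Quick Mode KEYMAT derivation from RFC 2409 section 5.5, with and without the PFS DH exchange, showing why Phase 2 keys can be rebuilt from the Phase 1 secret SKEYID_d only when PFS is off. The DH parameters, nonces and SKEYID_d are constructed toy values, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy Diffie-Hellman parameters for illustration only; a real
# IKE deployment negotiates a MODP group from RFC 2409 / RFC 3526.
P = 2**61 - 1          # prime, but far too small for actual use
G = 2
PROTO_IPSEC_ESP = 3    # IPsec DOI protocol ID for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC with the negotiated hash; SHA-1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni_b: bytes, nr_b: bytes,
           g_qm_xy: Optional[bytes] = None) -> bytes:
    """First KEYMAT block of RFC 2409 section 5.5:
    prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g_qm_xy is the Quick Mode DH secret; it is absent without PFS."""
    data = (g_qm_xy or b"") + bytes([PROTO_IPSEC_ESP]) + spi + ni_b + nr_b
    return prf(skeyid_d, data)


def quick_mode_rekey(skeyid_d: bytes, pfs: bool):
    """Simulate one Phase 2 rekey. Returns the peers' KEYMAT and the values
    carried in the Quick Mode messages (protected only by the Phase 1 SA)."""
    spi, ni_b, nr_b = (secrets.token_bytes(n) for n in (4, 16, 16))
    wire = {"spi": spi, "ni_b": ni_b, "nr_b": nr_b}
    g_qm_xy = None
    if pfs:
        xi, xr = (secrets.randbelow(P - 2) + 1 for _ in range(2))  # private
        wire["kei"], wire["ker"] = pow(G, xi, P), pow(G, xr, P)   # public KE
        g_qm_xy = pow(wire["ker"], xi, P).to_bytes(8, "big")       # never sent
    return keymat(skeyid_d, spi, ni_b, nr_b, g_qm_xy), wire


def recompute_from_skeyid_d(skeyid_d: bytes, wire: dict) -> Optional[bytes]:
    """What a holder of the Phase 1 secret SKEYID_d can reconstruct from the
    exchanged values alone. With PFS the DH secret is missing, so: nothing."""
    if "kei" in wire:
        return None
    return keymat(skeyid_d, wire["spi"], wire["ni_b"], wire["nr_b"])
```

Without PFS the Quick Mode keys follow directly from SKEYID_d plus public values; with PFS a fresh ephemeral DH secret that never leaves either peer is mixed in, so leaking the Phase 1 material does not expose the IPsec SA.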

On Wed, May 18, 2011 at 9:32 AM, Vybhav Ramachandran <[email protected]> wrote:

> Hello All,
>
> Damn! It feels good to be back :). So here goes.
>
> I was studying about PFS yesterday. I couldn't get hold of any good
> documentation on this so, based on bits and pieces of information gathered
> from various sites, here's how I think it works. Please let me know if my
> understanding is correct or flawed.
>
>
> *Without* PFS, what happens is, after the IKE Phase 2 lifetime expires, if
> there is any traffic which has to go through the VPN, then the IKE Phase 2
> SA is renegotiated. The IKE Phase 1 SAs which are derived from the first IKE
> Phase 1 negotiation are kept as they are and they are not renegotiated. This
> could lead to a possible case where the attacker, if he/she got hold of the
> IKE Phase 1 keys, could derive and decrypt the information being passed
> between the VPN peers. This attack would last until the IKE Phase 1
> lifetime expired.
>
> *With* PFS, after the IKE Phase 2 lifetime expires, if there is any
> traffic which has to go through the VPN, then BOTH the IKE Phase 1 and IKE
> Phase 2 tunnels are renegotiated. This ensures better security.
>
>
> Cheers,
> TacACK
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>