[strongSwan] seeking advice: pfs on creating a child_sa?

ValdikSS iam at valdikss.org.ru
Thu Mar 3 19:42:36 CET 2016


I'd also like someone to clarify this question. From what I understand currently, using EDH for the IKE_SA is PFS as it is in "usual" SSL/TLS (e.g. in HTTPS) —
you'll get a new EDH key for every new IKE_SA negotiation.
But EDH in the CHILD_SA is what you would call "key rotation". If you use EDH in the CHILD_SA, you'll get a new EDH key on every rekey, i.e. every hour or so.
Is this correct?

On 03/01/2016 02:55 PM, John Brown wrote:
> Hi,
>  
>  I can give you two links with a small amount of information about your question:
>
> http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
>
> and
>
> https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Perfect-Forward-Secrecy-PFS
>
>
> Regards,
>
> John
>
> 2016-03-01 11:23 GMT+01:00 Harald Dunkel <harald.dunkel-N2c6Q/boOuSzQB+pC5nmwQ at public.gmane.org <mailto:harald.dunkel-N2c6Q/boOuSzQB+pC5nmwQ at public.gmane.org>>:
>
>
>
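
The two settings discussed in the thread, as an added example that is not part of any message above or of the strongSwan project's own documentation. It shows two ipsec.conf IKEv2 connections that differ only in the ESP proposal: without a DH group, CHILD_SA keys are derived purely from the IKE_SA's key material (SK_d plus the nonces), so the hourly rekey rotates keys but does not give forward secrecy against a compromise of the IKE_SA keys; appending a DH group makes every CHILD_SA rekey run a fresh exchange. Connection names, identities and the addresses (from the RFC 5737 documentation range) are placeholders.

```ini
# Added example (not from the thread or the strongSwan docs); names and
# addresses are placeholders.

# (a) No DH group in the ESP proposal. Each 1h rekey produces new keys,
#     but they are all derived from the IKE_SA's SK_d, so whoever holds
#     the IKE_SA keys can derive every CHILD_SA key: rotation, not PFS.
conn nopfs-example
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example.com
    right=192.0.2.2
    rightid=@gw-b.example.com
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    ikelifetime=24h
    lifetime=1h
    auto=start

# (b) DH group appended to the ESP proposal. Every CHILD_SA rekey runs a
#     fresh modp2048 exchange, so the keys of each 1h window stand alone
#     even if SK_d is later exposed: PFS at the CHILD_SA level.
conn pfs-example
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example.com
    right=192.0.2.2
    rightid=@gw-b.example.com
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=24h
    lifetime=1h
    auto=start
```

To check which case a running tunnel is in, look at the ESP proposal that `ipsec statusall` prints for the established CHILD_SA: with (b) it lists the DH group (MODP_2048) alongside the cipher and integrity algorithm, with (a) it does not. Both peers must offer a DH group in their ESP proposals, otherwise the rekey falls back to (a).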
