Hi Harri,
I can give you only the opinion of a strongSwan user, but this is not the
opinion of a cryptographic expert.
I think that using pfs for child_sa is not a critical issue but it is better
to use it if you can. If you do not use pfs for phase 2, crypto keys for
this phase are derived from other keys
Hi John,
On 03/01/2016 12:55 PM, John Brown wrote:
> Hi,
>
> I can give you two links with a small amount of information about your
> question:
>
> http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
>
> and
>
> https
I'd also like someone to clarify this question. From what I understand
currently, using EDH for IKE_SA is PFS as it is in "usual" SSL/TLS (e.g. in
HTTPS) — you'll get a new EDH key for every new IKE_SA negotiation.
But EDH in CHILD_SA is what you would call "key rotation". If you use EDH in
CHIL
Hi,
I can give you two links with a small amount of information about your
question:
http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/vpn-security-phase-2-ipsec-proposal-understanding.html
and
https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Pe
Hi folks,
looking for some advice: Would you suggest using pfs for esp?
Apparently pfs is a must-have to establish an ike_sa today, but
is this reasonable for the child_sas as well?
Every helpful comment is highly appreciated.
Harri