RE: set pfs groupx command

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Wed Mar 08 2006 - 00:46:13 GMT-3


This should help:

Perfect Forward Secrecy (PFS): PFS ensures that a given IPSec SA key was not derived from any other secret (like some other keys). In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPSec protected data, and then use knowledge of the IKE SA secret in order to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPSec. The attacker needs to break each IPSec SA individually. The Cisco IOS IPSec implementation uses PFS group 1 (D-H 768 bit) by default.

http://www.cisco.com/warp/public/105/IPSECpart1.html#glossary

HTH,

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)
 
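To make the glossary's point concrete, here is an added example (not from Brian's post, the Cisco glossary, or any IOS code) that models the IKEv1 Quick Mode key derivation from RFC 2409 section 5.5 with and without PFS. It assumes HMAC-SHA1 as the IKE PRF and Oakley group 1 (the 768-bit MODP group the glossary mentions); the SKEYID_d, nonces and SPI values are constructed at random for the run, and the attacker model is an eavesdropper who has already obtained SKEYID_d from Phase 1 and recorded the Quick Mode exchange.

```python
"""Added illustration of PFS in IKEv1 Quick Mode (RFC 2409 section 5.5).
Not code from the original post or from Cisco IOS; PRF and group are assumptions."""
import hashlib
import hmac
import secrets

# Oakley group 1, the 768-bit MODP group (RFC 2409 section 6.1), generator 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF",
    16,
)
GROUP1_G = 2
P_LEN = (GROUP1_P.bit_length() + 7) // 8  # 96 bytes
ESP = 3  # IPsec protocol id used in the KEYMAT input


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, the IKEv1 PRF when SHA is the negotiated hash (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh ephemeral DH pair. Only the public value g^x goes on the wire."""
    x = secrets.randbelow(GROUP1_P - 2) + 1
    return x, pow(GROUP1_G, x, GROUP1_P)


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, gxy=None):
    """KEYMAT per RFC 2409 section 5.5.
    without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    body = bytes([protocol]) + spi + ni + nr
    if gxy is not None:
        body = gxy.to_bytes(P_LEN, "big") + body
    return prf(skeyid_d, body)


def quick_mode(skeyid_d, pfs):
    """One Quick Mode between two peers. Returns the IPsec SA key both sides
    derived, what an eavesdropper saw on the wire, and the initiator's private
    DH exponent (state that stays inside the initiator)."""
    ni, nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    wire = {"spi": spi, "ni": ni, "nr": nr}
    xi = gxy_i = gxy_r = None
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        wire["ke_i"], wire["ke_r"] = gxi, gxr   # KE payloads carry public values only
        gxy_i = pow(gxr, xi, GROUP1_P)          # initiator computes g^xy
        gxy_r = pow(gxi, xr, GROUP1_P)          # responder computes the same g^xy
    k_i = quick_mode_keymat(skeyid_d, ESP, spi, ni, nr, gxy_i)
    k_r = quick_mode_keymat(skeyid_d, ESP, spi, ni, nr, gxy_r)
    assert k_i == k_r, "peers must agree on KEYMAT"
    return k_i, wire, xi


def attacker_keymat(skeyid_d, wire, stolen_x=None):
    """Attacker who knows SKEYID_d (IKE SA broken) and the recorded exchange.
    Without PFS everything needed is on the wire. With PFS the wire only has
    g^x and g^y; turning those into g^xy is the DH problem, so the attacker
    needs a private exponent as well (stolen_x models stealing it from a peer)."""
    gxy = None
    if "ke_i" in wire:
        if stolen_x is None:
            return None                          # cannot derive g^xy from public values
        gxy = pow(wire["ke_r"], stolen_x, GROUP1_P)
    return quick_mode_keymat(skeyid_d, ESP, wire["spi"], wire["ni"], wire["nr"], gxy)


def demo(pfs: bool) -> dict:
    """Two IPsec SAs (initial SA and a rekey) under one compromised IKE SA."""
    skeyid_d = secrets.token_bytes(20)           # Phase 1 secret, assumed compromised
    k1, wire1, x1 = quick_mode(skeyid_d, pfs)
    k2, wire2, _ = quick_mode(skeyid_d, pfs)     # rekey: fresh nonces, fresh DH if PFS
    return {
        "passive": attacker_keymat(skeyid_d, wire1) == k1,
        "with_stolen_exponent": attacker_keymat(skeyid_d, wire1, x1) == k1,
        "rekeyed_sa_with_same_exponent": attacker_keymat(skeyid_d, wire2, x1) == k2,
    }


if __name__ == "__main__":
    print("no PFS:", demo(False))
    print("PFS   :", demo(True))
```

The no-PFS run shows every IPsec SA falling to a single IKE-SA compromise; the PFS run shows the attacker needing something beyond the IKE secret and the captured packets (here a stolen DH exponent) and, even then, only getting the one SA whose exponent they hold, because the rekey ran a fresh exchange. On IOS this is what `set pfs group1` or `set pfs group2` under the crypto map entry turns on: each Quick Mode then carries KE payloads and pays for one extra DH computation per SA.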
________________________________________
From: ccieim@comcast.net [mailto:ccieim@comcast.net]
Sent: Tuesday, March 07, 2006 6:25 PM
To: Brian Dennis; ccielab@groupstudy.com
Subject: RE: set pfs groupx command

Hi Brian,
Yes, I do not know what it is or what it is for. What is the difference between using PFS and not using it?
Regards,
Don
 
-------------- Original message --------------
From: "Brian Dennis" <bdennis@internetworkexpert.com>

> Don,
> Are you asking what PFS (Perfect Forward Secrecy) is or how the
> particular PFS groups differ?
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
> bdennis@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 775-745-6404 (Outside the US and Canada)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccieim@comcast.net
> Sent: Tuesday, March 07, 2006 12:22 PM
> To: ccielab@groupstudy.com
> Subject: set pfs groupx command
>
> Hi group,
> Can anyone out there explain for me what the set pfs groupx command does? I
> searched the Cisco site but the doc only shows how to use it and does not
> mention what it is for.
> Thanks,
> Don
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:38 GMT-3