From: ccieim@comcast.net
Date: Thu Mar 09 2006 - 12:47:58 GMT-3
Thanks Brian. 
-------------- Original message -------------- 
From: "Brian Dennis" <bdennis@internetworkexpert.com> 
> This should help: 
> 
> Perfect Forward Secrecy (PFS): PFS ensures that a given IPSec SA key was not 
> derived from any other secret (like some other keys). In other words, if someone 
> breaks a key, PFS ensures that the attacker is not able to derive any other key. 
> If PFS is not enabled, someone can potentially break the IKE SA secret key, copy 
> all the IPSec protected data, and then use knowledge of the IKE SA secret in 
> order to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE
> does not give an attacker immediate access to IPSec. The attacker needs to break 
> each IPSec SA individually. The Cisco IOS IPSec implementation uses PFS group 1 
> (D-H 768 bit) by default. 
> 
> http://www.cisco.com/warp/public/105/IPSECpart1.html#glossary 
> 
> HTH, 
> 
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security) 
> bdennis@internetworkexpert.com 
> 
> Internetwork Expert, Inc. 
> http://www.InternetworkExpert.com 
> Toll Free: 877-224-8987 
> Direct: 775-745-6404 (Outside the US and Canada) 
> 
> ________________________________________ 
> From: ccieim@comcast.net [mailto:ccieim@comcast.net] 
> Sent: Tuesday, March 07, 2006 6:25 PM 
> To: Brian Dennis; ccielab@groupstudy.com 
> Subject: RE: set pfs groupx command 
> 
> Hi Brian, 
> Yes, I do not know what it is and what it is for. What is the difference between
> using the pfs and not using it?
> Regards, 
> Don 
> 
> -------------- Original message -------------- 
> From: "Brian Dennis" 
> 
> > Don, 
> > Are you asking what PFS (Perfect Forward Secrecy) is or how the 
> > particular PFS groups differ? 
> > 
> > Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security) 
> > bdennis@internetworkexpert.com 
> > 
> > Internetwork Expert, Inc. 
> > http://www.InternetworkExpert.com 
> > Toll Free: 877-224-8987 
> > Direct: 775-745-6404 (Outside the US and Canada) 
> > 
> > -----Original Message----- 
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of 
> > ccieim@comcast.net 
> > Sent: Tuesday, March 07, 2006 12:22 PM 
> > To: ccielab@groupstudy.com 
> > Subject: set pfs groupx command 
> > 
> > Hi group, 
> > Can anyone out there explain to me what the set pfs groupx command does? I
> > searched the Cisco site, but the doc only shows how to use it but does not
> > mention what it is for.
> > Thanks, 
> > Don 
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:38 GMT-3
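
Added example (not part of the original thread, and not Cisco's code): a Python model of the IKEv1 quick mode key derivation in RFC 2409 section 5.5, showing why the IPsec SA keys follow directly from the IKE SA secret when PFS is off and do not when a fresh Diffie-Hellman exchange is mixed in. The toy DH prime, HMAC-SHA1 as the prf, and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy DH group, constructed for this demo. PFS group 1 on a real device is the
# 768-bit MODP group; the structure of the derivation is the same.
P = 2**127 - 1
G = 3
PROTO_IPSEC_ESP = 3  # protocol ID from the IPsec DOI (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated prf; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d, spi, ni, nr, dh_shared=b""):
    """RFC 2409 5.5: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, dh_shared + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)


def quick_mode_dh() -> bytes:
    """Fresh ephemeral DH run inside quick mode; only the peers learn the result."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    shared = pow(pow(G, y, P), x, P)
    assert shared == pow(pow(G, x, P), y, P)
    return shared.to_bytes(16, "big")


def simulate(pfs: bool):
    """Return (KEYMAT the peers use, KEYMAT recomputed from a broken IKE SA)."""
    skeyid_d = secrets.token_bytes(20)  # IKE SA secret, assumed compromised
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    peers = keymat(skeyid_d, spi, ni, nr, quick_mode_dh() if pfs else b"")
    # With the IKE SA broken, the quick mode messages can be decrypted, so SPI
    # and both nonces are known. The DH private exponents never cross the wire.
    recomputed = keymat(skeyid_d, spi, ni, nr)
    return peers, recomputed


if __name__ == "__main__":
    for pfs in (False, True):
        peers, recomputed = simulate(pfs)
        print(f"pfs={pfs}: IPsec keys follow from IKE SA secret: {peers == recomputed}")
```

Without PFS the two values match, which is the exposure the glossary text describes; with PFS each IPsec SA also depends on its own ephemeral DH secret.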