 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
PFS is an optional feature that causes every newly refreshed key to be completely unrelated to the previous key. PFS provides added security, but requires extra processing for a new Diffie-Hellmann key exchange on every key refresh.
If PFS is enabled, the router mandates PFS during SA negotiation. The remote security gateway must accept PFS to successfully negotiate the SA. However, if PFS is disabled, PFS might still be negotiated if the remote security gateway requests PFS.
PFS supports three Diffie-Hellmann prime modulus groups:
SA negotiation favors the highest request. For example, if group 2 is requested locally, the remote security gateway must support group 2 for the SA negotiation to be successful. If group 1 is requested locally, either groups 1 or 2 can be accepted, depending on requests from the remote security gateway.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |