Nortel Networks 608(WL) User Manual
Chapter 4: Configuration via the Command Line Interface
E-DOC-CTC-20051017-0169 v0.1
Page 130
Perfect Forward Secrecy [pfs]

Enables or disables the use of Perfect Forward Secrecy. A lot of vendors have
Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In
order to configure this on the SpeedTouch™, the use of PFS must be enabled in the
Connection Security Descriptor.

PFS provides better security, but increases the key calculation overhead.
With PFS enabled, the independence of Phase 2 keying material is guaranteed.
Each time the Phase 2 tunnel is rekeyed, a Diffie-Hellman exchange is performed.
Not enabling PFS means that the new Phase 2 key is derived from keying material
present in the SpeedTouch™ as a result of the Diffie-Hellman exchange during the
Phase 1 negotiation.

IPSec SA lifetime [lifetime_secs]

The lifetime of a Security Association is specified in seconds:

  lifetime measured in   Minimum value        Maximum value
  seconds                240 (= 4 minutes)    31536000 (= 1 year)

IPSec SA volume lifetime [lifetime_kbytes]

The data volume limit of a Security Association before re-keying, expressed in
kilobytes:

  lifetime measured in   Minimum value   Maximum value
  kilobytes              1               2^30 (= 1 073 741 824)

Encapsulation mode [encapsulation]

The following table describes the encapsulation modes and their keywords:

  Encapsulation mode   Keyword
  Transport mode       transport
  Tunnel mode          tunnel

Tunnel mode is used in all applications where the SpeedTouch™ is the IPSec
Security Gateway for the connected hosts.

Transport mode can be used only for information streams generated or terminated
by the SpeedTouch™ itself. For example, remote management applications may use
this setting.
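The PFS description above states that with PFS every Phase 2 rekey performs its own Diffie-Hellman exchange, while without PFS the new Phase 2 key is derived from the keying material left over from the Phase 1 Diffie-Hellman exchange. The following Python model, added here as an illustration and not taken from the manual or from the SpeedTouch firmware, makes that difference concrete: it runs a Phase 1 exchange, then rekeys Phase 2 with and without PFS, and checks what a party holding only the Phase 1 secret plus the public wire transcript can reproduce. The function names (`phase1`, `rekey`, `derive_from_phase1_only`), the HMAC-SHA256 PRF and the key layout are assumptions of this model; real IKE derivation (RFC 2409) is more involved. The group parameters are the 1024-bit MODP prime of IKE group 2.

```python
import hashlib
import hmac
import secrets

# IKE group 2 (RFC 2409, 1024-bit MODP). Small by today's standards; used only to keep
# this model close to what an IKEv1 implementation of this era would negotiate.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8


def dh_keypair():
    """One Diffie-Hellman keypair: (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^(xy) mod p as fixed-length bytes."""
    return pow(peer_pub, priv, P).to_bytes(P_LEN, "big")


def prf(key, data):
    """Pseudo-random function used for all derivations in this model (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1():
    """Phase 1: a single DH exchange whose result becomes the long-lived Phase 1 secret."""
    xi, gi = dh_keypair()          # initiator
    xr, gr = dh_keypair()          # responder
    skeyid = prf(dh_shared(xi, gr), b"SKEYID")
    assert skeyid == prf(dh_shared(xr, gi), b"SKEYID")   # both peers agree
    return skeyid


def rekey(skeyid, n, pfs):
    """The n-th Phase 2 rekey. Returns (phase2_key, transcript), where transcript is what a
    passive observer on the wire records: the SA number, both nonces and, with PFS, the
    DH public values. Private DH exponents never leave the peers."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    info = n.to_bytes(4, "big") + ni + nr
    transcript = {"n": n, "ni": ni, "nr": nr}
    if pfs:
        xi, gi = dh_keypair()
        xr, gr = dh_keypair()
        transcript["gi"], transcript["gr"] = gi, gr
        # Fresh secret g^(xi*xr) is mixed in, then discarded by both peers after use.
        key = prf(skeyid, dh_shared(xi, gr) + info)
        assert key == prf(skeyid, dh_shared(xr, gi) + info)
    else:
        # No PFS: the new key depends only on Phase 1 material and public nonces.
        key = prf(skeyid, info)
    return key, transcript


def derive_from_phase1_only(skeyid, transcript):
    """What can be computed from the Phase 1 secret plus the wire transcript alone.
    Without PFS this reproduces the Phase 2 key exactly. With PFS the fresh DH secret is
    needed, and it cannot be recovered from gi and gr without solving the DH problem, so
    the function reports that no key is derivable."""
    if "gi" in transcript:
        return None
    info = transcript["n"].to_bytes(4, "big") + transcript["ni"] + transcript["nr"]
    return prf(skeyid, info)


def pfs_comparison():
    """For pfs in (False, True): does Phase 1 material alone reproduce the Phase 2 key?"""
    skeyid = phase1()
    outcome = {}
    for pfs in (False, True):
        real_key, transcript = rekey(skeyid, 1, pfs)
        outcome[pfs] = derive_from_phase1_only(skeyid, transcript) == real_key
    return outcome   # {False: True, True: False}


if __name__ == "__main__":
    for pfs, reproduced in pfs_comparison().items():
        print(f"pfs={pfs}: Phase 2 key reproducible from Phase 1 secret alone: {reproduced}")
```

The result is the property the manual calls "independence of Phase 2 keying material": with `pfs=False` the Phase 1 secret plus the recorded nonces are enough to regenerate every Phase 2 key, so a later exposure of the Phase 1 secret exposes all traffic protected under those SAs; with `pfs=True` each rekey adds a secret that exists only inside the two peers for the duration of that exchange. The extra `pow()` calls per rekey are the "key calculation overhead" the manual mentions, and a short `lifetime_secs` or `lifetime_kbytes` multiplies that cost because rekeys happen more often.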