IKE can provide Perfect Forward Secrecy (PFS) of both keys and identities.
The identities of both the ISAKMP negotiating peers and, if applicable,
the identities for whom the peers are negotiating can be protected with
PFS. The latter are the client identities carried in Quick Mode, which
may name hosts or subnets of an intranet, so PFS of identities keeps those
internal addresses from being recovered from a recorded exchange if keying
material is compromised later.
To provide Perfect Forward Secrecy of both keys and all identities,
the two parties perform the following:
- A Main Mode Exchange to protect the identities of the ISAKMP peers.
This establishes an ISAKMP SA.
- A Quick Mode Exchange to negotiate other security protocol protection.
This establishes an SA on each end for that protocol.
- Delete the ISAKMP SA and its associated state.
Since the key for the non-ISAKMP security association was derived from
the single ephemeral Diffie-Hellman exchange of that Main Mode, and the
ISAKMP SA that held the derived SKEYID values no longer exists, a later
compromise of either peer yields nothing from the deleted ISAKMP SA that
decrypts the recorded identity payloads or the protected traffic: PFS is
preserved. The cost is that every further Quick Mode needs a fresh Main
Mode first.
To provide Perfect Forward Secrecy of just the keys of a non-ISAKMP
security association, it is not necessary to do a phase 1 exchange
if an ISAKMP SA exists between the two peers. A single Quick Mode
in which the optional KE payload is passed and an additional
Diffie-Hellman exchange is performed, is all that is required. At
this point, the state derived from this Quick Mode (the Diffie-Hellman
private values and the shared secret g(qm)^xy) must be deleted from the
ISAKMP SA. The ISAKMP SA itself remains, so the peer identities it
protected do not get PFS in this case; only the keys of the new SA do.
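As an added example (not part of the original text), the following Python
models the key side of both procedures above using the KEYMAT derivations
from RFC 2409 section 5.5, with HMAC-SHA1 as the prf and a toy
Diffie-Hellman group standing in for a real Oakley group. The function and
constant names (run_phase1, run_quick_mode, attacker_rebuilds_keymat,
pfs_demo, TOY_P, TOY_G) and the sample SPI are assumptions made for this
illustration. It shows why deleting the Quick Mode Diffie-Hellman state
matters: an attacker who records the exchange and later obtains SKEYID_d
from the ISAKMP SA can recompute KEYMAT when the KE payload was omitted,
but not when it was used and the ephemeral exponents were discarded.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption): a real IKE
# implementation uses one of the Oakley MODP groups, not this prime.
TOY_P = (1 << 127) - 1      # 2^127 - 1, prime; fits in 16 bytes
TOY_G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf: keyed HMAC with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh ephemeral exponent x and public value g^x mod p."""
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(x: int, peer_pub: int) -> bytes:
    """g^xy mod p as a fixed-width byte string."""
    return pow(peer_pub, x, TOY_P).to_bytes(16, "big")


def phase1_skeyid_d(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)   (RFC 2409 section 5)."""
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, g_qm_xy=b""):
    """RFC 2409 section 5.5:
    without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    An empty g_qm_xy selects the no-PFS form."""
    return prf(skeyid_d, g_qm_xy + protocol + spi + ni_b + nr_b)


def run_phase1() -> bytes:
    """Main Mode reduced to what matters here: derive SKEYID_d from an
    ephemeral DH exchange plus the cookies (signature-authentication form
    SKEYID = prf(Ni_b | Nr_b, g^xy)), then let the phase 1 DH secret go."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy = dh_shared(xi, gxr)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid = prf(ni_b + nr_b, gxy)
    return phase1_skeyid_d(skeyid, gxy, cky_i, cky_r)


def run_quick_mode(skeyid_d: bytes, pfs: bool):
    """One Quick Mode under an existing ISAKMP SA. Returns (KEYMAT, what an
    eavesdropper recorded). With pfs=True the optional KE payload is sent,
    a second DH exchange is done, and the Quick Mode DH state is deleted."""
    protocol = b"\x03"                       # PROTO_IPSEC_ESP (IPsec DOI)
    spi = bytes.fromhex("0000abcd")          # constructed sample SPI
    ni_b, nr_b = secrets.token_bytes(16), secrets.token_bytes(16)
    recorded = {"protocol": protocol, "spi": spi, "ni_b": ni_b, "nr_b": nr_b}
    g_qm_xy = b""
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        recorded["ke_i"], recorded["ke_r"] = gxi, gxr   # public values on the wire
        g_qm_xy = dh_shared(xi, gxr)
        assert g_qm_xy == dh_shared(xr, gxi)
        del xi, xr                            # both peers delete their QM DH state
    keymat = quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, g_qm_xy)
    return keymat, recorded


def attacker_rebuilds_keymat(leaked_skeyid_d: bytes, recorded: dict) -> bytes:
    """An attacker who later obtains SKEYID_d from the ISAKMP SA and holds the
    recorded Quick Mode. Only nonces, SPI and (with PFS) the public KE values
    were visible, so the best available move is the no-PFS derivation."""
    return quick_mode_keymat(leaked_skeyid_d, recorded["protocol"],
                             recorded["spi"], recorded["ni_b"], recorded["nr_b"])


def pfs_demo(pfs: bool) -> bool:
    """True if a later SKEYID_d compromise recovers the traffic key."""
    skeyid_d = run_phase1()
    keymat, recorded = run_quick_mode(skeyid_d, pfs)
    return attacker_rebuilds_keymat(skeyid_d, recorded) == keymat


if __name__ == "__main__":
    print("no PFS, SKEYID_d leaks later -> KEYMAT recovered:", pfs_demo(False))
    print("PFS,    SKEYID_d leaks later -> KEYMAT recovered:", pfs_demo(True))
```

The toy group is far too small to resist a discrete-log attack; the point
of the model is which state each side still holds after the exchange, not
the strength of the group. The first procedure in the text goes one step
further than pfs_demo(True): it also discards the ISAKMP SA, so there is no
SKEYID_d left to leak at all.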