Perfect Forward Secrecy; Lifetime - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For e series broadband services routers - ip services configuration

JUNOSe 11.0.x IP Services Configuration Guide

Perfect Forward Secrecy

PFS is an optional feature that causes every newly refreshed key to be completely
unrelated to the previous key. PFS provides added security, but requires extra
processing for a new Diffie-Hellman key exchange on every key refresh.
If PFS is enabled, the router mandates PFS during SA negotiation. The remote security
gateway must accept PFS to successfully negotiate the SA. However, if PFS is disabled,
PFS might still be negotiated if the remote security gateway requests PFS.
PFS supports three Diffie-Hellman prime modulus groups:

Group 1   A 768-bit Diffie-Hellman prime modulus group
Group 2   A 1024-bit Diffie-Hellman prime modulus group
Group 5   A 1536-bit Diffie-Hellman prime modulus group

SA negotiation favors the highest request. For example, if group 2 is requested locally,
the remote security gateway must support group 2 for the SA negotiation to be
successful. If group 1 is requested locally, either group 1 or group 2 can be accepted,
depending on requests from the remote security gateway.

Lifetime

You can set a lifetime for user SAs and IKE SAs. For information about setting the
IKE SA lifetime, see "Lifetime" on page 144.

For signaled IPSec interfaces, both the inbound and outbound SA must be assigned
a lifetime. The lifetime parameter controls the duration for which the SA is valid.
When a user SA is established, both a timer and a traffic volume counter are set.
When either counter reaches the limit specified by the SA lifetime, a new SA is
negotiated and the expired SA is deleted. The renegotiations refresh several SA
parameters, including keys.

Note the following about how the lifetime parameters work:

- You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime.
- To avoid delays in the data flow, a new user SA is actually renegotiated before
  the expiration. If the SA expires in the middle of processing a packet, the router
  finishes processing that packet.
- The actual user SA lifetime may not equal the value configured in the router.
- There are both global and tunnel-specific lifetime parameters. If there is no
  tunnel-specific lifetime configured, the router uses the global lifetime. The global
  lifetime parameters have the following default settings:
  - 8 hours for the time-based lifetime
  - 100 MB for the traffic-based lifetime
- Lifetime parameters are valid only for user SAs established via IKE. Manually
  configured user SAs ignore this parameter.
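The following Python model is an added example, not code from the guide or from JUNOSe; it shows how the user SA lifetime rules above fit together: tunnel-specific values override the global defaults (8 hours, 100 MB), either the timer or the traffic counter can expire the SA, renegotiation starts before expiry, a packet in flight is still completed, and manually keyed SAs ignore the parameter. The UserSA class and the rekey-ahead margins are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Global defaults as stated in the guide: 8 hours, 100 MB.
GLOBAL_LIFETIME_SECONDS = 8 * 3600
GLOBAL_LIFETIME_BYTES = 100 * 1024 * 1024


@dataclass
class UserSA:
    """Model of one user SA (assumed class, not a JUNOSe API)."""
    established_at: float                   # seconds on a monotonic clock
    via_ike: bool = True                    # manually keyed SAs ignore lifetimes
    lifetime_seconds: Optional[int] = None  # tunnel-specific; None = use global
    lifetime_bytes: Optional[int] = None    # tunnel-specific; None = use global
    bytes_processed: int = 0
    rekey_margin_seconds: int = 60          # assumed rekey-ahead window (time)
    rekey_margin_bytes: int = 1024 * 1024   # assumed rekey-ahead window (volume)

    def effective_lifetime(self) -> tuple:
        """Tunnel-specific lifetime wins; otherwise the global value applies."""
        secs = GLOBAL_LIFETIME_SECONDS if self.lifetime_seconds is None else self.lifetime_seconds
        size = GLOBAL_LIFETIME_BYTES if self.lifetime_bytes is None else self.lifetime_bytes
        return secs, size

    def expired(self, now: float) -> bool:
        """Either the timer or the traffic counter reaching its limit expires the SA."""
        if not self.via_ike:
            return False
        secs, size = self.effective_lifetime()
        return now - self.established_at >= secs or self.bytes_processed >= size

    def needs_rekey(self, now: float) -> bool:
        """Start negotiating the replacement SA before expiry so traffic is not delayed."""
        if not self.via_ike:
            return False
        secs, size = self.effective_lifetime()
        time_left = secs - (now - self.established_at)
        bytes_left = size - self.bytes_processed
        return time_left <= self.rekey_margin_seconds or bytes_left <= self.rekey_margin_bytes

    def process_packet(self, now: float, size: int) -> str:
        """Account one packet, then report the SA state. The packet is always
        processed, even if it is the one that pushes the SA past its limit."""
        self.bytes_processed += size
        if self.expired(now):
            return "expired"  # switch to the freshly negotiated SA, delete this one
        if self.needs_rekey(now):
            return "rekey"    # keep using this SA while the next one is negotiated
        return "active"
```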