JunosE 11.3.x IP Services Configuration Guide
128
Perfect Forward Secrecy
PFS is an optional feature that makes every refreshed key cryptographically independent of the
key it replaces: each key refresh performs a fresh Diffie-Hellman exchange instead of deriving
the new key from the existing one, so compromise of one key does not expose the keys before or
after it. PFS adds security, but requires the extra processing of a new Diffie-Hellman key
exchange on every key refresh.
If PFS is enabled, the router mandates PFS during SA negotiation, and the remote security
gateway must accept PFS for the SA negotiation to succeed. If PFS is disabled, the router does
not request PFS, but PFS can still be negotiated if the remote security gateway requests it.
PFS supports three Diffie-Hellman prime modulus groups:
Group 1—A 768-bit Diffie-Hellman prime modulus group
Group 2—A 1024-bit Diffie-Hellman prime modulus group
Group 5—A 1536-bit Diffie-Hellman prime modulus group
A larger modulus gives stronger protection at a higher computational cost. Group 5 is the
strongest of the three; the 768-bit group 1 is considered too weak for current use and should
be selected only when the remote security gateway supports nothing larger.
SA negotiation favors the highest group requested. For example, if group 2 is requested locally,
the remote security gateway must support group 2 for the SA negotiation to succeed. If group 1
is requested locally, either group 1 or group 2 can be accepted, depending on what the remote
security gateway requests.
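The negotiation rules above, as an added Python model (illustration only, not JunosE code). It takes from the page that PFS enabled locally obliges the peer to accept PFS, that PFS disabled locally still yields PFS when the peer asks for it, and that the higher of the two requested groups wins and must be supported by the peer. It assumes that the router supports every group it can be configured with, and that a peer is adequately described by whether it requests PFS, which group it requests and which groups it supports; the names `LocalPfs`, `Peer`, `Outcome` and `negotiate_pfs` are all the example's own.

```python
"""Model of the PFS / Diffie-Hellman group negotiation rules (added example,
not JunosE code). Facts from the page: PFS enabled locally means the peer
must accept PFS; PFS disabled locally still yields PFS if the peer requests
it; the higher of the two requested groups wins and the peer must support it.
Assumptions: the router supports every group it can be configured with, and
a peer is described by whether it requests PFS, which group it requests and
which groups it supports."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Diffie-Hellman prime modulus groups listed on the page: group -> modulus bits
DH_GROUPS = {1: 768, 2: 1024, 5: 1536}


@dataclass(frozen=True)
class LocalPfs:
    enabled: bool                   # PFS configured on the router
    group: Optional[int] = None     # group requested when enabled
    supported: FrozenSet[int] = frozenset(DH_GROUPS)  # assumption: all three


@dataclass(frozen=True)
class Peer:
    requests_pfs: bool
    group: Optional[int] = None     # group the peer requests, if any
    supported: FrozenSet[int] = frozenset(DH_GROUPS)


@dataclass(frozen=True)
class Outcome:
    ok: bool
    group: Optional[int]            # None: SA established without PFS
    reason: str


def negotiate_pfs(local: LocalPfs, peer: Peer) -> Outcome:
    """Apply the page's rules and return the negotiated result."""
    if local.enabled and local.group not in DH_GROUPS:
        raise ValueError("PFS enabled but no valid group requested")
    if peer.requests_pfs and peer.group not in DH_GROUPS:
        raise ValueError("peer requests PFS without a valid group")

    if not local.enabled and not peer.requests_pfs:
        return Outcome(True, None, "no PFS: neither side requested it")
    if local.enabled and not peer.requests_pfs:
        # The router mandates PFS; a peer that refuses PFS cannot negotiate the SA.
        return Outcome(False, None, "PFS is mandatory locally but the peer did not accept it")

    # At least one side wants PFS. Collect the requests and favor the highest.
    requests = [g for g in (local.group if local.enabled else None, peer.group)
                if g is not None]
    chosen = max(requests, key=lambda g: DH_GROUPS[g])
    if chosen not in peer.supported:
        return Outcome(False, None, f"peer does not support group {chosen}")
    if chosen not in local.supported:
        return Outcome(False, None, f"router does not support group {chosen}")
    return Outcome(True, chosen,
                   f"PFS with group {chosen} ({DH_GROUPS[chosen]}-bit modulus)")


if __name__ == "__main__":
    # Router requests group 2; a peer that supports only group 1 fails.
    print(negotiate_pfs(LocalPfs(True, 2), Peer(True, 1, frozenset({1}))))
    # Router requests group 1; a peer requesting group 2 gets group 2.
    print(negotiate_pfs(LocalPfs(True, 1), Peer(True, 2)))
    # PFS disabled locally but the peer asks for it: PFS is still negotiated.
    print(negotiate_pfs(LocalPfs(False), Peer(True, 5)))
```

The two failure paths are the ones worth checking in practice: a router with PFS enabled against a peer that will not do PFS, and a locally requested group that the peer does not support. Both show up as an SA that never comes up rather than as a weaker SA.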
Lifetime
You can set a lifetime for user SAs and IKE SAs. For information about setting the IKE SA
lifetime, see "Lifetime" on page 137.
For signaled IPSec interfaces, both the inbound and the outbound SA must be assigned a
lifetime. The lifetime parameter controls how long the SA remains valid. When a user SA is
established, both a timer and a traffic volume counter are started. When either one reaches
the limit specified by the SA lifetime, a new SA is negotiated and the expired SA is deleted.
The renegotiation refreshes several SA parameters, including the keys.
Note the following about how the lifetime parameters work:
To avoid delays in the data flow, a new user SA is actually renegotiated before the current
one expires. If an SA expires while a packet is being processed, the router finishes
processing that packet.
Because renegotiation starts early, the actual user SA lifetime may not equal the value
configured on the router.
There are both global and tunnel-specific lifetime parameters. If there is no
tunnel-specific lifetime configured, the router uses the global lifetime. The global
lifetime parameters have the following default settings:
8 hours for the time-based lifetime
100 MB for the traffic-based lifetime
Lifetime parameters are valid only for user SAs established via IKE. Manually configured
user SAs ignore this parameter.
You can set a lifetime for all SAs on a specific tunnel, and you can set a global lifetime.
To set the tunnel lifetime, use the tunnel lifetime command.
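How the lifetime rules above combine, as an added Python model (illustration only, not JunosE code). It takes from the page that a time-based and a traffic-based limit run side by side and whichever is reached first triggers renegotiation, that the replacement SA is negotiated before expiry, that a packet in flight is still finished, that a tunnel lifetime overrides the global defaults of 8 hours and 100 MB, and that manually configured SAs ignore lifetimes. The 10% rekey margin, the reading of 100 MB as 100 × 2^20 bytes, and the names `Lifetime`, `UserSA`, `effective_lifetime`, `rekey_due`, `is_expired` and `process_packet` are the example's own assumptions.

```python
"""Model of user SA lifetime handling (added example, not JunosE code).
Facts from the page: time and traffic limits run side by side, the first one
reached triggers renegotiation; the new SA is negotiated before expiry; a
packet in flight when the SA expires is still finished; a tunnel lifetime
overrides the global defaults of 8 hours / 100 MB; manually configured SAs
ignore lifetimes. Assumptions: the 10% rekey margin, 1 MB = 2**20 bytes, and
every name in this file."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    bytes: int


GLOBAL_LIFETIME = Lifetime(seconds=8 * 3600, bytes=100 * 1024 * 1024)  # page defaults
REKEY_MARGIN = 0.10   # assumption: renegotiate at 90% of either limit


def effective_lifetime(tunnel_lifetime: Optional[Lifetime]) -> Lifetime:
    """A tunnel-specific lifetime wins; without one the global lifetime applies."""
    return tunnel_lifetime if tunnel_lifetime is not None else GLOBAL_LIFETIME


@dataclass
class UserSA:
    lifetime: Lifetime
    established_at: float          # seconds on any monotonic clock
    via_ike: bool = True           # False for a manually configured SA
    bytes_seen: int = 0

    def _elapsed(self, now: float) -> float:
        return now - self.established_at

    def is_expired(self, now: float) -> bool:
        """Hard expiry: either counter has reached its limit (IKE SAs only)."""
        if not self.via_ike:
            return False
        return (self._elapsed(now) >= self.lifetime.seconds
                or self.bytes_seen >= self.lifetime.bytes)

    def rekey_due(self, now: float) -> bool:
        """Soft limit: time to negotiate the replacement SA, ahead of hard expiry.
        This is why the observed lifetime is shorter than the configured value."""
        if not self.via_ike:
            return False
        soft_seconds = self.lifetime.seconds * (1 - REKEY_MARGIN)
        soft_bytes = self.lifetime.bytes * (1 - REKEY_MARGIN)
        return self._elapsed(now) >= soft_seconds or self.bytes_seen >= soft_bytes

    def process_packet(self, now: float, size: int) -> bool:
        """Return False if the SA had already expired when the packet arrived.
        A packet that pushes a counter over its limit is still processed;
        only afterwards does is_expired() report the SA as gone."""
        if self.is_expired(now):
            return False
        self.bytes_seen += size
        return True


if __name__ == "__main__":
    # Tunnel-specific lifetime of 1 hour / 10 MB overrides the global default.
    sa = UserSA(effective_lifetime(Lifetime(3600, 10 * 1024 * 1024)), established_at=0.0)
    sa.process_packet(10.0, 9 * 1024 * 1024)
    print("rekey due after 9 MB:", sa.rekey_due(10.0))          # soft limit reached
    print("still usable:", not sa.is_expired(10.0))             # hard limit not yet
    # A manually keyed SA never rekeys or expires on these counters.
    manual = UserSA(Lifetime(1, 1), established_at=0.0, via_ike=False)
    print("manual SA ignores lifetime:", not manual.is_expired(1000.0))
```

The soft-limit check is the one to watch when the peer is slow to rekey: the router counts on the replacement SA being ready before `is_expired()` turns true, and a peer that cannot complete the new negotiation within that margin is what produces a gap in the data flow.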
Copyright © 2010, Juniper Networks, Inc.