Perfect Forward Secrecy (PFS)

Also known as: PFS Forward Secrecy FS

Perfect Forward Secrecy is about reducing the risk of a private key being compromised. If a private key used for an IPsec connection is compromised, the attacker can potentially now decrypt other sessions. With PFS, a unique session key is generated for every session a user initiates. So in the case that session’s private key is compromised, it will not affect any other session. The only data compromised will be that of the specific session for which the key was generated.

If using PFS with IPsec, you specific a Diffie Helman Group for Phase 2 of the connection. Now a diffie helman exchange will occur each time a new SA is negotiated.