Thursday, January 8, 2015

DH-groups sizes and reccommendations for ipsec

In this  below table I place the weakest to strongest DHgroup options. You should strive to avoid Diffie-Hellman group  1 or 2.

If you use PFS remember to set the DHgroup options in your  ipsec phase2 proposals

Keep in mind the  DHgroup proposal is used during the key-exchange,  and determine the strength of the key used in the key exchange process. The higher DHgroup#s are more secure, but require additional time to compute the key during the key exchange.

Which DHgroup you use will be determine by  numerous factors such as;

  •  the far end device compatibility
  •  your company defined security policy ( various banks and gov  business like to set minimal support levels  & hows committees when they need exemptions )
  • and how paranoid  you are !

William S. Burroughs

Elliptic curve DiffieHellman is always better not support in a lot of devices

During the IKE key-exchange the Diffiehellman  is used to secure the key over the unsecured network suchs as the internet.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       /  \

No comments:

Post a Comment