Thursday, January 8, 2015

DH-group sizes and recommendations for IPsec

In the table below I list the DH group options from weakest to strongest. You should strive to avoid Diffie-Hellman group 1 or 2.


If you use PFS, remember to set the DH group options in your IPsec phase 2 proposals.


Keep in mind that the DH group proposal is used during the key exchange and determines the strength of the key used in the key-exchange process. Higher DH group numbers are more secure, but require additional time to compute the key during the key exchange.

Which DH group you use will be determined by numerous factors, such as:

  •  the far-end device's compatibility
  •  your company's defined security policy (various banks and government businesses like to set minimum support levels and hold committees when they need exemptions)
  •  and how paranoid you are!

William S. Burroughs



Elliptic curve Diffie-Hellman is always better, but it is not supported on a lot of devices.


During the IKE key exchange, Diffie-Hellman is used to secure the key over an unsecured network such as the internet.
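
As an added example (not part of the original post), the Python audit below applies the two recommendations above to a list of tunnel definitions: flag DH group 1 or 2 in any proposal, and flag a phase 2 proposal that enables PFS without naming a DH group. The dictionary schema, tunnel names and sample data are assumptions made for illustration; the group sizes are those registered for IKE.

```python
# Added example: audit IPsec proposals for weak DH groups and PFS gaps.
# Group sizes follow the IANA IKE registry (RFC 2409, RFC 3526, RFC 5903).
DH_GROUPS = {
    1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
    14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
    17: ("MODP", 6144), 18: ("MODP", 8192),
    19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521),
}
AVOID = {1, 2}  # the groups this post says to avoid

# Constructed sample data; the dict schema is an assumption, not a vendor format.
SAMPLE_TUNNELS = [
    {"name": "branch-a", "phase1": {"dh_groups": [14, 2]},
     "phase2": {"pfs": True, "dh_groups": [14]}},
    {"name": "branch-b", "phase1": {"dh_groups": [19]},
     "phase2": {"pfs": True, "dh_groups": []}},
    {"name": "partner", "phase1": {"dh_groups": [5]},
     "phase2": {"pfs": False, "dh_groups": [1]}},
]


def audit_tunnel(tunnel):
    """Return a list of findings for one tunnel definition."""
    findings = []
    for phase in ("phase1", "phase2"):
        proposal = tunnel[phase]
        groups = proposal.get("dh_groups", [])
        if phase == "phase2":
            if not proposal.get("pfs"):
                continue  # without PFS, phase 2 performs no new DH exchange
            if not groups:
                findings.append("phase2: PFS enabled but no DH group set")
        for group in groups:
            if group not in DH_GROUPS:
                findings.append(f"{phase}: unknown DH group {group}")
            elif group in AVOID:
                kind, bits = DH_GROUPS[group]
                findings.append(
                    f"{phase}: weak DH group {group} ({bits}-bit {kind})")
    return findings


if __name__ == "__main__":
    for t in SAMPLE_TUNNELS:
        for finding in audit_tunnel(t) or ["ok"]:
            print(f"{t['name']}: {finding}")
```

A proposal that offers several groups is flagged if any of them is weak, since the far end may select the weakest group both sides accept.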


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \
