[Ach] DH Groups in VPN section

christian mock cm at coretec.at
Tue Dec 17 17:15:41 CET 2013

On Tue, Dec 17, 2013 at 01:22:09PM +0100, Aaron Zauner wrote:
> The table now states:
> Group 14–18, 19–21
> and
> Group 14–21
> This includes (NIST) EC groups. 

It originally had a footnote stating so, but that didn't show up in
the table/tabular environment, so I dropped it.

> Do we want that in a VPN? Probably not.

I think we'd rather have the reader choose and warn them.

> I’d rather put Group 14, 21 there explicitly. I’ll change that. 

Note that it said "14-18" and not "14,18":

14: 2048-bit MODP Group
15: 3072-bit MODP Group
16: 4096-bit MODP Group
17: 6144-bit MODP Group
18: 8192-bit MODP Group

So I suggest we either put in one group that fits the config A/B
(which group would that be? do we go into detail WRT DH parameter
sizes in the configs?), or all of them.


Christian Mock                          Wiedner Hauptstr. 15
Senior Security Engineer                1040 Wien
CoreTEC IT Security Solutions GmbH      +43-1-5037273
FN 214709 z

CoreTEC: Web Application Audit - So that something like this doesn't happen!


