[Ach] DH Groups in VPN section

Aaron Zauner azet at azet.org
Tue Dec 17 19:43:43 CET 2013


On 17 Dec 2013, at 17:15, christian mock <cm at coretec.at> wrote:
> 
> I think we'd rather have the reader chose and warn them.
I’ve excluded them explicitly in my ASA and OpenSSH configurations. We can discuss the matter of course. If we do include them, we should warn the user properly. Then again - we have ECDH ciphers in our Configuration B. So, hmm,.. not quite sure what to include. If we do so, I’d need to check the SSH and ASA configurations again (which is not a problem). We should stay consistent, although I’m not entirely convinced that we should include EC in critical stuff like SSH and IPsec. Hmmm,..

> Note that it said "14-18" and not "14,18":
> 
> 14: 2048-bit MODP Group
> 15: 3072-bit MODP Group
> 16: 4096-bit MODP Group
> 17: 6144-bit MODP Group
> 18: 8192-bit MODP Group
> 
> So I suggest we either put in one group that fits the config A/B
> (which group would that be? do we go into detail WRT DH parameter
> sizes in the configs?), or all of them.
Does CheckPoint even support those Groups? The ASA does not, and I’m not aware of software implementations that do. [0] [1]

Usually 2, 5, 14 and 21 are supported everywhere, with group 2 far below our security recommendations and group 5 "slightly" below.

Aaron

[0] - http://linux.die.net/man/5/ipsec.conf
     - "If openswan was compiled with USE_MODP_RFC5114 support, then Diffie-Hellman groups 22, 23 and 24 are also implemented as per RFC-5114. Instead of the modp key syntax, use the "dh" keyword, for example ike=3des-sha1;dh23"
     - http://tools.ietf.org/html/rfc5114
[1] - http://www.kame.net/racoon/racoon.conf.5
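An added configuration check, not part of the thread or of any tool it cites: it parses openswan-style ike= proposal values (the modpNNNN and dhNN syntax from the man page in [0]), maps each proposal to its IKE DH group number, and reports any group whose modulus is below 2048-bit MODP, so groups 2 and 5 from the message above come out as below the minimum. The ike= values are constructed, and the 2048-bit MODP / 256-bit ECP thresholds are assumptions chosen for illustration.

```python
import re

# IKE DH groups: number -> (kind, size in bits). 22-24 are the RFC 5114 MODP
# groups with a prime-order subgroup; openswan names them "dhNN", not "modpNNNN".
DH_GROUPS = {
    1: ("modp", 768), 2: ("modp", 1024), 5: ("modp", 1536), 14: ("modp", 2048),
    15: ("modp", 3072), 16: ("modp", 4096), 17: ("modp", 6144), 18: ("modp", 8192),
    19: ("ecp", 256), 20: ("ecp", 384), 21: ("ecp", 521),
    22: ("modp", 1024), 23: ("modp", 2048), 24: ("modp", 2048),
}
DH_TOKEN = re.compile(r"^(modp|ecp|dh)(\d+)$")

# Constructed ike= values (assumed sample input) in the openswan syntax quoted above.
SAMPLE_IKE = {
    "legacy": "3des-sha1;modp1024,aes128-sha1;modp1536",
    "rfc5114": "3des-sha1;dh23",
    "modern": "aes256-sha2_256;modp2048,aes256-sha2_256;ecp521",
}

def dh_group_of(proposal):
    """DH group number named in one IKE proposal, or None if absent or unknown."""
    for tok in re.split(r"[-;]", proposal.strip().lower()):
        m = DH_TOKEN.match(tok)
        if not m:
            continue
        kind, num = m.group(1), int(m.group(2))
        if kind == "dh":                        # explicit group number, e.g. dh23
            return num if num in DH_GROUPS else None
        for g, (k, bits) in DH_GROUPS.items():  # size alias, e.g. modp2048 -> 14
            if g <= 21 and k == kind and bits == num:
                return g
        return None
    return None

def audit_ike(value, min_modp=2048, min_ecp=256):
    """Rate each comma-separated proposal of an ike= value against minimum DH sizes."""
    verdicts = []
    for prop in value.split(","):
        g = dh_group_of(prop)
        if g is None:
            verdicts.append((prop.strip(), None, "dh-group-not-stated"))
            continue
        kind, bits = DH_GROUPS[g]
        ok = bits >= (min_modp if kind == "modp" else min_ecp)
        verdicts.append((prop.strip(), g, "ok" if ok else "below-minimum"))
    return verdicts

if __name__ == "__main__":
    for conn, ike in SAMPLE_IKE.items():
        print(conn, audit_ike(ike))
```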
