> On 18 Jul 2018, at 19:08, Graham Bartlett (grbartle) <[email protected]> wrote:
>
> Hi Tero
>
> I've no issues per se with this, but as per our chat in London, most VPN
> consumers pick the group with the highest number (of course group24 is more
> secure than group21, 24 is bigger than 21 ...!)..

Hasn't been my experience. Most customers stay with the default. Sophisticated customers compare number of bits. So again 2048-bit group 24 is much better than 521-bit group 21, but nowhere near as good as 8192-bit group 18.

> Maybe some words of warning around potential performance impact. I'm sure
> someone somewhere in the world will want this..

They only need 16384-bit DH if they use 16384-bit RSA, no?

> I feel for the poor vendors' support desk "dear customer, I know you enabled
> group38 (RSA 16384) and now your 5000 device full mesh solution is not
> converging as quickly as it did before.."..

Publish it and they will come.

I once had to tackle a customer request to filter by the RFC 3514 security flag. As it turns out, this was totally possible with my employer's firewall product. It just wasn't a good idea.

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
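Added example, not part of the thread above: a small Python script that maps the IKEv2 DH group numbers mentioned in the exchange (14, 18, 21, 24, and friends) to the security-strength class they fall in, and checks whether a given DH group is weaker than, matched to, or stronger than the RSA key that authenticates the IKE exchange. Assumptions: NIST SP 800-57 Part 1 Table 2 is used as the yardstick (other estimates differ slightly), the group list is a hand-entered subset of the IANA IKEv2 Transform Type 4 registry, and the function names are mine.

```python
# Added example: comparable security strength for IKEv2 DH groups vs. RSA auth keys.
# Strength classes follow NIST SP 800-57 Part 1 Rev. 5, Table 2 (assumption: that
# table is the yardstick; ECRYPT and others give slightly different numbers).

from dataclasses import dataclass


@dataclass(frozen=True)
class DHGroup:
    number: int   # IANA IKEv2 Transform Type 4 (Diffie-Hellman group) ID
    kind: str     # "MODP" (finite field) or "ECP" (elliptic curve)
    bits: int     # modulus size for MODP, field size for ECP


# Hand-entered subset of the IANA IKEv2 DH group registry (constructed for this example).
IKEV2_GROUPS = {g.number: g for g in [
    DHGroup(2, "MODP", 1024),
    DHGroup(14, "MODP", 2048),
    DHGroup(15, "MODP", 3072),
    DHGroup(16, "MODP", 4096),
    DHGroup(17, "MODP", 6144),
    DHGroup(18, "MODP", 8192),
    DHGroup(19, "ECP", 256),
    DHGroup(20, "ECP", 384),
    DHGroup(21, "ECP", 521),
    DHGroup(24, "MODP", 2048),   # 2048-bit MODP with a 256-bit prime-order subgroup
]}

# SP 800-57 Table 2 rows: (strength, min FFC/IFC modulus bits, min ECC field bits).
# RSA (IFC) and finite-field DH (FFC) share the same modulus-size column.
_NIST_ROWS = [
    (80, 1024, 160),
    (112, 2048, 224),
    (128, 3072, 256),
    (192, 7680, 384),
    (256, 15360, 512),
]


def strength_bits(kind: str, bits: int) -> int:
    """Return the SP 800-57 security-strength class met by a key of this kind/size.

    kind is "ECP" for elliptic-curve groups; anything else ("MODP", "RSA") is
    treated as a modulus size. Returns 0 if the key is below the 80-bit class.
    """
    strength = 0
    for s, modulus_bits, ecc_bits in _NIST_ROWS:
        needed = ecc_bits if kind == "ECP" else modulus_bits
        if bits >= needed:
            strength = s
    return strength


def group_strength(number: int) -> int:
    """Security-strength class of a registered IKEv2 DH group number."""
    g = IKEV2_GROUPS[number]
    return strength_bits(g.kind, g.bits)


def compare_dh_to_auth(group_number: int, rsa_bits: int) -> str:
    """Say whether the DH group is 'weaker', 'matched' or 'stronger' relative to
    the RSA key authenticating the exchange; the weaker of the two bounds the
    exchange, so 'stronger' is wasted CPU and 'weaker' is the real exposure."""
    dh = group_strength(group_number)
    auth = strength_bits("RSA", rsa_bits)
    if dh < auth:
        return "weaker"
    if dh > auth:
        return "stronger"
    return "matched"


if __name__ == "__main__":
    for n in sorted(IKEV2_GROUPS):
        g = IKEV2_GROUPS[n]
        print(f"group {n:2d}: {g.kind} {g.bits:5d} bits -> ~{group_strength(n)}-bit strength")
    print("group 14 with RSA-2048 auth:", compare_dh_to_auth(14, 2048))
    print("group 21 with RSA-2048 auth:", compare_dh_to_auth(21, 2048))
    print("RSA-16384 is in the", strength_bits("RSA", 16384), "bit class")
```

Running it shows why "24 is bigger than 21" is not a useful comparison: group 24 (2048-bit MODP) lands in the 112-bit class, group 21 (521-bit ECP) in the 256-bit class, and group 18 (8192-bit MODP) in the 192-bit class. It also makes the DH-vs-RSA matching point concrete: a 16384-bit RSA key sits in the 256-bit class, so only a DH group in that class keeps the exchange from being bounded by the DH step.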
