DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.
Topic: Diffie-Hellman groups
Applicable to: all
History
Priority: recommended
Mar 2022
DH or ECDH is used for key establishment of IPsec connections, preferably 384-bit random ECP group, 3072-bit MODP Group or 4096-bit MODP Group.
The Internet Key Exchange version 1 (IKEv1) protocol was obsoleted by the IKE version 2 (IKEv2) protocol in December 2005. Since IKEv2 has now been widely adopted, and in doing so addresses various problems with IKEv1, approval for the use of IKEv1 as part of Internet Protocol security implementations has been rescinded.
2015
Agencies should use the largest modulus size possible for all relevant components in the network when conducting a key exchange.
2010
It is recommended agencies use the largest modulus size available for the DH exchange.
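
A configuration check for the current (Mar 2022) statement and its IKEv1 note, as an added example that is not part of the original page. It assumes strongSwan `ipsec.conf`-style `conn`, `keyexchange=` and `ike=` lines; the function name `audit` and the sample configuration are constructed for illustration.

```python
import re

# Groups the control prefers, with their IKE group numbers
# (384-bit random ECP: RFC 5903; 3072/4096-bit MODP: RFC 3526).
PREFERRED = {"ecp384": 20, "modp3072": 15, "modp4096": 16}

# Assumption: key-exchange keywords follow strongSwan naming
# (modp2048, ecp256, ecp384bp, curve25519, x25519, ...).
KE_TOKEN = re.compile(r"^(modp\d+|ecp\d+(bp)?|curve\d+|x\d+)$")


def audit(conf_text):
    """Return (conn, finding) tuples for an ipsec.conf-style text."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
            continue
        if conn is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "keyexchange" and value.lower() != "ikev2":
            # Only explicit settings are checked; a missing line is not flagged.
            findings.append((conn, f"keyexchange={value}: not IKEv2"))
        elif key == "ike":
            for proposal in value.rstrip("!").split(","):
                tokens = proposal.strip().lower().split("-")
                groups = [t for t in tokens if KE_TOKEN.match(t)]
                if not groups:
                    findings.append((conn, f"{proposal.strip()}: no DH/ECDH group named"))
                for group in groups:
                    if group not in PREFERRED:
                        findings.append((conn, f"{group}: not a preferred group"))
    return findings


# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """
conn site-a
    keyexchange=ikev2
    ike=aes256-sha384-ecp384!
conn site-b
    keyexchange=ikev1
    ike=aes128-sha1-modp1024,aes256-sha256-modp3072
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A group reported as "not a preferred group" is outside the three groups the statement names; the statement says "preferably", so a finding is a prompt for review, not a hard failure.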