Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?
-
I followed a setup guide for setting up a remote access VPN, and it recommended enabling:
Enable NCP - Enable Negotiable Cryptographic Parameters with the following choices: AES-256-GCM/AES-128-GCM
If I have complete control of the system/clients, is there any reason not to just set the Encryption Algorithm to AES-256-GCM and turn off NCP?
I can understand why one might want to do this to support a wide range of clients, but if it is my client and my server, why would I want to give an attacker the chance to downgrade my security?
I would likely be using the VPN while traveling, so I may have a poor quality (any or all of high latency, low bandwidth, or high packet loss) Internet connection. Is AES-128-GCM going to be a significant advantage over AES-256-GCM, and would OpenVPN likely switch under these conditions?
-
@guardian said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:
why would I want to give an attacker the chance to downgrade my security.
So don't offer any NCP options you deem to be insecure...
Speaking for myself, I see zero reason not to trust AES-128. But most things that support AES-128 support AES-256 so why not? All up to you.
-
@derelict said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:
@guardian said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:
why would I want to give an attacker the chance to downgrade my security.
So don't offer any NCP options you deem to be insecure...
Speaking for myself, I see zero reason not to trust AES-128. But most things that support AES-128 support AES-256 so why not? All up to you.
Thanks for the response @derelict. Any idea if AES-128 performs significantly better than AES-256 under low bandwidth/high latency/high packet loss conditions?
-
No. You likely will not see any difference.
-
Bandwidth/latency/packet loss have no correlation to cipher performance, it's all about brute processing power of the system handling the ciphers.
-
@derelict said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:
No. You likely will not see any difference.
@kpa said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:
Bandwidth/latency/packet loss have no correlation to cipher performance, it's all about brute processing power of the system handling the ciphers.
So then am I correct in assuming that AES-256 doesn't significantly increase the amount of data that needs to be sent for a given payload size over AES-128?
-
Yes, you are correct.
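To see why the byte count is the same, here is an added example (not from this thread, not pfSense or OpenVPN code) in Go using only the standard library: it seals the same payload under AES-128-GCM and AES-256-GCM and reports how many bytes each adds on the wire. It uses a generic GCM envelope with a full 12-byte nonce; OpenVPN frames its packets differently, but that framing does not depend on the key size either. The 1400-byte payload is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmOverhead seals plaintext under AES-GCM with a fresh random key of
// keyBytes (16 for AES-128, 32 for AES-256) and returns how many bytes the
// wire format exceeds the plaintext by. GCM is a counter mode with no
// padding, so the only per-packet cost is the nonce plus the 16-byte tag,
// regardless of key size.
func gcmOverhead(keyBytes int, plaintext []byte) (int, error) {
	key := make([]byte, keyBytes)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key) // picks AES-128/192/256 from key length
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	// Seal appends ciphertext||tag after the nonce: that is the wire packet.
	wire := aead.Seal(nonce, nonce, plaintext, nil)
	return len(wire) - len(plaintext), nil
}

func main() {
	payload := make([]byte, 1400) // constructed: roughly one MTU-sized VPN packet
	for _, kb := range []int{16, 32} {
		over, err := gcmOverhead(kb, payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("AES-%d-GCM: %d payload bytes -> %d bytes of overhead\n",
			kb*8, len(payload), over)
	}
}
```

Both lines print 28 bytes of overhead (12-byte nonce + 16-byte tag); the difference between the two ciphers is CPU work per block, which is why the earlier answers point at processing power rather than the link.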