Netgate Discussion Forum
    Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?

guardian (Rebel Alliance):

      I followed a setup guide for setting up a remote access VPN, and it recommended enabling:
      Enable NCP - Enable Negotiable Cryptographic Parameters with the following choices:
      AES-256-GCM/AES-128-GCM

If I have complete control of the system/clients, is there any reason not to just set the Encryption Algorithm to AES-256-GCM and turn off NCP?

I can understand why one might want to do this to support a wide range of clients, but if it is my client and my server, why would I want to give an attacker the chance to downgrade my security?

I would likely be using the VPN while traveling, so I may have a poor quality (any or all of high latency/low bandwidth/high packet loss) Internet connection. Is AES-128-GCM going to be a significant advantage over AES-256-GCM, and would OpenVPN likely switch under these conditions?

      If you find my post useful, please give it a thumbs up!
      pfSense 2.8.0-RELEASE

Derelict (LAYER 8 Netgate):

        @guardian said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:

why would I want to give an attacker the chance to downgrade my security?

        So don't offer any NCP options you deem to be insecure...

        Speaking for myself, I see zero reason not to trust AES-128. But most things that support AES-128 support AES-256 so why not? All up to you.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

guardian (Rebel Alliance) @Derelict:

          @derelict said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:

          @guardian said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:

why would I want to give an attacker the chance to downgrade my security?

          So don't offer any NCP options you deem to be insecure...

          Speaking for myself, I see zero reason not to trust AES-128. But most things that support AES-128 support AES-256 so why not? All up to you.

Thanks for the response @derelict. Any idea if AES-128 performs significantly better than AES-256 under low bandwidth/high latency/high packet loss conditions?

Derelict (LAYER 8 Netgate):

            No. You likely will not see any difference.

kpa:

Bandwidth/latency/packet loss have no correlation to cipher performance; it's all about brute processing power of the system handling the ciphers.

guardian (Rebel Alliance) @Derelict:

                @derelict said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:

                No. You likely will not see any difference.

                @kpa said in Do I need to use Enable NCP - Enable Negotiable Cryptographic Parameters?:

Bandwidth/latency/packet loss have no correlation to cipher performance; it's all about brute processing power of the system handling the ciphers.

                So then am I correct in assuming that AES-256 doesn't significantly increase the amount of data that needs to be sent for a given payload size over AES-128?

Derelict (LAYER 8 Netgate):

                  Yes, you are correct.

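The answer to the last question can be checked directly: AES-GCM adds the same fixed overhead (a 16-byte authentication tag, plus whatever nonce the protocol carries) whether the key is 128 or 256 bits, so the bytes on the wire per packet do not change. The program below is an added illustration, not code from the thread or from pfSense/OpenVPN; it uses Go's standard library AES-GCM with a constructed key and a zero nonce purely to measure ciphertext size.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmOverhead seals payload under AES-GCM with a key of keyBytes length
// (16 = AES-128, 32 = AES-256) and returns how many bytes the ciphertext
// adds beyond the plaintext. The key and nonce are fixed, constructed
// test values so the measurement is deterministic; a real tunnel derives
// a fresh key per session and never reuses a nonce under one key.
func gcmOverhead(keyBytes int, payload []byte) (int, error) {
	key := make([]byte, keyBytes)
	for i := range key {
		key[i] = byte(i) // constructed, deterministic test key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, aead.NonceSize()) // all-zero nonce: test only
	ct := aead.Seal(nil, nonce, payload, nil)
	return len(ct) - len(payload), nil
}

func main() {
	payload := make([]byte, 1400) // roughly one MTU-sized tunnel packet
	for _, kb := range []int{16, 32} {
		o, err := gcmOverhead(kb, payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("AES-%d-GCM: %d bytes of overhead per packet\n", kb*8, o)
	}
}
```

Both key sizes report 16 bytes of overhead; the only cost of AES-256 over AES-128 is the extra rounds of CPU work per block, which is why the thread's advice is to restrict the negotiable list to the ciphers you actually want rather than to worry about bandwidth.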
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.