Just FYI regarding cipher and key sizes.
The computational work units needed to crack the AES block cipher strength at 128 are the same computational work units needed to crack a DH key at 3072 bits.
DH 1024 is no longer sufficient. DH 2048 is becoming insufficient.
AES128 is MORE than sufficient for a real-time stream, especially if you cipher block chain as OpenVPN does by default, and is out of reach for a fair while still given today's available processing power, including grid computing and Moore's Law factored in. DH3072 is out of reach for quite a while.
I love admins who use a weak 512 or 1024 DH key to secure an overly-strong AES256 cipher key.
Recommend you dial down the AES and dial up the periodic-event DH strengths. It'll help with your throughput.
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Last edited by s2scott; 1st September 2009 at 04:11 AM.
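The mismatch the post describes can be checked mechanically. The following is an added example, not part of the original post: it reads the AES key size from an OpenVPN `cipher` directive, extracts the modulus size from a PKCS#3 DH parameters PEM, and reports the weaker of the two using the NIST SP 800-57 comparable-strength table (where 3072-bit DH maps to 128 bits). The function names and the sample config lines and DH parameters are constructed for illustration.

```python
import base64, re

# NIST SP 800-57 Part 1 comparable strengths: (min DH modulus bits, symmetric bits)
NIST_DH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_modulus_bits(pem):
    """Bit length of p in a PKCS#3 DH PARAMETERS PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("expected DER INTEGER for p")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def audit(config_text, dh_pem):
    """Compare the AES key size in 'cipher' with the DH group's comparable strength."""
    m = re.search(r"^\s*cipher\s+AES-(\d+)", config_text, re.M | re.I)
    if not m:
        raise ValueError("no AES cipher directive found")
    aes, dh_bits = int(m.group(1)), dh_modulus_bits(dh_pem)
    dh = next((s for floor, s in NIST_DH if dh_bits >= floor), 0)  # 0: below 1024 bits
    return {"aes_bits": aes, "dh_bits": dh_bits, "dh_strength": dh,
            "effective": min(aes, dh), "dh_is_weak_link": dh < aes}

def constructed_pem(bits):
    """Constructed sample input: p = 2^(bits-1) + 1 (right size, NOT a safe prime), g = 2."""
    def tlv(tag, body):
        n, k = len(body), (len(body).bit_length() + 7) // 8
        hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
        return bytes([tag]) + hdr + body
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    b64 = base64.encodebytes(tlv(0x30, tlv(0x02, p) + tlv(0x02, b"\x02"))).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for cfg, bits in (("cipher AES-256-CBC", 1024), ("cipher AES-128-CBC", 3072)):
        print(cfg, bits, audit(cfg, constructed_pem(bits)))
```

To audit a real deployment, pass the contents of the server config and of the file named by its `dh` directive instead of the constructed inputs.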