amigan_99 used Ask the Experts™
In a new environment one of the projects left behind by a predecessor was to upgrade the encryption on their DMVPN from 3DES to AES 256. That's a good goal to be up to modern standards. But I see a lot of other areas of greater vulnerability. And the update and verification of hundreds of spoke sites will take considerable time. My question: how vulnerable is a 3DES encrypted DMVPN network?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Software Engineer
Distinguished Expert 2018
Due to mishaps in DES a 3DES "168bit" key effectivly becomes 112bit,  Which is considered to short Also you need to encrypt a stream 3 times for 3DES.

AES is optimised for speed and faster than 3DES is.   It isn;t only the Encryption, also the hashes computed as verification need upgrading to SHA256, or at least SHA1/SHA2  (with 3DES most often MD5 was used MD5 has been invalidated as a hash function about 15 years ago, as realtime collisions can be computed with current hardware. (ie a packet content can be changed without the hash being modified).

Upgrading can be done link by link. No need to do a big bang.
See here for a simple comparison between 3DES & AES: http://www.differencebetween.net/technology/difference-between-aes-and-3des/
amigan_99Network Engineer


That's really helpful. Thanks Noci. I didn't realize there could be a speed enhancement there. That would be a big bonus as they send a lot of VDI traffic over these links and we're trying to reduce some grumbles on that performance.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial