Benjamin Kaduk <ka...@mit.edu> wrote:
> I see in
> https://datatracker.ietf.org/meeting/104/materials/minutes-104-ipsecme-00
> that we didn't want to get rid of 3DES at that time. Do we have a sense
> for how quickly that will change, the scope of existing deployments,
> etc.?
>
> In particular, would a general-purpose OS's implementation cause problems
> for its consumers if the next release dropped support? (Noting that
> consumers could stay on an old OS release to match the old algorithms, at
> least for a while.)

1) They all have AES128, and have had it for at least a decade.

2) general-purpose OS implementations are (sadly) *not* being used by the
   majority of "VPN" users, whether that's site-to-site or remote-access.
   Except on iOS and Android, where OS-provided IKEv2/IPsec is winning, and
   I'll bet they could drop 3DES tomorrow.

The last time I have seen 3DES configured was for site-to-site VPNs between
different (medical!) enterprises because neither side could be sure what the
other side had, and equipment was old. They didn't dare change the
configuration, or replace the hardware. (Cargo culting...)
This was maybe 6 years ago.

I believe that we could remove it.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec