Thanks all for the responses; this helps me get a better picture of the state of things and our future direction!
On Wed, Apr 15, 2020 at 11:03:49AM -0400, Michael Richardson wrote: > > Benjamin Kaduk <ka...@mit.edu> wrote: > > I see in > > > https://datatracker.ietf.org/meeting/104/materials/minutes-104-ipsecme-00 > > that we didn't want to get rid of 3DES at that time. Do we have a sense > > for how quickly that will change, the scope of existing deployments, > > etc.? > > > In particular, would a general-purpose OS's implementation cause > problems > > for its consumers if the next release dropped support? (Noting that > > consumers could stay on an old OS release to match the old algorithms, > at > > least for a while.) > > 1) They all have AES128, and have had it for at least a decade. > > 2) general-purpose OS implementations are (sadly) *not* being used by the > majority > of "VPN" users, whether that's site-to-site or remote-access. > Except on iOS and Android, where OS-provided IKEv2/IPsec is winning, > and I'll bet they could drop 3DES tomorrow. > > The last time I have seen 3DES configured was for site-to-site VPNs between > different (medical!) enterprises because neither side could be sure what the > other side had, and equipment was old. They didn't dare change the > configuration, or > replace the hardware. (Cargo culting...) This was maybe 6 years ago. Funnily enough, we see a similar thing in the Kerberos world, with 3DES cross-realm keys set up decades ago that everyone is afraid to touch :) (It turns out that most of the time you don't actually need to get both administrators in the same room to update things, and it can be done asynchronously and asymmetrically, by one administrator at a time.) -Ben _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
