Benjamin Kaduk <ka...@mit.edu> wrote:
>> The last time I have seen 3DES configured was for site-to-site VPNs between
>> different (medical!) enterprises because neither side could be sure what the
>> other side had, and equipment was old. They didn't dare change the configuration, or
>> replace the hardware. (Cargo culting...) This was maybe 6 years ago.
> Funnily enough, we see a similar thing in the Kerberos world, with 3DES
> cross-realm keys set up decades ago that everyone is afraid to touch :)
> (It turns out that most of the time you don't actually need to get both
> administrators in the same room to update things, and it can be done
> asynchronously and asymmetrically, by one administrator at a time.)

That requires clue that the current operators (no longer/don't) have.
If it breaks, they don't know how to fix or debug it either.

In short: as Tero has pointed out it's already SHOULD NOT, and making it MUST
NOT makes existing deployed products out of spec. I guess we don't have to rush.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec