Benjamin Kaduk <[email protected]> wrote:
>> The last time I have seen 3DES configured was for site-to-site VPNs between
>> different (medical!) enterprises because neither side could be sure what the
>> other side had, and equipment was old. They didn't dare change the configuration, or
>> replace the hardware. (Cargo culting...) This was maybe 6 years ago.
> Funnily enough, we see a similar thing in the Kerberos world, with 3DES
> cross-realm keys set up decades ago that everyone is afraid to touch :)
> (It turns out that most of the time you don't actually need to get both
> administrators in the same room to update things, and it can be done
> asynchronously and asymmetrically, by one administrator at a time.)
That requires clue that the current operators (no longer/don't) have.
If it breaks, they don't know how to fix or debug it either.
In short: as Tero has pointed out it's already SHOULD NOT, and making it MUST
NOT makes existing deployed products out of spec. I guess we don't have to
rush.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
