Paul Wouters <p...@nohats.ca> wrote:
    >> IKEv1 is done, it's over, it's dead. It's been like that for more than
    >> a decade.

    > I think there is a big difference between "done developing it" and
    > "done running it". A decade ago almost everything was IKEv1. Today,
    > with the exception of Android and ten-year-old gear, everything is
    > IKEv2. And Android is scheduled to fix that this summer. So the move to
    > Historic does seem valid now, and was not 10 years ago.

+1

    >> We already made a statement that we won't touch IKEv1 anymore and we
    >> made that statement fifteen years ago. And we're still doing "die die
    >> die" stuff that's now been refashioned into a "graveyard" effort in
    >> order to address the sensitive sensibilities of the new IETF, but it's
    >> still the same thing. It's trying to add an underscore and an exclamation
    >> point to a statement that was already made.  Because we're really
    >> serious this time-- it's in the graveyard!

    > I agree, it is kind of a symbolic gesture. But I think it will help
    > (and not harm), so I think we should just publish it for those who can
    > use it as a lever to migrate more older setups to new. To be honest,
    > the biggest gain will be that people stop using DH1024, DH1536 and SHA1
    > that are de facto the only DH groups used with IKEv1.

It will gain more than symbolism if it becomes an audit checkpoint, and will
actually push people to upgrade.

-- 
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-


