Robert Wilton via Datatracker <[email protected]> wrote:
    > I do wonder exactly how well understood "deprecated" is in the wider
    > community.

In the end, nobody really knows.
The customers that read RFCs already knew IKEv1 was dead and replaced.
The end customers that don't know are still using their 2003 era equipment
(maybe with 3DES). Often they have newer equipment (or firmware), but they
lack the expertise to have enough confidence to adjust their configuration to
do IKEv2.

This document means that some more security auditors will now flag them for
non-compliance, and that might free up resources to upgrade.

    > (i) the definition of deprecated in YANG (RFC 7950) is:
    > o  "deprecated" indicates an obsolete definition, but it permits
    > new/continued implementation in order to foster interoperability
    > with older/existing implementations.

IKEv1 had this definition as soon as IKEv2 was published.
Will this document move us beyond this definition yet?  No.  Devices will
still ship with IKEv1 available (but maybe not default) because they still
need to interop. But, at least we will get some more pressure to remove
support from vendors. They can point at this document in their EOL
announcements.

    > (ii) the definition in Java is:
    > A program element annotated @Deprecated is one that programmers are
    > discouraged from using, typically because it is dangerous, or because a
    > better alternative exists. Compilers warn when a deprecated program
    > element is used or overridden in non-deprecated code.

    > I think that the definition that security uses is presumably much closer
    > to (ii), or not even stronger in sentiment to move away from it?

Yes, (ii) is way more about what we mean, but not having available protocol
police, I don't think it really matters that much.

    > I tried to search and find a definition in IANA of exactly what deprecated
    > means, but with no luck.

    > Perhaps there is already a security definition of deprecated that could be
    > referenced, or if not, it might be helpful to:
    > - in Section 5, unambiguously specify what is meant by deprecated.
    > - in Section 7, bind the definition of the Status column back to
    > Section 5.

I'm not sure that a more precise definition will really help.
Section 3 is also pretty clear: upgrade to IKEv2.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec