Re: [Iotops] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Ted Lemon <> Sat, 05 December 2020 18:32 UTC

From: Ted Lemon <>
Date: Sat, 05 Dec 2020 13:32:23 -0500
To: Randy Bush <>
Cc: Eliot Lear <>, "Ackermann, Michael" <>,,
List-Id: IOT Operations <>

On Dec 5, 2020, at 1:27 PM, Randy Bush <> wrote:
> and open source is notoriously secure, inspected, formally verified, and
> well updated.  can you spell "m i r a i?"  how many kernel upgrades have
> you had to do over the last month; and what percentage of ops did them?

I think you misunderstand. I’m not saying there’s not a problem. I’m saying that solving it maybe isn’t quite as hard as you’re suggesting. For most of these products, the manufacturer has already moved on after a year. They have no interest in maintaining the software, but they can dump it on GitHub. They don’t because they don’t have to, not because they strongly care not to. If you bought a thousand units, it’s probably worth hiring someone to update it to TLS 1.3.

Getting Cisco to dump IOS on GitHub is probably a bigger ask, but if the enterprise that’s buying the equipment is required for regulatory compliance to subscribe to updates, that creates a cash flow that can then be used to pay to do them. If the regulatory environment similarly requires that Cisco either do the updates, or allow someone else to do them, then that problem is solved too.

Yes, this costs more than disposable technology, iff you don’t count the externalized costs.