Friday, June 30, 2023

Cisco urges stop using weak crypto algorithms with OSPF


To reduce the risk of service problems, Cisco is making it harder for organizations to use weak cryptographic algorithms when setting up authentication for OSPF packets on certain Catalyst Edge Platforms and Integrated Services Routers (ISR).

Newer versions of Cisco’s IOS XE software (Release 17.11.1 and later) no longer support these algorithms (DES, 3DES, and MD5) by default, Cisco stated in a Field Notice.

Specifically, the algorithms are no longer default options for the Open Shortest Path First version 3 (OSPFv3) protocol, which uses the IPsec secure socket API to add authentication to OSPFv3 packets that distribute routing information.

“In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,” Cisco stated in a Field Notice. “Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.”

These algorithms should be replaced with stronger algorithms, specifically Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC) for encryption and Secure Hash Algorithm (SHA1 or SHA2) for authentication, Cisco stated.

Cisco says there is a workaround for the issue, but recommends against it.

“Before customers upgrade the software to Cisco IOS XE Release 17.11.1 or later, update the OSPFv3 IPsec configuration to use strong cryptographic algorithms. However this command is only available in Cisco IOS XE Release 17.7.1 and later, and will only take effect after a reboot.”

“Cisco does NOT [emphasis Cisco’s] recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort,” the vendor stated.

Cisco recommends filing a Service Request if you have problems or questions.

IOS XE software runs on a wide variety of Cisco equipment, but the notice applies only to the 1100 ISR, Catalyst 8000V Edge Software, and the Catalyst 8300, 9500, and 8500L Edge Platforms.
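A pre-upgrade check along the lines Cisco describes could scan a saved running-config for OSPFv3 IPsec statements that still name DES, 3DES, or MD5. The script below is an added example, not code from Cisco or from this article; the `ospfv3 ... ipsec spi` and `area ... ipsec spi` command forms it matches are assumed from common IOS XE usage, and the sample configuration and keys are constructed placeholders.

```python
import re

# Algorithms the article says IOS XE 17.11.1+ no longer accepts by default.
WEAK = {"md5", "des", "3des"}

# Matches the "authentication|encryption ipsec spi <n> ..." tail shared by the
# interface-level and area-level OSPFv3 IPsec commands (assumed syntax).
IPSEC_RE = re.compile(r"\b(authentication|encryption)\s+ipsec\s+spi\s+(\d+)\s+(.+)$")


def audit_ospfv3_ipsec(config_text):
    """Return (line_no, context, spi, weak_algorithms) for each weak line."""
    findings, context = [], "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():
            context = line  # top-level block, e.g. "interface ..."
        match = IPSEC_RE.search(line.lower())
        if match:
            weak = [tok for tok in match.group(3).split() if tok in WEAK]
            if weak:
                findings.append((line_no, context, int(match.group(2)), weak))
    return findings


# Constructed sample running-config; keys are placeholders, not real secrets.
K = "0123456789ABCDEF"
SAMPLE_CONFIG = f"""\
interface GigabitEthernet0/0/0
 ospfv3 authentication ipsec spi 256 md5 {K * 2}
!
interface GigabitEthernet0/0/1
 ospfv3 encryption ipsec spi 300 esp 3des {K * 3} md5 {K * 2}
!
interface GigabitEthernet0/0/2
 ospfv3 encryption ipsec spi 301 esp aes-cbc 256 {K * 4} sha1 {K * 2}01234567
!
ipv6 router ospf 1
 area 0 authentication ipsec spi 1000 md5 {K * 2}
"""

if __name__ == "__main__":
    for line_no, context, spi, weak in audit_ospfv3_ipsec(SAMPLE_CONFIG):
        print(f"line {line_no}: {context}: SPI {spi} uses {', '.join(weak)}")
```

Every flagged SPI has to be reconfigured on both OSPFv3 neighbors, since a one-sided change breaks the adjacency just as the upgrade would.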

Copyright © 2023 IDG Communications, Inc.
