To reduce the possibility of service problems, Cisco is making it harder for organizations to use weak cryptographic algorithms when setting up authentication for OSPF packets on certain Catalyst Edge Platforms and Integrated Services Routers (ISR).
Newer versions of Cisco’s IOS XE software (Release 17.11.1 and later) no longer support those algorithms—DES, 3DES, and MD5—by default, Cisco said in a field notice.
Specifically, the algorithms are no longer default options for the Open Shortest Path First version 3 (OSPFv3) protocol, which uses the IPsec secure socket API to add authentication to OSPFv3 packets that distribute routing information.
“In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,” Cisco stated in a field notice. “Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.”
These algorithms should be replaced with stronger algorithms, specifically Advanced Encryption Standard—Cipher Block Chaining (AES-CBC) for encryption and Secure Hash Algorithm (SHA1 or SHA2) for authentication, Cisco stated.
Cisco says there is a workaround to the issue, but recommends against it.
“Before customers upgrade the software to Cisco IOS XE Release 17.11.1 or later, update the OSPFv3 IPsec configuration to use strong cryptographic algorithms. However this command is only available in Cisco IOS XE Release 17.7.1 and later, and will only take effect after a reboot.”
“Cisco does NOT [emphasis Cisco’s] recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort,” the vendor stated.
Cisco recommends submitting a Service Request if you have difficulties or concerns.
IOS XE software runs on a wide variety of Cisco gear, but the notice applies only to the 1100 ISR, Catalyst 8000V Edge Software, and the Catalyst 8300, 9500, and 8500L Edge Platforms.
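A pre-upgrade check for the condition the notice describes can be scripted against a saved running configuration. The following is an added example, not code from Cisco or from the article: it flags OSPFv3 IPsec lines that name DES, 3DES, or MD5. The command shapes it matches (`ipv6 ospf ... ipsec spi`, `ospfv3 ... ipsec spi`, `area ... ipsec spi`) are assumptions about the usual IOS XE syntax, and the sample configuration and keys are constructed.

```python
import re

# Algorithms the notice says are no longer accepted by default.
WEAK = {"des", "3des", "md5"}

# Assumed command shape: "... {authentication|encryption} ipsec spi <n> <algorithms and keys>"
IPSEC_RE = re.compile(r"\b(authentication|encryption)\s+ipsec\s+spi\s+(\d+)\s+(.*)$", re.I)


def audit_ospfv3_ipsec(config_text):
    """Return one finding per OSPFv3 IPsec line that names a weak algorithm."""
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw[0].isspace():
            context = stripped  # unindented line opens a new config section
        m = IPSEC_RE.search(stripped)
        if not m or "ospf" not in (stripped + " " + context).lower():
            continue
        weak = []
        for tok in m.group(3).lower().split():
            if tok in WEAK and tok not in weak:
                weak.append(tok)
        if weak:
            findings.append({"line": line_no, "context": context,
                             "spi": int(m.group(2)), "weak": weak})
    return findings


# Constructed sample config; keys are dummy hex strings.
K32, K40, K48, K64 = "A" * 32, "B" * 40, "C" * 48, "D" * 64
SAMPLE = f"""interface GigabitEthernet0/0/1
 ipv6 ospf authentication ipsec spi 500 md5 0 {K32}
!
interface GigabitEthernet0/0/2
 ospfv3 encryption ipsec spi 1001 esp 3des 0 {K48} md5 0 {K32}
!
interface GigabitEthernet0/0/3
 ospfv3 encryption ipsec spi 1002 esp aes-cbc 256 0 {K64} sha1 0 {K40}
!
router ospfv3 1
 address-family ipv6 unicast
  area 1 authentication ipsec spi 600 sha1 0 {K40}
"""

if __name__ == "__main__":
    for f in audit_ospfv3_ipsec(SAMPLE):
        print(f"line {f['line']} [{f['context']}] spi {f['spi']}: weak {', '.join(f['weak'])}")
```

Both ends of an adjacency must be changed together, since mismatched algorithms or keys will also keep the neighborship from forming.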
Copyright © 2023 IDG Communications, Inc.