Cisco urges stop using weak crypto algorithms with OSPF
To reduce the risk of service problems, Cisco is making it harder for organizations to use weak cryptographic algorithms when setting up authentication for OSPF packets on certain Catalyst Edge Platforms and Integrated Services Routers (ISR).
Newer versions of Cisco’s IOS XE software (Release 17.11.1 and later) no longer support those algorithms—DES, 3DES, and MD5—by default, Cisco stated in a Field Notice.
Specifically, the algorithms are no longer default options for the Open Shortest Path First version 3 (OSPFv3) protocol, which uses the IPsec secure socket API to add authentication to OSPFv3 packets that distribute routing information.
“In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,” Cisco stated in the Field Notice. “Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.”
These algorithms should be replaced with stronger algorithms, specifically Advanced Encryption Standard—Cipher Block Chaining (AES-CBC) for encryption and Secure Hash Algorithm (SHA1 or SHA2) for authentication, Cisco stated.
Cisco says there is a workaround to the issue, but recommends against it.
“Before customers upgrade the software to Cisco IOS XE Release 17.11.1 or later, update the OSPFv3 IPsec configuration to use strong cryptographic algorithms. However this command is only available in Cisco IOS XE Release 17.7.1 and later, and will only take effect after a reboot.”
“Cisco does NOT [emphasis Cisco’s] recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort,” the vendor stated.
Cisco recommends filing a Service Request if you have problems or questions.
IOS XE software runs on a wide variety of Cisco gear, but the notice applies only to the 1100 ISR, Catalyst 8000V Edge Software, and the Catalyst 8300, 9500, and 8500L Edge Platforms.
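A pre-upgrade check in the spirit of the notice, as an added example that is not from Cisco or the original article: it scans a saved running configuration for OSPFv3 IPsec statements that still name DES, 3DES or MD5, so they can be changed before moving to Release 17.11.1 or later. The sample configuration, SPI values and keys are constructed, and the statement forms matched (`ipv6 ospf`, `ospfv3`, `area`) are assumed to cover the device's configuration.

```python
import re

# Algorithms the Field Notice says are no longer accepted by default.
WEAK = {"des", "3des", "md5"}

# OSPFv3 IPsec statements at interface level ("ipv6 ospf ...", "ospfv3 ...")
# and at area level ("area N ...").
IPSEC = re.compile(
    r"^\s*(?:ipv6 ospf|ospfv3|area)\b.*?\b(authentication|encryption)"
    r"\s+ipsec\s+spi\s+(\d+)\s+(.*)$"
)

def audit(config):
    """Return (line_no, context, kind, spi, weak_algorithms) per weak statement."""
    findings, context = [], "global"
    for line_no, line in enumerate(config.splitlines(), 1):
        if line and not line[0].isspace() and line.strip() != "!":
            context = line.strip()  # top-level line: interface or router block
        m = IPSEC.match(line)
        if not m:
            continue
        kind, spi, rest = m.groups()
        weak = sorted(WEAK.intersection(rest.lower().split()))
        if weak:
            findings.append((line_no, context, kind, int(spi), weak))
    return findings

# Constructed sample; keys are shortened placeholders, not valid key lengths.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 256 md5 0 1234ABCD
!
interface GigabitEthernet0/0/2
 ospfv3 encryption ipsec spi 300 esp 3des 0 1234ABCD md5 0 5678EF01
!
interface GigabitEthernet0/0/3
 ospfv3 encryption ipsec spi 400 esp aes-cbc 256 0 1234ABCD sha1 0 5678EF01
!
ipv6 router ospf 1
 area 1 authentication ipsec spi 500 sha1 0 9ABC2345
"""

if __name__ == "__main__":
    for line_no, context, kind, spi, weak in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {context}: {kind} spi {spi} uses {', '.join(weak)}")
```

Because both OSPFv3 neighbors must use the same SPI, algorithm and key, any statement this flags has to be changed on the peer router as well.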
Copyright © 2023 IDG Communications, Inc.