Cisco recommends using AES-CBC for encryption and SHA1 for authentication to head off service problems on some of its Catalyst and ASR gear.

To reduce the risk of service problems, Cisco is making it harder for organizations to use weak cryptographic algorithms when setting up authentication for OSPF packets on certain Catalyst Edge Platforms and Integrated Services Routers (ISRs). Newer versions of Cisco's IOS XE software (Release 17.11.1 and later) no longer support those algorithms, DES, 3DES and MD5, by default, Cisco stated in a field notice.

Specifically, the algorithms are no longer default options for the Open Shortest Path First version 3 (OSPFv3) protocol, which uses the IPsec Secure Socket API to add authentication to the OSPFv3 packets that distribute routing information.

"In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required," Cisco stated in the field notice. "Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result."

These algorithms should be replaced with stronger ones, specifically Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC) for encryption and the Secure Hash Algorithm (SHA1 or SHA2) for authentication, Cisco stated.

Cisco says there is a workaround to the issue but recommends against it. "Before customers upgrade the software to Cisco IOS XE Release 17.11.1 or later, update the OSPFv3 IPsec configuration to use strong cryptographic algorithms. However, this command is only available in Cisco IOS XE Release 17.7.1 and later, and will only take effect after a reboot."

"Cisco does NOT [emphasis Cisco's] recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort," the vendor stated.

Cisco recommends filing a Service Request if you have problems or questions.
IOS XE software runs on a wide variety of Cisco gear, but the notice applies only to the 1100 ISR, Catalyst 8000V Edge Software, and the Catalyst 8300, 9500, and 8500L Edge Platforms.
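A pre-upgrade check of the kind the notice asks for, written here as an added example and not taken from Cisco's notice or tooling: it scans a running-config excerpt for OSPFv3 IPsec statements and reports those still relying on DES, 3DES or MD5. The sample config and its keys are constructed placeholders, and the `ipv6 ospf ... authentication ipsec` / `area ... encryption ipsec` command forms are assumed from IOS documentation rather than from the notice.

```python
import re

# Constructed IOS XE running-config excerpt (placeholder keys, not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 0123456789ABCDEF0123456789ABCDEF
!
interface GigabitEthernet0/0/1
 ipv6 ospf 1 area 1
 ipv6 ospf encryption ipsec spi 501 esp 3des 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF sha1 0123456789ABCDEF0123456789ABCDEF01234567
!
ipv6 router ospf 1
 area 2 encryption ipsec spi 600 esp aes-cbc 128 0123456789ABCDEF0123456789ABCDEF sha1 0123456789ABCDEF0123456789ABCDEF01234567
 area 3 authentication ipsec spi 700 sha1 0123456789ABCDEF0123456789ABCDEF01234567
"""

WEAK = {"des", "3des", "md5"}  # no longer default options in IOS XE 17.11.1 and later

# OSPFv3 IPsec statement forms (syntax assumed from IOS documentation, not from the notice):
#   {ipv6 ospf | area <id>} authentication ipsec spi <spi> {md5|sha1} [0|7] <key>
#   {ipv6 ospf | area <id>} encryption ipsec spi <spi> esp {des|3des|aes-cbc <bits>|null} [0|7] <key> {md5|sha1} [0|7] <key>
AUTH_RE = re.compile(
    r"^\s*(?P<scope>ipv6 ospf|area \S+) authentication ipsec spi (?P<spi>\d+) (?P<hash>md5|sha1)\b")
ENC_RE = re.compile(
    r"^\s*(?P<scope>ipv6 ospf|area \S+) encryption ipsec spi (?P<spi>\d+) esp "
    r"(?P<cipher>3des|des|null|aes-cbc \d+) (?:[07] )?\S+ (?P<hash>md5|sha1)\b")

def audit_ospfv3_ipsec(config: str) -> list[dict]:
    """Return one finding per OSPFv3 IPsec statement, listing any weak algorithms it uses."""
    findings, context = [], ""
    for lineno, line in enumerate(config.splitlines(), 1):
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            context = line.strip()  # interface or routing-process header
            continue
        m = AUTH_RE.match(line) or ENC_RE.match(line)
        if not m:
            continue
        algs = [m.group("hash")]
        if m.groupdict().get("cipher"):
            algs.insert(0, m.group("cipher").split()[0])  # "aes-cbc 128" -> "aes-cbc"
        findings.append({"line": lineno, "context": context, "spi": int(m.group("spi")),
                         "algorithms": algs, "weak": [a for a in algs if a in WEAK]})
    return findings

def weak_statements(config: str) -> list[dict]:
    """Statements whose neighborships fail after the upgrade unless reconfigured first."""
    return [f for f in audit_ospfv3_ipsec(config) if f["weak"]]
```

Run against the real `show running-config` output before moving to 17.11.1; every hit should be re-keyed to AES-CBC and SHA1/SHA2 on both neighbors, since the SPI and algorithms must match on each side of the adjacency.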