Cisco urges stop using weak crypto algorithms with OSPF

To reduce the risk of service problems, Cisco is making it harder for organizations to use weak cryptographic algorithms when setting up authentication for OSPF packets on certain Catalyst Edge Platforms and Integrated Services Routers (ISR).

Newer versions of Cisco’s IOS XE software (Release 17.11.1 and later) no longer support those algorithms—DES, 3DES, and MD5—by default, Cisco stated in a field Notice.

Specifically, the algorithms are no longer default options for the open shortest path first v 3 (OSPFv3) protocol, which uses the IPsec secure socket API to add authentication to OSPFv3 packets that distribute routing information.

“In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,” Cisco stated in a field Notice. “Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.”

These algorithms should be replaced with stronger algorithms, specifically Advanced Encryption Standard—Cipher Block Chaining (AES-CBC) for encryption and Service Hash Algorithm (SHA1 or SHA2) for authentication, Cisco stated.

Cisco says there is a workaround to the issue, but recommends against it.

“Before customers upgrade the software to Cisco IOS XE Release 17.11.1 or later, update the OSPFv3 IPsec configuration to use strong cryptographic algorithms. However this command is only available in Cisco IOS XE Release 17.7.1 and later, and will only take effect after a reboot.”

“Cisco does NOT [emphasis Cisco’s] recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort,” the vendor stated.

Cisco recommends filing a Service Request if you have problems or questions.

IOS XE software runs on a wide variety of Cisco gear, but the notice applies only to the 1100 ISR, Catalyst 8000V Edge Software, and the Catalyst 8300, 9500, and 8500L Edge Platforms.