Cisco urges users to stop using weak crypto algorithms with OSPF
To reduce the risk of service problems, Cisco is making it harder for organisations to use weak cryptographic algorithms when setting up authentication for OSPF packets on certain Catalyst Edge Platforms and Integrated Services Routers (ISR).
Newer versions of Cisco’s IOS XE software (Release 17.11.1 and later) no longer support those algorithms—DES, 3DES, and MD5—by default, Cisco stated in a field Notice.
Specifically, the algorithms are no longer default options for the open shortest path first v 3 (OSPFv3) protocol, which uses the IPsec secure socket API to add authentication to OSPFv3 packets that distribute routing information. “In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,” Cisco stated in a field Notice. “Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.”