05-04-2023 09:31 AM
Hello,
In recent vulnerabilities related to SSH cipher suites, Cisco recommended updating the encryption and MAC algorithms. I want to know the impact when I issue the below commands on ASR 1002-X routers.
Command to add the Encryption Algorithms
ip ssh server algorithm encryption aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
Command to Remove the Encryption Algorithms
no ip ssh server algorithm encryption aes256-cbc,aes192-cbc,aes128-cbc
Command to remove ancient MAC Algorithm
no ip ssh server algorithm mac hmac-sha1
Command to update KEX Algorithm
ip ssh server algorithm kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
As I am applying this on production routers, I want to know the impact caused by these changes.
Thanks
Ravi
05-04-2023 11:53 AM
Hello @Ravi D,
By adding additional encryption algorithms to the SSH server, you can improve the security of SSH sessions. However, using stronger encryption algorithms may increase CPU and memory usage on the router, which could impact the overall performance of the device, especially during periods of high traffic.
Removing weaker encryption algorithms can improve the security of SSH sessions. However, if any clients are using the removed algorithms, they will no longer be able to connect to the SSH server. Before making this change, ensure that all SSH clients support the remaining encryption algorithms.
Removing HMAC-SHA1 can improve security by preventing attackers from exploiting known vulnerabilities in this algorithm. However, if any SSH clients rely on HMAC-SHA1, they will no longer be able to connect to the SSH server. Again, make sure all SSH clients support the remaining MAC algorithms before making this change.
Updating the key exchange algorithm can improve security by replacing weaker algorithms with stronger ones. However, some older SSH clients may not support the new KEX algorithms, which could prevent them from connecting to the SSH server.
It's essential to thoroughly test these changes in a non-production environment to ensure they work as intended and do not cause any issues.
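The practical risk in the answer above is a client that only speaks one of the removed algorithms and silently loses access. As an added illustration (not from this thread, and not a Cisco tool), the following Python script models the four commands from the question against an assumed starting configuration and checks, offline, which clients could still negotiate cipher, MAC and key exchange afterwards. The starting lists, the command semantics (the positive form replaces the list for that algorithm type, the "no" form removes the named entries) and the client capability lists are all assumptions for illustration; on a real device the current values come from "show ip ssh", and client capabilities from the client's own documentation or "ssh -Q cipher", "ssh -Q mac" and "ssh -Q kex" for OpenSSH.

```python
# Added example, not part of the original thread or of any Cisco tooling.
# Models the effect of the "ip ssh server algorithm ..." commands quoted in
# the question and reports which SSH clients would still be able to connect.

# Assumed pre-change algorithm lists (illustration only; check "show ip ssh").
BEFORE = {
    "encryption": ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                   "aes128-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
    "kex": ["diffie-hellman-group14-sha1", "ecdh-sha2-nistp256"],
}

# The commands from the question, in the order they would be entered.
COMMANDS = [
    "ip ssh server algorithm encryption aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr",
    "no ip ssh server algorithm encryption aes256-cbc,aes192-cbc,aes128-cbc",
    "no ip ssh server algorithm mac hmac-sha1",
    "ip ssh server algorithm kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521",
]

# Constructed client capability lists in client preference order. Algorithm
# names are written exactly as the router spells them; mapping vendor-specific
# names (for example OpenSSH's "@openssh.com" suffixes) is outside this example.
CLIENTS = {
    "modern-openssh": {"encryption": ["aes256-gcm", "aes128-ctr"],
                       "mac": ["hmac-sha2-256"],
                       "kex": ["ecdh-sha2-nistp256"]},
    "legacy-tool": {"encryption": ["aes128-cbc"],
                    "mac": ["hmac-sha1"],
                    "kex": ["diffie-hellman-group14-sha1"]},
    "mac-only-sha1": {"encryption": ["aes256-ctr"],
                      "mac": ["hmac-sha1"],
                      "kex": ["ecdh-sha2-nistp256"]},
}


def apply_commands(config, commands):
    """Return a new config after applying the algorithm commands.

    Assumed semantics: "ip ssh server algorithm <type> a,b,c" replaces the
    list for that type in the given order; the "no" form removes the named
    entries and leaves the rest untouched.
    """
    result = {k: list(v) for k, v in config.items()}
    for cmd in commands:
        parts = cmd.split()
        negate = parts[0] == "no"
        if negate:
            parts = parts[1:]
        # Expected shape: ip ssh server algorithm <type> <comma-separated list>
        if parts[:4] != ["ip", "ssh", "server", "algorithm"] or len(parts) != 6:
            raise ValueError(f"unrecognised command: {cmd}")
        algo_type, algos = parts[4], parts[5].split(",")
        if negate:
            result[algo_type] = [a for a in result[algo_type] if a not in algos]
        else:
            result[algo_type] = algos
    return result


def negotiate(server_cfg, client_caps):
    """Per algorithm type, the algorithm the session would use, or None.

    RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports wins; no common entry means the session fails.
    """
    return {
        algo_type: next((a for a in client_caps.get(algo_type, [])
                         if a in server_list), None)
        for algo_type, server_list in server_cfg.items()
    }


def impact_report(before, commands, clients):
    """Return (post-change config, per-client before/after negotiation result)."""
    after = apply_commands(before, commands)
    report = {}
    for name, caps in clients.items():
        pre, post = negotiate(before, caps), negotiate(after, caps)
        report[name] = {"before": pre, "after": post,
                        "connects_after": all(post.values())}
    return after, report


def blocked_clients(report):
    """Names of clients that would be locked out once the change is applied."""
    return sorted(n for n, r in report.items() if not r["connects_after"])


AFTER, REPORT = impact_report(BEFORE, COMMANDS, CLIENTS)

if __name__ == "__main__":
    for algo_type, algos in AFTER.items():
        print(f"{algo_type:11} after change: {', '.join(algos)}")
    for name in blocked_clients(REPORT):
        missing = [t for t, a in REPORT[name]["after"].items() if a is None]
        print(f"{name}: would be locked out (no common {', '.join(missing)})")
```

Running it lists the resulting server lists and the clients that have no common algorithm for at least one of the three negotiation steps, which is the check worth doing for every management host, jump server and monitoring system before the change goes onto the production routers.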
05-04-2023 01:41 PM
Do we have any specific command to check the SSH client sessions connected or live on a Cisco ASR 1002-X?
We are changing these parameters on our Disaster Recovery site routers, which should not have any live traffic.
Will there be any kind of reboot or any outages expected due to these changes, apart from the CPU and memory usage?
05-05-2023 10:08 AM - edited 05-05-2023 10:08 AM
Hello @Ravi D,
Yes, you can use the "show ssh sessions" command to display information about the currently active SSH sessions. This command will show you the source IP address, username, and session ID of each active session.
As for your second question, changing the SSH cipher suite parameters should not cause any reboots or outages on the router. However, as you mentioned, it may cause increased CPU and memory usage during the change process. It's always a good idea to schedule such changes during a maintenance window to minimize any potential impact on network operations.
05-05-2023 10:38 AM
Thank you for all the information.
The command on the ASR 1002-X router was show ssh.
Yes, I will definitely perform these changes in a maintenance window.