Dinesh Pullat
Cisco Employee

Up until 6.1.2, IOS-XR SSHv2 supports only CBC ciphers (aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc). That is, if a client requests a CTR cipher (e.g. ssh -c aes128-ctr -l dpullat 1.1.1.2), IOS-XR closes the connection and logs:

RP/0/RSP0/CPU0:Feb 21 14:37:24.551 : SSHD_[65823]: %SECURITY-SSHD-6-INFO_GENERAL : Enc name is NULL: client aes128-ctr server aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

CBC mode in SSH has a well-known weakness, the plaintext-recovery attack against CBC-mode ciphers (CVE-2008-5161), which is why CBC ciphers are flagged by vulnerability scanners and security audits:

SSH CBC vulnerability

To remove this exposure, from release 6.1.2 onwards all CBC ciphers are disabled on IOS-XR; only CTR ciphers are supported from 6.1.2 and up. This change was brought in by CSCvb53125. The flip side is that a client which offers only CBC ciphers, or pins one with -c, will now be refused by the router, so check the cipher support of SSH clients and management tools before upgrading.

Next, IOS-XR will gain the ability to configure a specific CTR cipher to use, for customers who wish to strictly enforce a particular one. This is targeted for an upcoming release.
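Rather than discovering a router's cipher support by trial-and-error ssh -c attempts and reading the SSHD syslog, you can read the server's own cipher offer directly: the first SSH packet after the version exchange is the server's unencrypted KEXINIT, which carries its algorithm name-lists. The script below is an added example, not code from the original post or from Cisco. It implements just enough of RFC 4253 to fetch and decode that packet and to tell a CBC-only server (IOS-XR before 6.1.2) from a CTR-only one (6.1.2 and later). The build_kexinit helper only exists to build constructed sample payloads for offline use; the host name, cookie and the default algorithm lists it uses are assumptions, not values from the post.

```python
"""Read an SSH server's KEXINIT and report which cipher modes it offers.

Added example (not from the original post, not Cisco code). Uses only the
standard library; probe_server() needs network access, everything else
runs offline on constructed payloads.
"""
import socket
import struct
from collections import defaultdict

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII."""
    if off + 4 > len(buf):
        raise ValueError("truncated KEXINIT")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload (message id through the boolean) into a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                      # message id, then the 16-byte cookie
    fields = {}
    for name in NAME_LISTS:
        fields[name], off = _read_name_list(payload, off)
    if off >= len(payload):
        raise ValueError("truncated KEXINIT")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(enc, kex=("diffie-hellman-group14-sha1",),
                  host_key=("ssh-rsa",), mac=("hmac-sha1",), comp=("none",)):
    """Encode a KEXINIT payload. Constructed sample data only (zero cookie)."""
    def name_list(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (kex, host_key, enc, enc, mac, mac, comp, comp, (), ()):
        body += name_list(names)
    return body + b"\x00" + b"\x00\x00\x00\x00"   # no guess packet, reserved


def cipher_mode(name):
    """Classify a cipher name by mode from its suffix, ignoring @vendor tags."""
    base = name.split("@", 1)[0]
    if base.endswith("-cbc"):
        return "cbc"
    if base.endswith("-ctr"):
        return "ctr"
    if "gcm" in base or base.startswith("chacha20"):
        return "aead"
    return "other"


def group_by_mode(names):
    """Map mode -> list of cipher names, e.g. {'cbc': [...], 'ctr': [...]}."""
    groups = defaultdict(list)
    for n in names:
        groups[cipher_mode(n)].append(n)
    return dict(groups)


def cbc_only(kexinit):
    """True when every cipher the server offers, in both directions, is CBC."""
    offered = kexinit["enc_c2s"] + kexinit["enc_s2c"]
    return bool(offered) and all(cipher_mode(n) == "cbc" for n in offered)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-packet")
        buf += chunk
    return buf


def _read_line(sock):
    """Read one LF-terminated line byte by byte so nothing is read ahead."""
    line = b""
    while not line.endswith(b"\n"):
        c = sock.recv(1)
        if not c:
            raise ConnectionError("peer closed connection in version exchange")
        line += c
    return line


def probe_server(host, port=22, timeout=5.0):
    """Do the version exchange and return the parsed server KEXINIT.

    Nothing is encrypted or authenticated yet, so no credentials are needed.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit_probe\r\n")
        # RFC 4253 section 4.2: banner lines may precede the "SSH-" line.
        while not _read_line(s).startswith(b"SSH-"):
            pass
        # First binary packet is in the clear: uint32 length, byte padlen.
        pkt_len, pad_len = struct.unpack(">IB", _recv_exact(s, 5))
        body = _recv_exact(s, pkt_len - 1)
        return parse_kexinit(body[:pkt_len - 1 - pad_len])


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: kexinit_probe.py <host>")
    kx = probe_server(sys.argv[1])
    for direction in ("enc_c2s", "enc_s2c"):
        print(direction, group_by_mode(kx[direction]))
    print("CBC-only server:", cbc_only(kx))
```

Run it against a router before the upgrade to confirm the CBC-only offer, and again afterwards to confirm only CTR names remain; the same check run from the client side (ssh -Q cipher on OpenSSH, or the equivalent listing in your management tooling) tells you whether the two ends still intersect.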
