Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
6608
Views
10
Helpful
5
Comments

IOS-XR SSHv2 CTR ciphers support

Dinesh Pullat
Cisco Employee
Cisco Employee
‎02-22-2017 11:17 PM

Up until 6.1.2, IOS-XR sshv2 supports only CBC ciphers (aes128-cbc,aes192-cbc,aes256-cbc,3des-cbcaes128-cbc,aes192-cbc,aes256-cbc,3des-cbc). That is, if a client were to request a CTR cipher (for e.g.: ssh -c aes128-ctr -l dpullat 1.1.1.2), IOS-XR will close the connection with:

RP/0/RSP0/CPU0:Feb 21 14:37:24.551 : SSHD_[65823]: %SECURITY-SSHD-6-INFO_GENERAL : Enc name is NULL: client aes128-ctr server aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

CBC ciphers have been well known for their security vulnerability:

SSH CBC vulnerability

As part of this effort to disable CBC ciphers and enable only CTR ciphers for SSHv2 on IOS-XR, from release 6.1.2 onwards, all CBC ciphers are disabled or not supported on IOS-XR. Only CTR ciphers are supported from 6.1.2 and up. This change was brought in by CSCvb53125.

Next, IOS-XR will have the capability to configure a specific CTR cipher to use, for customers who wish to strictly enforce a particular one. This is targeted for an upcoming release.

5 Comments
miqbal
Cisco Employee
Cisco Employee
‎04-10-2018 09:15 AM
‎04-10-2018 09:15 AM

RP/0/RSP1/CPU0:CSS2#sh ssh session details
Tue Apr 10 11:21:15.950 GMT
SSH version : Cisco-2.0

id   key-exchange  pubkey  incipher  outcipher  inmac   outmac
-------------------------------------------------------------------
Incoming Session
0   diffie-hellman ssh-dss aes256-ctr aes256-ctr hmac-sha1  hmac-sha1

Outgoing connection
RP/0/RSP1/CPU0:CSS2#sh ssh                 
Tue Apr 10 11:22:27.863 GMT
SSH version : Cisco-2.0

id  chan pty     location        state           userid    host                  ver authentication connection type
--------------------------------------------------------------------------------------------------------------------------
Incoming sessions
0   1    vty1    0/RSP1/CPU0     SESSION_OPEN    vin       10.122.96.182         v2  password       Command-Line-Interface

Outgoing sessions

RP/0/RSP1/CPU0:CSS2#

0 Helpful
Mike Botha
Level 1
Level 1
‎04-19-2018 04:46 AM
‎04-19-2018 04:46 AM

Is there a SMU available to enable the SSH client CBR ciphers on releases prior to 6.1.2?

We have a situation where one ASR9K at a remote location is running 6.1.2 and we need to SSH from an ASR9K running  6.0.1 to the ASR9K running 6.1.2.

 

The ASR9K running 6.0.1 SSH client only supports CBC and the ASR9K running 6.1.2 only supports CBR.

 

0 Helpful
miqbal
Cisco Employee
Cisco Employee
‎04-19-2018 06:34 AM
‎04-19-2018 06:34 AM

I believe most desktop software clients support both type of ciphers.  In worst case, customer can keep both old and new clients software versions.

0 Helpful
Mike Botha
Level 1
Level 1
‎04-19-2018 07:48 AM
‎04-19-2018 07:48 AM

I believe you do not understand my question.

The only way for me to access this ASR9K with 6.1.2 currently is to hop from a ASR9K that has 6.0.1.

 

If I could access the ASR9K with 6.1.2 from a desktop SSH client this would probably work fine. The point is that I only have direct access to the ASR9K with 6.0.1 from the desktop SSH client.

0 Helpful
miqbal
Cisco Employee
Cisco Employee
‎04-19-2018 08:17 AM
‎04-19-2018 08:17 AM

Agree. I noticed the same between 5.1.2 and 6.1.4. Let's see what BU gurus say.

 

As a workaround try telnet, if it works

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents