Re: [nsp] 3DES SSH IOS

From: Jared Mauch (jared@puck.nether.net)
Date: Tue Jul 16 2002 - 18:35:12 EDT


        One thing to keep in mind is that if you
go from running the SSH-3DES images to a non-ssh3DES image and
issue the "wr" command then later revert to a ssh-3des
image you will be required to regenerate the host key.

        This means you can easily lose your secure private
key on the router by the lack of ssh-3des availability due to
a bug you are suffering, etc.

        It would be nice if the non-ssh-3des images would play nice(r)
with the ssh-3des images IMHO.

        Just a word of warning until Cisco thinks this is a priority.

        - jared

On Tue, Jul 16, 2002 at 04:25:42PM -0600, Pete Kruckenberg wrote:
> Hi Sean.
>
> We have been running 3DES on 7500 and 12000 with general
> success. What we have found is that if you can get it to
> boot, it generally works. We have had some problems just
> getting some versions to boot, but that hasn't been
> restricted to just 3DES versions. We have tested 12.0S, and
> 12.1 and 12.2 main-line releases.
>
> The CPU load doesn't seem to be impacted noticeably by 3DES
> (we're just using it for SSH, no encrypted tunnel
> terminations).
>
> It is reassuring (to us and our customers) to know that
> passwords, enable secrets and configurations can't be
> sniffed (as easily).
>
> We have tested SSH authentication with TACACS+ (normal and
> SecureID-enabled systems), works perfectly. We did some
> limited testing with RADIUS-authenticated SSH but the
> results aren't very scientific.
>
> Pete.
>
> On Tue, 16 Jul 2002, Me wrote:
>
> > Date: Tue, 16 Jul 2002 14:33:42 -0600 (MDT)
> > From: Me <smentzer@mentzer.org>
> > To: cisco-nsp@puck.nether.net
> > Subject: [nsp] 3DES SSH IOS
> > Resent-Date: Tue, 16 Jul 2002 16:36:29 -0400
> > Resent-From: cisco-nsp@puck.nether.net
> >
> > Does anyone have anything good/bad to say about the 3DES SSH images for
> > Cisco routers? I am interested in experiences with 7500/10000/12000
> > images particularly.
> >
> > Thanks.
> >
> > -sean
> > Spoon!
> >

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


