Announcement: ICX FastIron 08.0.30t is now available on Support

  • Updated 10 months ago
Our ICX FastIron developers and QA have a new maintenance release with bug fixes.

This firmware runs on FCX, FSX, ICX – 6610, 6430/6450, 6650, 7250, 7450, 7750 models.

 

FastIron 08.0.30t Release Notes:

https://support.ruckuswireless.com/documents/2657-fastiron-08-0-30t-release-notes

 

Ruckus ICX FastIron 08.0.30t Software Release (.zip):

https://support.ruckuswireless.com/software/1994-ruckus-icx-fastiron-08-0-30t-software-release-zip

 

MD5:  480cea85722d2c138c4df7cbb8d4b175

 

   Thanks and best regards,

Michael Brado, Official Rep


Posted 10 months ago


Eric Markow

Thank you. According to the release notes, this release "contains defect fixes. There are no enhancements in this release." 

Is there going to be a future release adding the capability of an ICX6450-C12P to have a diffie-hellman-group14-sha1 SSH key exchange? The current key exchange capability of an ICX6450-C12-PD is not supported by modern SSH clients, as it has known security flaws. I am currently running version 80.0.30saT311

Thank you!

Michael Brado, Official Rep

I forwarded your question to the FastIron development team...

Jijo Panangat, Employee

Hello Eric,

You are correct! diffie-hellman-group14-sha1 isn't supported on 8030t. This is supported on 8070 and higher releases but limited to ICX 7000 series platforms. Adding this capability on the 8030 branch is very unlikely. Will get you a confirmation shortly.


Here is an excerpt from the 8030t release notes: “Brocade Fast Iron Release 08.0.30f introduces new enhancements”

 • Key exchange method - By default, diffie-hellman-group1-sha1 is the key-exchange method used to establish an SSH connection. You can change the default key-exchange method and configure diffie-hellman-group14-sha1 as the key-exchange method using the ip ssh key-exchange-method dh-group14-sha1 command. The diffie-hellman-group14-sha1 method provides enhanced encryption of shared secrets between two devices. This is supported only on FCX devices.

Could you let us know who the end customer is here?



Eric Markow

We are an MSP and the end customer.

The issue is that my router is running a version of FreeBSD that dropped support for less secure SSH methods (Ruckus RIOT partner RG Nets rXg). When I try to SSH into my ICX6450-C12P, I get the following error: 

[[email protected] ~]$ ssh [email protected]
Unable to negotiate with 10.10.2.3 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

I tried configuring the switch (via telnet) with the following:
[email protected](config)#crypto key gen rsa modulus 2048

The command "ip ssh key-exchange-method" is not recognized, as I'm guessing this is not a "FCX device". 

Again, I'm running 80.0.30saT311 on this switch.

The other switches on this network are ICX 7250's running 08.0.80dT211. I am able to use SSH to communicate with them after running the "ip ssh key-exchange-method dh-group14-sha1" command.

Andrew Giancola

This is a problem with my MacBook Pro connecting to Cisco IOS 12.2 and below. I simply modified `/etc/ssh/ssh_config`. I assume it'll be just as easy for you to do that too.

Sarma Kuppa, Employee

Eric, as Jijo said it is highly unlikely to get the feature into 8030 patches unless there is a strong business case.

NETWizz


That said, you can use RSA 2048 bit for ssh authentication algorithm.

Separate topic... you can disable AES-CBC encryption, which meets the standard of the Joint Interoperability Test Command (JITC). JITC is a United States military organization that tests technology pertaining to multiple branches of the armed services and the government.

ip ssh  encryption disable-aes-cbc


I am a bit surprised no option is available for a larger RSA modulus, either.  Many devices support 4096 bit RSA modulus.

Either way, RSA is slow to generate but faster than DSA to authenticate once configured.
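
For anyone who needs to inventory which devices are in the same state as the ICX6450 in this thread, here is an added example (not from any poster or from Ruckus) that parses a server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and flags a device that offers only diffie-hellman-group1-sha1 or still offers CBC ciphers. The function names are hypothetical, and the cipher, MAC and host-key lists in the sample are constructed assumptions; the thread only shows the key-exchange offer.

```python
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
WEAK_KEX = {"diffie-hellman-group1-sha1"}  # 1024-bit group; the switch's only offer

def parse_kexinit(payload: bytes) -> dict:
    """Parse an unencrypted KEXINIT payload into {field: [algorithm, ...]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, offer = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")  # uint32 list length
        names = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(names) != n:
            raise ValueError("truncated KEXINIT name-list: " + field)
        offer[field] = names.decode("ascii").split(",") if names else []
        pos += 4 + n
    return offer

def audit(offer: dict) -> list:
    """Return findings for a server offer; an empty list means nothing flagged."""
    findings = []
    if offer["kex"] and all(k in WEAK_KEX for k in offer["kex"]):
        findings.append("kex: only " + ",".join(offer["kex"]))
    cbc = [c for c in offer["enc_s2c"] if c.endswith("-cbc")]
    if cbc:
        findings.append("cipher: CBC offered: " + ",".join(cbc))
    return findings

def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists as a server would; used only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie, sample only
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += len(names).to_bytes(4, "big") + names
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows, reserved

# Constructed sample resembling the switch in the thread (not a real capture).
SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group1-sha1"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-cbc", "aes256-cbc"], "enc_s2c": ["aes128-cbc", "aes256-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]})

if __name__ == "__main__":
    for finding in audit(parse_kexinit(SAMPLE)):
        print(finding)
```

The parser expects the payload of the server's first binary packet after the version banner, with the packet length, padding length and padding already removed.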