Home > Articles > Cisco Network Technology > General Networking > Security in Tcl Scripts for Cisco IOS

Security in Tcl Scripts for Cisco IOS

Chapter Description

This chapter provides an introduction to PKI infrastructure and goes on to cover the use of digital signatures to sign a Tcl script, a scenario for Tcl script-failure, and scaling Tcl script distribution.

From the Book

TcL Scripting for Cisco IOS

TcL Scripting for Cisco IOS

$54.39 (Save 20%)

Tcl Script-Failure Scenario

In the event the script has been modified, the signature will detect that there was a change and prevent it from executing.

The following example shows that the script was modified and consequently forbidden from being executed.

The first line of the script has been changed from "puts hello" to "puts hellox," and the file has been copied to the IOS device as myscript-changed1char.tcl. Attempting to run the script elicits the following response:

PE11#tclsh disk0:myscript-changed1char.tcl
Invalid Signature
PE11#
*May 28 19:45:28.115: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl
  signing validation failed on script signed with trustpoint name TCLSecurity,
  cannot run the signed TCL script.

As you can see from the preceding output, the Tcl script security is a valuable feature for protecting the contents of a Tcl script. If any portion of the contents of the Tcl script has been modified by anyone, from the time the script was initially written to the time it is run on the router, the change will be detected and the script will be forbidden from executing.

For smaller company networks, it might be acceptable to have a network administrator manually install the certificate in all routers that need to run the script. The certificate is copied to a local storage such as slot0: or disk0: or any other valid file system attached to the router. In addition, copies of the Tcl script can also copied to these local storage devices attached to the router.

To deploy scripts in a larger network, take advantage of the capability of IOS software to use a TFTP server as a repository and allow all IOS devices to download Tcl scripts from the TFTP server.

4. Scaling Tcl Script Distribution | Next Section Previous Section