
Security in Tcl Scripts for Cisco IOS

Chapter Description

This chapter provides an introduction to PKI infrastructure and goes on to cover the use of digital signatures to sign a Tcl script, a scenario for Tcl script-failure, and scaling Tcl script distribution.

From the Book

TcL Scripting for Cisco IOS

Scaling Tcl Script Distribution

In the next example, a central TFTP server has been deployed in the network at IP address 192.168.1.81, and the IOS device downloads the Tcl script from it across the network using TFTP. The signature check is still performed on the downloaded script, so a high level of security is retained even though the transfer protocol itself is insecure:

PE11#tclsh tftp://192.168.1.81/myscript.tcl
Loading myscript.tcl from 192.168.1.81 (via Serial2/0.111): !
[OK - 4046 bytes]
hello
argc = 0
argv =
argv0 = tftp://192.168.1.81/myscript.tcl
tcl_interactive = 0

If the script has been modified, we receive the same results as before:

PE11#tclsh tftp://192.168.1.81/myscript-changed1char.tcl
Loading myscript-changed1char.tcl from 192.168.1.81 (via Serial2/0.111): !
[OK - 4047 bytes]
Invalid Signature
*Mar 27 23:40:35.543: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl
 signing validation failed on script signed with trustpoint name TCLSecurity,
 cannot run the signed TCL script.
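The two transcripts above show the property that matters: the transport (TFTP) offers no integrity, but the router still refuses a script whose body no longer matches its signature. The following Python program is an added teaching example, not code from the book or from Cisco IOS, and it does not reproduce the IOS signature trailer format. It uses a hypothetical comment-based trailer and textbook (unpadded) RSA over a SHA-256 digest, with a constructed Tcl script and a dictionary standing in for the TFTP server, to show that a one-character change to the body, or a missing trailer, is rejected regardless of how the file arrived.

```python
"""Added example: verify a signed Tcl script fetched over an untrusted
transport, independently of the transport.

Not Cisco IOS code. The trailer markers and the unpadded RSA-over-SHA-256
scheme are teaching stand-ins; a real deployment uses a PKI trustpoint
and a proper signature scheme with padding.
"""
import hashlib
import secrets

# Hypothetical trailer format (constructed for this example).
SIG_BEGIN = "# --- SCRIPT SIGNATURE BEGIN (hypothetical trailer format) ---"
SIG_END = "# --- SCRIPT SIGNATURE END ---"


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, until one passes."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def gen_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)). The public half plays the role of the
    trustpoint certificate stored on the router."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(script_body: str) -> int:
    return int.from_bytes(hashlib.sha256(script_body.encode()).digest(), "big")


def sign_script(script_body: str, priv) -> str:
    """Append a signature trailer (done on the administrator's workstation,
    never on the router)."""
    n, d = priv
    sig = pow(_digest_int(script_body), d, n)
    return f"{script_body}\n{SIG_BEGIN}\n# {sig:x}\n{SIG_END}\n"


def verify_script(blob: str, pub) -> bool:
    """Router-side check: split off the trailer, recompute the digest of the
    body and compare it with the recovered signature value. Any change to
    the body, or a missing or garbled trailer, fails."""
    n, e = pub
    if not blob.endswith(f"{SIG_END}\n"):
        return False
    head, sep, tail = blob.rpartition(f"\n{SIG_BEGIN}\n# ")
    if not sep:
        return False
    try:
        sig = int(tail[: -len(f"\n{SIG_END}\n")], 16)
    except ValueError:
        return False
    return pow(sig, e, n) == _digest_int(head)


def demo() -> dict:
    """Simulate the three fetches: intact, one character changed, unsigned."""
    pub, priv = gen_keypair()
    script = 'puts "hello"\nputs "argc = $argc"'          # constructed script
    signed = sign_script(script, priv)
    tftp_server = {                                       # stands in for TFTP
        "myscript.tcl": signed,
        "myscript-changed1char.tcl": signed.replace('"hello"', '"hellO"', 1),
        "unsigned.tcl": script,
    }
    return {name: verify_script(blob, pub) for name, blob in tftp_server.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'runs' if ok else 'Invalid Signature'}")
```

The check depends only on the public key already present on the device and on the bytes that were received, which is why the book can pair an unauthenticated protocol such as TFTP with signed scripts: the attacker who controls the server can change what is served but cannot produce a trailer that verifies.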

The public certificate is stored locally in the router's NVRAM and consequently takes up valuable memory space. You may find yourself in a situation where the IOS device is running out of memory. To minimize the impact on NVRAM, you can use the service compress-config command to reduce the certificate's overhead on NVRAM:

PE11(config)#service compress-config
PE11(config)#end
PE11#write
Warning: Attempting to overwrite an NVRAM configuration previously written
by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
*Mar 27 23:47:45.323: %SYS-5-CONFIG_I: Configured from console by console
[confirm]
Building configuration...
Compressed configuration from 5689 bytes to 3535 bytes[OK]

Instead of using a central TFTP server as a repository for Tcl scripts, you can use other protocols to transfer the Tcl scripts from a central server, including FTP, RCP, SCP, HTTP, and HTTPS.