This post is the third in a series of articles on the new security features of IOS 15.0. The topic here is Flexible Packet Matching (FPM). FPM itself debuted in the IOS 12.4(4)T Advanced Security image; this article covers two enhancements added since then, namely encrypted Traffic Classification Definition Files (eTCDFs) and Packaging Support.
Let’s explore the fundamental operation of FPM before delving into the enhancements. First of all, FPM requires Packet Header Definition Files (PHDFs). These are XML-formatted files that describe the header fields of a protocol; each field consists of a field id, a description, an offset, and a length, with offset and length expressed in bits from the start of that header.
In the initial implementation of this feature, the router administrator first added a load protocol statement to the running configuration to load the needed PHDFs, then defined class-map, policy-map, and service-policy statements describing which field values must be present, and finally specified the exact pattern to match at a predefined offset into the packet.
IOS release 12.4(6)T introduced Traffic Classification Definition Files (TCDFs). With this addition, the modular policy commands (class-map and policy-map) can be defined in an XML file instead of being typed into the configuration. Using a TCDF requires one additional statement, load classification, to load the file. Since the class-map and policy-map are now carried in the XML, the administrator merely has to specify the interface to which the service-policy will be applied.
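As an added illustration, not code from the original article and not Cisco's own implementation, the following Python models the three pieces described above: PHDF fields located by bit offset and length, a stack class that chains the IP header to the UDP header, and a TCDF-style XML file carrying the class-map and policy-map that the CLI would otherwise define line by line. The PHDF and TCDF schemas here are simplified assumptions, not Cisco's actual XML; the `headerlength` and `next-policy` attributes, the class and policy names, and the two packets are all constructed for the example. Raw-offset matches are counted in bytes from the start of the IP header, which is this toy's convention.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified PHDFs (hypothetical schema; real Cisco PHDFs differ in detail).
# Offsets and lengths are in bits, measured from the start of that header.
PHDF_IP = """<phdf><protocol name="ip" headerlength="160">
  <field id="length" description="Total-length" offset="16" length="16"/>
  <field id="protocol" description="Next-protocol" offset="72" length="8"/>
</protocol></phdf>"""
PHDF_UDP = """<phdf><protocol name="udp" headerlength="64">
  <field id="dest-port" description="Destination-port" offset="16" length="16"/>
</protocol></phdf>"""

# Constructed, simplified TCDF (hypothetical schema): a stack class chaining IP to UDP,
# an access-control class testing fields and a raw offset, and two nested policies.
TCDF = """<tcdf>
  <class name="ip-udp" type="stack">
    <eq field="ip.protocol" value="0x11" next="udp"/>
  </class>
  <class name="slammer" type="access-control">
    <eq field="udp.dest-port" value="0x59A"/>
    <eq field="ip.length" value="0x194"/>
    <eq start="l3-start" offset="224" size="4" value="0x4011010"/>
  </class>
  <policy name="fpm-udp-policy"><class name="slammer" action="drop"/></policy>
  <policy name="fpm-policy"><class name="ip-udp" next-policy="fpm-udp-policy"/></policy>
</tcdf>"""


def load_protocols(*phdf_texts):
    """Equivalent of 'load protocol': index each protocol's fields by id as (bit offset, bit length)."""
    protocols = {}
    for text in phdf_texts:
        for proto in ET.fromstring(text).iter("protocol"):
            protocols[proto.get("name")] = {
                "headerlength": int(proto.get("headerlength")),
                "fields": {f.get("id"): (int(f.get("offset")), int(f.get("length")))
                           for f in proto.iter("field")},
            }
    return protocols


def load_classification(tcdf_text):
    """Equivalent of 'load classification': top-level classes and policies by name."""
    root = ET.fromstring(tcdf_text)
    return ({c.get("name"): c for c in root.findall("class")},
            {p.get("name"): p for p in root.findall("policy")})


def bits(data, bit_offset, bit_length):
    """Unsigned integer held in bit_length bits starting at bit_offset (big-endian, bit 0 is MSB)."""
    byte_start, byte_end = bit_offset // 8, (bit_offset + bit_length + 7) // 8
    chunk = int.from_bytes(data[byte_start:byte_end], "big")
    shift = (byte_end - byte_start) * 8 - (bit_offset - byte_start * 8) - bit_length
    return (chunk >> shift) & ((1 << bit_length) - 1)


def class_matches(cls, packet, protocols, header_start):
    """match-all semantics: every <eq> must hold. A stack match records where the next header begins."""
    for m in cls.iter("eq"):
        want = int(m.get("value"), 0)
        if m.get("field"):
            proto, field = m.get("field").split(".")
            if proto not in header_start:          # header not established by a stack class
                return False
            off, ln = protocols[proto]["fields"][field]
            if bits(packet, header_start[proto] + off, ln) != want:
                return False
            if m.get("next"):
                header_start[m.get("next")] = header_start[proto] + protocols[proto]["headerlength"]
        else:                                       # raw pattern, byte offset from l3-start (toy convention)
            off, size = int(m.get("offset")), int(m.get("size"))
            if int.from_bytes(packet[off:off + size], "big") != want:
                return False
    return True


def classify(packet, protocols, classes, policies, policy_name, header_start=None):
    """Walk a policy as FPM would; returns the action string or None when nothing matches."""
    header_start = {"ip": 0} if header_start is None else header_start
    for ref in policies[policy_name].findall("class"):
        if class_matches(classes[ref.get("name")], packet, protocols, header_start):
            if ref.get("next-policy"):
                return classify(packet, protocols, classes, policies, ref.get("next-policy"), header_start)
            return ref.get("action")
    return None


def build_packet(payload, dest_port, proto=17):
    """Constructed IPv4+UDP packet; checksums are left zero because the toy never verifies them."""
    total = 20 + 8 + len(payload)
    ip = (bytes([0x45, 0]) + total.to_bytes(2, "big") + b"\x00\x00\x00\x00\x40" + bytes([proto])
          + b"\x00\x00" + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    udp = (1234).to_bytes(2, "big") + dest_port.to_bytes(2, "big") + (8 + len(payload)).to_bytes(2, "big") + b"\x00\x00"
    return ip + udp + payload


PROTOCOLS = load_protocols(PHDF_IP, PHDF_UDP)
CLASSES, POLICIES = load_classification(TCDF)
# Constructed 376-byte payload (IP total length 404 = 0x194) with the pattern at byte 224 of the L3 packet.
SLAMMER_LIKE = build_packet(b"\x04" + b"\x01" * 195 + bytes.fromhex("04011010") + b"\x01" * 176, 1434)
BENIGN = build_packet(b"hello", 1434)               # same port, wrong length, no pattern
TCP_PACKET = build_packet(b"hello", 1434, proto=6)  # stack class fails, UDP header never established


def fpm_verdict(packet):
    return classify(packet, PROTOCOLS, CLASSES, POLICIES, "fpm-policy")


if __name__ == "__main__":
    for name, pkt in (("slammer-like", SLAMMER_LIKE), ("benign", BENIGN), ("tcp", TCP_PACKET)):
        print(name, fpm_verdict(pkt))
```

The order of evaluation is the point to take away: the stack class must establish where the UDP header starts before any `udp.*` field can be read, which is why FPM nests an access-control policy under a stack class rather than matching everything in one class.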
With a TCDF, mitigations for known attacks can be distributed publicly as files; however, a plaintext XML file can be altered anywhere along the update path, and a router would load the altered classification as readily as the genuine one, so the update process itself presents a security risk. To address this, Cisco added encryption support in the form of eTCDF files. Building on that feature, for IOS 15.0 Cisco has also announced Packaging Support for FPM, a capability which allows all IOS routers to be updated periodically from a centralized server holding the eTCDF files. All the administrator needs to do is specify the IP address of the server, the package name, the path, the interval at which to check for updates, the auto-load option, and whether or not to log FPM update events.
Author: Doug McKillip