North American Network Operators Group


RE: Vonage complains about VoIP-blocking

  • From: Bruce Campbell
  • Date: Tue Feb 15 17:42:53 2005

On Tue, 15 Feb 2005, Hannigan, Martin wrote:

> > On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> >
> > > > Something else to consider.  We block TFTP at our border for
> > > > security reasons
> > > > and we've found that this prevents Vonage from working.
>
> > Vonage devices initiate an outbound TFTP connection back to Vonage to
> > snarf their configs on initial connection and also
> > (presumably) on reboot.
>
> I tested the reboot. I didn't see it. I agree in general
> and think that providers shouldn't block tftp, IMHO.

Traditionally, tftp has been used by networks as a configuration/boot
mechanism of their local equipment, with customers rarely using it (at
least, that's been my experience).

Hence, most people writing the acls are concerned with protecting their
own equipment, and getting the most out of their routers.  Having acls
that block all tftp except from your management IPs is a lot easier than
acls that block all tftp to your tftpable devices except from your
management IPs.

Introducing new devices that are intended to trust that big, bad, easily
spoofable internet using non-secured protocols such as tftp in order to
get their configuration from a non-local server shows a degree of trust
not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly
books on writing internet protocols.

--==--
Bruce.
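
The two ACL styles compared in the message above, as an added example that is not part of the original post: a first-match ACL evaluator run over three constructed flows, showing why the simpler blanket filter also drops a customer device's outbound TFTP request. All prefixes, addresses and rule layouts are assumptions drawn from the documentation ranges; only the initial request to UDP port 69 is modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed prefixes (RFC 5737 documentation ranges), not from the thread.
MGMT = ip_network("192.0.2.0/28")      # management stations (assumed)
INFRA = ip_network("198.51.100.0/24")  # provider's own TFTP-bootable gear (assumed)
ANY = ip_network("0.0.0.0/0")
TFTP = 69

# Rule: (action, src, dst, dst_port); dst_port None matches any port.
# Blanket style: two TFTP entries no matter how much equipment exists.
BLANKET = [
    ("permit", MGMT, ANY, TFTP),
    ("deny", ANY, ANY, TFTP),
    ("permit", ANY, ANY, None),
]
# Scoped style: a permit/deny pair per infrastructure prefix to maintain.
SCOPED = [
    ("permit", MGMT, INFRA, TFTP),
    ("deny", ANY, INFRA, TFTP),
    ("permit", ANY, ANY, None),
]

# Constructed flows: name -> (src, dst, dst_port)
FLOWS = {
    "mgmt -> router": ("192.0.2.5", "198.51.100.1", TFTP),
    "outside -> router": ("203.0.113.50", "198.51.100.1", TFTP),
    "customer ATA -> off-net config server": ("203.0.113.10", "203.0.113.200", TFTP),
}

def evaluate(acl, src, dst, dport):
    """Return the action of the first matching rule (implicit deny at the end)."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rport in acl:
        if s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "deny"

def compare():
    """Map each flow name to its (blanket, scoped) verdicts."""
    return {name: (evaluate(BLANKET, *f), evaluate(SCOPED, *f))
            for name, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (blanket, scoped) in compare().items():
        print(f"{name:40} blanket={blanket:6} scoped={scoped}")
```

Both policies protect the provider's own equipment identically; they differ only on the transit flow, which the blanket ACL denies and the scoped ACL permits.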