North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Vonage complains about VoIP-blocking

  • From: Eric Gauthier
  • Date: Tue Feb 15 22:53:43 2005

> Why block TFTP at your borders? To keep people from loading new versions of
> IOS on your routers? ;)
> Not trying to be flippant, but what's the basis for this?

This is a really good question :)

In our particular case, it was not to protect the network as others suggested.
We do ACL our equipment, keep updated code, use private IPs were necessary,
etc.  We're a University network, but we're not completely insane ;)  Of course
we don't let random hosts TFTP to our gear...

A while ago (18 months maybe?) our security team argued that filtering 
TFTP connections between subnets on our campus would slow down the spread of
computer worms/viruses as many were using TFTP as part of their propogation 
vector.  The decision was made that the trade off between the end-to-end 
principle (we didn't have a good counter at the time citing a particular
application that was used and would break) and helping contain virus outbreaks 
was worth filtering, so the filter was put into place.  No one has complained
yet, so the filter has stayed in place.

Eric :)