[77981] in North American Network Operators' Group


RE: Vonage complains about VoIP-blocking

daemon@ATHENA.MIT.EDU (Bruce Campbell)
Tue Feb 15 17:41:45 2005

Date: Wed, 16 Feb 2005 08:41:16 +1000 (EST)
From: Bruce Campbell <bc-nanog@vicious.dropbear.id.au>
To: nanog@merit.edu
In-Reply-To: <A206819EF47CBE4F84B5CB4A303CEB7A24237D@dul1wnexmb01.vcorp.ad.vrsn.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 15 Feb 2005, Hannigan, Martin wrote:

> > On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> >
> > > > Something else to consider.  We block TFTP at our border for
> > > > security reasons
> > > > and we've found that this prevents Vonage from working.
>
> > Vonage devices initiate an outbound TFTP connection back to Vonage to
> > snarf their configs on initial connection and also
> > (presumably) on reboot.
>
> I tested the reboot. I didn't see it. I agree in general
> and think that providers shouldn't block tftp, IMHO.

Traditionally, TFTP has been used by networks as a configuration/boot
mechanism for their local equipment, with customers rarely using it (at
least, that's been my experience).

Hence, most people writing the ACLs are concerned with protecting their
own equipment, and getting the most out of their routers.  Having ACLs
that block all TFTP except from your management IPs is a lot easier than
ACLs that block all TFTP to your TFTP-able devices except from your
management IPs.

Introducing new devices that are intended to trust that big, bad, easily
spoofable internet, using non-secured protocols such as TFTP in order to
get their configuration from a non-local server, shows a degree of trust
not seen since the Famous Five, the BabySitters Club and pre-'96 O'Reilly
books on writing internet protocols.

--==--
Bruce.
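The two ACL styles contrasted in the post, modelled as an added example (this is not code from the post, from NANOG, or from any provider's configuration): a small first-match ACL evaluator with the coarse "deny all TFTP except from management" list beside the scoped "deny TFTP to our TFTP-able devices except from management" list. The management range, the device range, the customer CPE address and the off-net config server at 192.0.2.10 are all constructed from the RFC 5737 documentation prefixes and are assumptions for the illustration; the packets are constructed too.

```python
"""First-match ACL model for the border-TFTP discussion.

Added illustration, not code from the mailing-list post. All addresses
come from the RFC 5737 documentation ranges; the roles assigned to them
(management hosts, TFTP-able routers, customer CPE, remote config server)
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TFTP = 69


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "tcp", ...
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR, or "any"
    dst: str                    # CIDR, or "any"
    proto: str = "ip"           # "ip" matches every protocol, IOS-style
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

        return (in_net(p.src, self.src)
                and in_net(p.dst, self.dst)
                and self.proto in ("ip", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: list[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching nothing is dropped (implicit deny)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


MGMT = "198.51.100.0/28"           # our management hosts (constructed)
TFTP_DEVICES = "198.51.100.16/28"  # our routers that accept TFTP (constructed)

# The "easy" list from the post: every TFTP request is denied unless it
# comes from management. Short to write, but the deny also catches
# customers' outbound TFTP to servers that are not ours.
COARSE_ACL = [
    Rule("permit", MGMT, "any", "udp", TFTP),
    Rule("deny", "any", "any", "udp", TFTP),
    Rule("permit", "any", "any"),   # everything else transits
]

# The scoped list: the deny is limited to the devices that actually speak
# TFTP. More to maintain (the device list must be kept current) but it
# leaves customer-to-third-party traffic alone.
SCOPED_ACL = [
    Rule("permit", MGMT, TFTP_DEVICES, "udp", TFTP),
    Rule("deny", "any", TFTP_DEVICES, "udp", TFTP),
    Rule("permit", "any", "any"),
]


def compare(p: Packet) -> dict[str, str]:
    """Verdict of each list for one packet, keyed by list name."""
    return {"coarse": evaluate(COARSE_ACL, p), "scoped": evaluate(SCOPED_ACL, p)}


# Constructed traffic: a management host configuring a router, an internet
# host probing the same router, and a customer CPE sending its initial
# TFTP read request to a hypothetical off-net config server.
MGMT_TO_ROUTER = Packet("198.51.100.5", "198.51.100.20", "udp", TFTP)
INTERNET_TO_ROUTER = Packet("192.0.2.99", "198.51.100.20", "udp", TFTP)
CPE_CONFIG_FETCH = Packet("203.0.113.50", "192.0.2.10", "udp", TFTP)
CPE_SIP = Packet("203.0.113.50", "192.0.2.10", "udp", 5060)

if __name__ == "__main__":
    for name, pkt in [("mgmt->router", MGMT_TO_ROUTER),
                      ("internet->router", INTERNET_TO_ROUTER),
                      ("cpe->config server", CPE_CONFIG_FETCH),
                      ("cpe->sip", CPE_SIP)]:
        print(f"{name:20s} {compare(pkt)}")
```

Both lists stop the internet host reaching our router on port 69 and both let management through; only the coarse one also drops the customer's config fetch. One caveat a practitioner should keep in mind: matching destination port 69 only catches the initial read/write request. The transfer itself runs between two ephemeral ports (the TFTP server answers from a fresh port, per RFC 1350), so a stateless border ACL can neither see nor scope that part of the exchange.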
