[77984] in North American Network Operators' Group
RE: Vonage complains about VoIP-blocking
daemon@ATHENA.MIT.EDU (Michael Hallgren)
Tue Feb 15 17:52:24 2005
From: "Michael Hallgren" <m.hallgren@free.fr>
To: "'Bruce Campbell'" <bc-nanog@vicious.dropbear.id.au>,
<nanog@merit.edu>
Date: Tue, 15 Feb 2005 23:50:36 +0100
In-Reply-To: <20050216082438.S94606@zinarktei.zerlargal.org>
Errors-To: owner-nanog-outgoing@merit.edu
>
> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
>
> > > On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > >
> > > > > Something else to consider. We block TFTP at our border for
> > > > > security reasons and we've found that this prevents Vonage from
> > > > > working.
> >
> > > Vonage devices initiate an outbound TFTP connection back to Vonage
> > > to snarf their configs on initial connection and also
> > > (presumably) on reboot.
> >
> > I tested the reboot. I didn't see it. I agree in general and think
> > that providers shouldn't block tftp, IMHO.
>
> Traditionally, tftp has been used by networks as a
> configuration/boot mechanism of their local equipment, with
> customers rarely using it (at least, that's been my experience).
.
>
> Hence, most people writing the acls are concerned with
> protecting their own equipment, and getting the most out of
> their routers. Having acls that block all tftp except from
> your management IPs is a lot easier than acls that block all
> tftp to your tftpable devices except from your management IPs.
.
>
> Introducing new devices that are intended to trust that big,
> bad, easily spoofable internet using non-secured protocols
> such as tftp in order to get their configuration from a
> non-local server shows a degree of trust not seen since the
> Famous Five, the BabySitters Club and pre '96 O'Reilly books
> on writing internet protocols.
:)
mh
>
> --==--
> Bruce.
>
>