[78013] in North American Network Operators' Group


Re: Vonage complains about VoIP-blocking

daemon@ATHENA.MIT.EDU (Eric Gauthier)
Tue Feb 15 22:52:59 2005

Date: Tue, 15 Feb 2005 22:50:39 -0500
From: Eric Gauthier <eric@roxanne.org>
To: Daniel Golding <dgolding@burtongroup.com>
Cc: nanog@merit.edu
In-Reply-To: <BE37D139.7E56%dgolding@burtongroup.com>
Errors-To: owner-nanog-outgoing@merit.edu


> Why block TFTP at your borders? To keep people from loading new versions of
> IOS on your routers? ;)
> 
> Not trying to be flippant, but what's the basis for this?

This is a really good question :)

In our particular case, it was not to protect the network as others suggested.
We do ACL our equipment, keep updated code, use private IPs where necessary,
etc.  We're a University network, but we're not completely insane ;)  Of course
we don't let random hosts TFTP to our gear...

A while ago (18 months maybe?) our security team argued that filtering 
TFTP connections between subnets on our campus would slow down the spread of
computer worms/viruses as many were using TFTP as part of their propagation
vector.  The decision was made that the trade off between the end-to-end 
principle (we didn't have a good counter at the time citing a particular
application that was used and would break) and helping contain virus outbreaks 
was worth filtering, so the filter was put into place.  No one has complained
yet, so the filter has stayed in place.

Eric :)
