[use telnet+ACL instead of SSH]
While this protects the router such that it allows packets in only from known addresses, it does not allow packets in only from known MACHINES. Addresses can be spoofed. Vendor C (at least in recent history) did/does not allow binding of the host stack only to specific interfaces. Thus it is (if you are determined) not impossible to spoof a telnet session, especially if the first thing you do is inject a return route. This is why we were all good chaps and secured our BGP sessions, remember? Of course SSH should ALSO be secured so it only comes from known source addresses, mainly for administrative reasons (I'd like to know just WHICH NOC member of staff logged in from where and when).
There are still possible man in the middle attacks that cannot be protected against by SSH. Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router. Ooops!
Umm, I get seriously worried when people suggest they allow people with router access to telnet from box A to box B, then SSH to a router. Firstly, they should be logging into a secure set of machines first in all sensible security models I've seen (even if an ACL doesn't force them to do that, they should do it as good practice). Before you say "that requires them to have connectivity to those machines in the case of network meltdown", in all sensible authentication schemes the router is going to challenge some remote box(es) anyway, and you can provide multiple such boxes - anything beyond that is failover.
But the major point is: what kind of people do you (a) give enable access on your router, and (b) do not appreciate that telnet, then ssh, is a seriously bad idea in terms of security (and can't instead install ssh on whatever box it is). Are engineers really that dumb these days? Doing that sort of thing was a disciplinary offence last time I ran a large network - not something to try and work around with security policy. Note we even had this degree of protection (no passwords in the clear over wires not controlled by us) when IOS did not even have an ssh build.
Alex