On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Something else to consider. We block TFTP at our border for security reasons and we've found that this prevents Vonage from working.
Vonage devices initiate an outbound TFTP connection back to Vonage to snarf their configs on initial connection and also (presumably) on reboot.
I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
Traditionally, tftp has been used by networks as a configuration/boot mechanism of their local equipment, with customers rarely using it (at least, that's been my experience).
Hence, most people writing the acls are concerned with protecting their own equipment, and getting the most out of their routers. Having acls that block all tftp except from your management IPs is a lot easier than acls that block all tftp to your tftpable devices except from your management IPs.
Introducing new devices that are intended to trust that big, bad, easily spoofable internet using non-secured protocols such as tftp in order to get their configuration from a non-local server shows a degree of trust not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly books on writing internet protocols.
:) mh
--==-- Bruce.
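To make the ACL distinction in the thread concrete (a blanket "TFTP only from management IPs" border filter versus one that only protects the operator's own TFTP-capable devices), here is an added Python illustration that is not part of the original thread. It parses TFTP read/write requests (RFC 1350 opcodes 1 and 2) out of constructed UDP datagrams and applies both policies; all addresses and filenames are assumed sample values, and the customer ATA fetching its config from a remote provider is the case the two policies treat differently.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the thread).
MGMT_NETS = [ip_network("192.0.2.0/28")]            # hosts allowed to TFTP to our gear
TFTPABLE_DEVICES = [ip_network("198.51.100.0/24")]  # our routers/switches that speak TFTP
TFTP_PORT = 69
RRQ, WRQ = 1, 2

def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ: 2-byte opcode, NUL-terminated filename and mode."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None                      # DATA/ACK/ERROR are not requests
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:                  # filename, mode, trailing empty piece
        return None
    return {"opcode": opcode,
            "filename": fields[0].decode(errors="replace"),
            "mode": fields[1].decode(errors="replace").lower()}

def in_any(ip, nets):
    return any(ip_address(ip) in n for n in nets)

def blanket_policy(src, dst):
    """Border ACL from the thread: permit TFTP only from management IPs."""
    return "permit" if in_any(src, MGMT_NETS) else "deny"

def targeted_policy(src, dst):
    """Narrower ACL: deny TFTP to our own devices unless from management; pass the rest."""
    if in_any(dst, TFTPABLE_DEVICES) and not in_any(src, MGMT_NETS):
        return "deny"
    return "permit"

def evaluate(datagrams, policy):
    """Return (src, dst, filename, decision) for every TFTP request in the datagrams."""
    decisions = []
    for src, dst, dport, payload in datagrams:
        req = parse_tftp_request(payload) if dport == TFTP_PORT else None
        if req is not None:
            decisions.append((src, dst, req["filename"], policy(src, dst)))
    return decisions

def rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    return struct.pack("!H", RRQ) + filename + b"\x00" + mode + b"\x00"

SAMPLE = [  # constructed datagrams: (src, dst, dst_port, payload)
    ("192.0.2.5", "198.51.100.1", TFTP_PORT, rrq(b"router-confg")),        # mgmt pulls a config
    ("203.0.113.7", "198.51.100.1", TFTP_PORT, rrq(b"router-confg")),      # outsider probes our router
    ("198.51.100.77", "203.0.113.200", TFTP_PORT, rrq(b"ata-config.cfg")),  # customer ATA fetches its config
    ("198.51.100.77", "203.0.113.200", 5060, b"INVITE sip:example"),       # not TFTP, ignored
]
```

Running `evaluate(SAMPLE, blanket_policy)` denies the customer ATA's outbound request along with the outsider's probe, while `targeted_policy` denies only the probe.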