On Tue, 15 Feb 2005 16:18:01 -0500 Daniel Golding <dgolding@burtongroup.com> wrote:
Why block TFTP at your borders? To keep people from loading new versions of IOS on your routers? ;)
Fear.
Not trying to be flippant, but what's the basis for this?
In addition to what others have said: the T in TFTP and the use of UDP is a clue as to why you'd want to use TFTP. It's relatively lightweight and relatively simple to implement on a small platform with limited resources. It is not required to run TCP, after all. It could be possible to build a relatively trustworthy TFTP process without having to expose the device to TCP-based processes that typically get used for SSH or HTTPS. Since the TCP-based methods tend to contain more code and are thus more complex, vulnerabilities may be more likely.

I'll also point out that implementations will use port 69 in a single packet, the one from the client that initially does the write or read. That means if you really must filter, you might be able to get away with filtering the destination port in a particular direction that is most dangerous for you.

John
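The port-69 behaviour John describes is easy to verify by modelling a TFTP read (RFC 1350) datagram by datagram. The following is an added illustration, not code from the thread: it encodes and parses an RRQ/WRQ, simulates the RRQ / DATA / ACK exchange with the server answering from a fresh transfer ID, and then applies a stateless "deny udp any any eq 69" ACL in one direction to see which packets it would drop. The client and server port numbers, the filename and the file contents are constructed sample values.

```python
import struct

# TFTP opcodes (RFC 1350) and the well-known request port
RRQ, WRQ, DATA, ACK = 1, 2, 3, 4
TFTP_PORT = 69
BLOCK = 512


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ/WRQ: opcode | filename | NUL | mode | NUL."""
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def parse_request(payload):
    """Decode an RRQ/WRQ and reject anything else; returns (opcode, filename, mode)."""
    if len(payload) < 4:
        raise ValueError("too short to be a TFTP request")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode %d is not RRQ/WRQ" % opcode)
    fields = payload[2:].split(b"\0")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def simulate_read(file_bytes, client_port=49152, server_tid=50000, client_outside=True):
    """Model every datagram of one TFTP read (constructed ports and file).

    Direction is from the filtering router's point of view:
    'in' = arriving from outside, 'out' = leaving the network.
    """
    req_dir, resp_dir = ("in", "out") if client_outside else ("out", "in")
    pkts = [dict(dir=req_dir, sport=client_port, dport=TFTP_PORT, op="RRQ",
                 payload=build_request(RRQ, "startup-config"))]
    chunks = [file_bytes[i:i + BLOCK] for i in range(0, len(file_bytes), BLOCK)]
    if not chunks or len(chunks[-1]) == BLOCK:
        chunks.append(b"")  # a block shorter than 512 bytes ends the transfer
    for n, chunk in enumerate(chunks, 1):
        # The server answers from a freshly chosen TID, never from port 69,
        # and the client ACKs to that TID: port 69 appears only in the RRQ.
        pkts.append(dict(dir=resp_dir, sport=server_tid, dport=client_port, op="DATA",
                         payload=struct.pack("!HH", DATA, n) + chunk))
        pkts.append(dict(dir=req_dir, sport=client_port, dport=server_tid, op="ACK",
                         payload=struct.pack("!HH", ACK, n)))
    return pkts


def acl_matches(pkts, direction, dport=TFTP_PORT):
    """Stateless ACL 'deny udp any any eq <dport>' applied in one direction;
    returns the ops of the datagrams it would drop."""
    return [p["op"] for p in pkts if p["dir"] == direction and p["dport"] == dport]


if __name__ == "__main__":
    transfer = simulate_read(b"x" * 1200)          # outsider reading from an inside server
    for p in transfer:
        print("%-3s %5d -> %5d %s" % (p["dir"], p["sport"], p["dport"], p["op"]))
    print("inbound port-69 ACL drops:", acl_matches(transfer, "in"))
    print("outbound port-69 ACL drops:", acl_matches(transfer, "out"))
    inside_fetch = simulate_read(b"x" * 1200, client_outside=False)
    print("inbound ACL effect on an inside-initiated fetch:", acl_matches(inside_fetch, "in"))
```

Two things fall out of the run. An inbound filter on destination port 69 drops exactly one datagram of an outside-initiated transfer, the request, and that is enough because nothing else happens without it; the DATA and ACK datagrams never carry port 69 in either direction, so a port-69 rule cannot stop a transfer that is already under way. Applied only inbound, the same rule leaves an inside-initiated fetch from an outside server untouched, which is the directional argument in the post.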