RE: Vonage complains about VoIP-blocking
Hi;

I unplugged and reset my Vonage Motorola MTA device, and it did TFTP to home to get its configs.

-Jason

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Hannigan, Martin
Sent: Tuesday, February 15, 2005 3:14 PM
To: 'Jay Hennigan'
Cc: Eric Gauthier; nanog@merit.edu
Subject: RE: Vonage complains about VoIP-blocking

-----Original Message-----
From: Jay Hennigan [mailto:jay@west.net]
Sent: Tuesday, February 15, 2005 5:10 PM
To: Hannigan, Martin
Cc: Eric Gauthier; nanog@merit.edu
Subject: RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Something else to consider. We block TFTP at our border for security reasons and we've found that this prevents Vonage from working. Would this mean that LECs can't block TFTP?
Was that a device trying to phone home and get its configs? Cisco, Nortel, etc. phone home and get configs via TFTP.
Vonage doesn't need to phone home for config. The device is programmed (router) and it registers with the call manager. If you analyze the transactions it's about 89% SIP and 11% SDP.
Vonage devices initiate an outbound TFTP connection back to Vonage to snarf their configs on initial connection and also (presumably) on reboot.
I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
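The boot-time TFTP fetch that Jason and Jay describe, as an added example that is not code from any poster in this thread or from Vonage: a small RFC 1350 parser and an audit routine run over a constructed capture of an MTA fetching its config. It shows the practitioner's problem behind "we block TFTP at our border": only the read request goes to udp/69; the data comes back from an ephemeral server port, so a stateless port-69 ACL sees one packet of the transfer and nothing else. The addresses, ports, prefix and filename are invented for the sample.

```python
import ipaddress
import struct

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
INSIDE = ipaddress.ip_network("192.0.2.0/24")  # constructed: the customer-facing prefix


def parse_tftp(payload: bytes):
    """Decode the UDP payload of one TFTP packet (RFC 1350). Returns a dict, or None
    when the bytes are not shaped like TFTP (e.g. a SIP REGISTER on another port)."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode in (1, 2):                      # RRQ/WRQ: filename NUL mode NUL [options]
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            return None
        return {"op": OPCODES[opcode],
                "filename": fields[0].decode("latin-1"),
                "mode": fields[1].decode("latin-1").lower()}
    if opcode in (3, 4):                      # DATA/ACK: 16-bit block number
        block = struct.unpack("!H", payload[2:4])[0]
        return {"op": OPCODES[opcode], "block": block, "len": len(payload) - 4}
    if opcode == 5:                           # ERROR: code, NUL-terminated message
        code = struct.unpack("!H", payload[2:4])[0]
        msg = payload[4:].split(b"\x00")[0].decode("latin-1")
        return {"op": "ERROR", "code": code, "msg": msg}
    return None


def rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """Build a read request the way an MTA does on boot (used to construct the sample)."""
    return struct.pack("!H", 1) + filename + b"\x00" + mode + b"\x00"


# Constructed capture, (src, sport, dst, dport, udp_payload) as a border filter would
# see it. Addresses, ports and the filename are invented for this example.
SAMPLE = [
    ("192.0.2.10", 1024, "198.51.100.5", 69, rrq(b"mta/0004f2a1b2c3.cfg")),
    ("198.51.100.5", 49152, "192.0.2.10", 1024,
     struct.pack("!HH", 3, 1) + b"<encrypted config bytes>"),
    ("192.0.2.10", 1024, "198.51.100.5", 49152, struct.pack("!HH", 4, 1)),
    ("192.0.2.10", 5060, "198.51.100.9", 5060, b"REGISTER sip:example.net SIP/2.0\r\n"),
]


def audit(packets, inside=INSIDE):
    """Flag outbound config fetches and show why 'deny udp any any eq 69' is a blunt tool:
    only the request goes to port 69; the data comes back from an ephemeral server port."""
    findings = []
    pending = {}  # (client_ip, client_port, server_ip) -> requested filename
    for src, sport, dst, dport, payload in packets:
        msg = parse_tftp(payload)
        if msg is None:
            continue
        if msg["op"] == "RRQ" and dport == TFTP_PORT and ipaddress.ip_address(src) in inside:
            pending[(src, sport, dst)] = msg["filename"]
            findings.append("%s requested %s (%s) from %s:%d: config phone-home"
                            % (src, msg["filename"], msg["mode"], dst, dport))
        elif msg["op"] == "DATA" and (dst, dport, src) in pending and sport != TFTP_PORT:
            findings.append("%s:%d returned block %d of %s from an ephemeral port, so a "
                            "stateless rule on udp/69 sees only the request"
                            % (src, sport, msg["block"], pending[(dst, dport, src)]))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run stand-alone it prints the two findings for the constructed capture. The second finding is the one that matters for a border filter: if the ACL matches on destination port 69 in both directions, it blocks the boot fetch outright; if it only matches on outbound requests, nothing is blocked at all once the request is allowed. Either way, a port-69 rule is not a clean switch for "TFTP", which is why the usual answer is a TFTP-aware stateful helper or a policy on the provisioning server addresses rather than on the port.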
Is there any move on the part of providers/manufacturers to use more secure protocols for this?

- Dan

On 2/15/05 5:22 PM, "Jason L. Schwab" <jlschwab@jlschwab.com> wrote:
Hi;
I unplugged and reset my vonage Motorola MTA device, and it did tftp to home to get its configs.
-Jason
-- Daniel Golding Network and Telecommunications Strategies Burton Group
ssh, or other schemes of enhanced security...?

mh

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Daniel Golding
Sent: Tuesday, 15 February 2005 23:39
To: Jason L. Schwab; Martin Hannigan
Cc: nanog@merit.edu
Subject: Re: Vonage complains about VoIP-blocking
Is there any move on the part of providers/manufacturers to use more secure protocols for this?
- Dan
On Tue, 15 Feb 2005, Michael Hallgren wrote:
ssh, or other schemes of enhanced security...?
We have some that use https, but that is about as secure as it gets. We also encrypt config files, so that helps.

Nathan Stratton
BroadVoice, Inc.
nathan at robotics.net
Talk IS Cheap
http://www.robotics.net http://www.broadvoice.com
We have some that use https, but that is as about as secure as it gets. We also encrypt config files, so that helps.
Likely (at least for the time being :) better than nothing (or, of course, than the use of naked protocols). My (inherited) point is that these kinds of things belong to the edge rather than to network security enforcement/considerations.

mh
On Feb 15, 2005, at 4:45 PM, Michael Hallgren wrote:
ssh, or other schemes of enhanced security...?
How about encrypted config files loaded via tftp? (Which is what the Motorola unit actually does.)

-Chris

--
Chris Parker
Director, Engineering
StarNet, A Service of US LEC
(888)212-0099 Fax (847)963-1302
Wholesale Internet Services http://www.megapop.net
VoiceEclipse, The Fresh Alternative http://www.voiceeclipse.com
Or even sftp. This could enhance the security and still allow the "tftp" style of getting the configs. I know it's not widely used (if at all in this scenario) but it could be a fix.

On Tue, 15 Feb 2005 23:45:16 +0100 "Michael Hallgren" <m.hallgren@free.fr> wrote:

MH>
MH> ssh, or other schemes of enhanced security...?
MH>
MH> mh

--
-C. Hagel
-JNCIP #103
-<nanog@lordkron.net>
Thus spake "C. Hagel" <nanog@lordkron.net>
Or even sftp. This could enhance the security and still allow the "tftp" style of getting the conigs. I know it's not widely used (if at all in this scenario) but it could be a fix.
I would think that HTTPS is both closer to the TFTP model (ask for a file, slurp it down over the same socket) than either FTP/SSL or FTP/SSH and also easier to implement. If all one is doing is checking if a file is changed and then grabbing a new copy if needed, HTTP is pretty darn simple, and there are several HTTPS libraries with BSD licenses one can easily incorporate into commercial products. HTTPS also has the benefit that any potential customer can be expected to already have a server available or would be willing to put one up. I've run into a lot of resistance from operators with FTP -- they actually prefer TFTP if those are the only choices -- and wouldn't want to teach them how to properly install FTP/SSL or FTP/SSH. We live in a port 80/443 world.

S

Stephen Sprunk, CCIE #3723, K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
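The "check whether the file changed, then grab it" model Stephen describes, together with the point behind Nathan's and Chris's encrypted config files, as an added example that is not code from any of the posters, from Vonage or from BroadVoice: a loopback `http.server` stands in for the provisioning server (plain HTTP on 127.0.0.1 here; TLS on 443 is what the thread assumes in production), the device side does a conditional GET with `If-None-Match`, and the file carries an HMAC-SHA256 tag keyed by a per-device secret. The key, the config contents, the URL and the ETag scheme are constructed. The caveat it illustrates: encrypting the file keeps the SIP credentials away from a sniffer, but on its own it does not let the MTA tell a genuine file from one substituted by whoever can answer its fetch; the MAC check is what provides that, and it works the same whether the transport is TFTP or HTTPS.

```python
import hashlib
import hmac
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed for this example: a per-device key assumed to be provisioned at
# manufacture, and a config body with the kind of SIP credentials an MTA fetches.
DEVICE_KEY = b"example-per-device-provisioning-key"
CONFIG_BODY = b"sip_proxy=sip.example.net\nsip_user=1000\nsip_pass=s3cret\n"


def sign_config(body: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Append an HMAC-SHA256 tag. Encryption alone hides the body; the tag is what
    lets the device reject a file that was tampered with or served by an impostor."""
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"#hmac=" + tag + b"\n"


def verify_config(blob: bytes, key: bytes = DEVICE_KEY):
    """Return the config body if the trailing tag verifies, otherwise None."""
    body, sep, tail = blob.rpartition(b"#hmac=")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tail.strip()):
        return None
    return body


class ConfigHandler(BaseHTTPRequestHandler):
    """Provisioning server: one signed file, a strong ETag, 304 when it has not changed."""
    blob = sign_config(CONFIG_BODY)

    def do_GET(self):
        etag = '"%s"' % hashlib.sha256(self.blob).hexdigest()[:16]
        if self.headers.get("If-None-Match") == etag:
            self.send_response(304)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("ETag", etag)
        self.send_header("Content-Length", str(len(self.blob)))
        self.end_headers()
        self.wfile.write(self.blob)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_if_changed(url: str, etag=None, key: bytes = DEVICE_KEY):
    """Device side: conditional GET. Returns (status, etag, verified_body_or_None).
    On 304 the cached config stays in force; on 200 the body is applied only if it verifies."""
    req = Request(url)
    if etag:
        req.add_header("If-None-Match", etag)
    try:
        with urlopen(req, timeout=5) as resp:
            return 200, resp.headers.get("ETag"), verify_config(resp.read(), key)
    except HTTPError as err:
        if err.code == 304:        # urllib raises on any non-2xx, including 304
            return 304, etag, None
        raise


def run_demo():
    """First boot fetches the file; a reboot with the cached ETag gets 304; a tampered
    copy (one digit of the SIP user changed) fails verification and is not applied."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ConfigHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/mta.cfg" % server.server_address[1]
    try:
        first_status, etag, body = fetch_if_changed(url)
        second_status, _, _ = fetch_if_changed(url, etag)
    finally:
        server.shutdown()
        server.server_close()
    tampered = sign_config(CONFIG_BODY).replace(b"sip_user=1000", b"sip_user=1001")
    return {
        "first": first_status,
        "second": second_status,
        "body": body,
        "tampered_accepted": verify_config(tampered) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

The ETag is a hash of the served bytes, so a change to the file changes the tag and the next poll gets a fresh 200; a device that polls on a timer costs the server one header exchange per interval while nothing changes, which is the cheapness Stephen is pointing at. Replacing the HMAC with a signature from a key the device only holds the public half of would let the server side be compromised without minting valid configs for every device, at the cost of a signature verification on the box.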
participants (7)
- C. Hagel
- Chris Parker
- Daniel Golding
- Jason L. Schwab
- Michael Hallgren
- Nathan Allen Stratton
- Stephen Sprunk