RE: Vonage complains about VoIP-blocking
-----Original Message-----
From: Jay Hennigan [mailto:jay@west.net]
Sent: Tuesday, February 15, 2005 5:10 PM
To: Hannigan, Martin
Cc: Eric Gauthier; nanog@merit.edu
Subject: RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Something else to consider. We block TFTP at our border for security reasons and we've found that this prevents Vonage from working. Would this mean that LECs can't block TFTP?
Was that a device trying to phone home and get its configs? Cisco, Nortel, etc. phone home and get configs via tftp.
Vonage doesn't need to phone home for config. The device is programmed (router) and it registers with the call manager. If you analyze the transactions it's about 89% SIP and 11% SDP.
Vonage devices initiate an outbound TFTP connection back to Vonage to snarf their configs on initial connection and also (presumably) on reboot.
I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Something else to consider. We block TFTP at our border for security reasons and we've found that this prevents Vonage from working.
Vonage devices initiate an outbound TFTP connection back to Vonage to snarf their configs on initial connection and also (presumably) on reboot.
I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
Traditionally, tftp has been used by networks as a configuration/boot mechanism of their local equipment, with customers rarely using it (at least, that's been my experience).

Hence, most people writing the acls are concerned with protecting their own equipment, and getting the most out of their routers. Having acls that block all tftp except from your management IPs is a lot easier than acls that block all tftp to your tftpable devices except from your management IPs.

Introducing new devices that are intended to trust that big, bad, easily spoofable internet using non-secured protocols such as tftp in order to get their configuration from a non-local server shows a degree of trust not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly books on writing internet protocols.

--==-- Bruce.
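The two ACL styles Bruce contrasts, and the collateral damage Eric reported, can be modelled with a small stateless first-match filter. This is an added example, not code from the thread or from any of the posters; every prefix, address and device role in it is constructed (RFC 5737 documentation ranges), and the provider's config server address is a stand-in, not Vonage's. The evaluator applies the same rule set to traffic in both directions, which is how "block TFTP at our border" was read in the thread; the comments note what changes if the coarse ACL is applied inbound only.

```python
"""Stateless first-match model of two TFTP border-ACL styles.

Style 1 (coarse): deny every UDP/69 request crossing the border unless it
comes from management. Easy to write, but it also kills a customer device
fetching its config from its own provider's TFTP server.

Style 2 (targeted): deny UDP/69 only toward the hosts that really run a
TFTP service (our own routers), again excepting management. More ACL
entries to maintain, but customer traffic is untouched.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TFTP_PORT = 69  # RRQ/WRQ go to UDP/69; the data transfer moves to ephemeral ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR prefix or "any"
    dst: str              # CIDR prefix or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        return _in(p.src, self.src) and _in(p.dst, self.dst)


def _in(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; implicit permit so only TFTP is affected."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "permit"


# Constructed topology (documentation prefixes, not real networks)
MGMT = "192.0.2.0/28"            # NOC hosts allowed to push configs via TFTP
OUR_ROUTERS = "198.51.100.0/27"  # our own TFTP-capable network gear
PROVIDER_TFTP = "203.0.113.10"   # hypothetical VoIP provider's config server
INTERNET_HOST = "203.0.113.77"   # arbitrary outside host
CUSTOMER_ATA = "198.51.100.130"  # a customer's phone adapter on our network

# Style 1: "block all tftp except from your management IPs"
COARSE_ACL = [
    Rule("permit", MGMT, "any", TFTP_PORT),
    Rule("deny", "any", "any", TFTP_PORT),
]

# Style 2: "block all tftp to your tftpable devices except from your management IPs"
TARGETED_ACL = [
    Rule("permit", MGMT, OUR_ROUTERS, TFTP_PORT),
    Rule("deny", "any", OUR_ROUTERS, TFTP_PORT),
]

# Constructed sample flows, both directions through the border
FLOWS = {
    "internet_rrq_to_our_router": Packet(INTERNET_HOST, "198.51.100.5", TFTP_PORT),
    "mgmt_rrq_to_our_router": Packet("192.0.2.3", "198.51.100.5", TFTP_PORT),
    # Outbound request from the customer device to its provider. If the
    # coarse ACL were applied inbound only, this would pass; applied at the
    # border in both directions it is the collateral damage from the thread.
    "customer_ata_rrq_to_provider": Packet(CUSTOMER_ATA, PROVIDER_TFTP, TFTP_PORT),
    # The server answers from a fresh ephemeral port to the client's ephemeral
    # port, so a dst-port-69 filter never sees the data phase at all.
    "provider_data_back_to_ata": Packet(PROVIDER_TFTP, CUSTOMER_ATA, 40001),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Return {flow name: (coarse verdict, targeted verdict)} for every sample flow."""
    return {
        name: (evaluate(COARSE_ACL, pkt), evaluate(TARGETED_ACL, pkt))
        for name, pkt in FLOWS.items()
    }


if __name__ == "__main__":
    for name, (coarse, targeted) in compare().items():
        print(f"{name:32} coarse={coarse:6} targeted={targeted}")
```

Both styles stop the outside host's request to our router and let the NOC through; only the targeted ACL leaves the customer's outbound provisioning request alone. The last flow is the reason a stateless dst-port filter is only half a TFTP policy: the data phase runs between two ephemeral ports and matches neither rule set.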
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
Something else to consider. We block TFTP at our border for security reasons and we've found that this prevents Vonage from working.
Vonage devices initiate an outbound TFTP connection back to Vonage to snarf their configs on initial connection and also (presumably) on reboot.
I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
Traditionally, tftp has been used by networks as a configuration/boot mechanism of their local equipment, with customers rarely using it (at least, that's been my experience).
Hence, most people writing the acls are concerned with protecting their own equipment, and getting the most out of their routers. Having acls that block all tftp except from your management IPs is a lot easier than acls that block all tftp to your tftpable devices except from your management IPs.
Introducing new devices that are intended to trust that big, bad, easily spoofable internet using non-secured protocols such as tftp in order to get their configuration from a non-local server shows a degree of trust not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly books on writing internet protocols.
:) mh
--==-- Bruce.
Thus spake "Bruce Campbell" <bc-nanog@vicious.dropbear.id.au>
Introducing new devices that are intended to trust that big, bad, easily spoofable internet using non-secured protocols such as tftp in order to get their configuration from a non-local server shows a degree of trust not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly books on writing internet protocols.
Unfortunately, TFTP is the only protocol that many phone vendors implement -- and VoIP operators aren't happy about it. Some vendors have started implementing HTTP(S), but it's far from common at this point.

S

Stephen Sprunk, CCIE #3723, K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
On Tue, 15 Feb 2005, Stephen Sprunk wrote:
Thus spake "Bruce Campbell" <bc-nanog@vicious.dropbear.id.au>
Introducing new devices that are intended to trust that big, bad, easily spoofable internet using non-secured protocols such as tftp in order to get their configuration from a non-local server shows a degree of trust not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly books on writing internet protocols.
Unfortunately, TFTP is the only protocol that many phone vendors implement -- and VoIP operators aren't happy about it. Some vendors have started implementing HTTP(S), but it's far from common at this point.
Odd, we have over 100 different user agents on our network today and I would say that most of the devices we are working with today support something other than tftp.

-Nathan
participants (5)
- Bruce Campbell
- Hannigan, Martin
- Michael Hallgren
- Nathan Allen Stratton
- Stephen Sprunk