RE: Vonage complains about VoIP-blocking

> > > > Something else to consider. We block TFTP at our border for
> > > > security reasons and we've found that this prevents Vonage from
> > > > working.
>
> > Vonage devices initiate an outbound TFTP connection back to Vonage
> > to snarf their configs on initial connection and also
> > (presumably) on reboot.
>
> I tested the reboot. I didn't see it. I agree in general and think
> that providers shouldn't block tftp, IMHO.

Traditionally, tftp has been used by networks as a
configuration/boot mechanism of their local equipment, with
customers rarely using it (at least, that's been my experience).

Hence, most people writing the acls are concerned with
protecting their own equipment, and getting the most out of
their routers. Having acls that block all tftp except from
your management IPs is a lot easier than acls that block all
tftp to your tftpable devices except from your management IPs.

Introducing new devices that are intended to trust that big,
bad, easily spoofable internet using non-secured protocols
such as tftp in order to get their configuration from a
non-local server shows a degree of trust not seen since the
Famous Five, the BabySitters Club and pre '96 O'Reilly books
on writing internet protocols.

:)

mh
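A small model of the two ACL styles contrasted in the message above, added here as an example and not taken from the thread: the "easy" ACL that drops all TFTP unless it comes from the management range, and the "harder" one that only filters TFTP aimed at the provider's own tftp-capable devices. The provider addressing, the management range, the device list, the vendor server address and the sample flows are all constructed assumptions.

```python
# Added example (not from the NANOG thread): a model of the two border ACL
# styles discussed above, evaluated over constructed TFTP flows.
# All addresses below are constructed (RFC 5737 / RFC 6598 ranges), not any
# real provider's or vendor's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TFTP_PORT = 69  # TFTP read/write requests go to UDP/69 (RFC 1350); the
                # server answers from an ephemeral port, so dropping the
                # request alone is enough to break the whole transfer.


@dataclass(frozen=True)
class Flow:
    """First packet of a flow as a stateless ACL would see it."""
    src: str
    dst: str
    dport: int
    proto: str = "udp"


# Assumed provider layout.
MANAGEMENT_NET = ip_network("192.0.2.0/28")          # NOC / management hosts
TFTP_CAPABLE_DEVICES = [ip_address("198.51.100.1"),  # provider routers that
                        ip_address("198.51.100.2")]  # accept TFTP for config/boot
CUSTOMER_NET = ip_network("203.0.113.0/24")          # customer address pool


def blanket_acl(flow: Flow) -> bool:
    """'Block all tftp except from your management IPs' (the easy ACL).
    Returns True when the packet is permitted."""
    if flow.proto != "udp" or flow.dport != TFTP_PORT:
        return True
    return ip_address(flow.src) in MANAGEMENT_NET


def targeted_acl(flow: Flow) -> bool:
    """'Block all tftp to your tftpable devices except from your management
    IPs' (the harder ACL): it needs an up-to-date list of the provider's own
    TFTP-capable devices, but leaves everyone else's TFTP alone."""
    if flow.proto != "udp" or flow.dport != TFTP_PORT:
        return True
    if ip_address(flow.dst) in TFTP_CAPABLE_DEVICES:
        return ip_address(flow.src) in MANAGEMENT_NET
    return True


# Constructed flows crossing the provider border.
SAMPLE_FLOWS = {
    # legitimate management access to a provider router
    "noc_to_router": Flow("192.0.2.5", "198.51.100.1", TFTP_PORT),
    # unsolicited TFTP from the internet to a provider router
    "internet_to_router": Flow("100.64.0.9", "198.51.100.1", TFTP_PORT),
    # a customer's VoIP adapter fetching its config from its vendor's server
    "customer_ata_to_vendor": Flow("203.0.113.77", "100.64.0.20", TFTP_PORT),
}


def evaluate(policy) -> dict:
    """Map each sample flow name to True (permitted) / False (dropped)."""
    return {name: policy(flow) for name, flow in SAMPLE_FLOWS.items()}


def collateral_damage() -> list:
    """Flows the blanket ACL drops that the targeted ACL would have passed."""
    blanket, targeted = evaluate(blanket_acl), evaluate(targeted_acl)
    return sorted(n for n in blanket if not blanket[n] and targeted[n])


if __name__ == "__main__":
    for name, policy in (("blanket", blanket_acl), ("targeted", targeted_acl)):
        print(f"{name:9s}", evaluate(policy))
    print("collateral:", collateral_damage())
```

Both ACLs protect the provider's routers from stray TFTP; the difference is the customer flow, which the blanket rule drops and the targeted rule passes. The price of the targeted rule is the device list it depends on, which is the maintenance burden the message above is pointing at.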

Thus spake "Bruce Campbell" <bc-nanog@vicious.dropbear.id.au>

> Introducing new devices that are intended to trust that big, bad, easily
> spoofable internet using non-secured protocols such as tftp in order to
> get their configuration from a non-local server shows a degree of trust
> not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly
> books on writing internet protocols.

Unfortunately, TFTP is the only protocol that many phone vendors
implement -- and VoIP operators aren't happy about it. Some vendors have
started implementing HTTP(S), but it's far from common at this point.

S

Stephen Sprunk
CCIE #3723
K5SSS
"Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin

Odd, we have over 100 different user agents on our network today and I
would say that most of the devices we are working with today support
something other than tftp.

-Nathan