Hi;
I unplugged and reset my Vonage Motorola MTA device, and it did tftp to
home to get its configs.
-Jason
> Hi;
> I unplugged and reset my Vonage Motorola MTA device, and it did tftp to
> home to get its configs.
> -Jason
Is there any move on the part of providers/manufacturers to use more secure
protocols for this?
- Dan
ssh, or other schemes of enhanced security...?
mh
> ssh, or other schemes of enhanced security...?
We have some that use https, but that is about as secure as it gets. We
also encrypt config files, so that helps.
Nathan Stratton BroadVoice, Inc.
nathan at robotics.net Talk IS Cheap
http://www.robotics.net http://www.broadvoice.com
> ssh, or other schemes of enhanced security...?
> We have some that use https, but that is about as secure
> as it gets. We also encrypt config files, so that helps.
Likely (at least for the time being) better than nothing (or of
course use of naked protocols). My (inherited) point is that these
kind of things belong to edge rather than network security
enforcement/considerations.
mh
How about encrypted config files loaded via tftp?
( Which is what the Motorola unit actually does ).
-Chris
Or even sftp. This could enhance the security and still allow the "tftp"
style of getting the configs. I know it's not widely used (if at all in
this scenario) but it could be a fix.
Thus spake "C. Hagel" <nanog@lordkron.net>
> Or even sftp. This could enhance the security and still allow the "tftp"
> style of getting the configs. I know it's not widely used (if at all in
> this scenario) but it could be a fix.
I would think that HTTPS is both closer to the TFTP model (ask for a file,
slurp it down over the same socket) than either FTP/SSL or FTP/SSH and also
easier to implement. If all one is doing is checking if a file is changed
and then grabbing a new copy if needed, HTTP is pretty darn simple, and
there are several HTTPS libraries with BSD licenses one can easily
incorporate into commercial products.
HTTPS also has the benefit that any potential customer can be expected to
already have a server available or would be willing to put one up. I've run
into a lot of resistance from operators with FTP -- they actually prefer
TFTP if those are the only choices -- and wouldn't want to teach them how to
properly install FTP/SSL or FTP/SSH.
We live in a port 80/443 world.
S
Stephen Sprunk "Stupid people surround themselves with smart
CCIE #3723 people. Smart people surround themselves with
K5SSS smart people who disagree with them." --Aaron Sorkin
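The "check if a file is changed and then grab a new copy" pattern over HTTPS, as an added example that is not part of the original thread or any vendor's code: a conditional GET with server certificate verification. The function names, the size cap and the use of an ETag as the change indicator are assumptions made for illustration.

```python
import http.client
import ssl

MAX_CONFIG_BYTES = 64 * 1024  # assumed cap; a device config should be small


def provisioning_tls_context(ca_file=None):
    """TLS context that authenticates the provisioning server."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restated so they are not relaxed.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_if_changed(conn, path, etag=None):
    """Return (body, etag); body is None when the server answers 304."""
    headers = {"If-None-Match": etag} if etag else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    if resp.status == 304:          # unchanged: keep the config already on the device
        resp.read()
        return None, etag
    if resp.status != 200:
        raise RuntimeError(f"provisioning server returned {resp.status}")
    body = resp.read(MAX_CONFIG_BYTES + 1)
    if len(body) > MAX_CONFIG_BYTES:
        raise RuntimeError("config larger than expected, refusing it")
    return body, resp.getheader("ETag")


def poll(host, path, etag=None, ca_file=None):
    """One poll over HTTPS; host and path are supplied by the caller."""
    conn = http.client.HTTPSConnection(
        host, 443, timeout=10, context=provisioning_tls_context(ca_file))
    try:
        return fetch_if_changed(conn, path, etag)
    finally:
        conn.close()
```

Unlike a TFTP fetch, the device here refuses a server whose certificate does not verify against the CA bundle it ships with, which addresses authenticity of the source rather than only confidentiality of the file.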