North American Network Operators Group


Re: Vonage complains about VoIP-blocking

  • From: John Kristoff
  • Date: Tue Feb 15 19:23:39 2005

On Tue, 15 Feb 2005 16:18:01 -0500
Daniel Golding <dgolding@burtongroup.com> wrote:

> Why block TFTP at your borders? To keep people from loading new versions of
> IOS on your routers? ;)

Fear.

> Not trying to be flippant, but what's the basis for this?

In addition to what others have said, the T in TFTP and the use of UDP
are a clue as to why you'd want to use TFTP.  It's relatively lightweight
and relatively simple to implement on a small platform with limited
resources.  It is not required to run TCP after all.  It could be possible
to build a relatively trustworthy TFTP process without having to expose
the device to the TCP-based processes that typically get used for SSH or HTTPS.
Since the TCP-based methods tend to contain more code and are thus more complex,
vulnerabilities may be more likely.

I'll also point out that implementations will use port 69 in a single packet,
the initial one from the client, the write or read.  That means if you
really must filter, you might be able to get away with filtering the
destination port in a particular direction that is most dangerous for you.

John
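The port 69 point above is worth seeing in packet terms. The following is an added example, not code from the post or from any TFTP implementation: it encodes and decodes RFC 1350 request, DATA and ACK packets, builds the packet sequence of one read transfer, and runs it through a constructed border rule that drops UDP entering the protected prefix with destination port 69. The addresses, prefix and transfer identifiers (TIDs) are made up for illustration; the rule's direction semantics are an assumption about how such a filter would be written.

```python
"""TFTP request packets and the one-direction port-69 filter.

Added example (not from the original NANOG post). Packet layout follows
RFC 1350; addresses, prefix, TIDs and the border rule itself are constructed.
"""
import ipaddress
import struct

TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Constructed: the address block we protect at the border (RFC 5737 documentation range).
PROTECTED = ipaddress.ip_network("198.51.100.0/24")


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ (1) or WRQ (2): opcode, filename, NUL, mode, NUL."""
    if opcode not in (1, 2):
        raise ValueError("opcode must be 1 (RRQ) or 2 (WRQ)")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, data):
    """Encode a DATA packet: opcode 3, 16-bit block number, up to 512 bytes of data."""
    return struct.pack("!HH", 3, block) + data


def build_ack(block):
    """Encode an ACK packet: opcode 4, 16-bit block number."""
    return struct.pack("!HH", 4, block)


def parse_packet(payload):
    """Decode a TFTP payload into a dict; return None for anything malformed."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    body = payload[2:]
    if opcode in (1, 2):
        fields = body.split(b"\0")
        # Expect filename, mode, and the empty string left after the final NUL.
        if len(fields) < 3 or fields[-1] != b"" or not fields[0]:
            return None
        return {"type": OPCODES[opcode], "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    if opcode == 3:
        block = struct.unpack("!H", body[:2])[0]
        # A DATA packet shorter than 512 bytes of data is the last one of the transfer.
        return {"type": "DATA", "block": block, "last": len(body) - 2 < 512}
    if opcode == 4 and len(body) == 2:
        return {"type": "ACK", "block": struct.unpack("!H", body)[0]}
    if opcode == 5 and len(body) >= 3 and body.endswith(b"\0"):
        return {"type": "ERROR", "code": struct.unpack("!H", body[:2])[0],
                "message": body[2:-1].decode("ascii", "replace")}
    return None


def drop_at_border(pkt):
    """Constructed border ACL: drop UDP arriving *into* PROTECTED with dst port 69.

    Only the initial RRQ/WRQ carries port 69. Every later DATA/ACK packet is
    addressed to the ephemeral TIDs both sides chose, so the rule never sees them.
    """
    return ipaddress.ip_address(pkt["dst"]) in PROTECTED and pkt["dport"] == TFTP_PORT


def tftp_read_trace(client, server, server_tid, client_tid, file_bytes):
    """Build the packets of one successful RRQ transfer (constructed RFC 1350 sequence)."""
    pkts = [dict(src=client, sport=client_tid, dst=server, dport=TFTP_PORT,
                 payload=build_request(1, "startup-config"))]
    blocks = [file_bytes[i:i + 512] for i in range(0, len(file_bytes), 512)]
    if not blocks or len(blocks[-1]) == 512:
        blocks.append(b"")  # a short (here empty) final DATA block ends the transfer
    for n, chunk in enumerate(blocks, start=1):
        # Server answers from its own TID, not from port 69; client talks to that TID.
        pkts.append(dict(src=server, sport=server_tid, dst=client, dport=client_tid,
                         payload=build_data(n, chunk)))
        pkts.append(dict(src=client, sport=client_tid, dst=server, dport=server_tid,
                         payload=build_ack(n)))
    return pkts


def evaluate(trace):
    """Return [(packet type, dropped?)] for a trace run through the border rule."""
    return [(parse_packet(p["payload"])["type"], drop_at_border(p)) for p in trace]


if __name__ == "__main__":
    # Outside host reads a file from a device inside PROTECTED: only the RRQ is dropped.
    inbound = tftp_read_trace("192.0.2.10", "198.51.100.5", 5001, 40001, b"x" * 700)
    print("inbound read :", evaluate(inbound))
    # Inside host reads from an outside server: the port-69 packet leaves the network,
    # replies come back to the client's TID, so the same rule drops nothing.
    outbound = tftp_read_trace("198.51.100.20", "192.0.2.50", 5002, 40002, b"y" * 1024)
    print("outbound read:", evaluate(outbound))
```

Running it shows the inbound trace as `[("RRQ", True), ("DATA", False), ...]` and the outbound trace with every packet passing, which is the "particular direction" observation in the post: a single destination-port rule on traffic entering the network stops transfers initiated from outside without touching the rest of the exchange or transfers your own hosts start.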