Vonage complains about VoIP-blocking
Eric Gauthier
eric at roxanne.org
Wed Feb 16 03:50:39 UTC 2005
> Why block TFTP at your borders? To keep people from loading new versions of
> IOS on your routers? ;)
>
> Not trying to be flippant, but what's the basis for this?
This is a really good question :)
In our particular case, it was not to protect the network as others suggested.
We do ACL our equipment, keep updated code, use private IPs where necessary,
etc. We're a University network, but we're not completely insane ;) Of course
we don't let random hosts TFTP to our gear...
A while ago (18 months maybe?) our security team argued that filtering
TFTP connections between subnets on our campus would slow down the spread of
computer worms/viruses as many were using TFTP as part of their propagation
vector. The decision was made that the trade-off between the end-to-end
principle (we didn't have a good counter at the time citing a particular
application that was used and would break) and helping contain virus outbreaks
was worth filtering, so the filter was put into place. No one has complained
yet, so the filter has stayed in place.
Eric :)