Re: Vonage complains about VoIP-blocking
At 11:07 AM -0500 on 2/15/05, Steven M. Bellovin wrote:

> http://advancedippipeline.com/60400413
>
> The FCC is investigating -- it's not even clear if it's illegal to do that.
>
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

This has been an interesting thread; lots of divergence. I'll condense replies at the risk of losing some context threads.

It's unclear from the linked articles if this is a "blocking the provisioning system (TFTP)" or "blocking the VoIP signalling (SIP)" question. There is speculation about both in this thread here on the list.

1) Several ISPs have been seen to be blocking SIP in my experience, but it's been rare. None of them have been "big" providers in North America, and in these rare instances customers quickly let their dollars do the talking - they have moved to alternate providers who do not block SIP. Typically the response is outrage, and any ISP doing this type of selective interference should paint a big red target on their foreheads, to be shot at by customers, competitors, and regulators. Outside of North America, of course, the rules are significantly different, and the target often appears on the customer's forehead (see: Panama, China, perhaps India.)

By saying that the FCC has jurisdiction over what packets can be carried, IP networks are treading dangerously close to "common carrier" status. Note to the Internet community: careful what you wish for; you might get it. Now, if the FTC should get involved, that is a different issue if the argument is phrased differently.

Anyone want to venture a guess as to how Canada might deal with something like this situation? Their very confusing rulings leave me scratching my head, so I'm unclear on what this would imply for their legal viewpoint.

2) "If they modulate the shields, modulate the phasers." I'll trot out that worn-out old Star Trek analogy here, since it's accurate.

If devices in use support RFC 2782 (SRV) and are even halfway intelligent, then make systems run on ports other than 5060 as a failover. Or, to be more targeted, look for DNS requests from netblocks inside of $foolish_provider and the DNS resolver should then hand back SRV records for ports other than 5060. (Hi, Patrick! Sounds like a speciality DNS product for Akamai targeted at the ITSP market.) Then the proxy/registrar would be configured to answer on those ports. This of course only works until $foolish_provider starts to meddle with RTP flows and degrades performance on the edge network, or intercepts/forbids DNS requests... but then one can cancel because of an SLA, and it is more clear that the "fault" lies with the IP network provider than with the remote SIP endpoint.

3) SIP as an "insecure protocol": well, that's all in the eye of the beholder. SMTP is just as insecure as SIP, if not more so. Now, if the argument is that "SMTP is blocked at the edge of most well-managed networks" that is correct, but that is because SMTP is an outgoing threat, while SIP is currently not such a threat (at least, I've yet to hear of an attack using port 5060, and even if there was, it's unclear that this would be any different than an HTTP or ssh or any other type of attack.) Using the security argument for blocking SIP is hollow. With the addition of TLS (this implies TCP) this becomes even more obviously inaccurate. Anyone know if SIP was being blocked by the nameless carrier on both TCP _and_ UDP? (If it was SIP at all that was being blocked, which is still unclear from current data.)

4) Configuration protocols: most current SIP end devices use at least TFTP, but many use http and https. There are still a handful of crippled devices (CISCO7900's) which still only use TFTP for device configuration.

Most vendors have figured out that this is inadequate, because SIP devices are now appearing on the "open Internet" instead of on closed intranets where the threat was minimized (though this is no excuse for using unencrypted and unverified configurations via TFTP.) The smart vendors are signing/encrypting their configuration files, with self-signed certs or simply shared secrets. Some devices come "off the shelf" with a pre-installed key. Not many vendors do this, but most of you reading this message have some contact with VoIP hardware vendors: beat them into submission if they don't support encrypted configs via https or http or _something_ other than tftp, and use encryption to protect customer usernames/passwords.

We'll all be better off if it's not possible (or at least much more difficult) for capacity vendors to politically argue for or technically block service or provisioning, but only the device manufacturers and softphone vendors can make service delivery and configuration more robust.

JT
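The SRV failover in JT's point 2, worked through as an added example (not code from the thread or from any vendor or operator named in it): a SIP client orders the operator's SRV records the way RFC 2782 prescribes and falls through to targets on non-5060 ports when the access network filters 5060. The SRV answer, hostnames and ports are constructed for illustration.

```python
"""RFC 2782 SRV selection for a SIP client, with failover past a filtered port.

The SRV answer below is constructed: an operator publishes its registrar on
5060 plus fallback targets on other ports, which is what JT's point 2 relies on.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is tried first
    weight: int     # share of load within one priority level
    port: int
    target: str


# Constructed answer for _sip._udp.<operator domain>; names are placeholders.
SAMPLE_SRV: List[SrvRecord] = [
    SrvRecord(priority=10, weight=60, port=5060, target="sip1.operator.invalid."),
    SrvRecord(priority=10, weight=40, port=5060, target="sip2.operator.invalid."),
    SrvRecord(priority=20, weight=0, port=15060, target="alt1.operator.invalid."),
    SrvRecord(priority=30, weight=0, port=25060, target="alt2.operator.invalid."),
]


def order_srv(records: List[SrvRecord],
              rng: Callable[[], float] = random.random) -> List[SrvRecord]:
    """Order SRV records following the RFC 2782 usage rules.

    Priority groups are taken lowest first.  Inside a group the records are
    drawn by weighted random selection: weight-0 records are moved to the
    front of the candidate list, a running sum of weights is built, and a
    random number in [0, total] picks the first record whose running sum
    reaches it.  `rng` is injectable so the order is reproducible in tests.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)   # weight 0 first (stable sort)
        while group:
            total = sum(r.weight for r in group)
            pick = int(rng() * (total + 1))        # 0 .. total inclusive
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def first_usable(records: List[SrvRecord],
                 usable: Callable[[SrvRecord], bool],
                 rng: Callable[[], float] = random.random) -> Optional[SrvRecord]:
    """Walk the RFC 2782 order and return the first target that is usable.

    `usable` stands in for a real reachability probe (a SIP OPTIONS ping or a
    registration attempt).  None means every target failed, which is the case
    the thread raises: the access network, not the SIP endpoint, then is the
    component that broke service.
    """
    for rec in order_srv(records, rng):
        if usable(rec):
            return rec
    return None


if __name__ == "__main__":
    # Simulate an access network that drops UDP/5060 but nothing else.
    def blocked_5060(r: SrvRecord) -> bool:
        return r.port != 5060

    print("normal network:", first_usable(SAMPLE_SRV, lambda r: True, lambda: 0.0))
    print("5060 filtered :", first_usable(SAMPLE_SRV, blocked_5060, lambda: 0.0))
```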
Re: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Rob Thomas wrote:

> Hi, Dan.
>
> ] Why block TFTP at your borders? To keep people from loading new versions of
> ] IOS on your routers? ;)
>
> Funny you should mention that. :) We have seen miscreants do exactly
> that. They will upgrade or downgrade routers to support a feature set
> of their choosing.
>
> A lot of malware uses TFTP to update itself as well.

Didn't nachi set up a tftpd on infected systems and then use tftp to load itself onto systems it spread to?

--
 Jon Lewis                |  I route
 Senior Network Engineer  |  therefore you are
 Atlantic Net             |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: Vonage complains about VoIP-blocking
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> John Levine
> Sent: Tuesday, February 15, 2005 9:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Vonage complains about VoIP-blocking
>
> > http://advancedippipeline.com/60400413
> >
> > The FCC is investigating -- it's not even clear if it's illegal to do
> > that.
>
> For what it's worth, my ISP is owned by my rural ILEC, and I just
> cancelled my Vonage service because it had become unusable.
>
> However, the problem was not TFTP, it was rotten inbound voice
> quality, combined with a complete inability to contact anyone at
> Vonage by e-mail or phone to do anything about it. My link is a T1,
> and it has plenty of spare inbound capacity. Traceroutes suggest that
> Vonage is suffering from packet loss problems at gateways between
> their NSP and mine, or perhaps the packet loss within my NSP (Sprint)
> was too much for it.
>
> I switched to Lingo which works fine. Its box uses NTP to set the
> time, then http to configure.

Odd regarding the Vonage connection. They're sitting on UU from where I can see and I have excellent transit to them from Comcast.

I've tested Vonage, only because I had it, with the Semena NE2000 Network Test Device and introduced multiple error, path, and latency issues, and it stood up very well. At one point, I jacked up the latency to 4000ms and I was still able to place, communicate, and drop calls effectively. I was very surprised at how it handled that large introduced latency.

I don't know about Vonage support. Never tried it.

-M<
Re: Vonage complains about VoIP-blocking
> Why block TFTP at your borders? To keep people from loading new versions of
> IOS on your routers? ;)
>
> Not trying to be flippant, but what's the basis for this?

This is a really good question :)

In our particular case, it was not to protect the network as others suggested. We do ACL our equipment, keep updated code, use private IPs where necessary, etc. We're a University network, but we're not completely insane ;) Of course we don't let random hosts TFTP to our gear...

A while ago (18 months maybe?) our security team argued that filtering TFTP connections between subnets on our campus would slow down the spread of computer worms/viruses as many were using TFTP as part of their propagation vector. The decision was made that the trade-off between the end-to-end principle (we didn't have a good counter at the time citing a particular application that was used and would break) and helping contain virus outbreaks was worth filtering, so the filter was put into place. No one has complained yet, so the filter has stayed in place.

Eric :)
Re: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Steven M. Bellovin wrote:
> The really interesting question, to me, is how to let users provision
> their phones to talk to the operator of their choice. The simplest
> solution is probably something like a SIM; it would contain the
> customer subscription data and the operator's CA certificate.
> Switching providers would be as simple as switching SIMs. (Of course,
> that assumes that this time we can avoid SIM-locking nonsense)

Like a SIM card, you want to give the authentication information to the user in a form the user can't access themselves. Yes, Virginia, the user really is the weakest link. If the user has access to it, in the real world it seems like lots of other people can get access to it. Usernames and N (pick any value for N, it doesn't matter) character static passwords, blech.

So how does the user's choice of service provider securely deliver the authentication information to the user's choice of device, without knowing anything about the user or device ahead of time? Physical hardware (i.e. a SIM card) works, and we know the physics involved with its security. But it's darn expensive, and people don't like waiting for the mail to deliver it. Most online methods rely on a pseudo-out-of-band authentication method, which usually turns into a version of static password.

It should be easy, but it quickly turns into a hard problem to solve.
Re: Vonage complains about VoIP-blocking
> http://advancedippipeline.com/60400413
>
> The FCC is investigating -- it's not even clear if it's illegal to do
> that.

For what it's worth, my ISP is owned by my rural ILEC, and I just cancelled my Vonage service because it had become unusable.

However, the problem was not TFTP, it was rotten inbound voice quality, combined with a complete inability to contact anyone at Vonage by e-mail or phone to do anything about it. My link is a T1, and it has plenty of spare inbound capacity. Traceroutes suggest that Vonage is suffering from packet loss problems at gateways between their NSP and mine, or perhaps the packet loss within my NSP (Sprint) was too much for it.

I switched to Lingo which works fine. Its box uses NTP to set the time, then http to configure.

Regards,
John Levine, [EMAIL PROTECTED], Taughannock Networks, Trumansburg NY
http://www.taugh.com
Re: Vonage complains about VoIP-blocking
In message <[EMAIL PROTECTED]>, Sean Donelan writes:
>
> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > > Unfortunately, TFTP is the only protocol that many phone vendors
> > > implement -- and VoIP operators aren't happy about it. Some
> > > vendors have
> > > started implementing HTTP(S), but it's far from common at this point.
> >
> > Wouldn't there be a fee to utilize https?
>
> Only if you like giving $995 to Verisign for fancy SSL certificates.
>
> Most https phones can use locally issued X.509 certificates for the
> download. Some use a manufacturer issued root certificates if you
> want to get fancy and use code signing, etc.
>
> Not the same problem as Microsoft Internet Explorer trusting every
> root certificate in its cache. IP phones usually have a very short
> certificate trust list in the phone.

Precisely. You not only don't need a Verisign cert for this, you don't want one. The phone should trust the authorized operator, which bears no relationship to an identity that Verisign (or whomever) attests to.

The really interesting question, to me, is how to let users provision their phones to talk to the operator of their choice. The simplest solution is probably something like a SIM; it would contain the customer subscription data and the operator's CA certificate. Switching providers would be as simple as switching SIMs. (Of course, that assumes that this time we can avoid SIM-locking nonsense)

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > Unfortunately, TFTP is the only protocol that many phone vendors
> > implement -- and VoIP operators aren't happy about it. Some
> > vendors have
> > started implementing HTTP(S), but it's far from common at this point.
>
> Wouldn't there be a fee to utilize https?

Only if you like giving $995 to Verisign for fancy SSL certificates.

Most https phones can use locally issued X.509 certificates for the download. Some use a manufacturer issued root certificates if you want to get fancy and use code signing, etc.

Not the same problem as Microsoft Internet Explorer trusting every root certificate in its cache. IP phones usually have a very short certificate trust list in the phone.
Re: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005 16:18:01 -0500 Daniel Golding <[EMAIL PROTECTED]> wrote:

> Why block TFTP at your borders? To keep people from loading new versions of
> IOS on your routers? ;)

Fear.

> Not trying to be flippant, but what's the basis for this?

In addition to what others have said:

The T in TFTP and the use of UDP is a clue as to why you'd want to use TFTP. It's relatively lightweight and relatively simple to implement in a small platform with limited resources. It is not required to run TCP after all. It could be possible to build a relatively trustworthy TFTP process without having to expose the device to TCP-based processes that typically get used for SSH or HTTPS. Since the TCP-based methods tend to contain more code and are thus more complex, vulnerabilities may be more likely.

I'll also point out that implementations will use port 69 in a single packet, the initial read or write request from the client. That means if you really must filter, you might be able to get away with filtering the destination port in a particular direction that is most dangerous for you.

John
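John's point about port 69, as an added example (not code from the thread): the only TFTP packet addressed to UDP/69 is the client's initial read or write request; the DATA, ACK and ERROR packets that follow run between two ephemeral ports (the RFC 1350 transfer identifiers). The parser below decodes that header and applies the narrow directional rule he suggests instead of a blanket drop of UDP/69. The packets and filenames are constructed samples.

```python
"""TFTP packet classification for a direction-aware port-69 filter.

Constructed packets only; the filter function models an ACL decision at a
network border, not a specific vendor's ACL syntax.
"""
import struct
from dataclasses import dataclass
from typing import Optional

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
MODES = ("netascii", "octet", "mail")   # the three transfer modes of RFC 1350


@dataclass
class TftpPacket:
    opcode: str
    filename: Optional[str] = None   # RRQ / WRQ only
    mode: Optional[str] = None       # RRQ / WRQ only
    block: Optional[int] = None      # DATA / ACK only


def parse_tftp(payload: bytes) -> Optional[TftpPacket]:
    """Decode the TFTP header; None if the payload is not well-formed TFTP."""
    if len(payload) < 4:
        return None
    op = struct.unpack("!H", payload[:2])[0]
    name = OPCODES.get(op)
    if name in ("RRQ", "WRQ"):
        # filename NUL mode NUL (options may follow; we ignore them)
        fields = payload[2:].split(b"\0")
        if len(fields) < 3 or not fields[0]:
            return None
        try:
            filename = fields[0].decode("ascii")
            mode = fields[1].decode("ascii").lower()
        except UnicodeDecodeError:
            return None
        if mode not in MODES:
            return None
        return TftpPacket(name, filename, mode)
    if name in ("DATA", "ACK"):
        return TftpPacket(name, block=struct.unpack("!H", payload[2:4])[0])
    if name == "ERROR":
        return TftpPacket(name)
    return None


def filter_decision(inbound_to_my_infra: bool, dst_port: int, payload: bytes) -> str:
    """The narrow rule: block requests arriving at UDP/69 on your own gear.

    Everything else is allowed, including customer-originated requests that
    leave the network and the ephemeral-port DATA/ACK exchange in both
    directions, which is why a customer's phone fetching its config is
    untouched while your routers' TFTP listeners stay unreachable.
    """
    pkt = parse_tftp(payload)
    if (inbound_to_my_infra and dst_port == 69
            and pkt is not None and pkt.opcode in ("RRQ", "WRQ")):
        return "block"
    return "allow"


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Build a constructed RRQ payload for the samples below."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


if __name__ == "__main__":
    # A customer phone fetching its constructed config file: allowed outbound.
    print(filter_decision(False, 69, rrq("SEP000000000000.cnf.xml")))
    # A request arriving at port 69 on our own equipment: blocked.
    print(filter_decision(True, 69, rrq("firmware.bin")))
    # A DATA block of an existing transfer, on ephemeral ports: allowed.
    print(filter_decision(True, 40123, struct.pack("!HH", 3, 1) + b"payload"))
```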
Re: Vonage complains about VoIP-blocking
Thus spake "Hannigan, Martin" <[EMAIL PROTECTED]>
> > Unfortunately, TFTP is the only protocol that many phone vendors
> > implement -- and VoIP operators aren't happy about it. Some
> > vendors have
> > started implementing HTTP(S), but it's far from common at this point.
>
> Wouldn't there be a fee to utilize https?

One needs an SSL certificate, but the operator may already have one. If not, or they don't want to reuse an existing server, they can either get one for a fee or maybe use a self-signed certificate.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people. Smart people surround themselves with
K5SSS                 smart people who disagree with them." --Aaron Sorkin
RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> Wouldn't there be a fee to utilize https?

Most CPE providers will give you a cert at no cost.

-Nathan
Re: Vonage complains about VoIP-blocking
On Feb 15, 2005, at 4:45 PM, Michael Hallgren wrote:

> ssh, or other schemes of enhanced security...?

How about encrypted config files loaded via tftp? (Which is what the Motorola unit actually does.)

-Chris
--
Chris Parker
Director, Engineering
StarNet, A Service of US LEC
(888)212-0099  Fax (847)963-1302
Wholesale Internet Services          http://www.megapop.net
VoiceEclipse, The Fresh Alternative  http://www.voiceeclipse.com
NOTICE: Message is sent IN CONFIDENCE to addressees. It may contain information that is privileged, proprietary or confidential.
Re: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Stephen Sprunk wrote:
> Thus spake "Bruce Campbell" <[EMAIL PROTECTED]>
> > Introducing new devices that are intended to trust that big, bad, easily
> > spoofable internet using non-secured protocols such as tftp in order to
> > get their configuration from a non-local server shows a degree of trust
> > not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly
> > books on writing internet protocols.
>
> Unfortunately, TFTP is the only protocol that many phone vendors
> implement -- and VoIP operators aren't happy about it. Some vendors have
> started implementing HTTP(S), but it's far from common at this point.

Odd, we have over 100 different user agents on our network today and I would say that most of the devices we are working with today support something other than tftp.

-Nathan
RE: Vonage complains about VoIP-blocking
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Stephen Sprunk
> Sent: Tuesday, February 15, 2005 6:08 PM
> To: Bruce Campbell
> Cc: North American Noise and Off-topic Gripes
> Subject: Re: Vonage complains about VoIP-blocking
>
> Thus spake "Bruce Campbell" <[EMAIL PROTECTED]>
> > Introducing new devices that are intended to trust that
> > big, bad, easily spoofable internet using non-secured protocols such as tftp
> > in order to get their configuration from a non-local server shows a
> > degree of trust not seen since the Famous Five, the BabySitters Club and
> > pre '96 O'Reilly books on writing internet protocols.
>
> Unfortunately, TFTP is the only protocol that many phone vendors
> implement -- and VoIP operators aren't happy about it. Some
> vendors have
> started implementing HTTP(S), but it's far from common at this point.

Wouldn't there be a fee to utilize https?

-M<
Re: Vonage complains about VoIP-blocking
Thus spake "Bruce Campbell" <[EMAIL PROTECTED]>
> Introducing new devices that are intended to trust that big, bad, easily
> spoofable internet using non-secured protocols such as tftp in order to
> get their configuration from a non-local server shows a degree of trust
> not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly
> books on writing internet protocols.

Unfortunately, TFTP is the only protocol that many phone vendors implement -- and VoIP operators aren't happy about it. Some vendors have started implementing HTTP(S), but it's far from common at this point.

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people. Smart people surround themselves with
K5SSS                 smart people who disagree with them." --Aaron Sorkin
RE: Vonage complains about VoIP-blocking
> > > ssh, or other schemes of enhanced security...?
>
> We have some that use https, but that is about as secure
> as it gets. We also encrypt config files, so that helps.

Likely (at least for the time being :) better than nothing (or of course use of naked protocols). My (inherited) point is that these kinds of things belong to edge rather than network security enforcement/considerations.

mh

> ><>
> Nathan Stratton           BroadVoice, Inc.
> nathan at robotics.net    Talk IS Cheap
> http://www.robotics.net   http://www.broadvoice.com
RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Michael Hallgren wrote:
> ssh, or other schemes of enhanced security...?

We have some that use https, but that is about as secure as it gets. We also encrypt config files, so that helps.

><>
Nathan Stratton           BroadVoice, Inc.
nathan at robotics.net    Talk IS Cheap
http://www.robotics.net   http://www.broadvoice.com
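The protected config files that JT (point 4), Chris and Nathan describe, as an added example (not code from the thread or from any vendor or operator in it): the operator authenticates each provisioning file with a per-device key the phone carried out of the box, so a file fetched over plain TFTP, or swapped in transit, is rejected unless it came from the operator, is for this device, and is newer than the one already applied. It covers integrity and freshness with a shared secret (HMAC-SHA256); confidentiality of the SIP credentials would need a cipher on top and is not shown. The file format, device id, key and config body are constructed.

```python
"""Provisioning-file authentication with a pre-installed per-device key.

Constructed format: MAGIC | seq (4 bytes, big-endian) | body | HMAC-SHA256 tag,
where the tag also binds the device id so one device's file cannot be fed to
another.  Keys and identifiers below are demo values, not anything real.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

MAGIC = b"VCF1"   # constructed format tag
TAG_LEN = 32      # HMAC-SHA256 output length

# Constructed sample: a key burned in at manufacture and held by the operator
# indexed by the device's MAC address.  Derived from a fixed string for demo only.
DEVICE_ID = b"00:11:22:33:44:55"
DEVICE_KEY = hashlib.sha256(b"constructed-demo-device-key").digest()

SAMPLE_BODY = b"""# constructed sample provisioning file
sip_proxy=sip.operator.invalid
sip_user=15551234567
sip_password=not-a-real-password
"""


def _tag(key: bytes, device_id: bytes, seq: int, body: bytes) -> bytes:
    """MAC over format tag, device id, sequence number and body."""
    msg = MAGIC + device_id + struct.pack("!I", seq) + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_config(key: bytes, device_id: bytes, seq: int, body: bytes) -> bytes:
    """Operator side: produce the file that will be served (e.g. over TFTP)."""
    return MAGIC + struct.pack("!I", seq) + body + _tag(key, device_id, seq, body)


def verify_config(key: bytes, device_id: bytes, blob: bytes,
                  last_applied_seq: int) -> Optional[Tuple[int, bytes]]:
    """Device side: return (seq, body) only if the file is authentic and fresh.

    Rejects malformed files, a tag made with another key or for another device,
    any change to the body, and replays or rollbacks (seq not above the last
    sequence number the device applied).
    """
    if len(blob) < len(MAGIC) + 4 + TAG_LEN or not blob.startswith(MAGIC):
        return None
    seq = struct.unpack("!I", blob[4:8])[0]
    body, tag = blob[8:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, device_id, seq, body)):
        return None
    if seq <= last_applied_seq:
        return None
    return seq, body


def parse_body(body: bytes) -> Dict[str, str]:
    """Parse the key=value lines of a verified body (constructed layout)."""
    out: Dict[str, str] = {}
    for line in body.decode("utf-8").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


if __name__ == "__main__":
    blob = sign_config(DEVICE_KEY, DEVICE_ID, 7, SAMPLE_BODY)
    good = verify_config(DEVICE_KEY, DEVICE_ID, blob, last_applied_seq=6)
    print("valid file  :", good is not None and parse_body(good[1])["sip_proxy"])
    tampered = blob.replace(b"sip.operator.invalid", b"sip.attacker.invalid")
    print("tampered    :", verify_config(DEVICE_KEY, DEVICE_ID, tampered, 6))
    print("replayed    :", verify_config(DEVICE_KEY, DEVICE_ID, blob, 7))
    print("other device:", verify_config(DEVICE_KEY, b"aa:bb:cc:dd:ee:ff", blob, 6))
```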
RE: Vonage complains about VoIP-blocking
> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > > On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > > > > Something else to consider. We block TFTP at our border for
> > > > > security reasons and we've found that this prevents Vonage from
> > > > > working.
> > >
> > > Vonage devices initiate an outbound TFTP connection back to Vonage
> > > to snarf their configs on initial connection and also
> > > (presumably) on reboot.
> >
> > I tested the reboot. I didn't see it. I agree in general and think
> > that providers shouldn't block tftp, IMHO.
>
> Traditionally, tftp has been used by networks as a
> configuration/boot mechanism of their local equipment, with
> customers rarely using it (at least, that's been my experience).
>
> Hence, most people writing the acls are concerned with
> protecting their own equipment, and getting the most out of
> their routers. Having acls that block all tftp except from
> your management IPs is a lot easier than acls that block all
> tftp to your tftpable devices except from your management IPs.
>
> Introducing new devices that are intended to trust that big,
> bad, easily spoofable internet using non-secured protocols
> such as tftp in order to get their configuration from a
> non-local server shows a degree of trust not seen since the
> Famous Five, the BabySitters Club and pre '96 O'Reilly books
> on writing internet protocols.

:)

mh

> --==--
> Bruce.
RE: Vonage complains about VoIP-blocking
ssh, or other schemes of enhanced security...?

mh

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Daniel Golding
> Sent: Tuesday, February 15, 2005 23:39
> To: Jason L. Schwab; Martin Hannigan
> Cc: nanog@merit.edu
> Subject: Re: Vonage complains about VoIP-blocking
>
> Is there any move on the part of providers/manufacturers to
> use more secure protocols for this?
>
> - Dan
>
> On 2/15/05 5:22 PM, "Jason L. Schwab" <[EMAIL PROTECTED]> wrote:
>
> > Hi;
> >
> > I unplugged and reset my vonage Motorola MTA device, and it did tftp
> > to home to get its configs.
> >
> > -Jason
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> > Of Hannigan, Martin
> > Sent: Tuesday, February 15, 2005 3:14 PM
> > To: 'Jay Hennigan'
> > Cc: Eric Gauthier; nanog@merit.edu
> > Subject: RE: Vonage complains about VoIP-blocking
> >
> >> -Original Message-
> >> From: Jay Hennigan [mailto:[EMAIL PROTECTED]]
> >> Sent: Tuesday, February 15, 2005 5:10 PM
> >> To: Hannigan, Martin
> >> Cc: Eric Gauthier; nanog@merit.edu
> >> Subject: RE: Vonage complains about VoIP-blocking
> >>
> >> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> >>
> >>>> Something else to consider. We block TFTP at our border for
> >>>> security reasons and we've found that this prevents Vonage from
> >>>> working.
> >>>> Would this mean that
> >>>> LEC's can't block TFTP?
> >>>
> >>> Was that a device trying to phone home and get its configs?
> >>> Cisco, Nortel, etc. phone home and get configs via tftp.
> >>>
> >>> Vonage doesn't need to phone home for config. The device is
> >>> programmed (router) and it registers with the call manager.
> >>> If you analyze the transactions it's about 89% SIP and 11% SDP.
> >>
> >> Vonage devices initiate an outbound TFTP connection back to Vonage to
> >> snarf their configs on initial connection and also
> >> (presumably) on reboot.
> >
> > I tested the reboot. I didn't see it. I agree in general and think
> > that providers shouldn't block tftp, IMHO.
>
> --
> Daniel Golding
> Network and Telecommunications Strategies
> Burton Group
RE: Vonage complains about VoIP-blocking
> > Was that a device trying to phone home and get its configs?
> > Cisco, Nortel, etc. phone home and get configs via tftp.
> >
> > Vonage doesn't need to phone home for config. The device is
> > programmed (router) and it registers with the call manager.
> > If you analyze the transactions it's about 89% SIP and 11% SDP.
>
> Vonage devices initiate an outbound TFTP connection back to
> Vonage to snarf their configs on initial connection and also
> (presumably) on reboot.
>
> Many, many VoIP devices do this, including Cisco phones in
> all major flavors. If an ISP is blocking TFTP originated by
> its customers at the border, this will cause numerous
> problems with many VoIP devices as well as numerous other
> things where a customer needs to initiate a TFTP session over
> the Internet.
>
> Filtering customer-initiated TFTP will cause problems with
> many legitimate applications and devices.

Consequently, should "unlikely or most likely not :)" be filtered by (I|N)SP, IMHO. Who's (still) using TFTP for fragile tasks...?

Cheers,
mh

> --
> Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
> WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
> NetLojix Communications, Inc. - http://www.netlojix.com/
RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Hannigan, Martin wrote:

> > On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > > > Something else to consider. We block TFTP at our border for
> > > > security reasons
> > > > and we've found that this prevents Vonage from working.
> >
> > Vonage devices initiate an outbound TFTP connection back to Vonage to
> > snarf their configs on initial connection and also
> > (presumably) on reboot.
>
> I tested the reboot. I didn't see it. I agree in general
> and think that providers shouldn't block tftp, IMHO.

Traditionally, tftp has been used by networks as a configuration/boot mechanism of their local equipment, with customers rarely using it (at least, that's been my experience).

Hence, most people writing the acls are concerned with protecting their own equipment, and getting the most out of their routers. Having acls that block all tftp except from your management IPs is a lot easier than acls that block all tftp to your tftpable devices except from your management IPs.

Introducing new devices that are intended to trust that big, bad, easily spoofable internet using non-secured protocols such as tftp in order to get their configuration from a non-local server shows a degree of trust not seen since the Famous Five, the BabySitters Club and pre '96 O'Reilly books on writing internet protocols.

--==--
Bruce.
Re: Vonage complains about VoIP-blocking
Is there any move on the part of providers/manufacturers to use more secure protocols for this?

- Dan

On 2/15/05 5:22 PM, "Jason L. Schwab" <[EMAIL PROTECTED]> wrote:

> Hi;
>
> I unplugged and reset my vonage Motorola MTA device, and it did tftp to
> home to get its configs.
>
> -Jason
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Hannigan, Martin
> Sent: Tuesday, February 15, 2005 3:14 PM
> To: 'Jay Hennigan'
> Cc: Eric Gauthier; nanog@merit.edu
> Subject: RE: Vonage complains about VoIP-blocking
>
>> -Original Message-
>> From: Jay Hennigan [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, February 15, 2005 5:10 PM
>> To: Hannigan, Martin
>> Cc: Eric Gauthier; nanog@merit.edu
>> Subject: RE: Vonage complains about VoIP-blocking
>>
>> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
>>
>>>> Something else to consider. We block TFTP at our border for
>>>> security reasons
>>>> and we've found that this prevents Vonage from working.
>>>> Would this mean that
>>>> LEC's can't block TFTP?
>>>
>>> Was that a device trying to phone home and get its configs?
>>> Cisco, Nortel, etc. phone home and get configs via tftp.
>>>
>>> Vonage doesn't need to phone home for config. The device is
>>> programmed (router) and it registers with the call manager.
>>> If you analyze the transactions it's about 89% SIP and 11% SDP.
>>
>> Vonage devices initiate an outbound TFTP connection back to Vonage to
>> snarf their configs on initial connection and also
>> (presumably) on reboot.
>
> I tested the reboot. I didn't see it. I agree in general
> and think that providers shouldn't block tftp, IMHO.

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group
RE: Vonage complains about VoIP-blocking
Hi;

I unplugged and reset my vonage Motorola MTA device, and it did tftp to home to get its configs.

-Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hannigan, Martin
Sent: Tuesday, February 15, 2005 3:14 PM
To: 'Jay Hennigan'
Cc: Eric Gauthier; nanog@merit.edu
Subject: RE: Vonage complains about VoIP-blocking

> -Original Message-
> From: Jay Hennigan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 15, 2005 5:10 PM
> To: Hannigan, Martin
> Cc: Eric Gauthier; nanog@merit.edu
> Subject: RE: Vonage complains about VoIP-blocking
>
> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
>
> > > Something else to consider. We block TFTP at our border for
> > > security reasons
> > > and we've found that this prevents Vonage from working.
> > > Would this mean that
> > > LEC's can't block TFTP?
> >
> > Was that a device trying to phone home and get its configs?
> > Cisco, Nortel, etc. phone home and get configs via tftp.
> >
> > Vonage doesn't need to phone home for config. The device is
> > programmed (router) and it registers with the call manager.
> > If you analyze the transactions it's about 89% SIP and 11% SDP.
>
> Vonage devices initiate an outbound TFTP connection back to Vonage to
> snarf their configs on initial connection and also
> (presumably) on reboot.

I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Jay Hennigan wrote:
> Vonage devices initiate an outbound TFTP connection back to Vonage to
> snarf their configs on initial connection and also (presumably) on reboot.
>
> Many, many VoIP devices do this, including Cisco phones in all major
> flavors. If an ISP is blocking TFTP originated by its customers at the
> border, this will cause numerous problems with many VoIP devices as
> well as numerous other things where a customer needs to initiate a TFTP
> session over the Internet.
>
> Filtering customer-initiated TFTP will cause problems with many legitimate
> applications and devices.

Most devices have moved to http config: sipura, snom, panasonic, etc. We moved away from tftp because of a lot of NAT and blocking issues. As far as SIP, I don't see it as a major problem since you can use any port.

><>
Nathan Stratton           BroadVoice, Inc.
nathan at robotics.net    Talk IS Cheap
http://www.robotics.net   http://www.broadvoice.com
RE: Vonage complains about VoIP-blocking
> -Original Message-
> From: Jay Hennigan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 15, 2005 5:10 PM
> To: Hannigan, Martin
> Cc: Eric Gauthier; nanog@merit.edu
> Subject: RE: Vonage complains about VoIP-blocking
>
> On Tue, 15 Feb 2005, Hannigan, Martin wrote:
>
> > > Something else to consider. We block TFTP at our border for
> > > security reasons
> > > and we've found that this prevents Vonage from working.
> > > Would this mean that
> > > LEC's can't block TFTP?
> >
> > Was that a device trying to phone home and get its configs?
> > Cisco, Nortel, etc. phone home and get configs via tftp.
> >
> > Vonage doesn't need to phone home for config. The device is
> > programmed (router) and it registers with the call manager.
> > If you analyze the transactions it's about 89% SIP and 11% SDP.
>
> Vonage devices initiate an outbound TFTP connection back to Vonage to
> snarf their configs on initial connection and also
> (presumably) on reboot.

I tested the reboot. I didn't see it. I agree in general and think that providers shouldn't block tftp, IMHO.
RE: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Hannigan, Martin wrote:
> > Something else to consider. We block TFTP at our border for
> > security reasons
> > and we've found that this prevents Vonage from working.
> > Would this mean that
> > LEC's can't block TFTP?
>
> Was that a device trying to phone home and get its configs?
> Cisco, Nortel, etc. phone home and get configs via tftp.
>
> Vonage doesn't need to phone home for config. The device is
> programmed (router) and it registers with the call manager.
> If you analyze the transactions it's about 89% SIP and 11% SDP.

Vonage devices initiate an outbound TFTP connection back to Vonage to snarf their configs on initial connection and also (presumably) on reboot.

Many, many VoIP devices do this, including Cisco phones in all major flavors. If an ISP is blocking TFTP originated by its customers at the border, this will cause numerous problems with many VoIP devices as well as numerous other things where a customer needs to initiate a TFTP session over the Internet.

Filtering customer-initiated TFTP will cause problems with many legitimate applications and devices.

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
Re: Vonage complains about VoIP-blocking
I've gotten a couple emails on this. To summarize:

1) Some malware uses tftp. However, much malware now uses other ports, such as 80.

2) There are numerous buffer overflow bugs with tftp. This would seem to be better resolved with rACLs or ACLs towards loopback/interface blocks (and, of course, turning tftp off and using scp or sftp).

It would be interesting to find out what percentage of Internet accessible routers are remotely upgradable via TFTP presently. Sadly, this would be non-zero...

- Dan

On 2/15/05 4:28 PM, "Rob Thomas" <[EMAIL PROTECTED]> wrote:

> Hi, Dan.
>
> ] Why block TFTP at your borders? To keep people from loading new versions of
> ] IOS on your routers? ;)
>
> Funny you should mention that. :) We have seen miscreants do exactly
> that. They will upgrade or downgrade routers to support a feature set
> of their choosing.
>
> A lot of malware uses TFTP to update itself as well.
>
> Please note that I am NOT advocating the blocking of TFTP.
>
> Thanks,
> Rob.
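As an added example (not code from the thread, from Vonage or from any router vendor), here is a small Python model of the policy Dan and Jay describe: TFTP aimed at the provider's own loopback/infrastructure blocks is dropped, while customer-initiated TFTP to the Internet (an ATA fetching its config) is passed, and the request decoder shows that the requested filename travels in the clear. The infrastructure ranges, addresses and packets are constructed for the example.

```python
"""Added example, not from the thread: a receive-ACL-style TFTP policy.

Drop TFTP (udp/69) addressed to the provider's own loopback/infrastructure
blocks while passing customer-initiated TFTP to the Internet. The decoder
shows that filename and mode are visible to anyone on the path. The blocks,
addresses and packets below are constructed for illustration.
"""
import ipaddress
import struct

# TFTP opcodes from RFC 1350; only RRQ/WRQ carry a filename.
RRQ, WRQ = 1, 2
TFTP_PORT = 69

# Constructed stand-ins for a provider's router loopback and link netblocks.
INFRA_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def parse_tftp_request(payload: bytes):
    """Return ('RRQ'|'WRQ', filename, mode) for a request packet, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # RFC 1350 layout: filename NUL mode NUL; split() leaves a trailing empty field.
    if len(fields) < 3 or fields[-1] != b"":
        return None
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in ("netascii", "octet", "mail"):
        return None
    return ("RRQ" if opcode == RRQ else "WRQ", filename, mode)


def build_tftp_request(filename: str, opcode: int = RRQ, mode: str = "octet") -> bytes:
    """Encode a request packet (used here only to construct sample traffic)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def tftp_policy(dst_ip: str, dst_port: int, payload: bytes) -> dict:
    """Classify one customer-originated UDP datagram.

    Returns the verdict plus the decoded request (if any) for logging, so an
    operator can see which config/image names are being requested.
    """
    if dst_port != TFTP_PORT:
        return {"verdict": "pass", "request": None}
    request = parse_tftp_request(payload)
    to_infra = any(ipaddress.ip_address(dst_ip) in blk for blk in INFRA_BLOCKS)
    return {"verdict": "drop" if to_infra else "pass", "request": request}


if __name__ == "__main__":
    # Constructed ATA config fetch (pass) and a request at a router loopback (drop).
    print(tftp_policy("203.0.113.10", 69, build_tftp_request("ata-000000000000.cfg")))
    print(tftp_policy("192.0.2.1", 69, build_tftp_request("router-image.bin")))
```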
RE: Vonage complains about VoIP-blocking
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Eric Gauthier
> Sent: Tuesday, February 15, 2005 1:45 PM
> To: nanog@merit.edu
> Subject: Re: Vonage complains about VoIP-blocking
>
> > > > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> > >> How is this any different than blocking port 25 or
> > >> managing the bandwidth certain applications use.
>
> Something else to consider. We block TFTP at our border for
> security reasons and we've found that this prevents Vonage from
> working. Would this mean that LEC's can't block TFTP?

Was that a device trying to phone home and get its configs? Cisco, Nortel, etc. phone home and get configs via tftp.

Vonage doesn't need to phone home for config. The device is programmed (router) and it registers with the call manager. If you analyze the transactions it's about 89% SIP and 11% SDP.

-M<
Re: Vonage complains about VoIP-blocking
Hi, Dan.

] Why block TFTP at your borders? To keep people from loading new versions of
] IOS on your routers? ;)

Funny you should mention that. :) We have seen miscreants do exactly that. They will upgrade or downgrade routers to support a feature set of their choosing.

A lot of malware uses TFTP to update itself as well.

Please note that I am NOT advocating the blocking of TFTP.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
Re: Vonage complains about VoIP-blocking
Why block TFTP at your borders? To keep people from loading new versions of IOS on your routers? ;)

Not trying to be flippant, but what's the basis for this?

- Dan

On 2/15/05 1:45 PM, "Eric Gauthier" <[EMAIL PROTECTED]> wrote:

> > > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> > > > How is this any different than blocking port 25 or managing the bandwidth
> > > > certain applications use.
>
> Something else to consider. We block TFTP at our border for security reasons
> and we've found that this prevents Vonage from working. Would this mean that
> LEC's can't block TFTP?
>
> Eric :)
RE: Vonage complains about VoIP-blocking
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> John Fraizer
> Sent: Tuesday, February 15, 2005 2:31 PM
> To: Samantha Fetter
> Cc: nanog@merit.edu
> Subject: Re: Vonage complains about VoIP-blocking
>
> Samantha Fetter wrote:
> > Hi, just wanted to let you know that a friend recently got Vonage, and
> > they had to go through a special process to get 911 properly associated
> > with her address so that it would work right. I'm guessing that means
> > they have "REAL 911 access"? I'm not familiar with that all, so pardon
> > my lack of technical terms :
> >
> > Cheers,
> > Samantha
>
> If they had to go through a "special" process, then no. That would
> indicate that Vonage still doesn't have PS/ALI, at least in your friend's
> market.
>
> That "special" process is Vonage determining the "default" PSAP in your
> area and routing your 911 call to the 7-digit number for that PSAP.
> With PS/ALI, Vonage wouldn't be doing the routing. They would hand the
> call off to the 911 Selective Router which would THEN hand the call off
> to the appropriate PSAP based on a DIG to get your ALI information.

And with the current state of affairs, unless the head end can determine proper call centers across boundaries (can't), it probably never will.

> For those of you unfamiliar with how E911 works, and specifically,
> PS/ALI, take a look at:
> http://www.xo.com/products/smallgrowing/voice/local/psali/
>
> Or... Simply google for "PS/ALI".

That's a TDM product.

http://www.e911institute.org/Roundtable%20and%20Tours/June%2024,%202004/VoIP%20E911%20Issues.pdf

Page 9 offers a better description of the current E911 issues. It's a software problem. All Vonage does is map your 911 call at the PSAP to your local EMS. This is a 6/24 doc. It's slightly outdated.

-M<

> John
Re: Vonage complains about VoIP-blocking
> > > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> > >> How is this any different than blocking port 25 or managing the bandwidth
> > >> certain applications use.
>
> Something else to consider. We block TFTP at our border for security reasons
> and we've found that this prevents Vonage from working. Would this mean that
> LEC's can't block TFTP?

Exactly my point. If my network management practices impact service my customers use, it is an issue between me and my customers. If I lose customers over it, I'd better be prepared to deal with the fallout. I do not think someone offering a service somewhere in the world has the right to demand that I make this service available to my customers.

Adi
Re: Vonage complains about VoIP-blocking
Samantha Fetter wrote:
> Hi, just wanted to let you know that a friend recently got Vonage, and
> they had to go through a special process to get 911 properly associated
> with her address so that it would work right. I'm guessing that means
> they have "REAL 911 access"? I'm not familiar with that all, so pardon
> my lack of technical terms :
>
> Cheers,
> Samantha

If they had to go through a "special" process, then no. That would indicate that Vonage still doesn't have PS/ALI, at least in your friend's market.

That "special" process is Vonage determining the "default" PSAP in your area and routing your 911 call to the 7-digit number for that PSAP. With PS/ALI, Vonage wouldn't be doing the routing. They would hand the call off to the 911 Selective Router which would THEN hand the call off to the appropriate PSAP based on a DIG to get your ALI information.

For those of you unfamiliar with how E911 works, and specifically, PS/ALI, take a look at:
http://www.xo.com/products/smallgrowing/voice/local/psali/

Or... Simply google for "PS/ALI".

John
Re: Vonage complains about VoIP-blocking
Michael Kaegler wrote:
> At 10:07 AM -0800 2/15/05, Jim Devane wrote:
> > I can see where it may come to a LEC being able to block a competitor's
> > port only if they offer a comparable service. It will be an interesting
> > ride to be sure.
>
> Imagine Verizon blocking AOL dialup numbers [since verizon also provides
> internet access]... Not exactly the same thing...
>
> -mKaegler

Some of us remember the days when central offices would run out of PRI capacity, but the LEC owned ISP's would still be able to get new phone banks installed out of those CO's... But the "we're your friends - no really we are!" lunches that the LEC's sponsored back then more than made up for these minor inconveniences...

-W
Re: Vonage complains about VoIP-blocking
> I can see where it may come to a LEC being able to block a competitor's
> port only if they offer a comparable service. It will be an interesting
> ride to be sure.

What if a LEC added QoS to increase priority of their own VoIP product and reduced QoS on their competitors? Packets are still getting through but the voice quality sucks. Are the VoIP providers paying to have premium service on the LEC network?

-Matt
Re: Vonage complains about VoIP-blocking
On Tue, Feb 15, 2005 at 01:45:05PM -0500, Eric Gauthier wrote:
> > > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> > >> How is this any different than blocking port 25 or managing the bandwidth
> > >> certain applications use.
>
> Something else to consider. We block TFTP at our border for security reasons
> and we've found that this prevents Vonage from working. Would this mean that
> LEC's can't block TFTP?

This is a significant issue. Vonage is complaining about what are purportedly deliberate actions to block their service, while at the same time trying to sweep under the rug that *they have chosen to provide their service using insecure protocols that some carriers might quite reasonably choose to filter*.

If their -- centrally-provided: everything is forced through their SIP proxy anyway, resulting in a voice network architecture that really looks like a giant corporate VoIP PBX -- service were actually properly resistant to tampering and random-adversary eavesdropping, it would *also* have the property that it were opaque to intermediate networks: providers blocking SSL or ESP to Vonage's proxies would _clearly_ have no motivation to do so save interference with Vonage service.

It is my general impression of Vonage that they are very, very savvy about gaming what they perceive as the regulatory trend at the Federal level in an attempt to cut technical corners and thus grow their service faster than they could if they consistently did things "right". The history of their many, many wiggles on 911 access shows this pretty obviously, I think, and here I believe we have another case: they want to try to get regulatory agencies or the courts to force intermediate networks to let their packets through (by claiming all such filtering _must_ be deliberate) rather than actually doing what, on technical grounds, they ought to do anyway, and provide real security to their customers.

It is understandable, and probably a viable economic and political strategy, but that doesn't really make it right. It behooves those of us who understand the actual underlying technical issues (e.g. telco routing and human factors issues with Vonage's so-called 911 service; man-in-the-middle and eavesdropping issues with Vonage's totally unsecured TFTP boot and SIP services from each ATA) to do our best to point them out, so that, if possible, coercive regulatory decisions are not made on the basis of smoke and mirrors.

Thor
Re: Vonage complains about VoIP-blocking
> > On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> >> How is this any different than blocking port 25 or managing the bandwidth
> >> certain applications use.

Something else to consider. We block TFTP at our border for security reasons and we've found that this prevents Vonage from working. Would this mean that LEC's can't block TFTP?

Eric :)
Re: Vonage complains about VoIP-blocking
Anyone know which rural LECs might be involved? I find it interesting that it isn't an MSO or RBOC doing the blocking - perhaps the greater lawyer:engineer ratio at those organizations prevents it?

The other interesting aspect is that there seems to be a bit of a persecution complex on the part of some VoIP providers. Of course, even paranoids have enemies, as they say :)

--
Daniel Golding
Network and Telecommunications Strategies
Burton Group

On 2/15/05 1:22 PM, "Majdi Abbas" <[EMAIL PROTECTED]> wrote:

> On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
>> How is this any different than blocking port 25 or managing the bandwidth
>> certain applications use.
>
> If the article is correct, and the ISP involved is also a LEC, then
> it would be pretty clearly anticompetitive, and the LECs have some legal
> obligations to provide access to their customers.
>
> I don't think any such restriction would also apply to a
> normal ISP, but that could change. We'll see.
>
> --msa
RE: Vonage complains about VoIP-blocking
At 10:07 AM -0800 2/15/05, Jim Devane wrote:
> I can see where it may come to a LEC being able to block a competitor's
> port only if they offer a comparable service. It will be an interesting
> ride to be sure.

Imagine Verizon blocking AOL dialup numbers [since verizon also provides internet access]... Not exactly the same thing...

-mKaegler
--
Michael "Porkchop" Kaegler, Network Analyst, 845 575 3061
Marist College, 3399 North Road, Poughkeepsie, NY 12601
Last week a cop stopped me in my car. He asked me if I had a police record. I said, no, but I have the new DEVO album.
Re: Vonage complains about VoIP-blocking
On Tue, Feb 15, 2005 at 10:22:56AM -0800, Majdi Abbas wrote:
> On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> > How is this any different than blocking port 25 or managing the bandwidth
> > certain applications use.
>
> If the article is correct, and the ISP involved is also a LEC, then
> it would be pretty clearly anticompetitive, and the LECs have some legal
> obligations to provide access to their customers.
>
> I don't think any such restriction would also apply to a
> normal ISP, but that could change. We'll see.

Internet stuff is unregulated still in the US, last I knew. Perhaps this will be the idiotic move by a SP that causes someone to step in and impose some.

At minimum, I'd like to see some sort of Universal-Service offering surrounding high speed internet access (eg: 512k dsl) in the US market. This way Ma and Pa Kettle can get their Microsoft patches at a reasonable speed.

Either way, this is a provider asking to be smacked down. I wouldn't mind it if they were named so we could shame them into preserving the end-to-end nature of the internet.

btw, port 25 blocks are primarily for anti-spam purposes because people can't keep their machines from getting infected. I'm all for them unless you're purchasing some more-dedicated-type service. The days of dialing up with your mail server and updating dns are over.

- Jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Vonage complains about VoIP-blocking
On Tue, Feb 15, 2005 at 11:53:59AM -0600, Adi Linden wrote:
> How is this any different than blocking port 25 or managing the bandwidth
> certain applications use.

If the article is correct, and the ISP involved is also a LEC, then it would be pretty clearly anticompetitive, and the LECs have some legal obligations to provide access to their customers.

I don't think any such restriction would also apply to a normal ISP, but that could change. We'll see.

--msa
Re: Vonage complains about VoIP-blocking
Christopher L. Morrow wrote:
> On Tue, 15 Feb 2005, Adi Linden wrote:
> > > http://advancedippipeline.com/60400413
> > >
> > > The FCC is investigating -- it's not even clear if it's illegal to do that.
> >
> > How is this any different than blocking port 25 or managing the bandwidth
> > certain applications use.
>
> could be there are some 911 access issues... perhaps that's important to
> someone.

The last I checked, Vonage didn't have selective router access (that's fancy talk for REAL 911 access) - at least in my market. When you dial 911 from your Vonage phone, your call is sent to the 7-digit inbound number for the default PSAP. For response time, reliability, overall safety, you were better off dialing 911 from your cellphone.

We have a VoIP provider living in our datacenter. It took quite some doing to get their PS-ALI set up with their PSTN carrier. Problem: Unless the ALI record is updated to reflect "voip phone customer address", when one of their customers dialed 911, the selective router sent the call to the closest PSAP for our datacenter and the dispatcher got the address of our datacenter.

VoIP is nifty. I'm a huge fan but Buyer beware when it comes to 911 access. Dialing 911 and hearing "911 what is your emergency" isn't always a good enough test. You need to verify that the ALI information is correct, blah blah blah.

John
RE: Vonage complains about VoIP-blocking
I can see where it may come to a LEC being able to block a competitor's port only if they offer a comparable service. It will be an interesting ride to be sure.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher L. Morrow
Sent: Tuesday, February 15, 2005 9:58 AM
To: Adi Linden
Cc: [EMAIL PROTECTED]
Subject: Re: Vonage complains about VoIP-blocking

On Tue, 15 Feb 2005, Adi Linden wrote:
> > > http://advancedippipeline.com/60400413
> > >
> > > The FCC is investigating -- it's not even clear if it's illegal to do
> > > that.
> >
> > How is this any different than blocking port 25 or managing the bandwidth
> > certain applications use.

could be there are some 911 access issues... perhaps that's important to someone.
Re: Vonage complains about VoIP-blocking
On Tue, 15 Feb 2005, Adi Linden wrote:
> > > http://advancedippipeline.com/60400413
> > >
> > > The FCC is investigating -- it's not even clear if it's illegal to do
> > > that.
> >
> > How is this any different than blocking port 25 or managing the bandwidth
> > certain applications use.

could be there are some 911 access issues... perhaps that's important to someone.
Re: Vonage complains about VoIP-blocking
Consider the possibility that a VoIP customer uses ISP xyz that decides to start filtering ports/protocols for VoIP, and that customer needs to make a 911 call from their VoIP phone?

Adi Linden wrote:
> > http://advancedippipeline.com/60400413
> >
> > The FCC is investigating -- it's not even clear if it's illegal to do that.
>
> How is this any different than blocking port 25 or managing the bandwidth
> certain applications use.
>
> Adi
Re: Vonage complains about VoIP-blocking
> http://advancedippipeline.com/60400413
>
> The FCC is investigating -- it's not even clear if it's illegal to do
> that.

How is this any different than blocking port 25 or managing the bandwidth certain applications use.

Adi