Can you _please_ trim the quoted text? There's absolutely no reason to quote the entire post you're replying to, signature lines and all... +2 points for bottom-posting though. :-)
I still think HTTP is a better option.. There is far more control available in terms of securing it especially when the description of the package says "TFTP provides very little security, and should not be enabled unless it is expressly needed."..
Who in their right mind is putting these phones on the open Internet, and if they're not, then why is TFTP that big a problem? TFTP's actually quite a standard option in most networking equipment for pulling down new configurations and firmware. HTTP doesn't offer much in the way of helping with that.
What would be nice is perhaps a little DIP switch on the phone to enable LAN reconfigure/flash for better security... but for me anyway being able to pull the TFTP server and config filenames (global and per-phone) from standard DHCP extensions would be awesome.
Regards, Andrew
Anybody running an IPCSP is in their "right mind", and that's completely over the "open" Internet.
The argument here is not necessarily one of ease of use, but of security. John Brown said in a later post that TFTP's problem was not security, but authentication. Close, but not quite.
The problem with TFTP is that it is neither authenticated NOR encryptable by nature. I have no issue with the lack of authentication if the files moved can be encrypted. This is a critically important point: sending out cleartext TFTP (or HTTP, for that matter) files across ANY network is ill-advised.
Grandstream can stick with TFTP, or use HTTP, I don't care which. Anyone who has enough of these phones that they're dynamically re-configuring them with a file transfer mode will figure out one or the other. The issue is that there MUST (MUST, MUST, MUST) be a way to encrypt the files so that someone grabbing them from some non-GS client or intercepting the communications on the wire cannot get passwords or any useful data from the file. Otherwise, no IPCSP in their "right mind" would ever implement the Grandstream phones, ever, in any way, period. And, while enterprise users are a decent market share, I don't think Grandstream would say that IPCSPs (who will be ordering 1000's of these at a time) can be ignored.
See the Cisco ATA-186 for a well thought-out implementation of this method using TFTP.
JT