fdharmawan
Participant

TFTP Alternative Protocol for SIP Phone Registration to CUCM

Hi Guys,

I recently read this article https://community.cisco.com/t5/collaboration-voice-and-video/ip-phone-sccp-amp-sip-phone-registration-process-with-cucm/ta-p/3109183 on how the IP phone registers to CUCM. Based on the article, SIP phones use TFTP to communicate with CUCM when the registration process occurs.

I manage a few IP phones and recently our security team said that TFTP is not allowed since it is not secure. Is there a more secure protocol than TFTP to register IP phones to CUCM? I read some other articles stating that right now there is no alternative to TFTP. Is that true?

Thanks!

1 ACCEPTED SOLUTION

Gregory Brunn
Collaborator

Newer phones actually use HTTP instead of TFTP.

TFTP config files can be encrypted during download. 

Also, CUCM has an ITL file that is used to verify the source of where the config file comes from after the first config file is received.

Since your security team is bugging you, make sure you tell them that you updated your phone firmware to version 12.7 to remove the CDPWN problem.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cuipph/8800-series/english/adminguide/P881_BK_C136782F_00_cisco-ip-phone-8800_series/P881_BK_C136782F_00_cisco-ip-phone-8811-8841_chapter_01011.html

4 REPLIES 4

HTTP Download

Enhances the file download process to the phone to use HTTP by default. If the HTTP download fails, the phone reverts to using the TFTP download.

Can you elaborate on the definition of newer phones? I have 3905, 7821, 7861, and 8832 in my deployment. I can see the 12.7 update for 821, 7861, and 8832, but not for the 3905; it's stuck on version 9 and the last update was in 2018. So I guess the 3905 is not categorized as a newer phone?

Do you have any documentation on encrypted TFTP? Is it this one? https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1_SU1/secgd/cucm_b_security-guide-1151su1/cucm_b_security-guide-1151su1_chapter_01011.html

And regarding HTTP download, does it require any changes on the settings? Do you have any experience with this? Thanks!

You can find a similar guide like the one I sent; if there is no mention of HTTP, then nope, it doesn't do it. Newer phones would be like the 7800 and 8800 series. Not sure exactly when it was introduced.
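
An added example, not part of the original thread or Cisco's code: one way to show a security team which phones still pull files over TFTP and which use the HTTP download discussed above, by auditing flow records toward the CUCM TFTP server. The CSV layout, the IP addresses and the HTTP port (TCP/6970) are assumptions, not taken from the thread.

```python
import csv
from collections import defaultdict

# Assumptions (not from the thread): the CUCM TFTP service answers TFTP on
# UDP/69 and HTTP on TCP/6970; the CSV layout below is a constructed format.
TFTP = ("udp", 69)
HTTP = ("tcp", 6970)

# Constructed sample flow records: time,src,dst,proto,dst_port
SAMPLE_FLOWS = """\
2024-01-01T09:00:01,10.0.20.11,10.0.10.5,tcp,6970
2024-01-01T09:00:02,10.0.20.12,10.0.10.5,udp,69
2024-01-01T09:00:03,10.0.20.13,10.0.10.5,tcp,6970
2024-01-01T09:00:04,10.0.20.13,10.0.10.5,udp,69
2024-01-01T09:00:05,10.0.20.14,10.0.10.9,udp,69
2024-01-01T09:00:06,10.0.20.11,10.0.10.5,tcp,5061
malformed line
"""

def classify_phones(flow_text, cucm_ips):
    """Map each client IP to 'http', 'tftp-only' or 'http-and-tftp'."""
    seen = defaultdict(set)
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 5 or not row[4].isdigit():
            continue  # skip malformed records instead of failing the audit
        _, src, dst, proto, port = row
        key = (proto.lower(), int(port))
        # Only count file-download traffic aimed at the known CUCM servers.
        if dst in cucm_ips and key in (TFTP, HTTP):
            seen[src].add(key)
    result = {}
    for src, kinds in seen.items():
        if kinds == {HTTP}:
            result[src] = "http"
        elif kinds == {TFTP}:
            result[src] = "tftp-only"
        else:
            result[src] = "http-and-tftp"  # consistent with an HTTP-to-TFTP fallback
    return result

def tftp_users(flow_text, cucm_ips):
    """Phones that pulled files over TFTP at least once, sorted."""
    kinds = classify_phones(flow_text, cucm_ips)
    return sorted(ip for ip, kind in kinds.items() if kind != "http")

if __name__ == "__main__":
    for ip, kind in sorted(classify_phones(SAMPLE_FLOWS, {"10.0.10.5"}).items()):
        print(ip, kind)
```

Phones reported as `tftp-only` or `http-and-tftp` are the ones to check for model, firmware level and encrypted-config settings.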