Participant

TFTP Alternative Protocol for SIP Phone Registration to CUCM

Hi Guys,

I recently read this article https://community.cisco.com/t5/collaboration-voice-and-video/ip-phone-sccp-amp-sip-phone-registration-process-with-cucm/ta-p/3109183 on how the IP phone registers to CUCM. Based on the article, SIP phones use TFTP to communicate with CUCM when the registration process occurs.

I manage a few IP phones, and recently our security team said that TFTP is not allowed since it is not secure. Is there a more secure protocol than TFTP to register IP phones to CUCM? I read some other articles stating that right now there is no alternative to TFTP. Is that true?

Thanks!

1 ACCEPTED SOLUTION

Rising star

Re: TFTP Alternative Protocol for SIP Phone Registration to CUCM

Newer phones actually use HTTP instead of TFTP.

TFTP config files can be encrypted during download.

Also, CUCM has an ITL file that is used to verify the source of where the config file comes from after the first config file is received.

Since your security team is bugging you, make sure you tell them that you updated your phone firmware to version 12.7 to remove the CDPwn problem.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cuipph/8800-series/english/adminguide/P881_BK_C136782F_00_cisco-ip-phone-8800_series/P881_BK_C136782F_00_cisco-ip-phone-8811-8841_chapter_01011.html

4 REPLIES 4

Rising star

Re: TFTP Alternative Protocol for SIP Phone Registration to CUCM

HTTP Download

Enhances the file download process to the phone to use HTTP by default. If the HTTP download fails, the phone reverts to using the TFTP download.
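
The fallback behaviour described above can be audited from network flow records, to show which phones still reach the TFTP service. This is an added example, not part of the original thread or Cisco's own code: the flow-record format and sample data are constructed, and TCP 6970 as the HTTP config-download port is an assumption not stated in the thread (check it against your CUCM version).

```python
from collections import defaultdict

# Constructed sample flow records (not from the original thread):
# timestamp, phone IP, server IP, protocol, destination port
SAMPLE_FLOWS = """\
2020-05-01T08:00:01 10.10.20.11 10.10.1.5 tcp 6970
2020-05-01T08:00:02 10.10.20.12 10.10.1.5 tcp 6970
2020-05-01T08:00:04 10.10.20.12 10.10.1.5 udp 69
2020-05-01T08:00:05 10.10.20.13 10.10.1.5 udp 69
2020-05-01T08:00:06 10.10.20.11 10.10.1.5 tcp 5060
this line is malformed
"""

HTTP_DL = ("tcp", 6970)  # assumption: CUCM HTTP config-download port
TFTP_DL = ("udp", 69)    # standard TFTP port


def classify_phones(flow_text, config_server):
    """Map each phone IP to how it fetched files from config_server."""
    seen = defaultdict(list)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed records
        ts, src, dst, proto, port = fields
        key = (proto.lower(), int(port))
        if dst == config_server and key in (HTTP_DL, TFTP_DL):
            seen[src].append((ts, key))

    result = {}
    for phone, events in seen.items():
        events.sort()  # ISO 8601 timestamps sort chronologically as text
        kinds = [kind for _, kind in events]
        if TFTP_DL not in kinds:
            result[phone] = "http-only"
        elif HTTP_DL not in kinds:
            result[phone] = "tftp-only"       # never tried HTTP
        elif kinds.index(HTTP_DL) < kinds.index(TFTP_DL):
            result[phone] = "tftp-fallback"   # HTTP attempt, then TFTP
        else:
            result[phone] = "mixed"           # TFTP seen before HTTP
    return result


if __name__ == "__main__":
    for ip, mode in sorted(classify_phones(SAMPLE_FLOWS, "10.10.1.5").items()):
        print(ip, mode)
```

Phones reported as `tftp-only` or `tftp-fallback` are the ones to check for firmware or model limitations before TFTP is blocked on the network.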

Participant

Re: TFTP Alternative Protocol for SIP Phone Registration to CUCM

Can you elaborate on the definition of newer phones? I have 3905, 7821, 7861, and 8832 in my deployment. I can see the 12.7 update for 821, 7861, and 8832, but not for the 3905; it's stuck on version 9, and the last update was in 2018. So I guess the 3905 is not categorized as a newer phone?

Do you have any documentation on encrypted TFTP? Is it this one? https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1_SU1/secgd/cucm_b_security-guide-1151su1/cucm_b_security-guide-1151su1_chapter_01011.html

And regarding HTTP download, does it require any changes on the settings? Do you have any experience with this? Thanks!

Rising star

Re: TFTP Alternative Protocol for SIP Phone Registration to CUCM

You can find a similar guide like the one I sent; if there is no mention of HTTP, then nope, it doesn't do it. Newer phones would be like the 7800 and 8800 series. Not sure exactly when it was introduced.