I'm in the process of enabling SSH on all of my routers, switches and firewalls. After upgrading the IOS to one that supports SSH, generating the crypto key and then setting all of the VTY sessions to SSH only, my security team informs me that telnet is still vulnerable to IP spoofing. They can demonstrate that when they launch a telnet session to one of my routers, the telnet session will pause for maybe 2 seconds before receivign the message that the session was terminated by the router. They claim this indicates that the router is responding to the telnet session and before the actual disconnect is forced they could IP spoof the box and cause a DOS.
I say boulderdash but without any proof I am forced to create a bunch of ACL's to specifically deny telnet. Here is an example of my VTY's:
line vty 0 4 access-class 23 in exec-timeout 30 0 password 7 xxxxxxxxxxxxx logging synchronous transport preferred ssh transport input ssh transport output ssh
*The access list here is limiting access from a certain internal set of IP's.