documents-transference-symbolTFTP was first defined in 1980 and with later revisions between 1981 and 1998. The name itself is an abbreviation of Trivial File Transfer Protocol. It operates like FTP, but is much simpler. It lacks login and access control mechanisms, it can only store and retrieve files, and it uses no transmission encryption. To make it clear, you can’t list, delete or rename files using it. Anyone can connect to it without credentials and the traffic can be eavesdropped. All in all, a unsecure service.

In technical terms TFTP is implemented on top of the UDP/IP protocols. This means it has no handshaking dialogues, which leaves it exposed to any unreliability of the underlying network protocol. It has no guarantees of delivery, ordering or duplication protection either. This means, if anything goes wrong you’ll have to start over.Communication wise it uses the well-known port number 69.

All of this combined makes TFTP trivial to put into use. You don’t have to implement a large code base to code the features in, which makes this protocol favorable for less than powerful systems (VOIP phones, routers, switches etc). For instance this is the protocol of choice for the initial stages of network booting strategies like BSDP, BOOTP, PXE and others. TFTP can also be used to transfer firmware and configuration files to network appliances.

grid-worldIn practical use TFTP is generally only used on local area networks (LAN) – but it isn’t uncommon to encounter it on the Net either. For the most part, most encounters happens when contacting servers directly on the IP-address over the Net.

Closing

TFTP isn’t a secure protocol or service, as many hacking tutorials on the Net will show you. IMHO the use of it should be restricted. It shouldn’t be allowed on Internet facing devices and servers. Hiding it on direct IP-address access is security by obscurity. Be smart and restrict access to it by using at least, say, a firewall. The best option would be to turn it off, but sometimes you got to support it. The same applies to LAN.

This was a quick intro into the TFTP protocol and service. It is quite fun to dig through the history of protocols, and I plan to do more.

 

Resources

Advertisements