Trivial File Transfer Protocol (TFTP)

TFTP is a simplified file transfer protocol. It is simpler than FTP and is designed to be implemented in ROM for booting diskless systems like X terminals, diskless workstations, and routers. There is no authentication with TFTP; a TFTP client simply connects to the server and asks for a file, without saying who the file is for. If the file is one that the server can access, the server gives the client the file. For this reason, you need to be very careful about what your TFTP server (if you have one) can access, and what clients can access the server.

Generally, there's no reason at all to allow TFTP across your firewall, even if you use it internally. You do not want to boot diskless systems across the Internet, and people do not transfer files with TFTP.

Packet Filtering Characteristics of TFTP

TFTP is a UDP-based protocol. Servers listen on port 69 for the initial client-to-server packet to establish the TFTP session, then use a port above 1023 for all further packets during that session. Clients use ports above 1023.

Direction SourceAddr. Dest.Addr. Protocol SourcePort Dest.Port ACKSet Notes
In Ext Int UDP >1023 69 [71] Incoming TFTP request (first packet from client)
Out Int Ext UDP >1023 >1023 [71] Response to incoming request
In Ext Int UDP >1023 >1023 [71] Subsequent packets from client
Out Int Ext UDP >1023 69 [71] Outgoing TFTP request (first packet from client)
In Ext Int UDP >1023 >1023 [71] Response to outgoing request
Out Int Ext UDP >1023 >1023 [71] Subsequent packets from client

[71]UDP has no ACK equivalent.

Intelligent packet filters may have difficulty supporting TFTP because the responses do not match normal criteria for responses. In general, a packet is considered a response only if its source and destination are reversed from a recently received packet. In TFTP, the response packet has a destination that matches a recent source, but the source is new. In order to support this, the packet filter needs to have special rules for TFTP, instead of using normal rules for supporting UDP-based protocols.

Proxying Characteristics of TFTP

TFTP does not lend itself well to proxying. Because TFTP clients are often implemented in hardware, with no users involved, neither modified clients nor modified user procedures are generally implementable. A transparent proxy could easily support TFTP, providing the same extremely minimal amount of security achievable if you allow TFTP through packet filters.

Network Address Translation Characteristics of TFTP

TFTP does not use embedded IP addresses and can work with network address translation systems. There are two possible problems. First, TFTP responses come from a different port from the one the original request is sent to. Some systems will consider this a new interaction and may not perform the appropriate translation to match the original request. Second, TFTP clients and servers pay attention to the source port of data. If the source port maps changes during an interaction, the transfer will be interrupted.

Summary of Recommendations for TFTP