[104052] in North American Network Operators' Group

Re: [Nanog] Crypto export restricted prefix list

daemon@ATHENA.MIT.EDU (Kevin Blackham)
Tue Apr 22 20:04:15 2008

Date: Tue, 22 Apr 2008 18:04:05 -0600
From: "Kevin Blackham" <blackham@gmail.com>
To: "Buhrmaster, Gary" <gtb@slac.stanford.edu>
In-Reply-To: <D0D0330CBD07114D85B70B784E80C2F201545141@exch-mail2.win.slac.stanford.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Thanks for the reply. I'm aware of the limitations of this approach.
For the same reasons you stated (proxy etc), I don't expect this to be
foolproof or accurate. I'm only intending to satisfy a demand to "do
something".  We already dictate export requirements in the EULA, but
we need to also attempt to block the embargoed countries.


On 4/22/08, Buhrmaster, Gary <gtb@slac.stanford.edu> wrote:
>
> > Is there a prefix list available listing the IP space of cryptographic
> > export restricted countries?  My google skills are failing me.  I'm
> > required to apply a ban on North Korea, Iran, Syria, Sudan and Cuba.
>
> I am pretty sure that while you can get a list of IP addresses
> "currently" being used, you know (as well as I do) that those
> can/will change, and NAT/Proxies make it nearly impossible
> to really enforce this.  So while it can be something to
> do, it is not going to be complete.
>
> I am pretty sure you need something like a "click-through"
> for people to say they agree they are not citizens of those
> countries, and agree not to export to them (same as Cisco
> and others do).
>
> In any case, check with your lawyers as to the actual
> acceptable practices.  They are the ones who will need
> to defend your company if/when the software gets to
> the "evil-doers" (and it will, if they want it, and
> we all know it), and someone decides you should have
> done more and decides to sue.
>
> (The ITAR (and equivalent) restriction laws are complex,
> and you want to make sure you get it right, since you
> do not want to be the "designated felon" as our lawyers
> like to call the guy who is responsible for compliance
> and will be the one the feds go after if the software
> or information gets to the "wrong" groups.  So, make
> sure someone else is the "designated felon".)
>
> Gary
>

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
