[32504] in North American Network Operators' Group
Re: ssh access to cisco and "unfriendlies"
daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Fri Nov 24 06:27:01 2000
Message-ID: <03ce01c05609$1d54b940$dcb544ab@glock>
From: "Stephen Sprunk" <ssprunk@cisco.com>
To: "Jim Mercer" <jim@reptiles.org>, "theo" <tb@rimail.com>
Cc: "North American Noise and Off-topic Gripes" <nanog@merit.edu>
Date: Fri, 24 Nov 2000 05:09:27 -0600
Thus spake "Jim Mercer" <jim@reptiles.org>
> however, it is my understanding that IPSec will require 3des. so, while
> i can have quasi-encrypted config access, i can't use the new and improved
> VPN technology without 3des.
Incorrect; IPsec allows for any encryption/hash algorithms to be used,
though certain ones (i.e., DES and MD5?) are base requirements.
> i received a number of replies indicating that i should "call my state
> representative".
Actually, it would be your Congressional representatives, not your state
ones, assuming you were American. The states do not have the power to
back out of a treaty.
> as theo noticed, i am not in the US, so i don't have any representation in
> the US.
Neither do most of us living here :)
> i understand that this is more so a US government issue than something
> cisco dreamed up.
Yes; the US govt believes that there are no competent programmers
outside of the US, therefore by restricting the export of encryption
technology, nobody else will have it. Sure...
> my concern here is not that i can't install a 3des capable router in a
> restricted country.
>
> my concern is that in my interpretation, i can't install a 3des capable
> router in Canada, if i am supplying "network services" to a restricted
> country.
>
> since i supply network services to "restricted" countries, i am not allowed
> to have 3des capability on my router, even if i need it for my customers
> who are not in "restricted" countries.
The way you paraphrased the statement, it appears that way; I doubt
that's how the official policy reads, however. My recommendation is to
contact Cisco's Export Compliance & Regulatory Affairs group for
clarification.
You can find their contact information at:
http://www.cisco.com/wwl/export/matrix.html#contacts
> having 3des on _my_ router in no way exports the capability to
> customers unless they have 3des capability on their side.
That's a logical conclusion, but you know that lawyers and politicians
abhor logic.
> having done work in several "restricted" countries, i am very cautious
> about what i'm using with regards to US crypto export rules, as well as
> the crypto rules of the jurisdiction i'm going into.
>
> with one client, we specifically denied a client's request for cisco gear
> because they were on the export list, and we moved forward using some
> half-assed gear of canadian manufacture.
>
> imagine my "surprise" (none really) when i got onsite and discovered a
> number of ciscos installed by competitors. (we eventually lost the
> contract, and i'll note that the current supplier is using an all cisco
> network, inside and outside the "restricted" country.)
"Restricted" in which sense? There are only ten countries to which you
cannot export non-crypto Cisco products for non-military use.
Or are you saying you're aware of service providers shipping
strong-crypto products to crypto-restricted countries?
> and my reading of the "agreement" is that it applies regardless if you are
> using the 3des gear directly with the countries in question or not.
I think that your situation merely requires more scrutiny before
approval; nearly every major provider does business in restricted
countries.
S
| | Stephen Sprunk, K5SSS, CCIE #3723
:|: :|: Network Design Consultant, GSOLE
:|||: :|||: New office: RCDN2 in Richardson, TX
.:|||||||:..:|||||||:. Email: ssprunk@cisco.com
Not speaking for my employer; heck, not even speaking for myself.