North American Network Operators Group


Re: ssh access to cisco and "unfriendlies"

  • From: Jim Mercer
  • Date: Thu Nov 23 09:05:23 2000

On Thu, Nov 23, 2000 at 10:40:45AM +0100, theo wrote:
> Jim Mercer wrote:
> > i've been trying to get ssh access to cisco IOS 12.1.2 working, but no
> > matter what i do, the openssh client says "3des not supported by server".
> 
> or you need to recompile your ssh distribution so that it supports des as well
> (3des is the default option). In that way it works.

yes, this is likely what i will do.

that will give me somewhat encrypted access to a variety of routers
such that i don't have to do clear text access across the 'net.

however, it is my understanding that IPSec will require 3des.  so, while
i can have quasi-encrypted config access, i can't use the new and improved
VPN technology without 3des.

> If you are outside the US it is very unlikely that you will get a copy of 3des
> capable software by cisco. They seem to be very strict on export policy
> regarding that thing.

i received a number of replies indicating that i should "call my state
representative".

as theo noticed, i am not in the US, so i don't have any representation in
the US.

i understand that this is more so a US government issue than something cisco
dreamed up.

my concern here is not that i can't install a 3des capable router in a
restricted country.

my concern is that in my interpretation, i can't install a 3des capable
router in Canada, if i am supplying "network services" to a restricted
country.

since i supply network services to "restricted" countries, i am not allowed
to have 3des capability on my router, even if i need it for my customers
who are not in "restricted" countries.

having 3des on _my_ router in no way exports the capability to customers
unless they have 3des capability on their side.

having done work in several "restricted" countries, i am very cautious about
what i'm using with regards to US crypto export rules, as well as the crypto
rules of the jurisdiction i'm going into.

with one client, we specifically denied a client's request for cisco gear
because they were on the export list, and we moved forward using some
half-assed gear of canadian manufacture.

imagine my "surprise" (none really) when i got onsite and discovered a number
of ciscos installed by competitors.  (we eventually lost the contract, and
i'll note that the current supplier is using an all cisco network, inside and
outside the "restricted" country.)

i wonder if uunet/teleglobe/cable-and-wireless have gotten special permission
to run 3des capable routers on their networks.  i'm sure that all three are
supplying network services to countries not on that list.

and my reading of the "agreement" is that it applies regardless if you are
using the 3des gear directly with the countries in question or not.

-- 
[ Jim Mercer                 [email protected]              +1 416 410-5633 ]
[          Reptilian Research -- Longer Life through Colder Blood          ]
[  Don't be fooled by cheap Finnish imitations; BSD is the One True Code.  ]