North American Network Operators Group

Re: ssh access to cisco and "unfriendlies"

  • From: Stephen Sprunk
  • Date: Fri Nov 24 06:27:51 2000

Thus spake "Jim Mercer" <[email protected]>
> however, it is my understanding that IPSec will require 3des.  so, while
> i can have quasi-encrypted config access, i can't use the new and improved
> VPN technology without 3des.

Incorrect; IPsec allows for any encryption/hash algorithms to be used,
though certain ones (ie. DES and MD5?) are base requirements.

> i received a number of replies indicating that i should "call my state
> representative".

Actually, it would be your Congressional representatives, not your state
ones, assuming you were American.  The states do not have the power to
back out of a treaty.

> as theo noticed, i am not in the US, so i don't have any representation in
> the US.

Neither do most of us living here :)

> i understand that this is moreso a US government issue than something
> cisco dreamed up.

Yes; the US govt believes that there are no competent programmers
outside of the US, therefore by restricting the export of encryption
technology, nobody else will have it.  Sure...

> my concern here is not that i can't install a 3des capable router in a
> restricted country.
>
> my concern is that in my interpretation, i can't install a 3des capable
> router in Canada, if i am supplying "network services" to a restricted
> country.
>
> since i supply network services to "restricted" countries, i am not allowed
> to have 3des capability on my router, even if i need it for my customers
> who are not in "restricted" countries.

The way you paraphrased the statement, it appears that way; I doubt
that's how the official policy reads, however.  My recommendation is to
contact Cisco's Export Compliance & Regulatory Affairs group for
clarification.

You can find their contact information at:
http://www.cisco.com/wwl/export/matrix.html#contacts

> having 3des on _my_ router in no way exports the capability to
> customers unless they have 3des capability on their side.

That's a logical conclusion, but you know that lawyers and politicians
abhor logic.

> having done work in several "restricted" countries, i am very cautious
> about what i'm using with regards to US crypto export rules, as well as
> the crypto rules of the jurisdiction i'm going into.
>
> with one client, we specifically denied a client's request for cisco gear
> because they were on the export list, and we moved forward using some
> half-assed gear of canadian manufacture.
>
> imagine my "surprise" (none really) when i got onsite and discovered a
> number of ciscos installed by competitors.  (we eventually lost the
> contract, and i'll note that the current supplier is using an all cisco
> network, inside and outside the "restricted" country.)

"Restricted" in which sense?  There are only ten countries to which you
cannot export non-crypto Cisco products for non-military use.

Or are you saying you're aware of service providers shipping
strong-crypto products to crypto-restricted countries?

> and my reading of the "agreement" is that it applies regardless if you are
> using the 3des gear directly with the countries in question or not.

I think that your situation merely requires more scrutiny before
approval; nearly every major provider does business in restricted
countries.

S

     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        Network Design Consultant, GSOLE
   :|||:      :|||:       New office: RCDN2 in Richardson, TX
.:|||||||:..:|||||||:.    Email: [email protected]
Not speaking for my employer; heck, not even speaking for myself.