North American Network Operators Group
Re: ssh access to cisco and "unfriendlies"
Thus spake "Jim Mercer" <[email protected]>
> however, it is my understanding that IPSec will require 3des. so, while
> i can have quasi-encrypted config access, i can't use the new and improved
> VPN technology without 3des.

Incorrect; IPsec allows for any encryption/hash algorithms to be used, though certain ones (i.e. DES and MD5?) are base requirements.

> i received a number of replies indicating that i should "call my state
> representative".

Actually, it would be your Congressional representatives, not your state ones, assuming you were American. The states do not have the power to back out of a treaty.

> as theo noticed, i am not in the US, so i don't have any representation in
> the US.

Neither do most of us living here :)

> i understand that this is more so a US government issue than something
> cisco dreamed up.

Yes; the US govt believes that there are no competent programmers outside of the US, therefore by restricting the export of encryption technology, nobody else will have it. Sure...

> my concern here is not that i can't install a 3des capable router in a
> restricted country.
>
> my concern is that in my interpretation, i can't install a 3des capable
> router in Canada, if i am supplying "network services" to a restricted
> country.
>
> since i supply network services to "restricted" countries, i am not allowed
> to have 3des capability on my router, even if i need it for my customers
> who are not in "restricted" countries.

The way you paraphrased the statement, it appears that way; I doubt that's how the official policy reads, however. My recommendation is to contact Cisco's Export Compliance & Regulatory Affairs group for clarification. You can find their contact information at:

http://www.cisco.com/wwl/export/matrix.html#contacts

> having 3des on _my_ router in no way exports the capability to
> customers unless they have 3des capability on their side.

That's a logical conclusion, but you know that lawyers and politicians abhor logic.
> having done work in several "restricted" countries, i am very cautious
> about what i'm using with regards to US crypto export rules, as well as
> the crypto rules of the jurisdiction i'm going into.
>
> with one client, we specifically denied a client's request for cisco gear
> because they were on the export list, and we moved forward using some
> half-assed gear of canadian manufacture.
>
> imagine my "surprise" (none really) when i got onsite and discovered a
> number of ciscos installed by competitors. (we eventually lost the
> contract, and i'll note that the current supplier is using an all cisco
> network, inside and outside the "restricted" country.

"Restricted" in which sense? There are only ten countries to which you cannot export non-crypto Cisco products for non-military use. Or are you saying you're aware of service providers shipping strong-crypto products to crypto-restricted countries?

> and my reading of the "agreement" is that it applies regardless if you are
> using the 3des gear directly with the countries in question or not.

I think that your situation merely requires more scrutiny before approval; nearly every major provider does business in restricted countries.

S

     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        Network Design Consultant, GSOLE
   :|||:      :|||:       New office: RCDN2 in Richardson, TX
.:|||||||:..:|||||||:.    Email: [email protected]

Not speaking for my employer; heck, not even speaking for myself.