nanog mailing list archives

Re: ssh access to cisco and "unfriendlies"


From: "Stephen Sprunk" <ssprunk () cisco com>
Date: Fri, 24 Nov 2000 05:09:27 -0600


Thus spake "Jim Mercer" <jim () reptiles org>
however, it is my understanding that IPSec will require 3des.  so, while
i can have quasi-encrypted config access, i can't use the new and improved
VPN technology without 3des.

Incorrect; IPsec allows for any encryption/hash algorithms to be used,
though certain ones (i.e. DES and MD5?) are base requirements.

i received a number of replies indicating that i should "call my state
representative".

Actually, it would be your Congressional representatives, not your state
ones, assuming you were American.  The states do not have the power to
back out of a treaty.

as theo noticed, i am not in the US, so i don't have any representation in
the US.

Neither do most of us living here :)

i understand that this is more so a US government issue than something
cisco dreamed up.

Yes; the US govt believes that there are no competent programmers
outside of the US, therefore by restricting the export of encryption
technology, nobody else will have it.  Sure...

my concern here is not that i can't install a 3des capable router in a
restricted country.

my concern is that in my interpretation, i can't install a 3des capable
router in Canada, if i am supplying "network services" to a restricted
country.

since i supply network services to "restricted" countries, i am not allowed
to have 3des capability on my router, even if i need it for my customers
who are not in "restricted" countries.

The way you paraphrased the statement, it appears that way; I doubt
that's how the official policy reads, however.  My recommendation is to
contact Cisco's Export Compliance & Regulatory Affairs group for
clarification.

You can find their contact information at:
http://www.cisco.com/wwl/export/matrix.html#contacts

having 3des on _my_ router in no way exports the capability to
customers unless they have 3des capability on their side.

That's a logical conclusion, but you know that lawyers and politicians
abhor logic.

having done work in several "restricted" countries, i am very cautious
about what i'm using with regards to US crypto export rules, as well as
the crypto rules of the jurisdiction i'm going into.

with one client, we specifically denied a client's request for cisco gear
because they were on the export list, and we moved forward using some
half-assed gear of canadian manufacture.

imagine my "surprise" (none really) when i got onsite and discovered a
number of ciscos installed by competitors.  (we eventually lost the
contract, and i'll note that the current supplier is using an all cisco
network, inside and outside the "restricted" country.)

"Restricted" in which sense?  There are only ten countries to which you
cannot export non-crypto Cisco products for non-military use.

Or are you saying you're aware of service providers shipping
strong-crypto products to crypto-restricted countries?

and my reading of the "agreement" is that it applies regardless if you are
using the 3des gear directly with the countries in question or not.

I think that your situation merely requires more scrutiny before
approval; nearly every major provider does business in restricted
countries.

S

     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        Network Design Consultant, GSOLE
   :|||:      :|||:       New office: RCDN2 in Richardson, TX
.:|||||||:..:|||||||:.    Email: ssprunk () cisco com
Not speaking for my employer; heck, not even speaking for myself.



