FCC issues new rules about foreign made routers
FCC issues rules about sales of routers and such not made in the US https://www.marketscreener.com/news/us-regulator-bans-imports-of-new-foreign...
Relevant URLs are
https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf
https://www.fcc.gov/supplychain/coveredlist
'Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS.'
I wonder what 'Routers^' are 'produced' in the US, in such a way that it meaningfully improves security posture.
On Tue, 24 Mar 2026 at 07:54, Roy via NANOG <nanog@lists.nanog.org> wrote:
FCC issues rules about sales of routers and such not made in the us
https://www.marketscreener.com/news/us-regulator-bans-imports-of-new-foreign...
-- ++ytti
The National Security Determination ( https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf ) on this gives the game away quite clearly.
To facilitate this transition period, entities that produce routers in a foreign country are encouraged to apply for Conditional Approvals (Annex A) which, if approved, will allow such producers to continue to receive FCC authorization for their products while they work to address the U.S. government’s national security concerns described above.
You can reliably predict that companies will be granted their conditional approvals quickly after making a 'donation' to a presidential library fund or other associated entity, because that's basically the primary function of the US government at this point.
On Tue, Mar 24, 2026 at 2:17 AM Saku Ytti via NANOG <nanog@lists.nanog.org> wrote:
Relevant URLs are
https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf https://www.fcc.gov/supplychain/coveredlist
'Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS.'
I wonder what 'Routers^' are 'produced' in the US, in such a way that it meaningfully improves security posture.
-- ++ytti
This applies to all operators in the US. I crafted this up today just to confirm what I remember of CPE supply chain.
https://www.senki.org/operators-security-toolkit/us-isp-cpe-supply-chain/
I don't see how this is going to work. Other parts of the world are doing sane CPE security policies.
On Mar 24, 2026, at 20:15, Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
The National Security Determination ( https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf ) on this gives the game away quite clearly.
To facilitate this transition period, entities that produce routers in a
foreign country are encouraged to apply for Conditional Approvals (Annex A) which, if approved, will allow such producers to continue to receive FCC authorization for their products while they work to address the U.S. government’s national security concerns described above.
You can reliably predict that companies will be granted their conditional approvals quickly after making a 'donation' to a presidential library fund or other associated entity, because that's basically the primary function of the US government at this point.
Rather obvious would be security devices such as Firewalls missing in all of this. Brings to mind, it's not a router, it's a broken firewall.... lol
-Joe
On Tue, Mar 24, 2026 at 4:21 AM Barry Raveendran Greene via NANOG <nanog@lists.nanog.org> wrote:
This applies to all operators in the US. I crafted this up today just to confirm what remember of CPE supply chain.
https://www.senki.org/operators-security-toolkit/us-isp-cpe-supply-chain/
I don't see how this is going to work. Other parts of the world are doing sane CPE security policies
On Tue, 24 Mar 2026 at 09:14, Tom Beecher <beecher@beecher.cc> wrote:
You can reliably predict that companies will be granted their conditional approvals quickly after making a 'donation' to a presidential library fund or other associated entity, because that's basically the primary function of the US government at this point.
1) O-1 to get Taiwanese employees
2) Assemble TP-Link in US
3) Spray paint with gold and stencil 'Patriot Router' on top
4) Pro^WSecurity
-- ++ytti
Normal rulemaking goes through a comment period, as required by the Administrative Procedures Act. The end goal of the APA is to prevent "arbitrary and capricious" regulations. Given that we are hearing about this now, and not when the comment period notice was issued, I expect an injunction shortly, and eventual rulings that this violates APA.
On Tue, Mar 24, 2026 at 3:14 AM Tom Beecher via NANOG <nanog@lists.nanog.org> wrote:
The National Security Determination ( https://www.fcc.gov/sites/default/files/NSD-Routers0326.pdf ) on this gives the game away quite clearly.
To facilitate this transition period, entities that produce routers in a
foreign country are encouraged to apply for Conditional Approvals (Annex A) which, if approved, will allow such producers to continue to receive FCC authorization for their products while they work to address the U.S. government’s national security concerns described above.
You can reliably predict that companies will be granted their conditional approvals quickly after making a 'donation' to a presidential library fund or other associated entity, because that's basically the primary function of the US government at this point.
Library fund note aside, didn't India attempt a similar lockdown/process for equipment used to operate networks in India ~7 yr back? Whatever happened to that I wonder?
Is adding equipment to the covered list considered rule making? The FCC could also use the excuse of The Good Cause Exception. It would have to go to court for either to be clarified.
From: Mike Lewinski via NANOG <nanog@lists.nanog.org>
Sent: Tuesday, March 24, 2026 7:41 AM
To: nanog@lists.nanog.org
Cc: Mike Lewinski <mlewinski@massivenetworks.com>
Subject: [External Sender] Re: FCC issues new rules about foreign made routers
Normal rulemaking goes through a comment period, as required by the Administrative Procedures Act. The end goal of the APA is to prevent "arbitrary and capricious" regulations. Given that we are hearing about this now, and not when the comment period notice was issued, I expect an injunction shortly, and eventual rulings that this violates APA.
It appears that Saku Ytti via NANOG <nanog@lists.nanog.org> said:
Relevant URLs are
https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf https://www.fcc.gov/supplychain/coveredlist
'Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS.'
I wonder what 'Routers^' are 'produced' in the US, in such a way that it meaningfully improves security posture.
As far as I know, the answer is none. There are plenty of routers designed in the US but they're all built offshore. It would make sense to ask where the software is written, but they don't do that.
The conditional approval procedure is absurd. It requires the vendor to commit to manufacture in the U.S.
R's, John
The news is likely a response to recent events. Props go to the FBI Alaska field office!
District of Alaska | Authorities disrupt world’s largest IoT DDoS botnets responsible for record breaking attacks targeting victims worldwide | United States Department of Justice https://share.google/oNBQGeRtp05TtSbMI
On Tue, Mar 24, 2026, 10:05 AM John Levine via NANOG <nanog@lists.nanog.org> wrote:
As far as I know, the answer is none. There are plenty of routers designed in the US but they're all built offshore. It would make sense to ask where the software is written, but they don't do that.
The conditional approval procedure is absurd. It requires the vendor to commit to manufacture in the U.S.
R's, John
The takedown was also due to the help of network operators, many of whom are on this list. Huzzah!
Thanks, Scott
On Mar 24, 2026, at 1:27 PM, cosmo via NANOG <nanog@lists.nanog.org> wrote:
The news is likely a response to recent events. Props go to the FBI Alaska field office!
District of Alaska | Authorities disrupt world’s largest IoT DDoS botnets responsible for record breaking attacks targeting victims worldwide | United States Department of Justice https://share.google/oNBQGeRtp05TtSbMI
Yessir! It definitely takes a village, and NANOG is most certainly that village!
On Tue, Mar 24, 2026, 10:35 AM Scott Fisher <sfisher@cymru.com> wrote:
The takedown was also due to the help of network operators, many of whom are on this list. Huzzah!
Thanks, Scott
On Mar 24, 2026, at 1:04 PM, John Levine via NANOG <nanog@lists.nanog.org> wrote:
It appears that Saku Ytti via NANOG <nanog@lists.nanog.org> said:
Relevant URLs are
https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf https://www.fcc.gov/supplychain/coveredlist
'Routers^ produced in a foreign country, except routers which have been granted a Conditional Approval by DoW or DHS.'
I wonder what 'Routers^' are 'produced' in the US, in such a way that it meaningfully improves security posture.
As far as I know, the answer is none. There are plenty of routers designed in the US but they're all built offshore. It would make sense to ask where the software is written, but they don't do that.
The conditional approval procedure is absurd. It requires the vendor to commit to manufacture in the U.S.
I suspect this is why the waiver is really the method, at least for the foreseeable future. Much of this is existing and predates the current administration for those of us who have been watching this space. There’s quite a bit of problems out there with these embedded systems and how they are managed and maintained.
The number of people who don’t want to upgrade firmware because of worries of new problems vs those who really should upgrade because the embedded solution is based on a very old and already exploitable software suite is quite large. I discovered this during a lot of the research into open resolvers done quite some time ago. The number of these embedded platforms that did something odd or were broken was quite big.
With the advancements in tools where you can take something like binwalk and a software image to find exploits by using an AI toolset, plus you get the really difficult to patch situations such as this:
https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malwa...
The likelihood that you can determine how to exploit something is really easy these days.
Just as many have been working on securing things like routing for years, the idea that these critical devices might need to have some sort of broader set of steps than “have vendor SDK, built and shipped image” is really a good thing.
If you don’t know what tools/suites are under the covers, you may want to look closer at it. Since so many devices run Linux, a variant of busy box, possibly dnsmasq and other items, you will become quite surprised when you look at the nested licenses (if there is proper transparency here). These all periodically get updates which may address public or privately reported vulnerabilities which may be a reason to upgrade.
I’ll leave the rest as an exercise for those who primarily deal with the security lists/forums.
- Jared
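The point above about knowing what is "under the covers" can be made concrete once a CPE image has been unpacked (for example with binwalk, which the message mentions). The following is an added example, not code from this thread or from any project named in it: it walks an extracted firmware tree and inventories Linux, BusyBox and dnsmasq versions from the banners those projects compile into their binaries. The sample file contents and the `FLOORS` minimum versions are constructed placeholders, not values from any advisory.

```python
"""Inventory open-source components in an unpacked firmware tree by version banner."""
import os
import re
import tempfile

# Strings these projects compile into their binaries: the kernel's linux_banner,
# the BusyBox applet banner, and dnsmasq's "dnsmasq-<version>" identification string.
BANNERS = {
    "linux": re.compile(rb"Linux version (\d+(?:\.\d+)+)"),
    "busybox": re.compile(rb"BusyBox v(\d+(?:\.\d+)+)"),
    "dnsmasq": re.compile(rb"dnsmasq-(\d+(?:\.\d+)+)"),
}

# Constructed placeholder policy: the oldest version the operator accepts.
FLOORS = {"linux": "3.10", "busybox": "1.30.0", "dnsmasq": "2.86"}

# Constructed stand-ins for files found in an extracted image.
SAMPLE_FILES = {
    "bin/busybox": b"\x7fELF\x00BusyBox v1.19.4 (2014-06-03 11:02:17 CST)"
                   b" multi-call binary.\x00BusyBox v1.19.4 (2014-06-03)\x00",
    "recovery/bin/busybox": b"\x7fELF\x00BusyBox v1.31.1 (2020-01-15) multi-call\x00",
    "usr/sbin/dnsmasq": b"\x7fELF\x00version.bind\x00dnsmasq-2.62\x00",
    "boot/vmlinux.bin": b"\x00Linux version 3.10.14 (build@example) (gcc version 4.6.3)\x00",
    "etc/banner": b"welcome to the gateway\n",
}


def parse_version(text):
    """Turn '1.19.4' into (1, 19, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def scan_bytes(data):
    """Return (component, version, offset) for every banner found, in file order."""
    hits = []
    for name, pattern in BANNERS.items():
        for match in pattern.finditer(data):
            hits.append((name, match.group(1).decode("ascii"), match.start()))
    return sorted(hits, key=lambda hit: hit[2])


def scan_tree(root):
    """Map component -> {version: [relative paths]} for an extracted tree."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            # BusyBox applets are usually symlinks to one binary; count it once
            # and never follow links that could point outside the tree.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as handle:
                data = handle.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for name, version, _offset in scan_bytes(data):
                paths = inventory.setdefault(name, {}).setdefault(version, [])
                if rel not in paths:
                    paths.append(rel)
    return inventory


def below_floor(inventory, floors):
    """List (component, version) pairs older than the operator's floor."""
    stale = []
    for name, versions in inventory.items():
        floor = floors.get(name)
        if floor is None:
            continue
        for version in versions:
            if parse_version(version) < parse_version(floor):
                stale.append((name, version))
    return sorted(stale)


def demo():
    """Build the constructed sample tree, scan it, and apply FLOORS."""
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(blob)
        os.symlink("busybox", os.path.join(root, "bin", "sh"))  # applet link
        inventory = scan_tree(root)
    return inventory, below_floor(inventory, FLOORS)


if __name__ == "__main__":
    found, stale = demo()
    for component, versions in sorted(found.items()):
        print(component, versions)
    print("below floor:", stale)
```

Banner matching only sees uncompressed data, so it has to run on the unpacked filesystem rather than on the raw image, and a stripped or patched vendor build may not carry a banner at all.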
I suspect this is why the waiver is really the method, at least for the foreseeable future. Much of this is existing and predates the current administration for those of us who have been watching this space. There’s quite a bit of problems out there with these embedded systems and how they are managed and maintained.
All they are doing here is:
- Creating a conditional approval process they could extort companies into paying for fast tracking.
- Forcing companies to apply for conditional approval to commit to onshoring manufacturing of said devices within 5 years, so they can bleat about 'deals reached to return manufacturing to the US'.
Nothing is actually being requested which actually improves security posture of these devices. It is just performative theater.
On Tue, Mar 24, 2026 at 4:47 PM Jared Mauch via NANOG <nanog@lists.nanog.org> wrote:
I suspect this is why the waiver is really the method, at least for the foreseeable future. Much of this is existing and predates the current administration for those of us who have been watching this space. There’s quite a bit of problems out there with these embedded systems and how they are managed and maintained.
The number of people who don’t want to upgrade firmware because of worries of new problems vs those who really should upgrade because the embedded solution is based on a very old and already exploitable software suite is quite large. I discovered this during a lot of the research into open resolvers done quite some time ago. The number of these embedded platforms that did something odd or were broken was quite big.
With the advancements in tools where you can take something like binwalk and a software image to find exploits by using an AI toolset, plus you get the really difficult to patch situations such as this:
https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malwa...
The likelihood that you can determine how to exploit something is really easy these days.
Just as many have been working on securing things like routing for years, the idea that these critical devices might need to have some sort of broader set of steps than “have vendor SDK, built and shipped image” is really a good thing.
If you don’t know what tools/suites are under the covers, you may want to look closer at it. Since so many devices run Linux, a variant of busy box, possibly dnsmasq and other items, you will become quite surprised when you look at the nested licenses (if there is proper transparency here). These all periodically get updates which may address public or privately reported vulnerabilities which may be a reason to upgrade.
I’ll leave the rest as an exercise for those who primarily deal with the security lists/forums.
- Jared
On Tue, 24 Mar 2026, Jared Mauch wrote:
The conditional approval procedure is absurd. It requires the vendor to commit to manufacture in the U.S.
I suspect this is why the waiver is really the method, at least for the foreseeable future. Much of this is existing and predates the current administration for those of us who have been watching this space. There’s quite a bit of problems out there with these embedded systems and how they are managed and maintained.
In the documents I don't see any provision for waivers other than conditional approval. People more familiar with FCC process than me say the same, there's no realistic way to get anything approved.
The number of people who don’t want to upgrade firmware because of worries of new problems vs those who really should upgrade because the embedded solution is based on a very old and already exploitable software suite is quite large. I discovered this during a lot of the research into open resolvers done quite some time ago. The number of these embedded platforms that did something odd or were broken was quite big.
With the advancements in tools where you can take something like binwalk and a software image to find exploits by using an AI toolset, plus you get the really difficult to patch situations such as this:
Oh, absolutely, the software is awful and there's a lot we can and should do about it. But that's unrelated to where the box is physically assembled. I have a Ubiquiti Edgerouter which as far as I know is designed in the US, and runs software written in the US, but it's assembled in China so it's lucky I already have one.
Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
On Mar 24, 2026, at 07:30, Christopher Morrow via NANOG <nanog@lists.nanog.org> wrote:
Library fund note aside, didn't India attempt a similar lockdown/process for equipment used to operate networks in India ~7 yr back? Whatever happened to that I wonder?
———-
I believe this was aimed at Chinese vendors specially during border tensions in 2020. If anything India has gone lot more stringent, citing cyber security threat to the nation. Government wants access to the underlying code (vetting) of equipment including smartphones. Vendors are having a fit, calling it intellectual property risk. Cisco & Apple are not happy because DOT wants to get inside their skivvies ;-)
Some do but nobody fully grasps the magnitude of tectonic shift taking place in India.
/vrode
On Tue, 24 Mar 2026 at 23:31, John R. Levine via NANOG <nanog@lists.nanog.org> wrote:
Oh, absolutely, the software is awful and there's a lot we can and should do about it. But that's unrelated to where the box is physically assembled. I have a Ubiquiti Edgerouter which as far as I know is designed in the US, and runs software written in the US, but it's assembled in China so it's lucky I already have one.
Aren't they mostly Taiwanese and eastern European developers?
Someone mentioned India and AFAIK India does have domestic capabilities. Tejas Networks contracts some of their manufacturing to Optiemus Electronics, but silicon likely still comes from Taiwan and Korea.
Of course all of this is ridiculous posturing, it doesn't matter where the developer sits, it doesn't make them lower or higher risk. Silicon Valley bigtech has teams who use Mandarin at the office because they're all first generation immigrants. Most people are happy to inject some code in git repo for money, and we have some security incidents which strongly suggest this vector in American firewall vendor.
I was recently looking at Marvell Alaska and there is absolutely no way thing that complex could possibly be secure. And of course unlike your phone CPU and software which have very advanced defenses, these embedded things have nothing. I'm sure if network devices weren't so easy and cheap to pwn, anyone motivated could pwn your device if connected to it, via attacking the PHY and putting APT in the PHY, jumping to other PHYs on the box to propagate the attack further.
This is not a specific complaint about Marvell Alaska, it's a fine product. Just that infosec is an absolute joke and we have no reasonable answer how to make it less so. Only thing we have are policies that reduce the motivation to attack, and stick is an incredibly inefficient policy.
-- ++ytti
On Wed, Mar 25, 2026 at 10:48:22AM +0200, Saku Ytti via NANOG wrote:
Of course all of this is ridiculous posturing, it doesn't matter where the developer sits, it doesn't make them lower or higher risk. Silicon Valley bigtech has teams who use Mandarin at the office because they're all first generation immigrants. Most people are happy to inject some code in git repo for money, and we have some security incidents which strongly suggest this vector in American firewall vendor.
What relation does speaking in Mandarin have with injecting code for money?
Mukund
It’s a “national security” matter, so they probably found some level of exception to the APA by calling it that.
I agree that it’s a blatant attempt at extortion against manufacturers of networking equipment and I would hope to see multiple legal challenges against it.
Unfortunately my faith in the US courts is greatly eroded by some of the recent shadow docket rulings by the Supreme Court, so time will tell, but I suspect this is just another example of damage the next administration will hopefully clean up.
I remain dismayed that this jackass got a second term in office instead of the prison cell he so richly deserves.
Owen
On Mar 24, 2026, at 05:40, Mike Lewinski via NANOG <nanog@lists.nanog.org> wrote:
Normal rulemaking goes through a comment period, as required by the Administrative Procedures Act. The end goal of the APA is to prevent "arbitrary and capricious" regulations.
Given that we are hearing about this now, and not when the comment period notice was issued, I expect an injunction shortly, and eventual rulings that this violates APA.
On Wed, 25 Mar 2026 at 11:51, Mukund Sivaraman <muks@mukund.org> wrote:
What relation does speaking in Mandarin have with injecting code for money?
None. Hence 'Most people'. Point being, the seat doesn't matter, Chinese nationals sitting in China or Silicon Valley does not have security implications.
-- ++ytti
Sixteen years ago, I was asked to attend a meeting at Verizon regarding the IPv6 plan, whether the routers were manufactured in China, and what does your consumer security look like. I was informed that they were working on IPv6, they are secure and that all consumer routers were produced in the US.

Fast forward to March 10, 2026, when I began researching the topic. Here are my results.

*The main OEMs Verizon used for consumer routers/gateways were:*

- *Actiontec* — U.S. company; at least some Verizon MI424WR units were *made in China*.
- *Westell* — U.S. company; at least some Verizon VersaLink 7500 units were *made in China*.
- *D-Link* — Taiwan company; production country *not firmly verified* here for Verizon-labeled units.
- *Linksys* — U.S. company at the time Verizon used the BEFW11S4; production country *not firmly verified here*.
- *Arcadyan* — Taiwan company; verified as OEM/grantee for Verizon’s *G3100*, and likely associated with *CR1000B* and *ARC-XCI55AX*.
- *Wistron NeWeb (WNC)* — Taiwan company; associated with Verizon’s *CR1000A*, *ASK-NCQ1338*, and likely *WNC-CR200A*.

*What I can say confidently about their production location*

*Clearly verified as produced in China*

- Actiontec *MI424WR Rev. F*
- Actiontec *MI424WR Rev. I*
- Westell *VersaLink 7500*

*OEM company is verified, but factory country is not yet firm from the sources I checked was one year ago.*

- Arcadyan-made Verizon *G3100*
- WNC-made Verizon *CR1000A*
- Arcadyan-associated *CR1000B*
- WNC-made / WNC-associated Verizon 5G gateways
- D-Link and Linksys older Verizon consumer units

*Best initial conclusion*

For Verizon consumer routers from the 2000s through today, the OEM pattern is:

- *Older DSL / early broadband / early FiOS:* mostly *Actiontec, Westell, D-Link, Linksys*.
- *Modern FiOS / 5G Home:* mostly *Arcadyan* and *Wistron NeWeb*, both *Taiwan-based OEMs*.

*Today Update:* From the models we discussed, the ones I can *confidently tie to physical assembly in China* are:

- *Verizon G3100* — third-party hardware databases identify the OEM as Arcadyan and list the *country of manufacture as China*.
- *Verizon D-Link VDI/DI-624 generation* — multiple hardware-db entries for DI-624 revisions list *country of manufacture as China*. That supports the Verizon-era D-Link family being physically assembled in China, though not every single revision is proven by the same source.
- *Verizon Linksys BEFW11S4 family* — at least the *BEFW11S4 v4 (r2, China)* is explicitly listed as *country of manufacture: China*. Earlier revisions were not all China-built; for example, v3.0 is listed as Taiwan.

The ones I *would not label as China-assembled based on what I could verify* are:

- *CR1000A* — FCC documents identify *Wistron NeWeb (Taiwan)* as applicant/manufacturer, and third-party hardware databases list the *country of manufacture as Vietnam*, not China.
- *CR1000B* — FCC documents identify *Arcadyan (Taiwan)* as applicant, but I did *not* find a solid primary source proving China assembly for this exact Verizon model. A third-party hardware database result suggests *ROC/Taiwan*, not China.

*OEM/Production/Manufacture Update*

From the models we discussed, the ones I can *confidently tie to physical assembly in China* are:

- *Verizon G3100* — third-party hardware databases identify the OEM as Arcadyan and list the *country of manufacture as China*.
- *Verizon D-Link VDI/DI-624 generation* — multiple hardware-db entries for DI-624 revisions list *country of manufacture as China*. That supports the Verizon-era D-Link family being physically assembled in China, though not every single revision is proven by the same source.
- *Verizon Linksys BEFW11S4 family* — at least the *BEFW11S4 v4 (r2, China)* is explicitly listed as *country of manufacture: China*. Earlier revisions were not all China-built; for example, v3.0 is listed as Taiwan.

The ones I *would not label as China-assembled based on what I could verify* are:

- *CR1000A* — FCC documents identify *Wistron NeWeb (Taiwan)* as applicant/manufacturer, and third-party hardware databases list the *country of manufacture as Vietnam*, not China.
- *CR1000B* — FCC documents identify *Arcadyan (Taiwan)* as applicant, but I did *not* find a solid primary source proving China assembly for this exact Verizon model. A third-party hardware database result suggests *ROC/Taiwan*, not China.

| *Model/family* | *Physically assembled in China?* | *What I could verify* |
|---|---|---|
| Verizon *G3100* | *Yes* | China listed in hardware databases. |
| Verizon *CR1000A* | *No evidence of China; likely Vietnam* | FCC shows WNC Taiwan; hardware-db lists Vietnam. |
| Verizon *CR1000B* | *Not verified as China* | FCC shows Arcadyan Taiwan; no strong China-assembly proof found. |
| Verizon *D-Link VDI/DI-624 era* | *Yes, at least some revisions* | Several DI-624 revisions list China. |
| Verizon *Linksys BEFW11S4 era* | *Yes, at least some revisions* | v4 (r2, China) explicitly lists China; older revs varied. |

The main caveat is that the *manufacturing country can vary by hardware revision*, even within the same retail model family. That is especially clear with the Linksys BEFW11S4 line, where one revision is from Taiwan and another is explicitly from China.

*Now the question...*

Will the US carriers require all their consumers to change routers, who will bear the cost and what about timeline?

Just a thought...

Joe Klein

On Wed, Mar 25, 2026 at 6:43 AM Saku Ytti via NANOG <nanog@lists.nanog.org> wrote:
On Wed, 25 Mar 2026 at 11:51, Mukund Sivaraman <muks@mukund.org> wrote:
What relation does speaking in Mandarin have with injecting code for money?
None. Hence 'Most people'.
Point being, the seat doesn't matter, Chinese nationals sitting in China or Silicon Valley does not have security implications.
-- ++ytti
Hi John,

This is all pulled together in this report: https://www.senki.org/us-isp-cpe-supply-chain/

The FCC ruling was a topic of conversation in several other forums as soon as it came out. This FCC action is NOT going to solve any of our cyber security problems. We still have the US ISPs making it easy to find vulnerable CPE - leaving CWMP wide open (see https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=scan&source=scan6&tag=cwmp&data_set=count&scale=log&auto_update=on). We still have no economically feasible way for ISPs to contact their customers and let them know “they are infected.” We still have the FCC rules pushing to allow ISP customers to “get their own CPEs.”

In the meantime, the rest of the world is weaving three efforts together:

* ETSI EN 303 645 is working on a Universal Baseline. Still need more to be added, but it is better than NIST and FCC.
* EU Cyber Resiliency Act (CRA) is evolving and kicking into action in Dec 2027. All the CPEs will be covered. The specs are still evolving. The US will benefit from the CRA’s impact on vendors all over the world.
* Singapore’s Cybersecurity Labelling Scheme (CLS) is taking off. It has learned from the legislative cybersecurity progress in Australia to build a step-by-step process. This started in October 2025 and is gaining momentum in Asia and Europe.
* The Global Cybersecurity Labelling Initiative was also launched in October 2025. This is a policy coordination forum to get all the countries to legislate the same way. That makes compliance with CRA and CLS harder for vendors to avoid. Some countries (like Thailand and New Zealand) can ban vendor sales in the country of “digitally not safe” equipment where the vendor is not responding.

What do you do now?

- If you are a Telcom, Broadband, or ISP - update your report subscriptions with the Shadowserver Foundation. Those reports will give you the list of customers infected (and if you are really interested, join the Shadowserver Alliance and help take action).
- Talk to your public policy and legal teams (on-staff or through some other industry group). Push back on the FCC ruling.
- Look into joining the CLS efforts. Everyone is working with the same CPE vendors. Collective - reasonable - persistent pressure changes a vendor’s business model.

My $.02,
Barry
On Wed, 25 Mar 2026, Joe Klein wrote:
*The main OEMs Verizon used for consumer routers/gateways were:* ...
The main caveat is that the *manufacturing country can vary by hardware revision*, even within the same retail model family. That is especially clear with the Linksys BEFW11S4 line, where one revision is from Taiwan and another is explicitly from China.
It's not just China, the rules forbid stuff manufactured anywhere but the US.
Will the US carriers require all their consumers to change routers, who will bear the cost and what about timeline?
The order clearly says it does not apply to installed equipment.
R's, John