Thus spake "Jim Mercer" <jim@reptiles.org>
however, it is my understanding that IPSec will require 3des. so, while i can have quasi-encrypted config access, i can't use the new and improved VPN technology without 3des.
Incorrect; IPsec allows for any encryption/hash algorithms to be used, though certain ones (i.e. DES and MD5?) are base requirements.
i received a number of replies indicating that i should "call my state representative".
Actually, it would be your Congressional representatives, not your state ones, assuming you were American. The states do not have the power to back out of a treaty.
as theo noticed, i am not in the US, so i don't have any representation in the US.
Neither do most of us living here :)
i understand that this is more so a US government issue than something cisco dreamed up.
Yes; the US govt believes that there are no competent programmers outside of the US, therefore by restricting the export of encryption technology, nobody else will have it. Sure...
my concern here is not that i can't install a 3des capable router in a restricted country.
my concern is that in my interpretation, i can't install a 3des capable router in Canada, if i am supplying "network services" to a restricted country.
since i supply network services to "restricted" countries, i am not allowed to have 3des capability on my router, even if i need it for my customers who are not in "restricted" countries.
The way you paraphrased the statement, it appears that way; I doubt that's how the official policy reads, however. My recommendation is to contact Cisco's Export Compliance & Regulatory Affairs group for clarification. You can find their contact information at: http://www.cisco.com/wwl/export/matrix.html#contacts
having 3des on _my_ router in no way exports the capability to customers unless they have 3des capability on their side.
That's a logical conclusion, but you know that lawyers and politicians abhor logic.
having done work in several "restricted" countries, i am very cautious about what i'm using with regards to US crypto export rules, as well as the crypto rules of the jurisdiction i'm going into.
with one client, we specifically denied a client's request for cisco gear because they were on the export list, and we moved forward using some half-assed gear of canadian manufacture.
imagine my "surprise" (none really) when i got onsite and discovered a number of ciscos installed by competitors. (we eventually lost the contract, and i'll note that the current supplier is using an all cisco network, inside and outside the "restricted" country.)
"Restricted" in which sense? There are only ten countries to which you cannot export non-crypto Cisco products for non-military use. Or are you saying you're aware of service providers shipping strong-crypto products to crypto-restricted countries?
and my reading of the "agreement" is that it applies regardless if you are using the 3des gear directly with the countries in question or not.
I think that your situation merely requires more scrutiny before approval; nearly every major provider does business in restricted countries.

S

     |          |         Stephen Sprunk, K5SSS, CCIE #3723
    :|:        :|:        Network Design Consultant, GSOLE
   :|||:      :|||:       New office: RCDN2 in Richardson, TX
.:|||||||:..:|||||||:.    Email: ssprunk@cisco.com
Not speaking for my employer; heck, not even speaking for myself.