
Thanks for the reply. I'm aware of the limitations of this approach. For the same reasons you stated (proxy etc), I don't expect this to be foolproof or accurate. I'm only intending to satisfy a demand to "do something". We already dictate export requirements in the EULA, but we need to also attempt to block the embargoed countries.

On 4/22/08, Buhrmaster, Gary <gtb@slac.stanford.edu> wrote:
Is there a prefix list available listing the IP space of cryptographic export restricted countries? My google skills are failing me. I'm required to apply a ban on North Korea, Iran, Syria, Sudan and Cuba.
I am pretty sure that while you can get a list of IP addresses "currently" being used, you know (as well as I do) that those can/will change, and NAT/Proxies make it nearly impossible to really enforce this. So while it can be something to do, it is not going to be complete.
I am pretty sure you need something like a "click-through" for people to say they agree they are not citizens of those countries, and agree not to export to them (same as Cisco and others do).
In any case, check with your lawyers as to the actual acceptable practices. They are the ones who will need to defend your company if/when the software gets to the "evil-doers" (and it will, if they want it, and we all know it), and someone decides you should have done more and decides to sue.
(The ITAR (and equivalent) restriction laws are complex, and you want to make sure you get it right, since you do not want to be the "designated felon" as our lawyers like to call the guy who is responsible for compliance and will be the one the feds go after if the software or information gets to the "wrong" groups. So, make sure someone else is the "designated felon".)
Gary
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog