ssh access to cisco and "unfriendlies"
i've been trying to get ssh access to cisco IOS 12.1.2 working, but no matter what i do, the openssh client says "3des not supported by server". so, i fired up a local copy of win32 SecureCRT, and used just "des" encryption, and lo, and behold, it worked.

so, i started poking around and discovered that likely what i need is a version of IOS with 3des support. as i understand it, in order to get a 3des IOS, you need to agree to:

    We will not supply network services (e.g., running a virtual private network) to, or for government organizations/enterprises other than those of, or in: Austria, Australia, Belgium, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Spain, Sweden, Switzerland, United Kingdom, United States without written authorization from Cisco Systems Inc. and/or the governments of the U.S., United Kingdom, and The Netherlands.

now, considering some of my clients, i need to pay heed to this. in smaller countries, the first and only internet service is generally run by the PTT, which is usually a "government organization or enterprise".

that being said, i find it extremely draconian that i can't run a 3des IOS on a router in Canada, if i supply network services in countries not on that list. so, when i go to set up a connection to Ghana, i am going to need Cisco's permission if i want 3des ssh enabled on the canadian router? and Brazil? and Mexico?

-- 
[ Jim Mercer                 jim@reptiles.org              +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood                    ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code.    ]
On Wed, 22 Nov 2000, Jim Mercer wrote:
> so, i fired up a local copy of win32 SecureCRT, and used just "des" encryption, and lo, and behold, it worked.
> so, i started poking around and discovered that likely what i need is a version of IOS with 3des support.
Or just build a copy of ssh for your favorite unix with des support. I did this back when I played with SSH in IOS 12.0S for the first time.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________
Jim Mercer wrote:
> i've been trying to get ssh access to cisco IOS 12.1.2 working, but no matter what i do, the openssh client says "3des not supported by server".
or you need to recompile your ssh distribution so that it supports des as well (3des is the default option). In that way it works. If you are outside the US, it is very unlikely that you will get a copy of 3des capable software from cisco. They seem to be very strict on export policy regarding that thing.

-- 
theo
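The failure in Jim's first post and the "recompile with des" fix that Jon and theo suggest both come down to cipher negotiation: the client and the router each offer a list of ciphers, and the connection only proceeds when the lists overlap. The model below is an added example, not code from the thread, from OpenSSH or from Cisco. It assumes the SSH-2 name-list rule (RFC 4253, section 7.1: the first algorithm in the client's preference order that the server also offers wins); the 2000-era IOS and ssh clients in the thread spoke SSH-1, whose negotiation differs in detail. The cipher lists, the `WEAK_CIPHERS` policy set and the scenario names are constructed for illustration.

```python
"""Model of SSH cipher negotiation: why a 3DES-only client fails against a
DES-only server, what adding DES to the client changes, and how to flag the
weak result.  Added example; all cipher lists below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Ciphers a defender would treat as weak today.  Illustrative policy set
# (assumption), not a list taken from any standard or product.
WEAK_CIPHERS = {"des-cbc", "3des-cbc", "arcfour", "none"}


def parse_name_list(raw: str) -> list[str]:
    """Parse a comma-separated SSH name-list (the KEXINIT wire format).
    Empty entries are dropped; order is preserved because it encodes the
    sender's preference."""
    return [name.strip() for name in raw.split(",") if name.strip()]


def negotiate(client: list[str], server: list[str]) -> str | None:
    """RFC 4253 section 7.1 rule (assumed here): the first algorithm in the
    client's preference list that the server also offers is chosen.  None
    means the lists are disjoint, i.e. the "not supported by server" case."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


@dataclass(frozen=True)
class Outcome:
    cipher: str | None
    verdict: str  # "no-common-cipher", "weak" or "ok"


def assess(client_raw: str, server_raw: str) -> Outcome:
    """Negotiate from raw name-lists and classify the result so that a weak
    fallback is visible rather than silently accepted."""
    chosen = negotiate(parse_name_list(client_raw), parse_name_list(server_raw))
    if chosen is None:
        return Outcome(None, "no-common-cipher")
    if chosen in WEAK_CIPHERS:
        return Outcome(chosen, "weak")
    return Outcome(chosen, "ok")


# Constructed scenarios mirroring the thread.
IOS_DES_ONLY = "des-cbc"                  # the router without a 3des image
STOCK_CLIENT = "3des-cbc"                 # client built without single DES
REBUILT_CLIENT = "3des-cbc,des-cbc"       # DES added, but listed last
MODERN_CLIENT = "aes256-gcm@openssh.com,aes256-ctr,3des-cbc"
MODERN_SERVER = "aes256-ctr,aes256-gcm@openssh.com"


def thread_scenarios() -> dict[str, Outcome]:
    """Run the three cases a practitioner would compare."""
    return {
        "stock client vs DES-only IOS": assess(STOCK_CLIENT, IOS_DES_ONLY),
        "rebuilt client vs DES-only IOS": assess(REBUILT_CLIENT, IOS_DES_ONLY),
        "modern client vs modern server": assess(MODERN_CLIENT, MODERN_SERVER),
    }


if __name__ == "__main__":
    for label, outcome in thread_scenarios().items():
        print(f"{label:32s} -> {outcome.cipher!s:24s} [{outcome.verdict}]")
```

Two things the model makes visible that the thread only implies: the order of the client list matters (the rebuilt client puts `des-cbc` last, so it is used only when nothing stronger overlaps), and a weak fallback is chosen silently by the negotiation rule itself, so the `weak` verdict is the point at which a defender would log or refuse the session rather than relying on the user to notice.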
On Thu, Nov 23, 2000 at 10:40:45AM +0100, theo wrote:
> Jim Mercer wrote:
> > i've been trying to get ssh access to cisco IOS 12.1.2 working, but no matter what i do, the openssh client says "3des not supported by server".
> or you need to recompile your ssh distribution so that it supports des as well (3des is the default option). In that way it works.
yes, this is likely what i will do. that will give me somewhat encrypted access to a variety of routers such that i don't have to do clear text access across the 'net. however, it is my understanding that IPSec will require 3des. so, while i can have quasi-encrypted config access, i can't use the new and improved VPN technology without 3des.
> If you are outside the US, it is very unlikely that you will get a copy of 3des capable software from cisco. They seem to be very strict on export policy regarding that thing.
i received a number of replies indicating that i should "call my state representative". as theo noticed, i am not in the US, so i don't have any representation in the US. i understand that this is more so a US government issue than something cisco dreamed up.

my concern here is not that i can't install a 3des capable router in a restricted country. my concern is that in my interpretation, i can't install a 3des capable router in Canada, if i am supplying "network services" to a restricted country. since i supply network services to "restricted" countries, i am not allowed to have 3des capability on my router, even if i need it for my customers who are not in "restricted" countries. having 3des on _my_ router in no way exports the capability to customers unless they have 3des capability on their side.

having done work in several "restricted" countries, i am very cautious about what i'm using with regards to US crypto export rules, as well as the crypto rules of the jurisdiction i'm going into. with one client, we specifically denied a client's request for cisco gear because they were on the export list, and we moved forward using some half-assed gear of canadian manufacture. imagine my "surprise" (none really) when i got onsite and discovered a number of ciscos installed by competitors. (we eventually lost the contract, and i'll note that the current supplier is using an all cisco network, inside and outside the "restricted" country.)

i wonder if uunet/teleglobe/cable-and-wireless have gotten special permission to run 3des capable routers on their networks. i'm sure that all three are supplying network services to countries not on that list. and my reading of the "agreement" is that it applies regardless of whether you are using the 3des gear directly with the countries in question or not.

-- 
[ Jim Mercer                 jim@reptiles.org              +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood                    ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code.    ]
> however, it is my understanding that IPSec will require 3des. so, while i can have quasi-encrypted config access, i can't use the new and improved VPN technology without 3des.
hmmm, I think you can still run ipsec tunnels with des only. But still the argument counts that you are not using the latest encryption technology.
> imagine my "surprise" (none really) when i got onsite and discovered a number of ciscos installed by competitors. (we eventually lost the contract, and i'll note that the current supplier is using an all cisco network, inside and outside the "restricted" country.)
> i wonder if uunet/teleglobe/cable-and-wireless have gotten special permission to run 3des capable routers on their networks. i'm sure that all three are supplying network services to countries not on that list.
very good question. My interpretation of the licence agreement is that they can do so in the "listed" countries *only* but not in the rest. In general this is a very sensitive point. People lost their accounts with cisco when they applied for the software without their companies knowing about that. I still don't understand though how others (some unix os for example) ship 3des with public domain software.

-- 
theo
On Thu, Nov 23, 2000 at 05:53:11PM +0100, theo wrote:
> > however, it is my understanding that IPSec will require 3des. so, while i can have quasi-encrypted config access, i can't use the new and improved VPN technology without 3des.
> hmmm, I think you can still run ipsec tunnels with des only. But still the argument counts that you are not using the latest encryption technology.
i have no interest in using the latest crypto gunge in "restricted" countries. i would like to 3des enable my local (canadian) routers, so that i can use 3des with my canadian/US/UK customers.
> > i wonder if uunet/teleglobe/cable-and-wireless have gotten special permission to run 3des capable routers on their networks. i'm sure that all three are supplying network services to countries not on that list.
> very good question. My interpretation of the licence agreement is that they can do so in the "listed" countries *only* but not in the rest.
my interpretation is that they can't use it in their enterprise if they are providing "network services" with countries _not_ listed.
> I still don't understand though how others (some unix os for example) ship 3des with public domain software.
my understanding is that the various unix OS's use crypto gunge that was developed outside the US, or which the US has deemed ok-for-export. there is another element, which was the patent on the RSA stuff, which has now expired.

-- 
[ Jim Mercer                 jim@reptiles.org              +1 416 410-5633 ]
[ Reptilian Research -- Longer Life through Colder Blood                    ]
[ Don't be fooled by cheap Finnish imitations; BSD is the One True Code.    ]
Thus spake "Jim Mercer" <jim@reptiles.org>
> however, it is my understanding that IPSec will require 3des. so, while i can have quasi-encrypted config access, i can't use the new and improved VPN technology without 3des.
Incorrect; IPsec allows for any encryption/hash algorithms to be used, though certain ones (i.e. DES and MD5?) are base requirements.
> i received a number of replies indicating that i should "call my state representative".
Actually, it would be your Congressional representatives, not your state ones, assuming you were American. The states do not have the power to back out of a treaty.
> as theo noticed, i am not in the US, so i don't have any representation in the US.
Neither do most of us living here :)
> i understand that this is more so a US government issue than something cisco dreamed up.
Yes; the US govt believes that there are no competent programmers outside of the US, therefore by restricting the export of encryption technology, nobody else will have it. Sure...
> my concern here is not that i can't install a 3des capable router in a restricted country.
> my concern is that in my interpretation, i can't install a 3des capable router in Canada, if i am supplying "network services" to a restricted country.
> since i supply network services to "restricted" countries, i am not allowed to have 3des capability on my router, even if i need it for my customers who are not in "restricted" countries.
The way you paraphrased the statement, it appears that way; I doubt that's how the official policy reads, however. My recommendation is to contact Cisco's Export Compliance & Regulatory Affairs group for clarification. You can find their contact information at: http://www.cisco.com/wwl/export/matrix.html#contacts
> having 3des on _my_ router in no way exports the capability to customers unless they have 3des capability on their side.
That's a logical conclusion, but you know that lawyers and politicians abhor logic.
> having done work in several "restricted" countries, i am very cautious about what i'm using with regards to US crypto export rules, as well as the crypto rules of the jurisdiction i'm going into.
> with one client, we specifically denied a client's request for cisco gear because they were on the export list, and we moved forward using some half-assed gear of canadian manufacture.
> imagine my "surprise" (none really) when i got onsite and discovered a number of ciscos installed by competitors. (we eventually lost the contract, and i'll note that the current supplier is using an all cisco network, inside and outside the "restricted" country.)
"Restricted" in which sense? There are only ten countries to which you cannot export non-crypto Cisco products for non-military use. Or are you saying you're aware of service providers shipping strong-crypto products to crypto-restricted countries?
> and my reading of the "agreement" is that it applies regardless of whether you are using the 3des gear directly with the countries in question or not.
I think that your situation merely requires more scrutiny before approval; nearly every major provider does business in restricted countries.

S

Stephen Sprunk, K5SSS, CCIE #3723
Network Design Consultant, GSOLE
New office: RCDN2 in Richardson, TX
Email: ssprunk@cisco.com
Not speaking for my employer; heck, not even speaking for myself.
participants (4): Jim Mercer, jlewis@lewis.org, Stephen Sprunk, theo