[Nanog] Crypto export restricted prefix list

Kevin Blackham blackham at gmail.com
Tue Apr 22 19:04:05 CDT 2008


Thanks for the reply. I'm aware of the limitations of this approach.
For the same reasons you stated (proxy etc), I don't expect this to be
foolproof or accurate. I'm only intending to satisfy a demand to "do
something".  We already dictate export requirements in the EULA, but
we need to also attempt to block the embargoed countries.


On 4/22/08, Buhrmaster, Gary <gtb at slac.stanford.edu> wrote:
>
> > Is there a prefix list available listing the IP space of cryptographic
> > export restricted countries?  My google skills are failing me.  I'm
> > required to apply a ban on North Korea, Iran, Syria, Sudan and Cuba.
>
> I am pretty sure that while you can get a list of IP addresses
> "currently" being used, you know (as well as I do) that those
> can/will change, and NAT/Proxies make it nearly impossible
> to really enforce this.  So while it can be something to
> do, it is not going to be complete.
>
> I am pretty sure you need something like a "click-through"
> for people to say they agree they are not citizens of those
> countries, and agree not to export to them (same as Cisco
> and others do).
>
> In any case, check with your lawyers are to the actual
> acceptable practices.  They are the ones who will need
> to defend your company if/when the software gets to
> the "evil-doers" (and it will, if they want it, and
> we all know it), and someone decides you should have
> done more and decides to sue.
>
> (The ITAR (and equivalent) restriction laws are complex,
> and you want to make sure you get it right, since you
> do not want to be the "designated felon" as our lawyers
> likes to call the guy who is responsible for compliance
> and will be the one the feds go after if the software
> or information gets to the "wrong" groups.  So, make
> sure someone else is the "designated felon".)
>
> Gary
>




More information about the NANOG mailing list