Re: IPv6 Security Last Call Initial Questions





	I've been having some offline communication with Jim Bound
and one of the things that's come out is that I don't think I was
sufficiently clear about some of the problems regarding export
control issues.

	Not speaking in an official capacity for TIS, it's still
OK for me to observe that TIS has had a lot of involvement in
export control issues. :) The other day I mentioned in my "paranoid"
comments the possibility that law enforcement and intelligence
may not want to see IPV6 deployed with even weak encryption for
confidentiality. The other shoe is that if IPV6 has hooks in it
for encryption - EVEN IF THE ENCRYPTION IS LEFT OUT - it falls
under ITAR regulations for some interpretations of ITAR. The
intelligence community in the past has taken a dim view of
products that embody weak crypto but have "hooks" for strong
crypto. I see no reason to believe they'll feel any differently
about IPV6. They're not idiots and even if it only includes
ROT-13 as the confidentiality algorithm, some interpretations
of ITAR cover it.

	Getting a clear answer on these matters from the bureau
of politico-military affairs at State Dept has sometimes been
difficult. Generally, in the past, my understanding is that
export permission needs to be requested for each implementation
or each case of export. I suspect that blanket export ok for IPV6
with any confidentiality built into it at all is going to be
a protracted battle. Someone with experience in export control
regulations should start fighting it ASAP to get a feeling for
what you're up against. I'm a bit of a paranoid but from here
it looks like one of the major weapons in the export controllers'
arsenal is bureaucracy. If you play it their way, you have to
jump through their hoops. Anyone who has done hoop-jumping
for the intelligence community will tell you it's good exercise
because there are a lot of hoops.

mjr.