Chapter 8 – Frequently Asked Questions (FAQs)
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 136
Q19. Why is the export of cryptography controlled?
A19. Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal purposes or even
as a weapon of war. In wartime, the ability to intercept and decipher enemy communications is crucial. Therefore,
cryptographic technologies are subject to export controls. U.S. government agencies consider strong encryption to be
systems that use key sizes over 512 bits or symmetric algorithms (such as triple-DES) with key sizes over 56 bits.
Since government encryption policy is influenced by the agencies responsible for gathering domestic and international
intelligence (e.g., the FBI and NSA), the government tries to balance the conflicting requirements of making strong
cryptography available for commercial purposes while still making it possible for those agencies to break the codes, if
need be.
To most cryptographers, this level of cryptography (56 bits for symmetric algorithms) is not necessarily considered
"strong". Government agencies use the terms "strategic'' and "standard'' to differentiate encryption systems.
"Standard'' refers to algorithms that have been drafted and selected as a federal standard (DES being the prime
example). The US government defines "strategic'' as any algorithm that requires "excessive work factors'' to
successfully attack. Unfortunately, the government does not frequently publish criteria for what it defines as
"acceptable'' or "excessive'' work factors.
Q20. Can digital signature applications be exported from the U. S.?
A20. Digital signature applications are one of the nine special categories of cryptography that automatically fall under the
more relaxed Commerce regulations; digital signature implementations using RSA key sizes in excess of 512 bits
were exportable even before the year 2000. However, there were some restrictions in developing a digital signature
application using a reversible algorithm (that is, the signing operation is sort of the reverse operation for encryption),
such as RSA. In this case, the application should sign a hash of the message, not the message itself. Otherwise, the
message had to be transmitted with the signature appended. If the message was not transmitted with the signature,
the NSA considered this quasi-encryption and the State controls would apply.
Q21. Can DES be exported from the U.S. to other countries?
A21. For years, the government rarely approved the export of DES for use outside of the financial sector or by foreign
subsidiaries of U.S. companies. Several years ago, export policy was changed to allow the unrestricted export of DES
to companies that demonstrate plans to implement key recovery systems in a few years. Today, Triple-DES is
exportable under the regulations described above.
Q22. I want to use DNAT with multiple original IPs, but my external NIC has just one IP.
How can I do this?
A22. Make sure that the request reaches the RouteFinder, and then use DNAT to redirect the request to the Web servers.
There are two ways to do this:
1. Bind an alias to the external interface, so that it answers ARP requests for this address and the packets are sent
to the MAC address of this NIC. You can do this in Network Setup > Interface (refer to Chapter 3 of this
manual).
2. Tell your router to send those packets directly to the RouteFinder's interface by adding a static routing entry to
the RouteFinder.
Q23. My FTP clients want to use FXP transfers on my Server. How can I do that?
A23. For a fully functional FTP server (able to do FXP), the RouteFinder's "stateful inspection" function is not enough. Due
to security concerns, the RouteFinder will only allow data connections from and to the same client IP as the control
connection.
The example below shows how to make a "glftpd" server work behind a RouteFinder, which does both packet filtering
and DNAT. The general principle applies to all other FTP servers too, so you can use it even if you use another server
daemon.
Let‘s assume that you have glftpd set up in your LAN on address 192.168.1.10 with control port 23456. Your
external, official IP on the RouteFinder is 1.2.3.4.
Go to Networks & Services > Networks and define the host entries for FTP server and external RouteFinder
interface:
FTP_Server 192.168.1.10 255.255.255.255
ASL_Extern 1.2.3.4 255.255.255.255
Go to Networks & Services > Services and define entries for the control connection and the passive mode port
range that the RouteFinder will use.
FTP_ALTControl TCP 1024:65535 23456
PASV_Range TCP 1024:65535 3000:4000
Note that we selected the ports from 3000-4000 to be our passive connection range in this example. You should
select a range matching your setup, do not make it too small, and make sure you do not need any ports in this range
for other services.
Go to Packet Filters > Packet Filter Rules and add the following rules:
Any FTP_ALTControl FTP_Server Allow
This rule allows connections of clients to the FTP server.
FTP_Server Any Any Allow