Hya
Lately we have received a increased numbers of requests from customer employed by some banks and working in homeoffice a home office via remote access to their bank, asking us to confirm that we only assign 'swiss' IP addresses to our customers.
Well I usualy replied to those customers, that they can check the status of their IP address at RIPE and check to which country their allocation or assignment is registered. Apparently this is not enough. FINMA has made it a requirement, that if some bank employee wants to work from home, they need a written confirmation from their ISP that this ISP is not assigning IP addresses to customers outside switzerland and that the IP address the customer is using is operated in switzerland and cannot be used from abroad or assigned to customers outside switzerland.
I got in contact with one of those bank's security department to explain to them, that of course we correctly register our IP ranges at RIPE and that no, we cannot guarantee that our customers do not operate VPN or Proxies etc, which would make it possible to use IP addresses from abroad. And of course we have business customers with branch offices all over the world which could be using their IP Range to route part of it outside switzerland to such an office. I wanted to know why the information about ranges as registered @ RIPE are not good enough for the FINMA and how we could positively answer the question that we do not assign IP addresses to devices outside switzerland.
I was told, that there apparently are plenty of ISP in Switzerland, which assign 'foreign' IP addresses to their customers and that there are also switzerland based ISP which use their 'swiss' IP allocations to provide internet access to customers located outside switzerland, which causes legal problems if such an IP is used to access servers run under FINMA policies.
This is why FINMA requests that an ISP confirms that he uses his IP addresses exclusively for CPE located in switzerland. they
Hmm, I wonder.. which ISP do operate IP address ranges in switzerland which are registered at RIPE to some other entity not located in switzerland? Which Swiss ISP do offer services outside Switzerland using IP Ranges that are registered @ RIPE with Country: CH?
Or have I found a 'papiertiger' policy written by someone with no clue how IP assignment by RIPE works?
Mit freundlichen Grüssen
Benoit Panizzon
A few thoughts from me...
Hmm, I wonder.. which ISP do operate IP address ranges in switzerland which are registered at RIPE to some other entity not located in switzerland? Which Swiss ISP do offer services outside Switzerland using IP Ranges that are registered @ RIPE with Country: CH?
So as not to blame any currently existing companies, lets use the example of kpnqwest (rip). We used to be part of a supra national LIR in Switzerland. This LIR was registered to a "foreign company" (I think it was registered to the dutch BV). It was entirely company internal policy not to mix and match IP address assignments (also helped at that time by the fact that we didn't have merged autonomous systems before the big blowup). So, we operated just like any other Swiss ISP, but if you just looked at the RIPE DB you wouldn't get that impression, and could actually get the impression we would be assigning dutch IP addresses to Swiss customers (depending on what objects you looked at).
Now, there are a few supra national companies left, perhaps they operate similarly? And if they do merge AS numbers, it gets even more difficult from the outside to judge how they're assigning their IP addresses. Also, I wouldn't be surprised to see such companies actually purposely blurring country borders when IPv4 addresses run out and they might start to use "austrian" addresses for their Swiss customers?
The other example: corporate VPNs managed by ISPs, including VPN dial-in possibilities. I think the ISP would in this case be able to certify that it assigned the IP addresses to a company operating in Switzerland. However, it can't make any claims as to how that company uses those addresses.. But where draw the line? I can have a Swiss DSL IP at home and setup VPN access for myself, and use that address from abroad?
Cheers, Markus
Hi benoit,
we've had a couple of such queries from CH-banks in the last few years. We've been usually asked for our ip ranges, and if they can be used from a foreign country. e.g. DSL ip ranges which are used for CH-subscribers. Dialup-ranges (which can be used from remote) was noted as 'non-Swiss' range.
-steven
-----Ursprüngliche Nachricht----- Von: swinog-bounces@lists.swinog.ch [mailto:swinog- bounces@lists.swinog.ch] Im Auftrag von Benoit Panizzon Gesendet: Freitag, 6. Juli 2012 14:34 An: swinog@lists.swinog.ch Betreff: [swinog] 'Foreign' IP Addresses assigned to swiss customers?
Hya
Lately we have received a increased numbers of requests from customer employed by some banks and working in homeoffice a home office via remote access to their bank, asking us to confirm that we only assign
'swiss'
IP addresses to our customers.
Well I usualy replied to those customers, that they can check the status
of
their IP address at RIPE and check to which country their allocation or assignment is registered. Apparently this is not enough. FINMA has made it
a
requirement, that if some bank employee wants to work from home, they need a written confirmation from their ISP that this ISP is not assigning
IP
addresses to customers outside switzerland and that the IP address the customer is using is operated in switzerland and cannot be used from
abroad
or assigned to customers outside switzerland.
I got in contact with one of those bank's security department to explain
to
them, that of course we correctly register our IP ranges at RIPE and that
no,
we cannot guarantee that our customers do not operate VPN or Proxies etc, which would make it possible to use IP addresses from abroad. And of
course
we have business customers with branch offices all over the world which could be using their IP Range to route part of it outside switzerland to
such an
office. I wanted to know why the information about ranges as registered @ RIPE are not good enough for the FINMA and how we could positively answer the question that we do not assign IP addresses to devices outside
switzerland.
I was told, that there apparently are plenty of ISP in Switzerland, which
assign
'foreign' IP addresses to their customers and that there are also
switzerland
based ISP which use their 'swiss' IP allocations to provide internet
access to
customers located outside switzerland, which causes legal problems if such an IP is used to access servers run under FINMA policies.
This is why FINMA requests that an ISP confirms that he uses his IP
addresses
exclusively for CPE located in switzerland. they
Hmm, I wonder.. which ISP do operate IP address ranges in switzerland which are registered at RIPE to some other entity not located in
switzerland?
Which Swiss ISP do offer services outside Switzerland using IP Ranges that are registered @ RIPE with Country: CH?
Or have I found a 'papiertiger' policy written by someone with no clue how
IP
assignment by RIPE works?
Mit freundlichen Grüssen
Benoit Panizzon
I m p r o W a r e A G - ______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 07 CH-4133 Pratteln Fax +41 61 826 93 02 Schweiz Web http://www.imp.ch ______________________________________________________
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
-
Benoit Panizzon -
Markus Wild -
Steven Glogger