nanog mailing list archives

Re: FCC issues new rules about foreign made routers

From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Tue, 24 Mar 2026 17:17:04 -0400


I suspect this is why the waiver is really the method, at least for the
foreseeable future.  Much of this is existing and predates the current
administration for those of us who have been watching this space.  There’s
quite a bit of problems out there with these embedded systems and how they
are managed and maintained.




All they are doing here is :

   - Creating a conditional approval process they could extort
   companies into paying for fast tracking.
   - Forcing companies to apply for conditional approval to commit to
   onshoring manufacturing of said devices within 5 years, so they can bleat
   about 'deals reached to return manufacturing to the US.


Nothing is actually being requested which actually improves security
posture of these devices. It is  just performative theater.

On Tue, Mar 24, 2026 at 4:47 PM Jared Mauch via NANOG <nanog () lists nanog org>
wrote:

On Mar 24, 2026, at 1:04 PM, John Levine via NANOG <

nanog () lists nanog org> wrote:


It appears that Saku Ytti via NANOG <nanog () lists nanog org> said:

Relevant URLs are

https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf
https://www.fcc.gov/supplychain/coveredlist

'Routers^ produced in a foreign country, except routers which have
been granted a Conditional Approval by DoW or DHS.'

I wonder what 'Routers^' are 'produced' in the US, in such a way that
it meaningfully improves security posture.


As far as I know, the answer is none.  There are plenty of routers

designed in the

US but they're all built offshore.  It would make sense to ask where the

software is

written, but they don't do that.

The conditional approval procedure is absurd. It requires the vendor
to commit to manufacture in the U.S.

I suspect this is why the waiver is really the method, at least for the
foreseeable future. Much of this is existing and predates the current
administration for those of us who have been watching this space. There’s
quite a bit of problems out there with these embedded systems and how they
are managed and maintained.

The number of people who don’t want to upgrade firmware because of worries
of new problems vs those who really should upgrade because the embedded
solution is based on a very old and already exploitable software suite is
quite large. I discovered this during a lot of the research into open
resolvers done quite some time ago. The number of these embedded platforms
that did something odd or were broken was quite big.

With the advancements in tools where you can take something like binwalk
and a software image to find exploits by using an AI toolset, plus you get
the really difficult to patch situations such as this:

https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/

The likelihood that you can determine how to exploit something is really
easy these days.

Just as many have been working on securing things like routing for years,
the idea that these critical devices might need to have some sort of
broader set of steps than “have vendor SDK, built and shipped image” is
really a good thing.

If you don’t know what tools/suites are under the covers, you may want to
look closer at it. Since so many devices run Linux, a variant of busy box,
possibly dnsmasq and other items, you will become quite surprised when you
look at the nested licenses (if there is proper transparency here). These
all periodically get updates which may address public or privately reported
vulnerabilities which may be a reason to upgrade.

I’ll leave the rest as an exercise for those who primarily deal with the
security lists/forums.

- Jared

_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/LV7JFALGNHNCN2ZJMWCO4B5X25IY5GUS/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/D4ECBBOKUBXJTJU4AZCRF6QEQDFYW3IA/

Current thread:

Re: FCC issues new rules about foreign made routers, (continued)
- - - Re: FCC issues new rules about foreign made routers Barry Raveendran Greene via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Joe via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Saku Ytti via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Christopher Morrow via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers virendra rode via NANOG (Mar 24)
  - Re: FCC issues new rules about foreign made routers John Levine via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers cosmo via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Scott Fisher via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers cosmo via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Jared Mauch via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Tom Beecher via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers John R. Levine via NANOG (Mar 24)
    - Re: FCC issues new rules about foreign made routers Saku Ytti via NANOG (Mar 25)
    - Re: FCC issues new rules about foreign made routers Mukund Sivaraman via NANOG (Mar 25)
    - Re: FCC issues new rules about foreign made routers Saku Ytti via NANOG (Mar 25)
- Re: FCC issues new rules about foreign made routers Mike Lewinski via NANOG (Mar 24)
  - RE: [External Sender] Re: FCC issues new rules about foreign made routers Matt Rienzo via NANOG (Mar 24)
  - Re: FCC issues new rules about foreign made routers Owen DeLong via NANOG (Mar 25)