In my previous jobs we didn't have any business in China and banning all IP ranges was a cheap and easy strategy to remove 50% of unsuccessful login attempts.
It's the interpretation of some cloud providers that exchanging datagrams with entities in OFAC-sanctioned countries constitutes a prohibited transaction.
There's a big list of allowed Internet activity between the US and Iran.[2]
It is explicitly US policy to not cut off Iran from the Internet.
The State Department wants people in Iran to get info from the outside world.
However, the US does not allow US domain registrations or web hosting "for or on behalf of the Government of Iran".
The Office of Foreign Assets Control can be queried for case by case info. That's appropriate here.
You de-risk your enterprise significantly by cutting Iran out completely, and you only lose the handful of dollars this would’ve translated into down the road.
I'm a Hetzner customer in Australia who has moved away a big part of my workloads, which was CI related, as most builds would start to fail with some access denied error calling various registries. I had a bunch of deep integration through their API as well, which had to be reworked because that issue made it a no-go anymore.
Banning an entire country and punishing its innocent citizens feels extreme. It doesn't seem right that, for example, an Iranian student can't use cloud services. Ban commercial and government entities, not the individuals.
This is a political argument, not a business one. Now that Uncle Sam has swung the banhammer on a particular country, pity the exec who exposes their company to doing business with the enemy.
Isn't the intent of sanctions to weaken the adversary? Providing services, even free-tier (or, maybe, especially so), to sanctioned countries is exactly the opposite of that.
That's just not true. You don't know what you're talking about.
I encourage you to skim through the sanctions. I promise you that you will find plenty of exemptions telling you not to block every Iranian citizen from communicating, not to block them access to information, not to block them from free-to-use services, not to prevent them from traveling etc etc.
If you just cut the whole country off the internet, how do you expect them to organise towards overthrowing the government? Via carrier pigeons?
It makes US service providers, like Google and Amazon, very unattractive for businesses that require worldwide coverage - for example Wikipedia.
I would argue that for unpaid services (for example serving up web content), we should not be applying sanctions. Those specific sanctions are so easy for the Iranians to work around (VPN), and so damaging to our businesses (no worldwide service).
> It makes US service providers, like Google and Amazon, very unattractive for businesses that require worldwide coverage
You know what is much more unattractive to these businesses? Getting on the wrong side of the US government. And honestly, I don't see any business (except for ones in Russia, China and Iran) changing provider because they don't provide service to Iran.
> damaging to our businesses (no worldwide service)
I'm confused, are you arguing here for allowing free-tier services under the sanction regime, or for getting rid of sanctions against Iran altogether? If it's the latter, then the argument is self-consistent. But if it's the former, then you're effectively saying that an American business which currently doesn't provide any services to Iranian customers would instead prefer to provide free-tier services for them without any way to get them to paid tier, and that doesn't make any sense. If you know that users from a certain region would always be at 0% conversion, you would get nothing by providing them with a free tier.
They consider Google cloud, but then reject it because GCP cannot serve users in Iran, and Wikipedia's policy is to be globally available.
Google loses worldwide revenue from all of Wikipedia.
(I have met multiple companies who have dismissed GCP for this reason. Even companies with no current business in Iran might one day want to expand there, so don't want to make infrastructure choices which lock them out).
No, but I expect the judges who interpret the law to see that.
No judge will send a Google employee to prison because someone located in Iran managed to download a copy of the Docker image to Alpine Linux from the Google/Amazon container registry...
My servers ban huge swaths of IPs from certain places that originate enormous amounts of spam, scanners, and other nefarious traffic. It's very effective.
If I followed your strategy I would be blocking all of Google. Back in the days I operated my own mail server, >50% of all spam was from Google USA... YMMV.
I do that on several of my hobby nodes. I block entire ASNs for all the major platforms. Real people can still reach them just fine. To your point, I do less of that on my self-hosted mail servers and instead use a regex methodology called S25R created by a mail admin in Japan a long time ago and it works great.
Tricky thing about Google is quite a lot of my contacts are on Gmail or some domain hosted by Gmail so blocking Google's ASN is a no-go for me. I'm now with Fastmail -- they use SpamAssassin (plus I suspect their own custom rules) which uses a range of different metrics to determine whether an email is spam. That is far more effective than straight up blocking ASNs and the like.
But the traffic is _clearly coming from Germany_, the issue is that Cloudflare/Google have tagged certain IP addresses as Iranian no matter where the traffic actually originates from.
Marked where? With the assigning authority of the IP address which has been granted the legal right to manage the IP space (a common good)? Or in the database of some arbitrary company?
Curiosity may get me on this one, but is sharing information (such as this post/comment) an example of transfer of information (to potentially all countries)?