nanog mailing list archives

Re: Geoip lookup


From: Owen DeLong <owen () delong com>
Date: Fri, 24 May 2013 09:15:53 -0700


On May 24, 2013, at 01:13 , shawn wilson <ag4ve.us () gmail com> wrote:

I knew this would come up. Actually I'm surprised and glad it waited until I got a solution first.

I'll address a few points:
- this is mainly to stop stupid things from sending packets from countries we will probably never want to do business 
with (I'm looking mainly at that big country under APNIC). 


I can't tell you how much I enjoyed all the hoops I had to jump through in order to access my online banking while 
traveling in that country.

Assuming that your local customers aren't in that location isn't a valid assumption to begin with. Making life 
difficult for those that do travel will not earn you brownie points with them. (I am no longer with the financial 
institution that made this most difficult).
- I'd prefer a solution that blocks all traffic that is routed through those countries so that they could never see 
data from us (and when Jin-rong has a configuration mess up and reroutes ~10% of traffic through them for a half hour, 
I don't see any of that traffic). Since I have no idea how one would go about doing this, just blocking traffic from 
IP addresses registered in certain countries is good enough. 

That's hard to do. Unless you require "record-route" on all packets and have some way to validate the contents of the 
route recording header (and enough space in the header to record all hops every time), it's not going to be possible. 
Further, even if it were, there's no way to ensure that all of your client's packets will get retransmitted on a path 
that works, so you would have the potential to severely degrade customer service in non-intuitive and hard-to-diagnose 
ways.

If you are my competitor, then I encourage you to try this.
- it is well known (I think everyone on this list at least) that you can evade geographic placement of your origin by 
tunneling. Given this, I fail to see the point in bringing up that "GeoIP" doesn't work. Also, if it doesn't work, 
why do content providers, CDNs, google, and streaming services rely on it as part of their business model? The sad 
truth of the matter is it does work and surprisingly well. We just don't like it because it's brittle and a user can 
fool us (I know Akamai and the like look at trip time and the like because they know there are issues). Given all of 
this, how often is looking at the country an IP address originates from via what is listed for the particular ASN 
actually fiction?


Asking why providers rely on GeoIP in the face of its flaws is like asking why people continue to buy Windows. It's a 
cross between inertia and a lack of better solutions at comparable cost. The sad truth of the matter is that it doesn't 
work. It works well enough to give the illusion of working. Deeper analysis, however, reveals that it works just well 
enough to keep honest people honest some of the time. Further, victims of it not working have little or no recourse 
available to them even if they understand what is happening. For the average user, it just looks like some portion of 
the internet is {permanently|temporarily} broken again for reasons passing understanding and they go somewhere else.

Owen

Again, the input was invaluable for getting me where I wanted to be so thanks again. 

On May 24, 2013 2:59 AM, "Owen DeLong" <owen () delong com> wrote:

On May 23, 2013, at 23:49 , bmanning () vacation karoshi com wrote:

On Thu, May 23, 2013 at 11:39:12PM -0700, Owen DeLong wrote:

On May 23, 2013, at 23:17 , David Conrad <drc () virtualized org> wrote:

On May 23, 2013, at 10:53 PM, Andreas Larsen <andreas.larsen () ip-only se> wrote:
The whole idea of Geoip is flawed.

Sure, but pragmatically, it's an 80% solution.

IP doesn't reside in countries,

True, according to (at least some of) the RIRs they reside in regions...


Really? Which ones? I thought they were only issued to organizations that had operations in regions.

Owen

      Just because I have operations in one region does not preclude me from having operations
      in other regions.  YMMV of course.

/bill

That was exactly my point, Bill... If you have operations in RIPE and ARIN regions, it is entirely possible for you 
to obtain addresses from RIPE or ARIN and use them in both locations, or, obtain addresses from both RIPE and ARIN 
and use them in their respective regions, or mix and match in just about any imaginable way. Thus, IP addresses don't 
reside in regions, either. They are merely issued somewhat regionally.

Owen
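The thread describes the only practical version of shawn's filter: treating an address as belonging to whatever country the RIR recorded at allocation time, while Owen points out that an allocation from one RIR may be used in any region. The script below is an added example, not code from anyone in this thread, showing how such a registration-country table is built from the RIR "delegated" statistics format (registry|cc|type|start|value|date|status) and queried. The delegation lines are constructed and use RFC 1918 and documentation space, not real allocations; IPv4 records give an address count rather than a prefix, so counts that are not a power of two (768 below) must be split into several CIDR blocks. The answer it returns is the registration country only, which is exactly the limitation the thread discusses.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in RIR delegated-stats format. These are NOT real
# allocations: the addresses are RFC 1918 / documentation space and the
# country codes were chosen only to exercise the parser.
SAMPLE_DELEGATED = """\
2|apnic|20130524|4|19830101|20130523|+1000
apnic|*|ipv4|*|4|summary
apnic|CN|ipv4|10.0.0.0|2048|20110414|allocated
apnic|AU|ipv4|10.0.8.0|256|20110811|assigned
apnic|CN|ipv4|10.0.9.0|768|20110414|allocated
apnic|JP|ipv4|10.0.16.0|4096|20110412|allocated
apnic|CN|ipv6|2001:db8::|32|20110101|allocated
"""


def count_to_cidrs(start: str, count: int) -> List[ipaddress.IPv4Network]:
    """Split an IPv4 delegation (start address + number of addresses) into
    the minimal list of aligned CIDR blocks."""
    addr = int(ipaddress.IPv4Address(start))
    blocks: List[ipaddress.IPv4Network] = []
    while count > 0:
        # Largest block the current start address is aligned to (lowest set bit).
        align = addr & -addr if addr else 1 << 32
        # Largest power of two not exceeding the remaining address count.
        size = min(1 << (count.bit_length() - 1), align)
        prefixlen = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((addr, prefixlen)))
        addr += size
        count -= size
    return blocks


def parse_delegated(text: str) -> Dict[str, List[Network]]:
    """Build a registration-country -> prefixes table from delegated-stats lines.
    Header, summary and comment lines are skipped."""
    table: Dict[str, List[Network]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*" or fields[2] not in ("ipv4", "ipv6"):
            continue
        _registry, cc, kind, start, value = fields[:5]
        if kind == "ipv4":
            nets: List[Network] = list(count_to_cidrs(start, int(value)))
        else:
            # IPv6 records carry a prefix length, not an address count.
            nets = [ipaddress.IPv6Network((start, int(value)))]
        table.setdefault(cc, []).extend(nets)
    return table


def country_for(ip: str, table: Dict[str, List[Network]]) -> Optional[str]:
    """Return the country code the RIR recorded for the delegation covering
    ip, or None if no delegation matches. This is where the block was
    registered, not where the host sending packets from it is located."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in table.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                return cc
    return None


if __name__ == "__main__":
    table = parse_delegated(SAMPLE_DELEGATED)
    for cc, nets in sorted(table.items()):
        print(cc, [str(n) for n in nets])
    for probe in ("10.0.10.77", "10.0.8.5", "2001:db8::1", "10.1.0.1"):
        print(probe, "->", country_for(probe, table))
```

Feeding the real delegated-apnic-latest (or the combined delegated-extended files from each RIR) through parse_delegated yields the per-country prefix lists that "block traffic from IP addresses registered in certain countries" actually means in practice; the table only ever answers the registration question, so a customer travelling with an address registered elsewhere, or an organization using ARIN space in the RIPE region, is classified by paperwork rather than by location.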
