nanog mailing list archives

Re: most accurate geo-IP source to build country-based access lists


From: Dave Sparro <dsparro () gmail com>
Date: Wed, 10 Jun 2015 07:29:45 -0400

Years ago when meeting with the lawyers to talk about the need to block
access to a list of websites I was coming from the technical side and
talking about how all of our possible solutions were incomplete and easily
circumvented by our users.  The lawyers' response was to explain the
concept of good faith effort.  The main point was that we needed to "do
something."  We'd be in pretty good shape liability-wise as long as we made
an attempt.   Getting back to the point of the question.  I'd find the
cheapest/easiest way to implement a somewhat effective GeoIP block, and say
that you've done something.

On Tue, Jun 9, 2015 at 11:13 AM, Joe Abley <jabley () hopcount ca> wrote:

On 9 Jun 2015, at 5:11, Martin T wrote:

At a brute force country level it is possible to use the Delegated
ranges lists but that runs into the problem where IP ranges are
subnetted and allocated to other countries.


Yeah.


I would say that a perfectly accurate mapping of address to anything
geographical (with more accuracy than "it's within the observed universe,
somewhere") is unlikely ever to exist, except by accident and for short
periods of time. Accuracy and lack of authoritative sources of data is one
reason, constant uncoordinated reconfiguration is another. You need to
decide how accurate your mapping needs to be (and figure out how to measure
that, if accuracy is important).

Another part of the problem is framing the question in a useful way: a
universal solution seems intractable when the following questions are
answered differently (but accurately) by different people who have
different needs.

Is a device in Uganda connected via satphone to a router in France in
Uganda, or France?

Is a network in Fiji that can't talk to any other networks in Fiji without
leaving the island but is one layer-3 hop away from Australia in Fiji, or
Australia?

Does the source address of a packet always identify the device that sent
the packet?

If I'm in region A and you're in region A, and you route within region to
me but my replies leave the region on the way back, are we in the same
region from my perspective? How about yours?

Even: if I'm in region A but I'm using a DNS resolver in region B, am I in
region A or region B?


Joe
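
Building a country prefix list from an RIR delegated file, as Martin T describes, is mechanically simple; the parser below is an added example (not code from this thread) that runs on constructed sample records in the delegated-extended format, converts the IPv4 host counts (which need not be powers of two) into CIDR blocks, and answers "which country" lookups. The caveat from the thread still applies: a sub-allocation to another country is invisible here unless the registry publishes it as its own record.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in RIR delegated(-extended) format, not a real registry file:
# registry|cc|type|start|value|date|status
SAMPLE = """\
2|ripencc|20150609|3|19920101|20150608|+0000
ripencc|*|ipv4|*|3|summary
ripencc|NL|ipv4|192.0.2.0|256|20100101|allocated
ripencc|DE|ipv4|198.51.100.0|768|20100101|assigned
apnic|FJ|ipv4|203.0.113.0|256|20100101|assigned
ripencc|NL|ipv6|2001:db8::|32|20100101|allocated
"""


def parse_delegated(text):
    """Yield (country_code, network) for each ipv4/ipv6 record.

    Version and summary lines are skipped. For ipv4 the 'value' field is a
    host count, so the range is split into the minimal set of CIDR blocks.
    """
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[1] == "*" or fields[2] not in ("ipv4", "ipv6"):
            continue
        cc, family, start, value = fields[1], fields[2], fields[3], int(fields[4])
        if family == "ipv6":
            yield cc, ipaddress.ip_network(f"{start}/{value}")
            continue
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(int(first) + value - 1)
        for net in ipaddress.summarize_address_range(first, last):
            yield cc, net


def country_prefixes(text):
    """Map country code -> list of networks, the raw material for an ACL."""
    table = defaultdict(list)
    for cc, net in parse_delegated(text):
        table[cc].append(net)
    return table


def country_of(table, addr):
    """Return the registry country for addr, or None if no record covers it."""
    ip = ipaddress.ip_address(addr)
    for cc, nets in table.items():
        if any(ip in net for net in nets if net.version == ip.version):
            return cc
    return None
```

Registry country is the only thing this answers; where the traffic actually originates, as Joe's questions show, is a separate matter.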


