nanog mailing list archives

Re: IPv4 country of origin


From: Ralph Doncaster <ralph () istop com>
Date: Wed, 2 Oct 2002 23:39:03 -0400 (EDT)


That's basically all Netscape & Microsoft were doing when they had to
restrict 128-bit SSL.  They threw in the requirement to enter your address
& phone number, but they had no way of telling if you were entering your
address, or the one you got from doing a four11.com lookup of John Smith
in Plano, Tx.

I block anonymizer & some other proxies, as well as AOL.

So I guess you're saying there's not much better than what I'm already
doing?  The only info I have on the client is what I can get from a TCP
connection.

-Ralph 

On Wed, 2 Oct 2002, Rick Ernst wrote:

"Good luck"?

Have you thought about folks using tunneling and proxies?  IP-based
authorization is a very weak and inaccurate/insecure method...

On Wed, 2 Oct 2002, Ralph Doncaster wrote:

:>
:>I would like to restrict access from certain countries to content on my
:>network (for security and legal reasons).
:>
:>So far the best algorithm I've been able to come up with is a combination
:>of reverse DNS and APNIC/ARIN/RIPE whois queries.  I've written a perl
:>cgi that checks reverse DNS first, and if there is no gtld country code
:>for the reverse mapping, does a whois query and parses the response for
:>the address.
:>
:>The problem I have is that the country for the company that owns the IP
:>block is sometimes not the country the IP block is used in.  For example
:>sungold22.de.ibm.com 194.196.100.86
:>Whois parsing indicates a country of UK, but from the reverse DNS a person
:>can see that it is Germany.  I've built the pattern of cc.ibm.com into my
:>cgi, but I'm sure there are other blocks that I'm incorrectly identifying.
:>
:>I've looked at RADB entries, as well as origin AS for various IP blocks,
:>and neither source looks any better than whois.
:>
:>Is there a more accurate method to determine the country of origin for an
:>IP than the methods I've described above?
:>
:>-Ralph
:>
:>
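The lookup order described in the original question (reverse DNS first, then the cc.ibm.com special case, then the whois country field), as an added example that is not part of any poster's message or their Perl CGI. The function names, the `source` labels and the sample whois text are assumptions made for illustration; the resolver and whois lookups are left out so it runs offline on the hostname and whois text passed in.

```python
import re

# Organisation domains known to embed a country label (the thread's cc.ibm.com case).
ORG_CC_PATTERNS = [re.compile(r"(?:^|\.)([a-z]{2})\.ibm\.com$")]
# ccTLD labels that differ from the ISO 3166 code used in whois records.
CC_ALIASES = {"UK": "GB"}
WHOIS_COUNTRY = re.compile(r"^country:[ \t]*([A-Za-z]{2})[ \t]*$", re.I | re.M)


def normalise(cc):
    cc = cc.upper()
    return CC_ALIASES.get(cc, cc)


def country_for(ptr_name, whois_text):
    """Return (country, source). The source lets the caller decide how far
    to trust the answer: a PTR name is whatever the reverse-zone owner
    publishes, and whois gives the registrant's country, not the host's."""
    if ptr_name:
        name = ptr_name.rstrip(".").lower()
        tld = name.rsplit(".", 1)[-1]
        # Every two-letter top-level domain is a country code.
        if re.fullmatch(r"[a-z]{2}", tld):
            return normalise(tld), "ptr-cctld"
        for pattern in ORG_CC_PATTERNS:
            m = pattern.search(name)
            if m:
                return normalise(m.group(1)), "ptr-org-pattern"
    m = WHOIS_COUNTRY.search(whois_text or "")
    if m:
        return normalise(m.group(1)), "whois"
    return None, "unknown"


# Constructed whois excerpt (not a real registry record): the registrant
# country differs from the country named in the reverse DNS.
SAMPLE_WHOIS = """\
netname:        EXAMPLE-NET
country:        GB
"""

if __name__ == "__main__":
    for host in ("sungold22.de.ibm.com", "host.example.co.uk.", None):
        print(host, country_for(host, SAMPLE_WHOIS))
```

Returning the source alongside the country makes the disagreement from the thread visible: the same address yields DE from the hostname pattern and GB from whois alone.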



