Re: most accurate geo-IP source to build country-based access lists

["Joe Abley" <jabley () hopcount ca>]

On 9 Jun 2015, at 5:11, Martin T wrote:

> > At a brute force country level it is possible to use the Delegated
> > ranges lists but that runs into the problem where IP ranges are
> > subnetted and allocated to other countries.
>
> Yeah.

I would say that a perfectly accurate mapping of address to anything 
geographical (with more accuracy than "it's within the observed 
universe, somewhere") is unlikely ever to exist, except by accident and 
for short periods of time. Accuracy and lack of authoritative sources of 
data is one reason, constant uncoordinated reconfiguration is another. 
You need to decide how accurate your mapping needs to be (and figure out 
how to measure that, if accuracy is important).

Another part of the problem is framing the question in a useful way: a 
universal solution seems intractable when the following questions are 
answered differently (but accurately) by different people who have 
different needs.

Is a device in Uganda connected via satphone to a router in France in 
Uganda, or France?

Is a network in Fiji that can't talk to any other networks in Fiji 
without leaving the island but is one layer-3 hop away from Australia in 
Fiji, or Australia?

Does the source address of a packet always identify the device that sent 
the packet?

If I'm in region A and you're in region A, and you route within region 
to me but my replies leave the region on the way back, are we in the 
same region from my perspective? How about yours?

Even: if I'm in region A but I'm using a DNS resolver in region B, am I 
in region A or region B?


Joe