Enterprise Internet - Question

Hi All,

I just wanted to throw a question out to the list...

In our data center we feed Internet to some of our US-based offices, and every now and again we receive complaints that they can't access some US-based Internet content because they are coming from a Canadian-based IP.

This has sparked an interesting discussion around a few questions....of which I'd like to hear the list's opinions on.

- How should/can an enterprise deal with accessibility to internet content issues? (i.e. that whole coming from a Canadian IP accessing US content)

o Side question on that - Could we simply obtain a US based IP address and selectively NAT?

- Does the idea of regional Internet locations make sense? If so, when do they make sense? For instance, having a hub site in South America (i.e. Brazil) and having all offices in Venezuela, Peru and Argentina route through a local Internet feed in Brazil.

- Does the idea of having local Internet at each site make more sense? If so why?

Again, I would appreciate hearing the opinion from SP oriented minds...based on what they've seen from customers...and network administrators running large enterprises in different companies. Off-list replies are also appreciated.

Thanks!!!

...jc

Hi Jeff,

You might have some luck following the instructions on
http://nanog.cluepon.net/index.php/GeoIP to register one particular /32
within your Canadian-announced netblock as being in the USA, and selectively
NATing as you suggest, but I believe some stricter GeoIP databases check
next hops and expected latency and might catch you out.

We're lucky enough to have proxies in most geographies where we operate, so
if a user has GeoIP issues we talk them through changing their proxy
settings (you could also use a personal PAC file).

(My employer's) principles in favour of a local internet breakout:

- Is breaking out to the internet locally significantly cheaper than
backhauling over private WAN? (Some MPLS providers will offer a local
internet breakout as a VRF; this avoids the need for two access circuits.)
- Do you need to congest the internet traffic more than/independently of the
private WAN traffic?
- Would a tunnel over the internet be a useful backup to private circuits?
- Are there latency-related performance reasons (lots of local content) to
break out locally?
- Are there regulatory reasons? (e.g. Middle East / Chinese state-level
filtering)

Against local breakout:

- Do you need to limit the number of locations with an internet breakout
because you have a heavyweight security stack protecting an internet
connection (filtering proxy, IDS/IPS, multi-layer HA firewalls)?
- Is local internet of poor quality?

Regards,

Phil Sykes
Network Architect
$LARGE_OIL_COMPANY
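
Phil's "personal PAC file" suggestion, worked through as an added example (this is not code from the thread or from any poster's employer). A PAC file is a JavaScript function the browser calls per request; only the sites that refuse the Canadian-registered source range are steered through a proxy whose egress is a US-registered address, and everything else stays DIRECT. The proxy name `us-proxy.example.internal`, the internal domain `corp.example.internal` and the two `.test` sites are assumed placeholders. Browsers provide `dnsDomainIs`, `shExpMatch` and `isPlainHostName`; the minimal versions defined here exist only so the file also runs under Node.

```javascript
// Added example: a personal PAC file that sends only geo-restricted sites
// through a US-exit proxy. The helper functions below mimic the PAC built-ins
// (suffix match, shell-glob match, "no dots in name") so the file is testable
// outside a browser; in a real deployment the browser supplies them.

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC semantics: true when host ends with domain (list entries start with a
// dot, so "notexample-bank.test" does not match ".example-bank.test").
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}

// PAC semantics: shell-style glob where * matches any run and ? one char.
function shExpMatch(str, shexp) {
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Assumed placeholders: the proxy with a US-registered egress address and the
// sites observed to reject the Canadian-registered range.
const US_EXIT_PROXY = "PROXY us-proxy.example.internal:3128";
const US_ONLY_SITES = [".example-us-video.test", ".example-bank.test"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names and private address space never leave via the proxy
  // (10/8 and 192.168/16 shown; extend for 172.16/12 as needed).
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.internal")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) {
    return "DIRECT";
  }

  // Only the restricted sites take the US exit; "; DIRECT" means a proxy
  // outage degrades to the original symptom rather than a hard failure.
  for (const domain of US_ONLY_SITES) {
    if (dnsDomainIs(host, domain)) {
      return US_EXIT_PROXY + "; DIRECT";
    }
  }
  return "DIRECT";
}
```

Because the list of affected sites is explicit, a user who is handed this file gets the US exit for exactly those sites and nothing else; adding a site is a one-line change rather than a proxy-setting walkthrough.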

- How should/can an enterprise deal with accessibility to internet content issues? (i.e. that whole coming from a Canadian IP accessing US content)

This is an example of why content restriction based on IP address geolocation is such a bad idea in general.

Frankly, the easiest thing to do (since most Canadian companies aren't as brain-dead) is to update your whois records with the address of the block
allocated to your datacenter so that it looks like it's in one of your US offices. I realize this sounds silly for a variety of reasons, but, it solves the problem
without expensive or configuration-intensive workarounds such as selective NAT, etc.

o Side question on that - Could we simply obtain a US based IP address and selectively NAT?

You can, but, you can also hit yourself over the head repeatedly with a hammer. Selective NAT will yield more content, but, the pain levels will probably be similar.

- Does the idea of regional Internet locations make sense? If so, when do they make sense? For instance, having a hub site in South America (i.e. Brazil) and having all offices in Venezuela, Peru and Argentina route through a local Internet feed in Brazil.

Not really. The whole content-restriction by IP geolocation thing also doesn't make sense. Unfortunately, the fact that something is nonsensical does not prevent someone from doing it or worse, selling it.

You should do what makes sense for the economics of the topology you need. The address geolocation issues can usually be best addressed by manipulating whois. If your address block from ARIN is an allocation, you can manipulate sub-block address registration issues through the use of SWIP, for example.

- Does the idea of having local Internet at each site make more sense? If so why?

That's really more of an economic and policy question within your organization than a technical one.

Owen

IME, costs for private backhaul circuits of any flavor are significantly higher than costs for plain internet access - so backhauling internet access (unless you have extremely restrictive access policies that you can actually enforce) through your WAN would/should cost through the nose. Routing only WAN traffic through the WAN reduces the size/scope/impact on those more expensive circuits. Probably at the expense of additional complexity, of course.

In fact, it is often more cost effective to multihome each site and use VPNs for your WAN.

Owen

You indeed might feed traffic towards such "IP restricted" sites through a transparent proxy server, or policy NAT based on destination IP, reducing all traffic towards those sites from "Canadian" ranges to a pool of source IP addresses.

Just to take a jab at absurd "content restriction" by IP methods, a reminder... There's no such thing as a "US" IP address. There's no such thing as a Canadian IP address.

There are IPs delegated to network operators who have an AS in certain countries, but that is no proof of country of origin.

What "country" is an IP address located in when it is assigned to a terminal server, VPN server, or proxy server in country $X, and there are authorized users that connect from 16 different countries?
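
The destination-based policy NAT described above, reduced to its decision logic as an added example (not code from the thread, and not a configuration for any particular firewall). Two points are worth seeing in code: the restricted destinations are matched as CIDR prefixes, and the pool address is chosen deterministically per client, so a site that ties a session to its source address (the PayPal confusion later in the thread) keeps seeing one origin instead of a different pool member on every connection. All prefixes and addresses are constructed placeholders from the documentation ranges.

```javascript
// Added example: decision logic of a destination-based selective source NAT.
// A real device would apply this per flow in its NAT table; here it is a
// pure function so the behaviour can be checked offline.

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside the CIDR prefix (IPv4 only).
function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error("bad prefix: " + cidr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Constructed placeholders: destinations known to reject the Canadian-
// registered source range, and the pool of US-registered addresses that is
// used only for them.
const RESTRICTED_DESTINATIONS = ["198.51.100.0/24", "203.0.113.0/24"];
const US_SOURCE_POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"];

// Sticky pool selection: FNV-1a over the client address, so the same client
// always leaves from the same pool member regardless of which restricted
// site it talks to.
function pickPoolAddress(clientIp, pool) {
  let h = 2166136261;
  for (const ch of clientIp) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 16777619) >>> 0;
  }
  return pool[h % pool.length];
}

// Returns the translated source for flows to a restricted destination, or
// null when the policy does not apply and ordinary egress NAT handles it.
function translateSource(clientIp, dstIp) {
  if (RESTRICTED_DESTINATIONS.some(prefix => inCidr(dstIp, prefix))) {
    return pickPoolAddress(clientIp, US_SOURCE_POOL);
  }
  return null;
}
```

The deliberate narrowness is the point: only flows to the listed prefixes are rewritten, so the rest of the site's traffic keeps its normal source address and the pool is not burned on traffic that never needed it.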

Yep.... And let us also not forget that people travel. Imagine my surprise
when I tried to log into Wells Fargo from Kigali and got the message that
"You have authenticated successfully, but, we don't trust your current
location. Everything will be fine when you log in from home."

Of course, I did the seemingly obvious thing and logged in from home.
Yeah, not so much. That got my account completely locked out and took
a 2.5 hour phone call (well, series of phone calls, maintaining a VOIP
connection from Kigali for that long wasn't happening) where I had
to escalate up three levels of support representative before reaching
someone who could understand what VNC was and that it was indeed
possible for me to control my computer in the US from my laptop in
Kigali and that I had indeed legitimately logged in from both locations
about 2 minutes apart.

To the best of my knowledge, while this person reset my account so that
I could log in (from my house), I don't think Wells Fargo has any intention
of rethinking their geo-IP based restrictions on logging in.

So, if you travel, consider carefully whether to try and log into something
directly vs. doing so over VNC.

Owen

Thanks for the comments everyone. They are much appreciated.
In regards to changing the address of our ARIN block to a US office address....are there any trade-offs in doing that? Just curious.

Perhaps you have Canadian branches feeding off the same connection and they
will have the reverse problem with geo-location?

There are fewer companies in Canada that have brain-dead attitudes about US customers than there are US companies with
brain-dead attitudes towards Canadian customers.

Probably not so much of an issue.

Owen

For precisely this reason I always ensure that my banking traffic goes via a VPN through a relatively consistent set of origin IPs to the wider Internet.

Solves a lot of headaches, although PayPal were confused that I could be in California and have my traffic come from Chicago (which they thought was New Jersey...).