Geoip lookup

I knew this would come up. Actually I'm surprised and glad it waited until I got a solution first.

I'll address a few points:
- this is mainly to stop stupid things from sending packets from countries we will probably never want to do business with (I'm looking mainly at that big country under APNIC).

I can't tell you how much I enjoyed all the hoops I had to jump through in order to access my online banking while traveling in that country.

Assuming that your local customers aren't in that location isn't a valid assumption to begin with. Making life difficult for those that do travel will not earn you brownie points with them. (I am no longer with the financial institution that made this most difficult).

- I'd prefer a solution that blocks all traffic that is routed through those countries so that they could never see data from us (and when Jin-rong has a configuration mess up and rerouts ~10% of traffic through them for a half hour, I don't see any of that traffic). Since I have no idea how one would go about doing this, just blocking traffic from IP addresses registered in certain countries is good enough.

That's hard to do. Unless you require "record-route" on all packets and have some way to validate the contents of the route recording header (and enough space in the header to record all hops every time), it's not going to be possible. Further, even if it were, there's no way to ensure that all of your client's packets will get retransmitted on a path that works, so you would have the potential to severely degrade customer service in non-intuitive and hard-to-diagnose ways.

If you are my competitor, then I encourage you to try this.

- it is well known (I think everyone on this list at least) that you can evade geographic placement of your origin by tunneling. Given this, I fail to see the point in bringing up that "GeoIP" doesn't work. Also, if it doesn't work, why do content providers, CDNs, google, and streaming services rely on it as part of their business model? The sad truth of the mater is it does work and surprisingly well. We just don't like it because it's brittle and a user can fool us (I know Akami and the like look at trip time and the like because they know there are issues). Given all of this, how often is looking at the country an IP address originates from via what is listed for the particular ASN actually fiction?

Asking why providers rely on GeoIP in the face of it's flaws is like asking why people continue to buy Windows. It's a cross between inertia and a lack of better solutions at comparable cost. The sad truth of the matter is that it doesn't work. It works well enough to give the illusion of working. Deeper analysis, however, reveals that it works just well enough to keep honest people honest some of the time. Further, victims of it not working have little or no recourse available to them even if they understand what is happening. For the average user, it just looks like some portion of the internet is {permanently|temporarily} broken again for reasons passing understanding and they go somewhere else.


You're thinking like an engineer.

Think like a marketer.

They expect less than 1% response on paper mail advertising.

Now, compare and contrast your idea of a reasonable confidence level
and theirs.

  Just because I have operations in one region does not preclude me

from having operations

  in other regions. YMMV of course.


That was exactly my point, Bill... If you have operations in RIPE and ARIN
regions, it is entirely possible for you to obtain addresses from RIPE or ARIN
and use them in both locations, or, obtain addresses from both RIPE and
ARIN and use them in their respective regions, or mix and match in just about
any imaginable way. Thus, IP addresses don't reside in regions, either. They
are merely issued somewhat regionally.

In theory Maxmind is quite accurate. From 1 x /20 that we own we tag different space with the country: flag in the RIPE db. Maxmind picks this up after approx 30 days and says it's in Country X vrs country Y.


I wonder how many days it takes the RIPE db to report the correct country for those more specifics that you've tagged...


Indeed. This was covered in more detail in the Policy Experience Report
given at the ARIN 31, in which it was noted that we are seeing an increase
in requests for IPv4 address space from parties who have infrastructure in
the region, but for customers entirely from outside the region. This has
resulted in a significant change in the issuance rate and therefore any
estimates for regional free pool depletion. ARIN has sought guidance from
the community regarding what constitutes appropriate in-region use, should
this be based on infrastructure or served customers, and whether incidental
use outside the region is appropriate. (This topic was also on this list on
26 April 2012 - see attached email from that thread) Policy proposals in
this area to bring further clarity in address management are encouraged.


John Curran
President and CEO

If anyone is interrested, here's a little Perl CLI util to lookup what
countries registered networks within a block. There's no documentation
yet, it's a .pl where it should probably be a command with a makefile
installer, and Net::CIDR overlaps Net::IP. At any rate, hopefully it
is useful to someone.

PS - do note the -mask option (where you can define say, a 20 or 21 or
22) so that you're not sitting there banging on their DNS looking up
tons of /32s for blocks CYMRU doesn't have any information on.

Here's a few more resources: