[163191] in North American Network Operators' Group
Re: Geoip lookup
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri May 24 12:18:20 2013
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAH_OBicNxBE8XNMk1UnLziYN26WE5rmv2h9kzqbzyHeQM3eM3A@mail.gmail.com>
Date: Fri, 24 May 2013 09:15:53 -0700
To: shawn wilson <ag4ve.us@gmail.com>
Cc: bmanning@vacation.karoshi.com,
North American Network Operators Group <nanog@nanog.org>
On May 24, 2013, at 01:13, shawn wilson <ag4ve.us@gmail.com> wrote:
> I knew this would come up. Actually I'm surprised and glad it waited until I got a solution first.
>
> I'll address a few points:
> - this is mainly to stop stupid things from sending packets from countries we will probably never want to do business with (I'm looking mainly at that big country under APNIC).
>
I can't tell you how much I enjoyed all the hoops I had to jump through in order to access my online banking while traveling in that country.
Assuming that your local customers aren't in that location isn't a valid assumption to begin with. Making life difficult for those that do travel will not earn you brownie points with them. (I am no longer with the financial institution that made this most difficult).
> - I'd prefer a solution that blocks all traffic that is routed through those countries so that they could never see data from us (and when Jin-rong has a configuration mess-up and reroutes ~10% of traffic through them for a half hour, I don't see any of that traffic). Since I have no idea how one would go about doing this, just blocking traffic from IP addresses registered in certain countries is good enough.
>
That's hard to do. Unless you require "record-route" on all packets and have some way to validate the contents of the route recording header (and enough space in the header to record all hops every time), it's not going to be possible. Further, even if it were, there's no way to ensure that all of your clients' packets will get retransmitted on a path that works, so you would have the potential to severely degrade customer service in non-intuitive and hard-to-diagnose ways.
If you are my competitor, then I encourage you to try this.
> - it is well known (I think everyone on this list at least) that you can evade geographic placement of your origin by tunneling. Given this, I fail to see the point in bringing up that "GeoIP" doesn't work. Also, if it doesn't work, why do content providers, CDNs, google, and streaming services rely on it as part of their business model? The sad truth of the matter is it does work and surprisingly well. We just don't like it because it's brittle and a user can fool us (I know Akamai and the like look at trip time and the like because they know there are issues). Given all of this, how often is looking at the country an IP address originates from via what is listed for the particular ASN actually fiction?
>
Asking why providers rely on GeoIP in the face of its flaws is like asking why people continue to buy Windows. It's a cross between inertia and a lack of better solutions at comparable cost. The sad truth of the matter is that it doesn't work. It works well enough to give the illusion of working. Deeper analysis, however, reveals that it works just well enough to keep honest people honest some of the time. Further, victims of it not working have little or no recourse available to them even if they understand what is happening. For the average user, it just looks like some portion of the internet is {permanently|temporarily} broken again for reasons passing understanding and they go somewhere else.
Owen
> Again, the input was invaluable for getting me where I wanted to be so thanks again.
>
> On May 24, 2013 2:59 AM, "Owen DeLong" <owen@delong.com> wrote:
>
> On May 23, 2013, at 23:49, bmanning@vacation.karoshi.com wrote:
>
> > On Thu, May 23, 2013 at 11:39:12PM -0700, Owen DeLong wrote:
> >>
> >> On May 23, 2013, at 23:17, David Conrad <drc@virtualized.org> wrote:
> >>
> >>> On May 23, 2013, at 10:53 PM, Andreas Larsen <andreas.larsen@ip-only.se> wrote:
> >>>> The whole idea of Geoip is flawed.
> >>>
> >>> Sure, but pragmatically, it's an 80% solution.
> >>>
> >>>> IP doesn't reside in countries,
> >>>
> >>> True, according to (at least some of) the RIRs they reside in regions...
> >>>
> >>
> >> Really? Which ones? I thought they were only issued to organizations that had operations in regions.
> >>
> >> Owen
> >
> > Just because I have operations in one region does not preclude me from having operations in other regions. YMMV of course.
> >
> > /bill
>
> That was exactly my point, Bill... If you have operations in RIPE and ARIN regions, it is entirely possible for you to obtain addresses from RIPE or ARIN and use them in both locations, or, obtain addresses from both RIPE and ARIN and use them in their respective regions, or mix and match in just about any imaginable way. Thus, IP addresses don't reside in regions, either. They are merely issued somewhat regionally.
>
> Owen
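The approach Shawn describes, denying traffic by the country an address is registered under, reduces to a longest-prefix match against registry data, and Owen's point that addresses are "merely issued somewhat regionally" shows up directly in that data when a more-specific block is transferred and re-registered elsewhere. The following is an added example, not code from the thread or from any registry or GeoIP vendor: the prefix table, the block-list country and the flow records are constructed sample values (documentation prefixes, not real allocations), and the lookup is a plain longest-prefix match over that table. It shows why the match must be most-specific-first, and that a deny-list of this kind allows anything with no registry entry at all.

```python
import ipaddress

# Constructed sample registry data (documentation prefixes, not real allocations).
# Maps an allocated prefix to the country recorded for its registrant.
SAMPLE_REGISTRY = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "AU",
    # Constructed: a more-specific block carved out of the AU /24 and
    # re-registered in JP. Without longest-prefix matching this block
    # would be attributed to AU.
    "203.0.113.128/25": "JP",
    "2001:db8::/32": "SE",
}


def build_lookup(registry):
    """Parse the prefixes once and order them most-specific first."""
    entries = [(ipaddress.ip_network(prefix, strict=True), cc)
               for prefix, cc in registry.items()]
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


LOOKUP = build_lookup(SAMPLE_REGISTRY)


def registry_country(ip, lookup=LOOKUP):
    """Return the registrant country of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in lookup:
        if net.version == addr.version and addr in net:
            return cc
    return None


def country_policy(ip, blocked, lookup=LOOKUP):
    """Return (action, country). Addresses with no registry entry are
    allowed: this is a deny-list on registrant country, not an allow-list,
    so unknown registration is not a block reason."""
    cc = registry_country(ip, lookup)
    if cc is None:
        return "allow", None
    return ("deny" if cc in blocked else "allow"), cc


def summarise(flow_lines, blocked, lookup=LOOKUP):
    """Apply the policy to constructed flow records of the form
    '<src-ip> <dst-port>' and count decisions per registrant country."""
    counts = {}
    for line in flow_lines:
        src_ip = line.split()[0]
        action, cc = country_policy(src_ip, blocked, lookup)
        key = (action, cc or "unregistered")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed flow records; 192.0.2.9 has no entry in the sample registry.
SAMPLE_FLOWS = [
    "198.51.100.7 443",
    "203.0.113.5 443",
    "203.0.113.200 22",
    "192.0.2.9 443",
    "2001:db8::1 443",
]

# Arbitrary sample block list for the demonstration, not a recommendation.
SAMPLE_BLOCKED = {"JP"}

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        ip = line.split()[0]
        print(ip, country_policy(ip, SAMPLE_BLOCKED))
    print(summarise(SAMPLE_FLOWS, SAMPLE_BLOCKED))
```

Note that 203.0.113.200 falls inside both the AU /24 and the JP /25; only the most-specific-first ordering attributes it to JP. The table says nothing about where the packets actually came from or which path they took, which is the limitation both Owen and Shawn acknowledge above.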