[52477] in North American Network Operators' Group
Re: IPv4 country of origin
daemon@ATHENA.MIT.EDU (Ralph Doncaster)
Wed Oct 2 23:38:19 2002
Date: Wed, 2 Oct 2002 23:39:03 -0400 (EDT)
From: Ralph Doncaster <ralph@istop.com>
To: Rick Ernst <erond@legendz.com>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <Pine.BSF.4.21.0210022023070.19633-100000@legendz.com>
Errors-To: owner-nanog-outgoing@merit.edu

That's basically all Netscape & Microsoft were doing when they had to
restrict 128-bit SSL. They threw in the requirement to enter your address
& phone number, but they had no way of telling if you were entering your
address, or the one you got from doing a four11.com lookup of John Smith
in Plano, Tx.

I block anonymizer & some other proxies, as well as AOL.

So I guess you're saying there's not much better than what I'm already
doing? The only info I have on the client is what I can get from a TCP
connection.

-Ralph

On Wed, 2 Oct 2002, Rick Ernst wrote:
> "Good luck"?
>
> Have you thought about folks using tunneling and proxies? IP-based
> authorization is a very weak and inaccurate/insecure method...
>
> On Wed, 2 Oct 2002, Ralph Doncaster wrote:
>
> :>
> :>I would like to restrict access from certain countries to content on my
> :>network (for security and legal reasons).
> :>
> :>So far the best algorithm I've been able to come up with is a combination
> :>of reverse DNS and APNIC/ARIN/RIPE whois queries. I've written a perl
> :>cgi that checks reverse DNS first, and if there is no gtld country code
> :>for the reverse mapping, does a whois query and parses the response for
> :>the address.
> :>
> :>The problem I have is that the country for the company that owns the IP
> :>block is sometimes not the country the IP block is used in. For example
> :>sungold22.de.ibm.com 194.196.100.86
> :>Whois parsing indicates a country of UK, but from the reverse DNS a person
> :>can see that it is Germany. I've built the pattern of cc.ibm.com into my
> :>cgi, but I'm sure there are other blocks that I'm incorrectly identifying.
> :>
> :>I've looked at RADB entries, as well as origin AS for various IP blocks,
> :>and neither source looks any better than whois.
> :>
> :>Is there a more accurate method to determine the country of origin for an
> :>IP than the methods I've described above?
> :>
> :>-Ralph
> :>
> :>
>
>
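
The lookup order described in the quoted message (reverse DNS first, whois as fallback, plus the cc.ibm.com pattern) is sketched below as an added example; it is not the poster's Perl CGI. The ccTLD subset, the pattern list, the sample whois text and all function names are assumptions, and the code takes the PTR name and whois response as inputs so it runs offline.

```python
import re

# Constructed subset of ccTLD labels; a real list would cover all of ISO 3166.
CCTLDS = {"de", "uk", "ca", "fr", "jp", "us", "nl"}
# Operator-maintained patterns for generic-TLD names that embed a country
# label, such as the cc.ibm.com pattern from the post (hypothetical list).
EMBEDDED_CC = [re.compile(r"\.([a-z]{2})\.ibm\.com$")]
CC_ALIASES = {"uk": "GB"}  # ccTLD label -> ISO 3166 code where they differ
# Constructed whois reply in the RPSL "attribute: value" layout.
SAMPLE_WHOIS = "netname:        EXAMPLE-NET\ncountry:        GB\n"

def normalize(cc):
    cc = cc.lower()
    return CC_ALIASES.get(cc, cc.upper())

def country_from_ptr(hostname):
    """Country hint from a reverse-DNS name, or None if it carries none."""
    if not hostname:
        return None
    name = hostname.rstrip(".").lower()
    for pattern in EMBEDDED_CC:
        m = pattern.search(name)
        if m and m.group(1) in CCTLDS:
            return normalize(m.group(1))
    tld = name.rsplit(".", 1)[-1]
    return normalize(tld) if tld in CCTLDS else None

def country_from_whois(text):
    """First 'country:' attribute of a whois response, or None."""
    m = re.search(r"^country:\s*([A-Za-z]{2})\s*$", text or "",
                  re.MULTILINE | re.IGNORECASE)
    return normalize(m.group(1)) if m else None

def classify(hostname, whois_text):
    """Return (country, source, conflict): PTR first, whois as fallback."""
    ptr = country_from_ptr(hostname)
    who = country_from_whois(whois_text)
    # Flag the case from the post: registrant country differs from the PTR hint.
    conflict = ptr is not None and who is not None and ptr != who
    if ptr:
        return ptr, "ptr", conflict
    if who:
        return who, "whois", False
    return None, "unknown", False

if __name__ == "__main__":
    print(classify("sungold22.de.ibm.com", SAMPLE_WHOIS))
```

The conflict flag marks addresses where the two sources disagree, so they can be logged and reviewed rather than silently assigned to one country.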