most accurate geo-IP source to build country-based access lists

Joe Abley jabley at hopcount.ca
Tue Jun 9 15:13:56 UTC 2015


On 9 Jun 2015, at 5:11, Martin T wrote:

>> At a brute force country level it is possible to use the Delegated
>> ranges lists but that runs into the problem where IP ranges are
>> subnetted and allocated to other countries.
>
> Yeah.

I would say that a perfectly accurate mapping of address to anything 
geographical (with more accuracy than "it's within the observed 
universe, somewhere") is unlikely ever to exist, except by accident and 
for short periods of time. Accuracy and lack of authoritative sources of 
data is one reason, constant uncoordinated reconfiguration is another. 
You need to decide how accurate your mapping needs to be (and figure out 
how to measure that, if accuracy is important).

Another part of the problem is framing the question in a useful way: a 
universal solution seems intractable when the following questions are 
answered differently (but accurately) by different people who have 
different needs.

Is a device in Uganda connected via satphone to a router in France in 
Uganda, or France?

Is a network in Fiji that can't talk to any other networks in Fiji 
without leaving the island but is one layer-3 hop away from Australia in 
Fiji, or Australia?

Does the source address of a packet always identify the device that sent 
the packet?

If I'm in region A and you're in region A, and you route within region 
to me but my replies leave the region on the way back, are we in the 
same region from my perspective? How about yours?

Even: if I'm in region A but I'm using a DNS resolver in region B, am I 
in region A or region B?


Joe
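The brute-force approach quoted at the top of this message, building a per-country list from the registries' delegated ranges lists, as an added example that is not part of the original message. The sample records, the registry name and the function names are constructed for illustration. The country code is only what the registry recorded for each delegation, so the result inherits every limit raised above.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics layout:
# registry|cc|type|start|value|date|status
# For ipv4 "value" is an address count; for ipv6 it is a prefix length.
SAMPLE = """\
2|exampleregistry|20150609|5|19830101|20150608|+0000
exampleregistry|*|ipv4|*|4|summary
exampleregistry|FR|ipv4|192.0.2.0|256|20100101|allocated
exampleregistry|AU|ipv4|198.51.100.0|192|20110101|assigned
exampleregistry|FJ|ipv4|203.0.113.0|128|20120101|allocated
exampleregistry|FR|ipv6|2001:db8::|32|20130101|allocated
exampleregistry||ipv4|203.0.113.128|128||available
"""

def country_networks(text, country):
    """Return the networks whose delegation record carries `country`."""
    nets = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        # Skip comments, the version line, summary lines, other countries.
        if line.startswith("#") or len(fields) < 7 or fields[1] != country:
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue  # "available" and "reserved" space has no holder
        if fields[2] == "ipv4":
            # A count need not be a power of two, so one record can expand
            # to several CIDR blocks.
            first = ipaddress.IPv4Address(fields[3])
            last = first + (int(fields[4]) - 1)
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif fields[2] == "ipv6":
            nets.append(ipaddress.IPv6Network(f"{fields[3]}/{fields[4]}"))
    return nets

def listed(address, nets):
    """True if `address` falls inside any network in `nets`."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)

if __name__ == "__main__":
    for cc in ("FR", "AU", "FJ"):
        print(cc, [str(n) for n in country_networks(SAMPLE, cc)])
```
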


