de-peering for security sake

Baldur Norddahl baldur.norddahl at
Fri Dec 25 01:41:14 UTC 2015

I am afraid people are already doing this. Every time I bring a new IP
series into production, my users will complain that they are locked out
from sites including many government sites. This is because people will
load IP location lists into their firewall and drop packets at the border.
Of course they will not update said lists and load year-old lists into
their firewalls.

So now my users cannot access government sites because the IP ranges were
owned by a company in a different country two years ago.

Take a guess on how responsive site owners are when we complain about their
firewall. Most refuse to acknowledge they do any blocking and insist the
problem is at our end. That is if they respond at all.



On 25 December 2015 at 02:25, Stephen Satchell <list at> wrote:

> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
> While you think you are making a snarky response, it would be handy for
> end users to be able to turn on and off access to other countries retail.
> If *they* don't need access to certain third world countries, it would be
> their decision, not the operator's decision.
> For example, here on my little network we have no need for connectivity to
> much of Asia, Africa, or India.  We do have need to talk to Europe,
> Australia, and some countries in South America.
