de-peering for security sake

Lee ler762 at
Fri Dec 25 19:06:33 UTC 2015

On 12/24/15, Baldur Norddahl <baldur.norddahl at> wrote:
> I am afraid people are already doing this. Every time I bring a new IP
> series into production, my users will complain that they are locked out
> from sites including many government sites. This is because people will
> load IP location lists into their firewall and drop packets at the border.
> Of course they will not update said lists and load year-old lists into
> their firewalls.

Enable IPv6 for your users.  1) it's not going to have any "history" &
2) IPv6 probably isn't blocked.

> So now my users can not access government sites because the IP ranges were
> owned by a company in a different country two years ago.

Find one of your users that's a citizen of said gov't & forward their
complaint to the gov't sites.  Non-citizen complaints are much easier
to ignore.


> Take a guess on how responsive site owners are when we complain about their
> firewall. Most refuse to acknowledge they do any blocking and insist the
> problem is at our end. That is if they respond at all.
> Regards,
> Baldur
> On 25 December 2015 at 02:25, Stephen Satchell <list at> wrote:
>> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>>> Let’s just cut off the entirety of the third world instead of having
>>> a tangible mitigation plan in place.
>> While you think you are making a snarky response, it would be handy for
>> end users to be able to turn on and off access to other countries retail.
>> If *they* don't need access to certain third world countries, it would be
>> their decision, not the operator's decision.
>> For example, here on my little network we have no need for connectivity to
>> much of Asia, Africa, or India.  We do have need to talk to Europe,
>> Australia, and some countries in South America.
