de-peering for security sake

Baldur Norddahl baldur.norddahl at
Fri Dec 25 19:43:55 UTC 2015

On 25 December 2015 at 20:06, Lee <ler762 at> wrote:

> Enable IPv6 for your users.  1) it's not going to have any "history" &
> 2) ipv6 probably isn't blocked.

I am not aware of just one single government site in this country (Denmark)
that is IPv6 enabled. There are zero danish news sites that are IPv6
enabled. In fact, nothing here is IPv6 enabled - with the exception of all
major ISP sites. For some strange reason all ISPs have IPv6 on their
websites (but they do not provide IPv6 to their customers). It is sad

> > So now my users can not access government sites because the IP ranges
> were
> > owned by a company in a different country two years ago.
> Find one of your users that's a citizen of said gov't & forward their
> complaint to the gov't sites.  Non-citizen complaints are much easier
> to ignore..

I am a citizen and yes, they do ignore us. If you can manage to find the
right guy, he can probably fix it in a few minutes. It is just that there
is no way to get to that guy. The front desk has no clue what you are
talking about. To these people we should just stop sending traffic from
Romania and it would all be fixed, no?

To make it worse it is a really boring game of whack a mole. The users are
constantly finding new sites that are either blocking us or are showing the
site in the wrong language. Each time we open up a new IP series, it all
starts over again. We do not have enough cash on hand to simply buy a real
large chunk of IPv4, so we have multiple smaller blocks.

With regards to this thread, I am finding a worrying trend for websites to
block out of country IP-addresses at the firewall. In the past you could
expect that some content would not play or that your credit card payment
would be blocked. But now you never get to that stage because sites are
dropping the packets at the firewall.



More information about the NANOG mailing list