most accurate geo-IP source to build country-based access lists

Martin T m4rtntns at gmail.com
Mon Jun 8 14:11:15 UTC 2015


Hi,

let's say that I need to build an ACL where I block all the IPv4
traffic from Sweden. I considered the following solutions:

1) RIR statistics
files (ftp://ftp.ripe.net/ripe/stats/RIR-Statistics-Exchange-Format.txt)
accessible for example at ftp://ftp.apnic.net/pub/stats/. However,
those files contain allocations and assignments made by the registry
producing the file and not any sub-assignments by other agencies (for
example NIR, LIR). This means that this information is not very
accurate. Another problem which I found out is that in case an inetnum
object has many country fields, the first one is used. In addition,
even the RIR statistics exchange format document says that:

    cc        = ISO 3166 2-letter country code, and the enumerated
                variances of

                        {AP,EU,UK}

                These values are not defined in ISO 3166 but are widely used.

                The cc value identifies the country. However, it is not specified
                if this is the country where the addresses are used.
                There are no rules defined for this value.
                It therefore cannot be used in any reliable way to map IP addresses
                to countries



2) MaxMind products. Those should rely on user input (for example
MaxMind purchases user data from ISPs or content providers) and, based
on personal experience, default to RIR data if no other more accurate
source is available. If anyone has something to specify here, then
please do so.


3) Use the iptables geoip module, but it turned out that it uses the MaxMind database:

root@VM-host:~# grep -Hsi maxmind $(dpkg -L xtables-addons-common)
/usr/lib/xtables-addons/xt_geoip_build:#        Converter for MaxMind CSV database to binary, for xt_geoip
/usr/lib/xtables-addons/xt_geoip_dl: http://geolite.maxmind.com/download/geoip/database/GeoIPv6.csv.gz \
/usr/lib/xtables-addons/xt_geoip_dl: http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip;
root@VM-host:~#


4) In theory geofeeds (http://tools.ietf.org/html/draft-google-self-published-geofeeds-02)
would be a nice solution, but as I understand the RFC, it would work
for my example only in case all the IP address users would provide
their geofeed and there is a centralized database to query.


5) Use prefix AS path. However, there seems to be no reliable way to
determine source country based on information in BGP routing tables.


Are there any other possibilities to geolocate IPv4 addresses with
higher accuracy?


regards,
Martin
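
Added example (not part of the original post): a parser for the RIR statistics exchange format from option 1 that turns one country's IPv4 records into CIDR prefixes for an ACL. It also counts the addresses filed under the non-ISO codes {AP,EU,UK}, which a per-country list built this way cannot cover. The sample records are constructed and the function names are this example's own.

```python
import ipaddress

# Constructed sample in RIR statistics exchange format (not real registry data):
# registry|cc|type|start|value|date|status, where value for ipv4 is a host count.
SAMPLE = """\
2|ripencc|20150608|6|19830705|20150605|+0100
ripencc|*|ipv4|*|5|summary
ripencc|SE|ipv4|192.0.2.0|128|20100101|allocated
ripencc|SE|ipv4|192.0.2.128|128|20100102|assigned
ripencc|SE|ipv4|198.51.100.0|192|20110101|allocated
ripencc|DE|ipv4|203.0.113.0|128|20120101|allocated
ripencc|EU|ipv4|203.0.113.128|128|20120102|allocated
ripencc|SE|ipv6|2001:db8::|32|20130101|allocated
"""

NON_ISO = {"AP", "EU", "UK"}  # codes the format document lists outside ISO 3166


def ipv4_records(text):
    """Yield (cc, first_address, host_count) for allocated/assigned ipv4 records."""
    for line in text.splitlines():
        f = line.split("|")
        # Skips comments, the version header and the per-type summary lines.
        if line.startswith("#") or len(f) < 7 or f[2] != "ipv4":
            continue
        if f[6] in ("allocated", "assigned"):
            yield f[1].upper(), ipaddress.IPv4Address(f[3]), int(f[4])


def country_prefixes(text, cc):
    """Return the collapsed CIDR prefixes registered under country code cc."""
    nets = []
    for rec_cc, first, count in ipv4_records(text):
        if rec_cc == cc.upper():
            # The count need not be a power of two, so one record may need
            # several prefixes to cover exactly first .. first + count - 1.
            nets.extend(ipaddress.summarize_address_range(first, first + count - 1))
    return list(ipaddress.collapse_addresses(nets))


def non_iso_address_count(text):
    """Count ipv4 addresses filed under AP/EU/UK, which no country list covers."""
    return sum(count for cc, _, count in ipv4_records(text) if cc in NON_ISO)


if __name__ == "__main__":
    for net in country_prefixes(SAMPLE, "SE"):
        print(net)
    print("addresses under AP/EU/UK:", non_iso_address_count(SAMPLE))
```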


