Submitting Fake Geolocation for blocks to Data Brokers and RIRs

Izaac izaac at setec.org
Thu Apr 22 14:32:45 UTC 2021


On Wed, Apr 21, 2021 at 12:21:26PM -0700, William Herrin wrote:
> a legal requirement that it be located in [Atlantis]

A legal requirement of whom?  Undoubtedly the requirement is made of
provider of this theoretical service doing the restricting.  Is that
"legal requirement" satisfied by asking a third party their opinion of
the source of a given IP packet?  Or is there an actual measure of due
diligence necessary on the part of the service provider or the
maintainer of the GeoIP database?

Because it amuses me, let's think this one out:

Let's assume there are sanctions by Utopia against Atlantis, because I
cannot think of any other geolocation-based legal requirement.  Can you?

Widgets Unlimited of Utopia, LLC provides access to technical manuals on
its website.  Someone in their customer service IT support group learns
of the sanctions and wires up their website to IPgeoco's API.  A
"devious" Atlantean sends a SYN to Widgets Unlimited server, who sends a
SYN/ACK back, followed by a GET request from the Atlantean, which
triggers an API call for "geolocation of origin" to IPgeoco, which
returns "El Dorado", and then the LLC sends the Atlantean the manual for
their tractor.

The Utopian government uses its enormous, ubiquitous surveillance
mechanisms (every Utopian government has one) to discover the
transaction and is FURIOUS.  They slap Widgets Unlimited with a huge
fine (also a feature of Utopian governments) and threaten to schedule
them for a holiday at the local re-education camp (Utopian service at
its finest.)  The remaining executives at Widgets Unlimited start to
look into "how this could have happened!"

They discover that no one did any due diligence to qualify these
transactions.  They just asked a third party what their opinion of the
source of the connection might be.  Widgets Unlimited didn't inquire
from the requester if they were a customer, where they might be located,
or anything else.  They based their entire determination on a JSON
field.

One of the younger lawyers decides to seek damages from IPgeoco for
misrepresenting the information in their database.  IPgeoco shrugs and
points at their terms of service.  And they're located in the
Switzerhamas anyway.  "We don't do due diligence on our database.  We
just format and republish information provided to us."

So, the young Widgets Unlimited lawyer, high on ...fees, decides to
bully an ISP in El Dorado who runs a microwave relay across the strait
for some Atlantean customers.  "You misrepresented the geographic
location of those IP addresses!"

"We've never spoken to you and don't know who you are," replies Phantom
Gold ISP's legal team.  "But you provided this information to IPgeoco!"
"And?"  "And you materially misrepresented that information!"  "We did
not.  We're located in El Dorado, we told IPgeoco that the addresses are
assigned to us in El Dorado, and they were issued by FARIN, the RIR for
the Fantastic realms which lists us in El Dorado."

"But it's inaccurate!" "Accurate to what standard?"  "International
borders!"  "Of whom?"  "The actual host sending the packets."  "Why?"
"Because we use this as the basis of our compliance with Utopian
sanctions regulations!"

"So let me get this straight: you blindly trusted a database operated by
a disinterested party ... who collects data from a wide variety of other
disinterested third parties ... who follow widely variant policies for
the meaning of, let alone "accuracy" (to what standard?) of, that data
... and find this to be a sufficiently stable basis for bypassing your
seeking redress from your GeoIP provider and harassing me as a common
carrier in third party nation for some kind of nebulous damages?"

-- 
. ___ ___  .   .  ___
.  \    /  |\  |\ \
.  _\_ /__ |-\ |-\ \__


More information about the NANOG mailing list