Submitting Fake Geolocation for blocks to Data Brokers and RIRs

Thu Apr 22 14:47:30 UTC 2021

I sincerely doubt that any actual *law* could be enforced against an ISP
which is a legal entity in one location, yet has multiple discrete /23 or
/24 blocks and without any obfuscation choose to announce them from
multiple different geographic locations. Configurations where an AS has
multiple islands of service which are not linked together by an internal
transport network are not that rare these days (see prior discussion about
merits vs risks of filtering out your own netblock at your BGP edge). If
anyone is aware of any case law precedent for such a prosecution it would
be interesting to see citations.

The only scenario in which I could see a legal penalty being imposed on
some ISP, is if it fails to publish an accurate record of its corporate
name, address and contact info for its ARIN, RIPE, AFRINIC, APNIC, etc
entity listing as a corporation. Obviously you can't and shouldn't attempt
to obfuscate where you're headquartered, and you need to be able to prove
your legal entity bona fides to ARIN or RIPE anyways in order to maintain
registration.

As to whether third party content sources might refuse to serve content to
an ISP announcing blocks in weird places, an ISP tunneling a customer's
traffic from one location to another, or misunderstanding their geolocation
(Hulu in the US is a fine example of this, its regional content is broken
on Starlink right now because of a misunderstanding of how the cgnat
traffic meets the real Internet), that's not a law...

That's an arbitrary private choice of some OTT video content provider or
CDN to serve or not serve certain licenses of copyrighted content based on
what it thinks is geolocation data. Another example would be the content
you see on Canadian domestic netflix vs US domestic netflix.

On Wed, Apr 21, 2021 at 12:22 PM William Herrin <bill at herrin.us> wrote:

> On Wed, Apr 21, 2021 at 11:58 AM nanoguser100 via NANOG <nanog at nanog.org>
> wrote:
> > I wanted to get the communities' opinion on this.
> >
> > Increasingly I have run into 'niche needs' where a client has a few
> users in a country we don't have a POP, say Estonia.  This is 'mainly' for
> localization but also in some cases for compliance (some sites REQUIRE an
> Estonian IP).  With that being said is it common practice to 'fake'
> Geolocations?  In this case the user legitimately lives in Estonia, they
> just happen to be using our cloud service in Germany.
>
> If the endpoint (e.g. web server) is physically located in Germany and
> you're helping a client misrepresent that it's located in Estonia in
> order to evade a legal requirement that it be located in Estonia then
> you've made yourself a party to criminal fraud. Do I really need to
> explain how bad an idea that is?
>
> If the service is a VPN relay for addresses which are actually being
> used in Estonia then what's the problem? You're just a transit for
> those IPs. Report the location where the endpoints are, not the
> transits.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210422/e6356706/attachment.html>