nanog mailing list archives

Re: most accurate geo-IP source to build country-based access lists


From: John McCormac <jmcc () hackwatch com>
Date: Mon, 08 Jun 2015 15:56:32 +0100

On 08/06/2015 15:11, Martin T wrote:
> Hi,
>
> let's say that I need to build an ACL where I block all the IPv4
> traffic from Sweden. I considered following solutions:
>
> 1) RIR statistics
> files(ftp://ftp.ripe.net/ripe/stats/RIR-Statistics-Exchange-Format.txt)
> accessible for example at ftp://ftp.apnic.net/pub/stats/. However,
> those files contain allocations and assignment made by the registry
> producing the file and not any sub-assignments by other agencies(for
> example NIR, LIR). This means that this information is not very
> accurate. Another problem which I found out is that in case of inetnum
> object has many country fields, the first one is used. In addition,
> even the RIR statistics exchange format document says that:
>

It is a very difficult problem because IP ranges change and are split or redelegated. This means that even a reasonably current database will have data that is either out of date or not current.

I mapped all websites in com/net/org/biz/info/mobi and the new gTLDs last year. While these are simply websites, the rise of VPN services and TOR has made blocking at a country level somewhat problematic. You may get many of the IPs associated with the country but you will not get them all.

At a brute force country level it is possible to use the Delegated ranges lists but that runs into the problem where IP ranges are subnetted and allocated to other countries. This happens more with hosting service providers than ISPs. There is also the Adjacent Markets effect where a provider will be operating in geographically close markets and the provider's largest IP range will encompass all the country level allocations. This problem typically reoccurs every time a large transnational cable TV/ISP acquires a new range of IPs and the online services such as Netflix are waiting for the IP range lists to update. The cable ISP's users generally appear, to the online services, as being in another country.


> 4) In theory geofeeds(http://tools.ietf.org/html/draft-google-self-published-geofeeds-02)
> would be a nice solution, but as I understand the RFC, it would work
> for my example only in case all the IP address users would provide
> their geofeed and there is a centralized database to query.

The idea of all IP address users submitting their data is nice in theory but it runs into much the same problem as submission based web directories. Most users are either unaware of the existence of such projects or have no interest in doing so.

> Are there any other possibilities to geolocate IPv4 addresses with
> higher accuracy?

There is, but it is seriously labour and resource intensive as it would require a working model of a country's network infrastructure. Basically it uses a combination of IP data and IP mapping using route tracing. There were some US patents published on it a few years ago (I think that Google may have been one of the patentees).

Regards...jmcc
--
**********************************************************
John McCormac  *  e-mail: jmcc () hosterstats com
MC2            *  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  And Historical DNS Database.
Ireland        *  Over 396 Million Domains Tracked.
IE             *  web: http://newgtldnews.com
**********************************************************
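
The "brute force" approach discussed in this message, as an added example that is not part of the original post: turning the IPv4 records of an RIR delegated statistics file into CIDR blocks for one country. It assumes the `registry|cc|type|start|value|date|status` record layout of the RIR statistics exchange format; the sample data is constructed, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample in the RIR statistics exchange format (not real registry data).
SAMPLE = """\
2|ripencc|20150608|4|19830705|20150607|+0100
# constructed comment line
ripencc|*|ipv4|*|3|summary
ripencc|SE|ipv4|192.0.2.0|192|20100101|allocated
ripencc|SE|ipv4|198.51.100.0|256|20110101|assigned
ripencc|NO|ipv4|203.0.113.0|256|20120101|allocated
ripencc|SE|ipv6|2001:db8::|32|20130101|allocated
"""

def country_ipv4_networks(lines, country):
    """Return the CIDR blocks delegated to `country` (hypothetical helper)."""
    nets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines
        fields = line.split("|")
        # Skips the version header (third field is a date), summary
        # lines (six fields) and every non-IPv4 record.
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        if fields[1] != country.upper():
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue  # ignore available/reserved space
        # For IPv4 the "value" field is an address count, and it is not
        # always a power of two, so one record can need several CIDR blocks.
        first = ipaddress.IPv4Address(fields[3])
        last = first + int(fields[4]) - 1
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent and overlapping blocks to keep the ACL short.
    return list(ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    for net in country_ipv4_networks(SAMPLE.splitlines(), "SE"):
        print(net)
```

The resulting list carries the limits described in the thread: it reflects only what the registry delegated, not sub-assignments or ranges used in another country.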

