That's basically all Netscape & Microsoft were doing when they had to restrict 128-bit SSL. They threw in the requirement to enter your address & phone number, but they had no way of telling if you were entering your address, or the one you got from doing a four11.com lookup of John Smith in Plano, Tx.

I block anonymizer & some other proxies, as well as AOL. So I guess you're saying there's not much better than what I'm already doing? The only info I have on the client is what I can get from a TCP connection.

-Ralph

On Wed, 2 Oct 2002, Rick Ernst wrote:
"Good luck"?
Have you thought about folks using tunneling and proxies? IP-based authorization is a very weak and inaccurate/insecure method...
On Wed, 2 Oct 2002, Ralph Doncaster wrote:
:>
:>I would like to restrict access from certain countries to content on my
:>network (for security and legal reasons).
:>
:>So far the best algorithm I've been able to come up with is a combination
:>of reverse DNS and APNIC/ARIN/RIPE whois queries. I've written a perl
:>cgi that checks reverse DNS first, and if there is no gtld country code
:>for the reverse mapping, does a whois query and parses the response for
:>the address.
:>
:>The problem I have is that the country for the company that owns the IP
:>block is sometimes not the country the IP block is used in. For example
:>sungold22.de.ibm.com 194.196.100.86
:>Whois parsing indicates a country of UK, but from the reverse DNS a person
:>can see that it is Germany. I've built the pattern of cc.ibm.com into my
:>cgi, but I'm sure there are other blocks that I'm incorrectly identifying.
:>
:>I've looked at RADB entries, as well as origin AS for various IP blocks,
:>and neither source looks any better than whois.
:>
:>Is there a more accurate method to determine the country of origin for an
:>IP than the methods I've described above?
:>
:>-Ralph
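
The reverse-DNS-first, whois-fallback lookup described in the quoted message, sketched in Python as an added example (it is not the poster's Perl CGI). The country-code subset, the `uk`/`gb` alias, the conflict flag and the sample whois record are assumptions constructed for illustration, and the live DNS and whois queries are left out so it runs offline.

```python
import re

# Subset of ISO 3166 codes for this demo (assumption); load the full list in practice.
CC_CODES = {"de", "gb", "fr", "jp", "ca", "us", "nl"}
ALIASES = {"uk": "gb"}  # .uk hostnames vs. the GB code used in registry records
# Domains that put the country in the label left of the domain (the cc.ibm.com pattern).
CC_PREFIX_DOMAINS = (("ibm", "com"),)

def _norm(label):
    label = ALIASES.get(label, label)
    return label if label in CC_CODES else None

def country_from_rdns(hostname):
    """Country code from a reverse-DNS name, or None if it carries no hint."""
    if not hostname:
        return None
    labels = hostname.lower().rstrip(".").split(".")
    cc = _norm(labels[-1])          # country-code TLD, e.g. host.example.de
    if cc:
        return cc
    for suffix in CC_PREFIX_DOMAINS:
        n = len(suffix)
        if len(labels) > n and tuple(labels[-n:]) == suffix:
            cc = _norm(labels[-n - 1])
            if cc:
                return cc
    return None

def country_from_whois(text):
    """First 'country:' attribute of a whois response, or None."""
    m = re.search(r"^country:[ \t]*([A-Za-z]{2})[ \t]*$", text, re.M | re.I)
    return _norm(m.group(1).lower()) if m else None

def classify(hostname, whois_text):
    """Return (country, deciding source, whether the two sources disagree)."""
    rdns_cc = country_from_rdns(hostname)
    whois_cc = country_from_whois(whois_text or "")
    conflict = bool(rdns_cc and whois_cc and rdns_cc != whois_cc)
    if rdns_cc:
        return rdns_cc, "rdns", conflict
    if whois_cc:
        return whois_cc, "whois", conflict
    return None, "unknown", False

# Constructed whois record (not real registry output) for the post's example address.
SAMPLE_WHOIS = """\
inetnum:        194.196.100.0 - 194.196.100.255
netname:        EXAMPLE-NET
country:        GB
"""
```

Logging the conflict flag gives a list of blocks where the registrant's country and the hostname disagree, which is the misidentification case raised in the message.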