Years ago when meeting with the lawyers to talk about the need to block access to a list of websites I was coming from the technical side and talking about how all of our possible solutions were incomplete and easily circumvented by our users. The lawyers' response was to explain the concept of good faith effort. The main point was that we needed to "do something." We'd be in pretty good shape liability-wise as long as we made an attempt.

Getting back to the point of the question. I'd find the cheapest/easiest way to implement a somewhat effective GeoIP block, and say that you've done something.

On Tue, Jun 9, 2015 at 11:13 AM, Joe Abley <jabley@hopcount.ca> wrote:
On 9 Jun 2015, at 5:11, Martin T wrote:
At a brute force country level it is possible to use the Delegated ranges lists but that runs into the problem where IP ranges are subnetted and allocated to other countries.
Yeah.
I would say that a perfectly accurate mapping of address to anything geographical (with more accuracy than "it's within the observed universe, somewhere") is unlikely ever to exist, except by accident and for short periods of time. Accuracy and lack of authoritative sources of data is one reason, constant uncoordinated reconfiguration is another. You need to decide how accurate your mapping needs to be (and figure out how to measure that, if accuracy is important).
Another part of the problem is framing the question in a useful way: a universal solution seems intractable when the following questions are answered differently (but accurately) by different people who have different needs.
Is a device in Uganda connected via satphone to a router in France in Uganda, or France?
Is a network in Fiji that can't talk to any other networks in Fiji without leaving the island but is one layer-3 hop away from Australia in Fiji, or Australia?
Does the source address of a packet always identify the device that sent the packet?
If I'm in region A and you're in region A, and you route within region to me but my replies leave the region on the way back, are we in the same region from my perspective? How about yours?
Even: if I'm in region A but I'm using a DNS resolver in region B, am I in region A or region B?
Joe
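
The country-level approach discussed in this thread, as an added example that is not part of the original messages: a parser for the RIR "delegated" statistics format with a longest-prefix country lookup. The registry name, ranges, dates and helper names are constructed for illustration; the lookup reports where a range was delegated, which is not necessarily where the device sending the packet is.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics format
# (registry|cc|type|start|value|date|status). All values are made up.
# For ipv4, "value" is an address count; for ipv6 it is a prefix length.
SAMPLE = """\
# constructed example data
2|example|20150609|5|19830101|20150609|+0000
example|*|ipv4|*|3|summary
example|FR|ipv4|192.0.2.0|256|20100101|allocated
example|AU|ipv4|198.51.100.0|128|20110101|assigned
example|FJ|ipv4|198.51.100.128|128|20120101|assigned
example|UG|ipv6|2001:db8::|32|20130101|allocated
example|ZZ|asn|64496|1|20140101|assigned
"""


def parse_delegated(text):
    """Return [(network, country_code)] for every ipv4/ipv6 record."""
    table = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        # Skip comments, the header, summary lines and ASN records.
        if line.startswith("#") or len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        cc, kind, start, value = fields[1], fields[2], fields[3], int(fields[4])
        if kind == "ipv4":
            # Counts need not be a power of two, so expand to CIDR blocks.
            first = ipaddress.IPv4Address(start)
            nets = ipaddress.summarize_address_range(first, first + value - 1)
        else:
            nets = [ipaddress.ip_network(f"{start}/{value}")]
        table.extend((net, cc) for net in nets)
    return table


def country_of(table, addr):
    """Longest-prefix match; None when the data has no record for addr."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, cc) for net, cc in table
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None


def is_blocked(table, addr, blocked_countries):
    # An address with no record is NOT blocked here (fail-open); whether to
    # fail open or closed is a policy decision the operator has to make.
    return country_of(table, addr) in blocked_countries


TABLE = parse_delegated(SAMPLE)
```
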