At 03:56 PM 5/15/2006, Alexander Harrowell wrote:
This is a frequent source of silly news stories - viz. the recent one, based on Google Trends, that Birmingham (UK) is the "top city" for porn searches and Brentford (UK) in the top five despite being a small suburb of London. Reason: both are the location of big ISP NOCs.
Since you completely ignored the security aspect, I'll address your reference to Google Trends. This is what you are probably talking about: http://www.google.com/trends?q=porn

If what you are saying is true, that's some pretty bad geo-location and YMMV, but what source are you using to discount Google's numbers? Are you saying that everyone on all 3 shifts in those "two large NOC's" are searching for Porn on Google? Or are you saying that all their netblocks are in whois and have roles that state their blocks are located at those NOC's? If it's the latter, that would support either you being inaccurate in your assumption about the Trend, or Google being wrong.

I'd need more proof that Google is that far off and that it would "appear" as though they are simply using whois registrations for geo locating in their Trends product. I'd tend to doubt it. Anything is possible, I suppose.

-M<
On 5/15/06, Martin Hannigan <hannigan@renesys.com> wrote:
At 01:56 PM 5/15/2006, Valdis.Kletnieks@vt.edu wrote:
On Mon, 15 May 2006 13:14:41 EDT, Bill Nash said:
It works for spammers.
Certainly explains all the Turkish spam I get, what with me being just outside Ankara and all.
That's likely because they are attempting to do some sort of location analysis themselves and have limited data to work with. Spammers are generally not stupid. They are cheap since their ability to generate revenue is randomized based on the exploit of the day, so to speak. Targeting you with Turkish ads is probably a combination of being cheap and someone possibly stupid. Anyhow...before this thread turns into the debacle of incorrect information that the NTP one did --
Typically, an ip address is analyzed by using multiple sources of data. An attempt is made at a "triangulation" of sorts with both good and bad bits compared. As the good bits build the confidence factor in the triangulation rises. So you could have 2 pieces of info that do correlate, bring in the whois record, no correlation with that, and then toss it and bring something else in. Whois accuracy is not a factor here.
Geo location isn't perfect, but it's not "bad". I've heard of accuracy levels as high as 90% and I don't think that's too far fetched. With HostIP reporting 50% on the user survey and them being what I can demonstrate as "bad", 90% isn't a stretch at all.
Look at a geo use case. If there were a cyber threat level, a defcon so to speak, and the highest level is 5 and we reach this level someday, it could be prudent to build filter lists based on geo located routing table data and begin to block and log certain sources based on the threat level alone. Good geo data makes this entirely feasible.
Applying this type of thinking to Internet doomsday scenarios will be key in survivability, IMHO. If you want every solution to be 100%, we're likely to be down for some factor longer than we need to be.
Anyhow, back to your regularly scheduled show. :-)
-M<
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations
hannigan@renesys.com
-- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations hannigan@renesys.com
The NSA was granted a patent for an IP geo-location technology based on triangulation using latency measures. We played around with a similar approach using UDP several years ago and you could triangulate to the zip code level or so. A better way I think than the current approaches being discussed. Not sure if the NSA patent is being commercialized or not though. http://news.com.com/NSA+granted+Net+location-tracking+patent/2100-7348_3-587...
Date: Mon, 15 May 2006 17:24:48 -0400 From: sgorman1@...
The NSA was granted a patent for an IP geo-location technology based on triangulation using latency measures.
It could probably be foiled by this patented technology: http://www.tinyurl.com/ebu6t which is equally reliable and useful. ;-)

ObOp: Latency and jitter cause problems with triangulation. I find zipcode-level accuracy hard to believe for a predictive system.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
I seriously doubt this would work to better than the regional area.

My zip code (20124) region is about 5 km across, which would be 15 microseconds in vacuum, and maybe at most 50 micro seconds in glass. So, you would need accuracies at the 10's of microsecond level to specify zip codes.

I can believe that you can measure transmission times down a fiber and achieve repeatability at the microsecond level - in fact, I remember a Michelson interferometer that they set up at JPL / Goldstone that tested the Sagnac effect in glass, which required substantially better repeatability than that.

But do you really think that you can estimate the router delay on the (for example) 9 hops between here and GMU to better than 1 millisecond each ? (That would imply a 3 millisecond rms error if these errors were random and Gaussian, or about 1000 km in vacuum, and maybe 500 km error in glass.)

So, I think that this would fail by at least 2 orders of magnitude for zip codes in a real operational network. Which coast of the US, sure, but not much better than that.

Regards
Marshall

On May 15, 2006, at 5:24 PM, sgorman1@gmu.edu wrote:
The NSA was granted a patent for an IP geo-location technology based on triangulation using latency measures. We played around with a similar approach using UDP several years ago and you could triangulate to the zip code level or so. A better way I think than the current approaches being discussed. Not sure if the NSA patent is being commercialized or not though.
http://news.com.com/NSA+granted+Net+location-tracking+patent/2100-7348_3-5875953.html
On Mon, 15 May 2006 21:49:31 -0400, Marshall Eubanks <tme@multicasttech.com> wrote:
I seriously doubt this would work to better than the regional area.
My zip code (20124) region is about 5 km across, which would be 15 microseconds in vacuum, and maybe at most 50 micro seconds in glass. So, you would need accuracies at the 10's of microsecond level to specify zip codes.
I can believe that you can measure transmission times down a fiber and achieve repeatability at the microsecond level - in fact, I remember a Michelson interferometer that they set up at JPL / Goldstone that tested the Sagnac effect in glass, which required substantially better repeatability than that.
But do you really think that you can estimate the router delay on the (for example) 9 hops between here and GMU to better than 1 millisecond each ? (That would imply a 3 millisecond rms error if these errors were random and Gaussian, or about 1000 km in vacuum, and maybe 500 km error in glass.)
So, I think that this would fail by at least 2 orders of magnitude for zip codes in a real operational network. Which coast of the US, sure, but not much better than that.
I suspect you can do that; a bigger factor is the link type of the last hop. Cable modems, DSL, 802.11 -- they all have characteristic delays.

The important insight is that you care about *minimum* time. You can have lots of queueing delays and jitter most of the time, as long as you get one packet through unobstructed. Send enough probes and you'll make it.

I did some similar work in 1992; see http://www.cs.columbia.edu/~smb/papers/netmeas.pdf for details. You couldn't repeat, today, exactly what I did then, because of the way pings are handled by modern routers, but I suspect one could find analogous schemes. To give one example of what I could tell -- and I was looking at the per-byte cost -- I was able to determine, from New Jersey, that a router outside Chicago was misconfigured; the site's backbone Ethernet should have been on the same card as the serial line (in the days of T-1 interfaces...), because copying the packet across the backplane introduced a noticeable per-byte delay.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Well I must admit that zip code was best case under ideal conditions ;-) There are always plenty of exceptions that put sand in the gears. Putting on my conservative hat the approach is more granular than guessing the right country as was being discussed before. My intention was only to infer there is more than one way to approach the problem and an approach that can avoid some of the DHCP issues seen in the database approaches. This was work from 6 years ago so a bit fuzzy on the particulars at this point.

best,
sean

----- Original Message -----
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Date: Monday, May 15, 2006 10:25 pm
Subject: Re: Geo location to IP mapping
On Mon, 15 May 2006 21:49:31 -0400, Marshall Eubanks <tme@multicasttech.com> wrote:
I seriously doubt this would work to better than the regional area.
My zip code (20124) region is about 5 km across, which would be 15 microseconds in vacuum, and maybe at most 50 micro seconds in glass. So, you would need accuracies at the 10's of microsecond level to specify zip codes.
I can believe that you can measure transmission times down a fiber and achieve repeatability at the microsecond level - in fact, I remember a Michelson interferometer that they set up at JPL / Goldstone that tested the Sagnac effect in glass, which required substantially better repeatability than that.
But do you really think that you can estimate the router delay on the (for example) 9 hops between here and GMU to better than 1 millisecond each ? (That would imply a 3 millisecond rms error if these errors were random and Gaussian, or about 1000 km in vacuum, and maybe 500 km error in glass.)
So, I think that this would fail by at least 2 orders of magnitude for zip codes in a real operational network. Which coast of the US, sure, but not much better than that.
I suspect you can do that; a bigger factor is the link type of the last hop. Cable modems, DSL, 802.11 -- they all have characteristic delays.
The important insight is that you care about *minimum* time. You can have lots of queueing delays and jitter most of the time, as long as you get one packet through unobstructed. Send enough probes and you'll make it.
I did some similar work in 1992; see http://www.cs.columbia.edu/~smb/papers/netmeas.pdf for details. You couldn't repeat, today, exactly what I did then, because of the way pings are handled by modern routers, but I suspect one could find analogous schemes. To give one example of what I could tell -- and I was looking at the per-byte cost -- I was able to determine, from New Jersey, that a router outside Chicago was misconfigured; the site's backbone Ethernet should have been on the same card as the serial line (in the days of T-1 interfaces...), because copying the packet across the backplane introduced a noticeable per-byte delay.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
--- Marshall Eubanks <tme@multicasttech.com> wrote:
I seriously doubt this would work to better than the regional area.
My zip code (20124) region is about 5 km across, which would be 15 microseconds in vacuum, and maybe at most 50 micro seconds in glass. So, you would need accuracies at the 10's of microsecond level to specify zip codes.
don't forget, cable paths are not direct, and each bend in the cable increases the distance that the light must travel within the fiber. optical repeaters, optical switches and other equipment can add distance, (thus time) to the signal. Please see http://www.fiber-optics.info/fiber-history.htm
On May 16, 2006, at 2:00 PM, Charles Cala wrote:
--- Marshall Eubanks <tme@multicasttech.com> wrote:
I seriously doubt this would work to better than the regional area.
My zip code (20124) region is about 5 km across, which would be 15 microseconds in vacuum, and maybe at most 50 micro seconds in glass. So, you would need accuracies at the 10's of microsecond level to specify zip codes.
don't forget, cable paths are not direct, and each bend in the cable increases the distance that the light must travel within the fiber. optical repeaters, optical switches and other equipment can add distance, (thus time) to the signal.
Oh, I am well aware of that, but you are making my point for me. I have seen nothing to make me change my conclusion - You can't do geolocation using network timing to much better than about 10 milliseconds because you don't control either paths or the routers etc. in those paths. (This requires absolute timing; differential measurements can be better and useful for some things, but they won't give you location.) In glass, at 1/2 c, 10 msec is ~ 1500 km. If you had an unlimited budget, lots and lots of measurement points with known locations, etc., and used other info (such as traceroutes) you might do a little better, but even a factor of ten better means 100 km error. I am not saying you can't do geolocation, at least in some cases, but just that network timing won't get you anything very precise. Regards Marshall
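The two points argued above (the minimum RTT is the usable signal; roughly c/2 in glass converts time to distance) can be combined into a constraint check. This is an added example, not code from any poster in the thread; the landmark positions, RTT samples and candidate cities are constructed, and c/2 is the thread's figure rather than a measured one.

```python
import math
from statistics import mean

KM_PER_MS_GLASS = 150.0  # ~c/2 in fibre, the figure used in the thread (assumption)

# Constructed data: landmark probes with known (lat, lon) positions and the
# round-trip times in ms each one measured to a single target host.
LANDMARKS = {"New York": (40.71, -74.01), "Chicago": (41.88, -87.63),
             "Atlanta": (33.75, -84.39)}
RTT_MS = {"New York": [31.0, 8.0, 12.5, 44.2],
          "Chicago": [16.0, 52.3, 19.1, 70.4],
          "Atlanta": [16.0, 35.0, 18.2, 61.7]}
# Constructed candidate locations for the target.
CANDIDATES = {"Washington DC": (38.90, -77.04), "Philadelphia": (39.95, -75.17),
              "Boston": (42.36, -71.06), "Dallas": (32.78, -96.80),
              "Los Angeles": (34.05, -118.24)}

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def bound_km(rtts_ms, estimator=min):
    """Farthest the target can be: one-way time (RTT / 2) at fibre speed."""
    return estimator(rtts_ms) / 2 * KM_PER_MS_GLASS

def feasible(estimator=min):
    """Candidates that lie inside every landmark's distance bound."""
    return [name for name, pos in CANDIDATES.items()
            if all(great_circle_km(LANDMARKS[lm], pos) <= bound_km(r, estimator)
                   for lm, r in RTT_MS.items())]

def spread_km(names):
    """Largest distance between any two surviving candidates."""
    return max((great_circle_km(CANDIDATES[a], CANDIDATES[b])
                for a in names for b in names), default=0.0)

if __name__ == "__main__":
    for est in (min, mean):  # minimum RTT vs. a jitter-polluted average
        names = feasible(est)
        print(est.__name__, names, round(spread_km(names)), "km apart")
```

With the minimum RTT the bounds exclude Boston, Dallas and Los Angeles but cannot separate two cities about 200 km apart; with the mean, queueing delay loosens every bound and Boston becomes feasible again.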
--- Marshall Eubanks <tme@multicasttech.com> wrote: (snip)
You can't do geolocation using network timing to much better than about 10 milliseconds because you don't control either paths or the routers etc. in those paths. (This requires absolute timing; differential measurements can be better and useful for some things, but they won't give you location.) (snip)
I'm in total agreement with you, (IMHO) it's crap science at best, who the hell cares about where you are on the earth... what matters is where on the network _is your access point_, if you are in small-cuty.kr and your vpn endpoint is in sf.ba.ca.us , the closest "interweb" server (using network topology) is going to probably be in ca.us, not the one in .jp . to try to use geo-ip data in the real world is to add a small tool to your kit. geo-ip is a feather duster, not a leatherman.
participants (6)
- Charles Cala
- Edward B. DREGER
- Marshall Eubanks
- Martin Hannigan
- sgorman1@gmu.edu
- Steven M. Bellovin