Hi All,

I just wanted to throw a question out to the list...

In our data center we feed Internet to some of our US based offices and every now and again we receive complaints that they can't access some US based Internet content because they are coming from a Canadian based IP.

This has sparked an interesting discussion around a few questions... of which I'd like to hear the list's opinions on.

- How should/can an enterprise deal with accessibility to internet content issues? (i.e. that whole coming from a Canadian IP accessing US content)
  o Side question on that - Could we simply obtain a US based IP address and selectively NAT?
- Does the idea of regional Internet locations make sense? If so, when do they make sense? For instance, having a hub site in South America (i.e. Brazil) and having all offices in Venezuela, Peru and Argentina route through a local Internet feed in Brazil.
- Does the idea of having local Internet at each site make more sense? If so why?

Again, I would appreciate hearing the opinion from SP oriented minds... based on what they've seen from customers... and network administrators running large enterprises in different companies. Off-list replies are also appreciated.

Thanks!!!

...jc

__________________________________________________________________
DISCLAIMER: This e-mail contains proprietary information some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail. If you are not the intended recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail. This message has been scanned for the presence of computer viruses, Spam, and Explicit Content.
Hi Jeff,

You might have some luck following the instructions on http://nanog.cluepon.net/index.php/GeoIP to register one particular /32 within your Canadian-announced netblock as being in the USA, and selectively NATing as you suggest, but I believe some stricter GeoIP databases check next hops and expected latency and might catch you out.

We're lucky enough to have proxies in most geographies where we operate, so if a user has GeoIP issues we talk them through changing their proxy settings (you could also use a personal PAC file).

(My employer's) principles in favour of a local internet breakout:

- Is breaking out to the internet locally significantly cheaper than backhauling over private WAN (some MPLS providers will offer a local internet breakout as a VRF; this avoids the need for two access circuits)?
- Do you need to congest the internet traffic more than/independently to the private WAN traffic?
- Would a tunnel over the internet be a useful backup to private circuits?
- Are there latency-related performance reasons (lots of local content) to break out locally?
- Are there regulatory reasons? (e.g. Middle East / Chinese state-level filtering)

Against local breakout:

- Do you need to limit the number of locations with an internet breakout because you have a heavyweight security stack protecting an internet connection (filtering proxy, IDS/IPS, multi-layer HA firewalls)?
- Is local internet of poor quality?

Regards,
Phil Sykes
Network Architect
$LARGE_OIL_COMPANY

On Thu, Jul 14, 2011 at 8:34 PM, Jeff Cartier <Jeff.Cartier@pernod-ricard.com> wrote:
On Jul 14, 2011, at 12:34 PM, Jeff Cartier wrote:
> Hi All,
> I just wanted to throw a question out to the list...
> In our data center we feed Internet to some of our US based offices and every now and again we receive complaints that they can't access some US based Internet content because they are coming from a Canadian based IP.
> This has sparked an interesting discussion around a few questions... of which I'd like to hear the list's opinions on.
> - How should/can an enterprise deal with accessibility to internet content issues? (i.e. that whole coming from a Canadian IP accessing US content)
This is an example of why content restriction based on IP address geolocation is such a bad idea in general. Frankly, the easiest thing to do (since most Canadian companies aren't as brain-dead) is to update your whois records with the address of the block allocated to your datacenter so that it looks like it's in one of your US offices. I realize this sounds silly for a variety of reasons, but, it solves the problem without expensive or configuration-intensive workarounds such as selective NAT, etc.
> o Side question on that - Could we simply obtain a US based IP address and selectively NAT?
You can, but, you can also hit yourself over the head repeatedly with a hammer. Selective NAT will yield more content, but, the pain levels will probably be similar.
> - Does the idea of regional Internet locations make sense? If so, when do they make sense? For instance, having a hub site in South America (i.e. Brazil) and having all offices in Venezuela, Peru and Argentina route through a local Internet feed in Brazil.
Not really. The whole content-restriction by IP geolocation thing also doesn't make sense. Unfortunately, the fact that something is nonsensical does not prevent someone from doing it or worse, selling it. You should do what makes sense for the economics of the topology you need. The address geolocation issues can usually be best addressed by manipulating whois. If your address block from ARIN is an allocation, you can manipulate sub-block address registration issues through the use of SWIP, for example.
> - Does the idea of having local Internet at each site make more sense? If so why?
That's really more of an economic and policy question within your organization than a technical one.
Owen
Thanks for the comments everyone. They are much appreciated.

In regards to changing the address of our ARIN block to a US office address... are there any trade-offs in doing that? Just curious.

-----Original Message-----
From: Owen DeLong [mailto:owen@delong.com]
Sent: Thursday, July 14, 2011 5:02 PM
To: Jeff Cartier
Cc: nanog@nanog.org
Subject: Re: Enterprise Internet - Question

On Jul 14, 2011, at 12:34 PM, Jeff Cartier wrote:
Perhaps you have Canadian branches feeding off the same connection and they will have the reverse problem with geo-location?

On Fri, Jul 15, 2011 at 6:29 AM, Jeff Cartier <Jeff.Cartier@pernod-ricard.com> wrote:
There are fewer companies in Canada that have brain-dead attitudes about US customers than there are US companies with brain-dead attitudes towards Canadian customers. Probably not so much of an issue.

Owen

On Jul 15, 2011, at 6:51 AM, PC wrote:
> Perhaps you have Canadian branches feeding off the same connection and they will have the reverse problem with geo-location?
On Thu, 14 Jul 2011, Jeff Cartier wrote:
> - Does the idea of having local Internet at each site make more sense? If so why?
IME, costs for private backhaul circuits of any flavor are significantly higher than costs for plain internet access - so backhauling internet access (unless you have extremely restrictive access policies that you can actually enforce) through your WAN would/should cost through the nose. Routing only WAN traffic through the WAN reduces the size/scope/impact on those more expensive circuits. Probably at the expense of additional complexity, of course.

--
david raistrick http://www.netmeister.org/news/learn2quote.html
drais@icantclick.org http://www.expita.com/nomime.html
On Jul 14, 2011, at 2:35 PM, david raistrick wrote:
> On Thu, 14 Jul 2011, Jeff Cartier wrote:
>> - Does the idea of having local Internet at each site make more sense? If so why?
>
> IME, costs for private backhaul circuits of any flavor are significantly higher than costs for plain internet access - so backhauling internet access (unless you have extremely restrictive access policies that you can actually enforce) through your WAN would/should cost through the nose. Routing only WAN traffic through the WAN reduces the size/scope/impact on those more expensive circuits. Probably at the expense of additional complexity, of course.
In fact, it is often more cost effective to multihome each site and use VPNs for your WAN.

Owen
On Thu, Jul 14, 2011 at 2:34 PM, Jeff Cartier <Jeff.Cartier@pernod-ricard.com> wrote:
> - How should/can an enterprise deal with accessibility to internet content issues? (i.e. that whole coming from a Canadian IP accessing US content)

You indeed might feed traffic towards such "IP restricted" sites through a transparent proxy server, or policy NAT based on destination IP, reducing all traffic towards those sites from "canadian" ranges, to a pool of source IP addresses.

Just to take a jab at absurd "content restriction" by IP methods, a reminder... There's no such thing as a "US" IP address. There's no such thing as a Canadian IP address.

There are IPs delegated to network operators who have an AS in certain countries, but that is no proof of country of origin.

What "country" is an IP address located in when it is assigned to a terminal server, VPN server, or proxy server in country $X, and there are authorized users that connect from 16 different countries?

--
-JH
On Jul 14, 2011, at 7:00 PM, Jimmy Hess wrote:
Yep....

And let us also not forget that people travel. Imagine my surprise when I tried to log into Wells Fargo from Kigali and got the message that "You have authenticated successfully, but, we don't trust your current location. Everything will be fine when you log in from home."

Of course, I did the seemingly obvious thing and logged in from home. Yeah, not so much. That got my account completely locked out and took a 2.5 hour phone call (well, series of phone calls, maintaining a VOIP connection from Kigali for that long wasn't happening) where I had to escalate up three levels of support representative before reaching someone who could understand what VNC was and that it was indeed possible for me to control my computer in the US from my laptop in Kigali and that I had indeed legitimately logged in from both locations about 2 minutes apart.

To the best of my knowledge, while this person reset my account so that I could log in (from my house), I don't think Wells Fargo has any intention of rethinking their geo-IP based restrictions on logging in.

So, if you travel, consider carefully whether to try and log into something directly vs. doing so over VNC.

Owen
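Two checks the thread touches on, worked through as an added example that is not from any poster here: the latency plausibility test Phil says stricter GeoIP databases apply to a claimed location, and the impossible-travel rule that produced Owen's Wells Fargo lockout (two legitimate logins, Kigali and a US home via VNC, two minutes apart). The fibre speed, the 1000 km/h threshold, the coordinates and the login times are constructed assumptions for illustration.

```python
"""Added example: geolocation plausibility checks of the kind discussed above."""
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Light in fibre covers roughly 200 km per millisecond (about 2/3 of c); real
# paths are longer than great-circle, so this gives a generous lower bound on RTT.
FIBRE_KM_PER_MS = 200.0  # assumed constant


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def min_rtt_ms(distance_km):
    """Smallest RTT physically possible over fibre for a given distance."""
    return 2 * distance_km / FIBRE_KM_PER_MS


def location_claim_plausible(vantage, claimed, measured_rtt_ms):
    """A whois/GeoIP claim that an address sits at `claimed` is impossible when the
    RTT measured from `vantage` is lower than light needs to cover the distance.
    A higher RTT is consistent: the host may simply be farther away."""
    d = haversine_km(*vantage, *claimed)
    return measured_rtt_ms >= min_rtt_ms(d)


def impossible_travel(events, max_kmh=1000.0):
    """Flag consecutive logins per user whose implied ground speed exceeds max_kmh
    (about airliner speed).  events: (user, utc_datetime, lat, lon, label).
    Caveat: remote-desktop sessions produce exactly this pattern legitimately."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e[1]):
        user, prev = ev[0], last_seen.get(ev[0])
        if prev is not None:
            km = haversine_km(prev[2], prev[3], ev[2], ev[3])
            hours = (ev[1] - prev[1]).total_seconds() / 3600.0
            # Same instant from different places is impossible too (avoid divide-by-zero).
            suspicious = km > 0 if hours == 0 else km / hours > max_kmh
            if suspicious:
                flagged.append((user, prev[4], ev[4], round(km), round(hours, 3)))
        last_seen[user] = ev
    return flagged


# Constructed sample: Owen's case (Kigali, then a US home 2 minutes later over VNC)
# and an unremarkable Toronto -> Detroit pair two hours apart.
SAMPLE_LOGINS = [
    ("owen", datetime(2011, 7, 14, 10, 0, tzinfo=timezone.utc), -1.95, 30.06, "Kigali"),
    ("owen", datetime(2011, 7, 14, 10, 2, tzinfo=timezone.utc), 37.39, -122.08, "Bay Area"),
    ("jeff", datetime(2011, 7, 14, 10, 0, tzinfo=timezone.utc), 43.65, -79.38, "Toronto"),
    ("jeff", datetime(2011, 7, 14, 12, 0, tzinfo=timezone.utc), 42.33, -83.05, "Detroit"),
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE_LOGINS))
    # A host really near New York whose whois says Los Angeles: 12 ms RTT from a
    # New York vantage point is far below the ~39 ms light needs for that distance.
    print(location_claim_plausible((40.71, -74.01), (34.05, -118.24), 12.0))
```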
On 7/14/2011 7:37 PM, Owen DeLong wrote:
> To the best of my knowledge, while this person reset my account so that I could log in (from my house), I don't think Wells Fargo has any intention of rethinking their geo-IP based restrictions on logging in.
>
> So, if you travel, consider carefully whether to try and log into something directly vs. doing so over VNC.
For precisely this reason I always ensure that my banking traffic goes via a VPN through a relatively consistent set of origin IPs to the wider Internet. Solves a lot of headaches, although PayPal were confused that I could be in California and have my traffic come from Chicago (which they thought was New Jersey...).