Re: IPv4 country of origin
That's basically all Netscape & Microsoft were doing when they had to restrict 128-bit SSL. They threw in the requirement to enter your address & phone number, but they had no way of telling if you were entering your address, or the one you got from doing a four11.com lookup of John Smith in Plano, Tx. I block anonymizer & some other proxies, as well as AOL. So I guess you're saying there's not much better than what I'm already doing? The only info I have on the client is what I can get from a TCP connection.
-Ralph
On Wed, 2 Oct 2002, Rick Ernst wrote:
"Good luck"?
Have you thought about folks using tunneling and proxies? IP-based authorization is a very weak and inaccurate/insecure method...
On Wed, 2 Oct 2002, Ralph Doncaster wrote:
:>
:>I would like to restrict access from certain countries to content on my
:>network (for security and legal reasons).
:>
:>So far the best algorithm I've been able to come up with is a combination
:>of reverse DNS and APNIC/ARIN/RIPE whois queries. I've written a perl
:>cgi that checks reverse DNS first, and if there is no gtld country code
:>for the reverse mapping, does a whois query and parses the response for
:>the address.
:>
:>The problem I have is that the country for the company that owns the IP
:>block is sometimes not the country the IP block is used in. For example
:>sungold22.de.ibm.com 194.196.100.86
:>Whois parsing indicates a country of UK, but from the reverse DNS a person
:>can see that it is Germany. I've built the pattern of cc.ibm.com into my
:>cgi, but I'm sure there are other blocks that I'm incorrectly identifying.
:>
:>I've looked at RADB entries, as well as origin AS for various IP blocks,
:>and neither source looks any better than whois.
:>
:>Is there a more accurate method to determine the country of origin for an
:>IP than the methods I've described above?
:>
:>-Ralph
:>
:>
Thus spake "Ralph Doncaster" <ralph@istop.com>
That's basically all Netscape & Microsoft were doing when they had to restrict 128-bit SSL. They threw in the requirement to enter your address & phone number, but they had no way of telling if you were entering your address, or the one you got from doing a four11.com lookup of John Smith in Plano, Tx.
The new crypto regulations allow shrink-wrapped software to be exported if the receiver claims to be authorized; there is no legal requirement on the exporter to actually verify this status...
I really wonder if there's any point in regulating at all, if they're going to be so blatantly stupid about it.
S
On Thu, 3 Oct 2002, Stephen Sprunk wrote:
Thus spake "Ralph Doncaster" <ralph@istop.com>
That's basically all Netscape & Microsoft were doing when they had to restrict 128-bit SSL. They threw in the requirement to enter your address & phone number, but they had no way of telling if you were entering your address, or the one you got from doing a four11.com lookup of John Smith in Plano, Tx.
The new crypto regulations allow shrink-wrapped software to be exported if the receiver claims to be authorized; there is no legal requirement on the exporter to actually verify this status...
One of my clients is a large computer security software company. According to them, it's not just crypto export rules that are the concern, but also the ITAR countries (N. Korea, Libya, Cuba, ...). As well, they are concerned about liabilities in countries like France where it is illegal to import crypto so they want to restrict people from France too.
-Ralph
participants (2): Ralph Doncaster, Stephen Sprunk
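The lookup order described in the original question (reverse DNS first, whois as fallback, plus the cc.ibm.com pattern), as an added Python example that is not the poster's Perl CGI. The country-code set, the whois text and all function names are constructed for illustration, and no network lookups are performed.

```python
import re

# Constructed subset of country-code TLDs, for illustration only.
CCTLDS = {"de", "uk", "fr", "ca", "jp", "cu", "kp", "ly"}
TLD_TO_ISO = {"uk": "GB"}  # the .uk TLD differs from the ISO 3166 code
# Naming schemes that embed a country label under a generic domain;
# cc.ibm.com is the pattern named in the thread.
EMBEDDED_CC = [re.compile(r"\.([a-z]{2})\.ibm\.com$")]

# Constructed RPSL-style whois reply (not real registry output).
SAMPLE_WHOIS = """\
inetnum:  192.0.2.0 - 192.0.2.255
netname:  EXAMPLE-NET
country:  GB
"""

def _iso(label):
    return TLD_TO_ISO.get(label, label.upper())

def country_from_rdns(hostname):
    """Infer a country from a PTR name; None if it carries no country label."""
    if not hostname:
        return None
    host = hostname.lower().rstrip(".")
    for pattern in EMBEDDED_CC:
        m = pattern.search(host)
        if m and m.group(1) in CCTLDS:
            return _iso(m.group(1))
    tld = host.rsplit(".", 1)[-1]
    return _iso(tld) if tld in CCTLDS else None

def country_from_whois(text):
    """Return the first 'country:' attribute of a whois reply, or None."""
    m = re.search(r"^country:\s*([A-Za-z]{2})\s*$", text or "", re.I | re.M)
    return m.group(1).upper() if m else None

def classify(hostname, whois_text):
    """Reverse DNS first, whois as fallback; flag when the two disagree."""
    rdns = country_from_rdns(hostname)
    whois = country_from_whois(whois_text)
    source = "rdns" if rdns else ("whois" if whois else None)
    return {"country": rdns or whois, "source": source,
            "conflict": bool(rdns and whois and rdns != whois)}

if __name__ == "__main__":
    # PTR says Germany, registration says GB: the mismatch from the thread.
    print(classify("sungold22.de.ibm.com", SAMPLE_WHOIS))
    print(classify("host.example.com", SAMPLE_WHOIS))
```

Both inputs are set by the address holder or registrant, so a `conflict` result is worth logging for review rather than resolving silently.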