Can really spot someone who has never had to deal with OFAC with a comment like this. Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.

Geographic IP information is one of our best tools to defend against those outcomes, and if anything it should be better.

On the other hand, GeoIP is arguably the reason you are in this situation in the first place, i.e., having to use it since it's there and everybody else is doing so as well.

Intentionally ambiguous regulations (in terms of how companies and individuals are expected to comply) backed by the existential threat of huge fines often lead to a race to the bottom in terms of false positives and collateral damage to non-sanctioned users.

If you were serious about limiting who uses your services you'd use an allowlist of ASNs. Even then, what about users using US-based residential proxies?

ASNs can obviously span multiple countries, and aren't a great way to gate this at all. While we block ASNs we KNOW are owned/operated by companies in limited countries, but I couldn't imagine a worse way to approach it at scale. Hate doing it, it's heavy-handed and wrong.

ASNs aren’t going to cut it. Google “residential proxies”

> Even if I don't necessarily agree with the concept, or who is actually being blocked, my business is dead in the water if I'm a) sent to prison or b) fined out of existence.

Is there some specific way we can get the laws like this to be gone? They're obviously useless (witness this very thread of people describing ways for anyone to get around them) and threatening people with destruction for not doing something asinine isn't the sort of thing any decent government should be doing.

We (IPinfo) attended the IETF 3-day workshop on IP geolocation. Our presentation was about geofeed that can be viewed here: https://youtu.be/l8PR7VCmA3Q?si=dG-00UqljTopBquF&t=372.

It was a great session and we received a lot of questions. We attend different NOG conferences regularly. ISPs are incentivized to help us by providing good data. Although we are agnostic about adversarial geofeeds, ISPs themselves need to work with us to ensure good quality of service to their users.

We already do quite a lot of outreach, in fact, most network engineers in the ISP industry across the world are familiar with us. But if any ISP operator has any feedback for us, we are only an email (or even a social media comment) away.

> ISPs are incentivized to help us by providing good data.

That's the entire problem in a nutshell. Good quality of service should not depend on every site I visit knowing my geographic location at the ZIP code or even street level (I've actually seen the latter occasionally).

I can somewhat understand the need for country-wide geoip blocking due to per-country distribution rights for media and whatnot, but when my bank does it, it just screams security theater to me.

That is an excellent point!

That is why we have the IP to country level data available for free. As you have recognized the fact that country level data is good for security, we are willing to take a massive hit on potential revenue to allow everyone to use our country level data for free, even for commercial purposes. We literally built separate dedicated infrastructure that provides unlimited queries for our IP to Country data. We want to ensure that everyone has access to reliable data.

For us, based on active measurements, what we do is distribute IP addresses to more densely populated areas. The issue is that we are good at zip code level accuracy, but it is impossible for us to get street addresses correct for residential internet connections. Even if we get geographic coordinates fairly close to you, it is largely coincidental. Our accuracy radius goes as low as 5 KM.

However, consider hotels, conference centers, airports, train stations, etc., where large numbers of people gather and where there are a few public WiFi hotspots that usually remain in the same location. We can identify the exact building from those WiFi hotspot IP addresses.

We have approximately 1,200 servers in operation. Simply by knowing which data centers house our servers, we can reliably identify neighboring hosting IP addresses to the exact data center.

> As you have recognized the fact that country level data is good for security [...]

That's the opposite of what I said. I think blocking entire countries is largely security theater. Bad actors will just use botnets or other residential proxies wherever needed, while legitimate users traveling abroad get locked out.

I can see it make sense for login-free distribution of media with limited regional rights (e.g., some public broadcasters offer their streams for free but are only allowed to do so domestically), or to provide a best guess for region-specific services (weather forecasts, shipping rate estimates etc.), although I'd also love to see that handled via the user agent instead, e.g. via granting coarse location access, to prevent false positives.

I also wouldn't mind it as much as one of many input signals into some risk calculation, e.g. for throttling password (but not passkey) attempts, to be overridden by login status, but outright bans are incredibly annoying, and unfortunately that's what I see many companies doing with GeoIP data.

Almost as annoying: Companies insisting on serving me a different language just because I traveled abroad, even though my "Accept-Language" header is right there.

With CGNAT becoming more widespread, formats like this might need expansion to include location data for ports. Ie. Port 10,000-20,000 are consumers in New york, port numbers 20000-30000 are in Boston, etc.

Do you have actual evidence of this? What ASN operates this way?

Why would any CG-NAT split their volume that way?

IPv4 addresses are not that scarce yet, and realistically any CG-NAT will have several IPv4 addresses per metro area, if only to allow for reasonable levels of geolocation (e.g. to not break the "pizza near me" search use case).

Sounds awful, though. Maybe we should get more widespread usage for IPv6 instead.

Yes. I’ll never forgive IETF for standardizing CGNAT back in 2013. They should have just said “no, deploy IPv6 with a transition technology”.

If that had happened, IPv4 would likely already could be regarded as a relic of the past.

The ietf standardization was irrelevant so I would give them some slack. ISPs were using CGNAT already in a widespread fashion. The ietf just said, “if we’re gonna do this shit, at least stay out of the blocks used by private networks”.

Surely IPv6 makes location spoofing harder, you're not identified by just location anymore but uniquely identified down to the device?

This was solved in 2007 with Privacy Extensions.

It has been a non-existent problem for roughly 20 years now. Why do people still keep pulling out "uniquely identified down to the device" as an argument?

Windows, macOS and most Linux distros by default rotate SLAAC addresses every 24 hours.

That is really interesting. I wonder if we have any internal data on this. I will check.

We are trying to work with ISPs everywhere, so if port level geolocation of the IP address is common, we surely need to account for that. I will flag this to the data team. To get the ball rolling, I would love to talk to an ISP operator who operates like this. If you know someone please kindly introduce me to them.

I hope they can use DNS for this instead like they do PTR entries