Hi Serhii, Thank you for the question. I'll share our approach, but since you've raised an important design question, I'd genuinely welcome your thoughts on how we could improve this - perhaps a portal for ASN operators or geofeed providers to flag issues directly.
We use a scoring model that weighs multiple data sources: active measurements, geofeeds, WHOIS data, and others. When they conflict, we make decisions based on what we can verify. In our NANOG 96 talk, my colleague described this more precisely as a "decision tree" where multiple data points are aggregated and scored. Legitimate networks can have inaccurate geofeeds for non-malicious reasons - stale data, network architecture changes, anycast configurations. Meanwhile, adversarial actors can forge geofeed data that appears legitimate. We do score geofeed sources based on factors like ASN verification, history, last update time etc. When an ISP contacts us saying "your data conflicts with our geofeed and here's why we're correct," we investigate and adjust the scoring for that prefix. I've done this several times during this thread - reviewing evidence with ISPs, presenting it to our data team, and updating the geofeed priority scoring. Should active measurement or self-reported data be the default? We chose measurement because it scales globally and provides verifiable evidence. Geofeeds remain part of the scoring model, but not the only factor. I understand this may not be the answer you were hoping for. If you have specific prefixes where you think we're making the wrong choice, please reach out: [email protected] — Abdullah | DevRel, IPinfo _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/NJSJG3SW55HZXYBVSOBAWC27A5AQPADK/
