Re: [nanog] BGP routes by country
Peace, On Fri, Sep 27, 2019, 1:07 AM Michel Py wrote: > A while ago, I tried to block China. The attack profile lowered a little > bit, but I did not feel my network was safer. Looks kind of futile to me. > The bots are everywhere, blocking entire countries does not reduce the > risk much. > Just the existence of onion routing makes such protection attempts ridiculous overall. That being said, there are ASes which, as rfg frequently reminds us, not worth handling traffic from. But that's just particular ASes, not countries, and sometimes those ASes belong to generally innocent geographic places. -- Töma >
Re: BGP routes by country
Peace, On Thu, Sep 26, 2019, 7:19 PM Chris Phillips wrote: > Greetings, > > Is anyone offering a service providing BGP routes by country? I'm not > looking to buy transit, but rather build policies based on the routes > received to allow traffic from certain countries, or disallow traffic from > others. > I hope you understand that U.S. citizens, including, but not limited to, your company's employees and executives, are free to travel to any country they please, and they still expect their American Internet services of choice to be available from where they are?.. And some of those countries are blocking VPNs... -- Töma >
RE: [nanog] BGP routes by country
> Christopher Morrow wrote : > Maybe asking from the get-go: "What are you trying to do?" Indeed. > because the question asked is fraught with peril and disaster... Allowing only US and Canada will be be a manual whitelist nightmare and will likely result in some unreachability. A while ago, I tried to block China. The attack profile lowered a little bit, but I did not feel my network was safer. Looks kind of futile to me. The bots are everywhere, blocking entire countries does not reduce the risk much. I totally believe in the "my network, my rules" thing though. I do not provide Internet access to the public so what I deliver is my call. At any given time I blacklist between 30K and 100K prefixes, motsly /32s. http://arneill-py.sacramento.ca.us/cbbc/ Michel. TSI Disclaimer: This message and any files or text attached to it are intended only for the recipients named above and contain information that may be confidential or privileged. If you are not the intended recipient, you must not forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have received this message in error, please notify the sender immediately by replying to this message, and then delete all copies of it from your system. Thank you!...
Re: [nanog] BGP routes by country
On Thu, Sep 26, 2019 at 4:48 PM Chris Knipe wrote: > > On Thu, Sep 26, 2019 at 9:53 PM Christopher Morrow > wrote: >> >> Maybe asking from the get-go: >> "What are you trying to do?" >> >> because the question asked is fraught with peril and disaster... > > > Why? When you have a serious problem with a specific ASN, it's not > unreasonable to drop traffic to that entire ASN. isn't the question though not ASN but 'country' ? > When you have a serious problem predominantly originating from a certain > country, why is it unreasonable to drop traffic to that entire country? Sure, where is 74.125.0.0/24 originated from? There's not really a simple answer in bgp for this ;( > Just because I own an ASN and participate in the world of BGP, doesn't mean I > *must* accept everyone's traffic from all over the world. My network, my > rules(1) > sure, and you can drop whatever you want, my point was that it's not really straight forward which ip is which country over time :( > (1) my as in the ASN whom choose to drop prefixes for an entire ASN and/or > country. > >
Re: [nanog] BGP routes by country
On Thu, Sep 26, 2019 at 9:53 PM Christopher Morrow wrote: > Maybe asking from the get-go: > "What are you trying to do?" > > because the question asked is fraught with peril and disaster... > Why? When you have a serious problem with a specific ASN, it's not unreasonable to drop traffic to that entire ASN. When you have a serious problem predominantly originating from a certain country, why is it unreasonable to drop traffic to that entire country? Just because I own an ASN and participate in the world of BGP, doesn't mean I *must* accept everyone's traffic from all over the world. My network, my rules(1) (1) my as in the ASN whom choose to drop prefixes for an entire ASN and/or country.
Re: [nanog] BGP routes by country
Maybe asking from the get-go: "What are you trying to do?" because the question asked is fraught with peril and disaster... On Thu, Sep 26, 2019 at 3:32 PM Michel Py wrote: > > > Chris Phillips wrote : > > Is anyone offering a service providing BGP routes by country? I'm not > > looking to buy transit, but rather build policies based on the routes > > received to allow traffic from certain countries, or disallow traffic from > > others. Kind of like the the CYMRU bogons list, but, by country. > > It greatly depends if you receive a full-feed or not. If you do receive a > full-feed, chances are that you will get more specific routes than the ones > that come into your blacklist and achieve nothing. > > If you do not have a full-feed, it is relatively straightforward to fetch one > of the lists available on the Internet and inject it in your BGP. > > Michel. > TSI Disclaimer: This message and any files or text attached to it are > intended only for the recipients named above and contain information that may > be confidential or privileged. If you are not the intended recipient, you > must not forward, copy, use or otherwise disclose this communication or the > information contained herein. In the event you have received this message in > error, please notify the sender immediately by replying to this message, and > then delete all copies of it from your system. Thank you!...
RE: [nanog] BGP routes by country
> Chris Phillips wrote : > Is anyone offering a service providing BGP routes by country? I'm not > looking to buy transit, but rather build policies based on the routes > received to allow traffic from certain countries, or disallow traffic from > others. Kind of like the the CYMRU bogons list, but, by country. It greatly depends if you receive a full-feed or not. If you do receive a full-feed, chances are that you will get more specific routes than the ones that come into your blacklist and achieve nothing. If you do not have a full-feed, it is relatively straightforward to fetch one of the lists available on the Internet and inject it in your BGP. Michel. TSI Disclaimer: This message and any files or text attached to it are intended only for the recipients named above and contain information that may be confidential or privileged. If you are not the intended recipient, you must not forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have received this message in error, please notify the sender immediately by replying to this message, and then delete all copies of it from your system. Thank you!...
RE: BGP routes by country
RIR Delegations data is public. https://www.apnic.net/about-apnic/corporate-documents/documents/resource-guidelines/rir-statistics-exchange-format/ The various RIR delegation statistics can be gotten from: https://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest https://ftp.apnic.net/stats/apnic/delegated-apnic-latest https://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest https://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest They do follow the format in the rir-statistics exchange format doc. They are not necessarily located or replicated as described (apparently). Of course, the country code does not necessarily reflect where the resource is used -- I believe it is the CC of the registering org. If it were so simple then all the geolocation companies would be outa business in a flash. >-Original Message- >From: NANOG On Behalf Of Chris Phillips >Sent: Thursday, 26 September, 2019 00:46 >To: nanog@nanog.org >Subject: BGP routes by country > >Greetings, > >Is anyone offering a service providing BGP routes by country? I'm not >looking to buy transit, but rather build policies based on the routes >received to allow traffic from certain countries, or disallow traffic >from others. Kind of like the the CYMRU bogons list, but, by country. > >Thank you in advance.
Re: BGP routes by country
https://www.countryipblocks.net/ this might be useful to you From: NANOG on behalf of Chris Phillips Date: Thursday, 26 September 2019 at 17:19 To: "nanog@nanog.org" Subject: BGP routes by country ** EXTERNAL EMAIL ** Greetings, Is anyone offering a service providing BGP routes by country? I'm not looking to buy transit, but rather build policies based on the routes received to allow traffic from certain countries, or disallow traffic from others. Kind of like the the CYMRU bogons list, but, by country. Thank you in advance.
BGP routes by country
Greetings, Is anyone offering a service providing BGP routes by country? I'm not looking to buy transit, but rather build policies based on the routes received to allow traffic from certain countries, or disallow traffic from others. Kind of like the the CYMRU bogons list, but, by country. Thank you in advance.