Re: [db-wg] Question regarding delta between "delegated-ripencc-extended-latest" and Whois output

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3549 bytes --]

Hello Nick, hello Leo,

thanks for your fast and informative replies. I take the liberty to reply to
both of you at the same time.

> The RIPE Database, queried by Whois or RDAP, serves a different
> purpose from the stats file. The former enables communication between
> operators and supports the routing registry. The latter is to provide
> high level statistical data to researchers.

I see, it did not became clear to us that those file mainly exists for
statistical purposes - we were glad to find something that has a unique
syntax across all RIRs, instead of reintroducing the wheel for each one.

Oh well... :-)

> Incidentally, IP address allocation queries in the RIPE Database now
> return the country where the holder of the block is legally resident,
> not where the IP address is actually used.

Yes. This seems to be a common source of misunderstandings when trying to
assign a country code to an IP network, as most people/applications/databases
do not specify if they are trying to show the jurisdiction of that IP
network, or the country where its machines are physically located. In
my humble opinion, the latter is hard - if any - to determine.

> The situation with 51.15.0.0/17 and 51.15.0.0/16 is only the tip of a
> gigantic iceberg of quirks and anomalies, not just because you have
> inconsistent statements about the country, but also because this is
> legacy (i.e. pre-RIPE) address space and there can be multiple inetnum
> entries in the ripedb which may be fully inconsistent with each other and
> where all, some or none of the inetnum records may be an accurate reflection
> of reality.

Although we have already sensed something in that direction, it is a
bit frustrating to receive that message from someone in the RIPE DB working
group...

What would you do if you need to build a database to determine the
country assigned to an IP address - let's take the one assigned to it by
it's owner, regardless of jurisdiction or physical location -? Would you
collect the most specific inetnums first, and proceed with the less specific
ones?

(Basically, this is what we trying to do as we need to replace the GeoIP
database provided by MaxMind due to license changes - some other open-source
projects are in need of an alternative as well -, and instead of just using
the next commercial provider, we are trying to build an open-source solution.

In case of further interest, please refer to:
https://blog.ipfire.org/post/on-retiring-the-maxmind-geoip-database)

> I.e. if you're planning to use either the RIPE DB or any other whois db
> for the ipfire geoip blocking mechanism, you may want to consider putting
> up very large and obtrusive warnings about how thoroughly inaccurate
> geoblocking may end up being in practice.

I believe we are more or less aware of that inaccuracies. Personally, I consider
firewall rules based on Autonomous Systems Numbers to be _way_ more precise
and practical - countries like US or NL are hard to block in productive environments.

We are keen to raise awareness of those issues in our user community as
well, but unfortunately are unable to drop the ability of selecting countries
as source or destination of a firewall rule completely. For a quick look, it
also might be interesting to show some geographical information so very
unusual connections are easier to identify.

Anyway: Thanks for your replies so far and thanks in advance for the upcoming ones. :-)

Thanks, and best regards,
Peter Müller