Specific motivations for implementing geo-blocking at the BGP level can vary depending on the industry, the company, and the particular circumstances.
Some reasons for implementing geo-blocking at the BGP level include:
There are several ways to implement BGP-based geo-blocking. One approach is to use BGP communities to tag specific routes based on the geographic location of their destination IP addresses. This can be done by creating a list of IP address ranges associated with each country or region and using BGP communities to tag routes that match those IP address ranges with the corresponding country code.
For example, suppose a company wants to block traffic from China to its network. The company can obtain a list of IP address ranges associated with China and use BGP communities to tag routes that match those IP address ranges with a particular community number. The company can then apply a routing policy that prevents any traffic matching routes tagged with that community from entering its network.
Alternatively, the company can use BGP communities to redirect traffic to a different network path based on the country of origin or destination. For example, the company can tag routes with the “US” community to redirect traffic from the US to a different network path with better performance or lower latency.
BGP FlowSpec is another option for implementing geo-blocking at the BGP level. It is a BGP extension that allows network administrators to define rules for packet filtering based on various criteria. With BGP FlowSpec, network administrators can specify filtering rules based on parameters such as IP addresses, protocols, and port numbers. This allows for a more granular approach to traffic filtering compared to BGP communities, which only tag routes based on the geographic location of the destination IP address.
Suppose a company wants to block traffic from a specific country, such as Senegal, to its network. The company can use BGP FlowSpec to create a filtering rule that drops any traffic from Senegal based on the country’s IP address ranges.
The first step is to obtain a list of IP address ranges associated with Senegal. This can be done using various online resources that provide IP geolocation information, such as the MaxMind GeoIP or IP2Location databases.
Once the IP address ranges for Senegal have been obtained, the company can create a BGP FlowSpec rule on the FlowSpec controller that matches traffic from those ranges and drops it. Additional traffic parameters, such as TCP/UDP ports, can be specified to match traffic more precisely.
Once the FlowSpec rule is created, it can be distributed to the FlowSpec clients using BGP. The FlowSpec clients then apply the rule to incoming traffic based on the specified criteria and drop any traffic that matches the rule.
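The steps above, carried through as an added example (not code from the original article or from any FlowSpec product): it collapses a country's prefix list, carves out an exemption, and encodes each remaining prefix as an IPv4 FlowSpec NLRI with a discard action, following RFC 8955. The prefixes are RFC 5737 documentation ranges constructed for illustration, and the exemption prefix and all function names are hypothetical.

```python
import ipaddress
import struct

# Constructed sample data: RFC 5737 documentation ranges stand in for the
# prefixes a geolocation database would return for the blocked country.
COUNTRY_PREFIXES = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]
EXEMPT_PREFIXES = ["203.0.113.64/26"]  # hypothetical range that must stay reachable

# RFC 8955 traffic-rate-bytes extended community (type 0x80, subtype 0x06)
# carrying a rate of 0.0, which means "discard all matching traffic".
DISCARD = bytes([0x80, 0x06, 0x00, 0x00]) + struct.pack("!f", 0.0)

def block_set(country, exempt):
    """Collapse the country ranges, then carve the exempt prefixes out of them."""
    nets = list(ipaddress.collapse_addresses(map(ipaddress.ip_network, country)))
    for ex in map(ipaddress.ip_network, exempt):
        kept = []
        for net in nets:
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # keep net minus the exemption
            elif not net.subnet_of(ex):
                kept.append(net)  # unrelated prefix; one fully covered by ex is dropped
        nets = kept
    return sorted(nets)

def numeric_op(value):
    """Single 'equals value' operator with the end-of-list bit set."""
    if value < 256:
        return bytes([0x81, value])                 # 1-byte operand
    return bytes([0x91]) + struct.pack("!H", value)  # 2-byte operand

def flowspec_nlri(source, protocol=None, dst_port=None):
    """Encode an IPv4 FlowSpec NLRI; components stay in ascending type order."""
    plen = source.prefixlen
    body = bytes([2, plen]) + source.network_address.packed[:(plen + 7) // 8]
    if protocol is not None:
        body += bytes([3]) + numeric_op(protocol)   # type 3: IP protocol
    if dst_port is not None:
        body += bytes([5]) + numeric_op(dst_port)   # type 5: destination port
    return bytes([len(body)]) + body                # 1-byte length is valid below 240

def build_rules(country, exempt, protocol=None, dst_port=None):
    """Return (prefix, NLRI bytes, action community) for every blocked prefix."""
    return [(str(n), flowspec_nlri(n, protocol, dst_port), DISCARD)
            for n in block_set(country, exempt)]

if __name__ == "__main__":
    for prefix, nlri, action in build_rules(COUNTRY_PREFIXES, EXEMPT_PREFIXES, 6, 443):
        print(prefix, nlri.hex(), action.hex())
```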
To implement BGP geo-blocking, accurate geolocation data is required to determine the country or region associated with IP addresses. Commercial geolocation databases such as those from MaxMind or IP2Location, as well as open-source alternatives and public IP geolocation APIs, can provide the necessary geolocation data.
MaxMind offers a variety of GeoIP databases, including the GeoIP2 database and its free version, GeoLite2. The GeoIP2 database is the paid version and provides more accurate information than GeoLite2.
The choice between the GeoLite2 and GeoIP2 databases, therefore, depends on the specific needs of the application and the level of detail and accuracy required. For applications that only require basic geolocation information, the free GeoLite2 database may be sufficient. However, the paid GeoIP2 database may be necessary for more advanced applications requiring more detailed and accurate information.
The tool on this page enables you to compare the accuracy of the following MaxMind database offerings by country:
Accuracy is calculated by checking known web user IP address and location pairs against the data within MaxMind’s database offerings. For example, for broadband IPs in the country of Georgia, at a resolution of 250 km, the GeoLite2 City database offers an accuracy of 91%, while the GeoIP2 City database provides 96% accuracy.
It’s worth noting that the accuracy of IP geolocation is generally higher for broadband IP addresses and lower for cellular networks. For the databases mentioned, the accuracy for cellular networks is within the 88%-89% range.
Both GeoIP2 and GeoLite2 Country, City, and ASN databases are updated twice weekly, every Tuesday and Friday.
IP2Location is a provider of IP geolocation databases that offers both commercial and free versions (IP2Location™ LITE). The commercial IP2Location databases provide more accurate data compared to the free version. They have over 99.5% accuracy in country-level detection and are updated on the first day of the calendar month.
The IP2Location LITE version is free for non-commercial use. It offers a limited set of data fields compared to the commercial version. In terms of accuracy, the IP2Location LITE version provides a 98% accuracy rate for country-level detection, which means it can accurately identify the country where an IP address is located. [1]
Policies by Country, as part of the Flowspec Policies functionality, provide IRP users with a straightforward, automated geo-blocking capability at the BGP level. Such policies allow network operators to restrict internet traffic by manipulating routing decisions based on geographic regions, particularly countries (Fig 1). Network administrators can define packet filtering rules based on additional parameters, such as protocols, port numbers, and destination prefixes, enabling a more granular approach. Specific prefixes or ASNs can be added to exemption lists so that the traffic associated with such entries is not affected by the configured rules. Moreover, users can access lists of prefixes and ASNs related to each specific country for every policy, facilitating more informed routing decisions.
Figure 1 – Policies by Country
Figure 2 – Policy by Country | Affected Prefixes view
With the recent addition of the Policies by Country functionality in the Noction Intelligent Routing Platform, network operators can easily apply country-based policies to their routing decisions, resulting in a more secure and stable network environment. This added functionality not only facilitates compliance with various regulations but also protects network resources and improves overall network performance.