Blog

Geo-blocking at the BGP Level

Geo-blocking at the BGP level is an approach that allows network operators to restrict or control internet traffic by manipulating routing decisions based on geographic regions, particularly countries. By selectively dropping specific prefixes or Autonomous System Numbers (ASNs), network operators can avoid routes that pass through certain countries. Additionally, this feature allows users to view lists of prefixes associated with a specific country, facilitating more informed routing decisions.

Geo-blocking at the BGP level is an approach that allows network operators to restrict or control internet traffic by manipulating routing decisions based on geographic regions, particularly countries. By selectively dropping specific prefixes or Autonomous System Numbers (ASNs), network operators can avoid routes that pass through certain countries. Additionally, this feature allows users to view lists of prefixes associated with a specific country, facilitating more informed routing decisions.

Motivations Behind BGP Geo-blocking

Specific motivations for implementing geo-blocking at the BGP level can vary depending on the industry, the company, and the particular circumstances.

Some reasons for implementing geo-blocking at the BGP level include:

  • Compliance with local laws and regulations: BGP-based geo-blocking can be used to restrict traffic from certain countries or regions to comply with local laws and regulations. For example, a company may need to block traffic from countries subject to trade sanctions or embargoes.
  • Protecting network resources: Geo-blocking at the BGP level can protect network resources from security threats or excessive traffic. By blocking traffic from certain countries or regions, companies can reduce the risk of cyberattacks or DDoS attacks originating from those regions.
  • Improving network performance: BGP-based geo-blocking can improve network performance by redirecting traffic to closer or more efficient network paths. By blocking traffic from certain countries or regions, companies can reduce network congestion and improve latency for users in other regions.

Implementation

Geo-blocking using BGP Communities

There are several ways to implement BGP-based geo-blocking. One approach to implementing geo-blocking is using BGP communities. They tag specific routes based on the geographic location of their destination IP addresses. This can be done by creating a list of IP address ranges associated with each country or region and using BGP communities to tag routes that match those IP address ranges with the corresponding country code.

For example, suppose a company wants to block traffic from China to its network. The company can obtain a list of IP address ranges associated with China and use BGP communities to tag routes that match those IP address ranges with the particular community number. The company can then apply a routing policy that drops any traffic with that community from entering its network.

Alternatively, the company can use BGP communities to redirect traffic to a different network path based on the country of origin or destination. For example, the company can tag routes with the “US” community to redirect traffic from the US to a different network path with better performance or lower latency.

Geo-blocking using BGP FlowSpec

BGP FlowSpec is another option for implementing geo-blocking at the BGP level. It is a BGP extension that allows network administrators to define rules for packet filtering based on various criteria. With BGP FlowSpec, network administrators can specify filtering rules based on parameters such as IP addresses, protocols, and port numbers. This allows for a more granular approach to traffic filtering compared to BGP communities, which only tag routes based on the geographic location of the destination IP address.

Suppose a company wants to block traffic from a specific country, such as Senegal, to its network. The company can use BGP FlowSpec to create a filtering rule that drops any traffic from Senegal based on the country’s IP address ranges.

The first step is to obtain a list of IP address ranges associated with Senegal. This can be done using various online resources that provide IP geolocation information, such as the MaxMind GeoIP or IP2Location databases.

Once the IP address ranges for Senegal have been obtained, the company can create a BGP FlowSpec rule on the FlowSpec controller that matches traffic from those ranges and drops it. Additional traffic parameters, such as TCP/UDP ports, can be specified to match traffic more precisely.

Once the FlowSpec rule is created, it can be distributed to the FlowSpec clients using BGP. The FlowSpec clients then apply the rule to incoming traffic based on the specified criteria and drop any traffic that matches the rule.

Geo-location Databases

To implement BGP GeoBlocking, accurate geolocation data is required to determine the country or region associated with IP addresses. Commercial geolocation databases like MaxMindDB or ip2location, as well as open-source alternatives and public IP geolocation APIs, can provide the necessary geolocation data.

MaxMind’s Geolocation Databases

MaxMind offers a variety of GeoIP databases, including the GeoIP2 database and its free version GeoLite2. The GeoIP2 database is the paid version and provides more accurate information than the GeoLite2.

The choice between the GeoIP2 Lite and GeoIP2 databases, therefore, depends on the specific needs of the application and the level of detail and accuracy required. For applications that only require basic geolocation information, the free GeoIP2 Lite database may be sufficient. However, the paid GeoIP2 database may be necessary for more advanced applications requiring more detailed and accurate information.

The tool on this page enables you to compare the accuracy of the following MaxMind database offerings by country:

GeoIP2 City Plus web service
GeoIP2 City
GeoLite2 City

Accuracy is calculated by checking known web user IP address and location pairs against the data within MaxMind’s database offerings. For example, for Georgia’s country and Broadband IPs, if the databases have a resolution of 250 km, the GeoLite2 City database offers an accuracy of 91%, while the GeoIP2 City database provides 96% accuracy.

It’s worth noting that the accuracy of IP geolocation is generally higher for broadband IP addresses and lower for cellular networks. For the databases mentioned, the accuracy for cellular networks is within the 88%-89% range.

Both GeoIP2 and GeoLite2 Country, City, and ASN databases are updated twice weekly, every Tuesday and Friday.

Ip2location Geolocation Databases

IP2Location is a provider of IP geolocation databases that offer both commercial and free versions (IP2Location™ LITE). The commercial IP2Location databases provide more accurate data compared to the free version. They have over 99.5% accuracy in country-level detection and are updated on the first day of the calendar month.

The IP2Location LITE version is free for non-commercial use. It offers a limited set of data fields compared to the commercial version. In terms of accuracy, the IP2Location LITE version provides a 98% accuracy rate for country-level detection, which means it can accurately identify the country where an IP address is located. [1]

Policies by Country within Noction Intelligent Routing Platform v.4.2

Policies by Country, as part of the Flowspec Policies functionality, provide IRP users with the straightforward automated geo-blocking capability at the BGP level. Such policies allow network operators to restrict internet traffic by manipulating routing decisions based on geographic regions, particularly countries (Fig 1). Network administrators can define packet filtering rules based on additional parameters, such as protocols, port numbers, and destination prefixes, enabling a more granular approach. Specific prefixes or ASNs can be added to exemption lists so that the traffic associated with such entries would not get affected by the configured rules. Moreover, users can access lists of prefixes and ASNs related to each specific country for every policy, facilitating more informed routing decisions.

Figure 1 – Policies by Country

Once enabled, each policy contains statistics on the number of affected prefixes that can be viewed for specific details on the actual list of prefixes as well as ASNs that the prefixes belong to. The history of changes is maintained for each policy.

Figure 2 – Policy by Country | Affected Prefixes view

The implementation of geo-blocking at the BGP level offers network operators a powerful tool to exert control over the internet traffic. By utilizing BGP communities and BGP FlowSpec, operators can efficiently tag and filter routes based on IP address ranges, effectively restricting access based on geographic regions.

With the recent addition of the Policies by Country functionality in the Noction Intelligent Routing Platform, network operators can easily apply country-based policies to their routing decisions, resulting in a more secure and stable network environment. This added functionality not only facilitates compliance with various regulations but also protects network resources and improves overall network performance.