Re: [swinog] 'Foreign' IP Addresses assigned to swiss customers?

2012-07-06 Diskussionsfäden Markus Wild
A few thoughts from me...

> Hmm, I wonder.. which ISP do operate IP address ranges in switzerland which 
> are registered at RIPE to some other entity not located in switzerland?
> Which Swiss ISP do offer services outside Switzerland using IP Ranges that 
> are 
> registered @ RIPE with Country: CH?

So as not to blame any currently existing companies, lets use the
example of kpnqwest (rip). We used to be part of a supra national LIR
in Switzerland. This LIR was registered to a "foreign company" (I think
it was registered to the dutch BV). It was entirely company internal
policy not to mix and match IP address assignments (also helped at that
time by the fact that we didn't have merged autonomous systems before
the big blowup). So, we operated just like any other Swiss ISP, but if
you just looked at the RIPE DB you wouldn't get that impression, and
could actually get the impression we would be assigning dutch IP
addresses to Swiss customers (depending on what objects you looked at).

Now, there are a few supra national companies left, perhaps they
operate similarly? And if they do merge AS numbers, it gets even more
difficult from the outside to judge how they're assigning their IP
addresses. Also, I wouldn't be surprised to see such companies actually
purposely blurring country borders when IPv4 addresses run out and they
might start to use "austrian" addresses for their Swiss customers?

The other example: corporate VPNs managed by ISPs, including VPN
dial-in possibilities. I think the ISP would in this case be able to
certify that it assigned the IP addresses to a company operating
in Switzerland. However, it can't make any claims as to how that
company uses those addresses.. But where draw the line? I can have a
Swiss DSL IP at home and setup VPN access for myself, and use that
address from abroad?


swinog mailing list

[swinog] 'Foreign' IP Addresses assigned to swiss customers?

2012-07-06 Diskussionsfäden Benoit Panizzon

Lately we have received a increased numbers of requests from customer employed 
by some banks and working in homeoffice a home office via remote access to 
their bank, asking us to confirm that we only assign 'swiss' IP addresses to 
our customers.

Well I usualy replied to those customers, that they can check the status of 
their IP address at RIPE and check to which country their allocation or 
assignment is registered. Apparently this is not enough. FINMA has made it a 
requirement, that if some bank employee wants to work from home, they need a 
written confirmation from their ISP that this ISP is not assigning IP 
addresses to customers outside switzerland and that the IP address the 
customer is using is operated in switzerland and cannot be used from abroad or 
assigned to customers outside switzerland.

I got in contact with one of those bank's security department to explain to 
them, that of course we correctly register our IP ranges at RIPE and that no, 
we cannot guarantee that our customers do not operate VPN or Proxies etc, 
which would make it possible to use IP addresses from abroad. And of course we 
have business customers with branch offices all over the world which could be 
using their IP Range to route part of it outside switzerland to such an 
I wanted to know why the information about ranges as registered @ RIPE are not 
good enough for the FINMA and how we could positively answer the question that 
we do not assign IP addresses to devices outside switzerland.

I was told, that there apparently are plenty of ISP in Switzerland, which 
assign 'foreign' IP addresses to their customers and that there are also 
switzerland based ISP which use their 'swiss' IP allocations to provide 
internet access to customers located outside switzerland, which causes legal 
problems if such an IP is used to access servers run under FINMA policies.

This is why FINMA requests that an ISP confirms that he uses his IP addresses 
exclusively for CPE located in switzerland. they 

Hmm, I wonder.. which ISP do operate IP address ranges in switzerland which 
are registered at RIPE to some other entity not located in switzerland?
Which Swiss ISP do offer services outside Switzerland using IP Ranges that are 
registered @ RIPE with Country: CH?

Or have I found a 'papiertiger' policy written by someone with no clue how IP 
assignment by RIPE works?

Mit freundlichen GrĂ¼ssen

Benoit Panizzon
I m p r o W a r e   A G-

Zurlindenstrasse 29 Tel  +41 61 826 93 07
CH-4133 PrattelnFax  +41 61 826 93 02
Schweiz Web

swinog mailing list

Re: [swinog] Presentation from last SWNOG meeting

2012-07-06 Diskussionsfäden Roman Hochuli
Hello All

> I am looking for the presentation from last meeting. It seams that they
> are not available at the usual place. Any change here or "work in progress"?

It's the later... Sorry for the delay. Will get back to you when we
sorted it out.


swinog mailing list