Re: Netflix VPN detection - actual engineer needed

[Valdis . Kletnieks]

On Fri, 03 Jun 2016 17:21:16 -0700, Blair Trosper said:
> ...IF (and that's a big IF in the Bay Area at least) you can get the newest
> modems.  Easier said than done.

http://www.amazon.com/ARRIS-SURFboard-SB6141-DOCSIS-Cable/dp/B00AJHDZSI/

$68.75 and Done.  And the damned thing even pays for itself by not paying a 
rental
every month.


pgpWvj2tUgHk1.pgp
Description: PGP signature

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

And yeah, most every US ISP *can* route IPv6, but they just haven't for
absolutely no reason.

On Fri, Jun 3, 2016 at 11:11 PM Cryptographrix 
wrote:

> Surely they could - for some reason they haven't.
>
> It's not better - it's desperate.
>
> But it's more than nothing.
>
> Of course, there's always the possibility that I/we will be left with 300
> septillion IPv6 IPs and nobody to route them.
>
>
> On Fri, Jun 3, 2016 at 10:58 PM Mansoor Nathani 
> wrote:
>
>> How is this better than getting native IPv6 from a provider? If they are
>> willing to run a BGP session with you (that too with a private ASN), surely
>> they can offer native IPv6 as well.
>>
>> On Fri, Jun 3, 2016 at 10:19 PM, Cryptographrix > > wrote:
>>
>>> "A /48 is officially the smallest"...but apparently smaller gets
>>> advertised all over, and I imagine esp for private ASNs...so we buy a
>>> /40 and 256 people here get /48s?
>>>
>>> That would also be hilarious if Netflix blocking HE resulted in 256-some
>>> people each getting a /48.
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix 
>>> wrote:
>>>
 Nope - You'd have the /56 and only people within your /56 (or /64 if
 you sliced it up nicely) would be able to do things with it routed by your
 ISP.

 Of course this means we'll have to get our ISPs to listen for our BGP
 advertisement...


 On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <
 mnathani.li...@gmail.com> wrote:

> Wouldn't the /56 get blocked as soon as Netflix detects multiple
> accounts logging in from the same IPv6 range?
>
> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <
> cryptograph...@gmail.com> wrote:
>
>> This is a good idea. We should do this.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
>> raymond.beaud...@icarustech.com> wrote:
>>
>> > Make it a /56 each and you've got a deal. Hell, I'll throw in a
>> round of
>> > drinks.
>> >
>> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
>> cryptograph...@gmail.com>
>> > wrote:
>> >
>> >> We should crowdsource a /40 and split it up into /64's for each of
>> us.
>> >>
>> >>
>> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman > >
>> >> wrote:
>> >>
>> >> > If early adopter PI IPv6 was the same price as early adopter PI
>> v4
>> >> space,
>> >> > my wife would be totally on board with this solution.
>> >> >
>> >> > Matthew Kaufman
>> >> >
>> >> > (Sent from my iPhone)
>> >> >
>> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan 
>> wrote:
>> >> > >
>> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
>> >> > >
>> >> > >
>> >> > > *Spencer Ryan* | Senior Systems Administrator |
>> sr...@arbor.net
>> >> > > *Arbor Networks*
>> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> >> > > www.arbornetworks.com
>> >> > >
>> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
>> >> > > raymond.beaud...@icarustech.com> wrote:
>> >> > >
>> >> > >> As an alternative, there are multiple cloud service offerings
>> that
>> >> will
>> >> > >> advertise your IPv6 allocations on your behalf direct to a
>> server in
>> >> > their
>> >> > >> data centers. It seems pretty tongue-in-cheek, and
>> satisfying, to
>> >> turn
>> >> > >> up a *> >> > >> favorite virtual router instance> *and then route through it.
>> The
>> >> > Internet
>> >> > >> is such an amazing place.
>> >> > >>
>> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
>> >> > cryptograph...@gmail.com>
>> >> > >> wrote:
>> >> > >>
>> >> > >>> Yeah I RAWRed to them pretty hard whilst being as
>> understanding to
>> >> the
>> >> > CS
>> >> > >>> rep that it wasn't their fault.
>> >> > >>>
>> >> > >>> They thought I was weird as anything.
>> >> > >>>
>> >> > >>> If there are any Verizon FiOS network engineers on the
>> thread, a
>> >> fellow
>> >> > >>> Verizon employee would thank you kindly for an off-thread
>> email
>> >> > regarding
>> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
>> drink-of-choice,
>> >> you
>> >> > >>> configure my account to listen for route advertisement).
>> >> > >>>
>> >> > >>> Strange that it has to come to this to get "legit" IPv6
>> service.
>> >> > >>>
>> >> > >>>
>> >> > >>>
>> >> > >>>
>> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>> >> > >>> raymond.beaud...@icarustech.com> wrote:
>> >> > >>>
>> >> >  I wasn't originally affected on my he.net tunnel, but this
>> >> evening it
>> >> >  started blocking. The 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Surely they could - for some reason they haven't.

It's not better - it's desperate.

But it's more than nothing.

Of course, there's always the possibility that I/we will be left with 300
septillion IPv6 IPs and nobody to route them.


On Fri, Jun 3, 2016 at 10:58 PM Mansoor Nathani 
wrote:

> How is this better than getting native IPv6 from a provider? If they are
> willing to run a BGP session with you (that too with a private ASN), surely
> they can offer native IPv6 as well.
>
> On Fri, Jun 3, 2016 at 10:19 PM, Cryptographrix 
> wrote:
>
>> "A /48 is officially the smallest"...but apparently smaller gets
>> advertised all over, and I imagine esp for private ASNs...so we buy a
>> /40 and 256 people here get /48s?
>>
>> That would also be hilarious if Netflix blocking HE resulted in 256-some
>> people each getting a /48.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix 
>> wrote:
>>
>>> Nope - You'd have the /56 and only people within your /56 (or /64 if you
>>> sliced it up nicely) would be able to do things with it routed by your ISP.
>>>
>>> Of course this means we'll have to get our ISPs to listen for our BGP
>>> advertisement...
>>>
>>>
>>> On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <
>>> mnathani.li...@gmail.com> wrote:
>>>
 Wouldn't the /56 get blocked as soon as Netflix detects multiple
 accounts logging in from the same IPv6 range?

 On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <
 cryptograph...@gmail.com> wrote:

> This is a good idea. We should do this.
>
>
>
> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
> raymond.beaud...@icarustech.com> wrote:
>
> > Make it a /56 each and you've got a deal. Hell, I'll throw in a
> round of
> > drinks.
> >
> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
> cryptograph...@gmail.com>
> > wrote:
> >
> >> We should crowdsource a /40 and split it up into /64's for each of
> us.
> >>
> >>
> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
> >> wrote:
> >>
> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
> >> space,
> >> > my wife would be totally on board with this solution.
> >> >
> >> > Matthew Kaufman
> >> >
> >> > (Sent from my iPhone)
> >> >
> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan 
> wrote:
> >> > >
> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
> >> > >
> >> > >
> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >> > > *Arbor Networks*
> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> > > www.arbornetworks.com
> >> > >
> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> >> > > raymond.beaud...@icarustech.com> wrote:
> >> > >
> >> > >> As an alternative, there are multiple cloud service offerings
> that
> >> will
> >> > >> advertise your IPv6 allocations on your behalf direct to a
> server in
> >> > their
> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying,
> to
> >> turn
> >> > >> up a * >> > >> favorite virtual router instance> *and then route through it.
> The
> >> > Internet
> >> > >> is such an amazing place.
> >> > >>
> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
> >> > cryptograph...@gmail.com>
> >> > >> wrote:
> >> > >>
> >> > >>> Yeah I RAWRed to them pretty hard whilst being as
> understanding to
> >> the
> >> > CS
> >> > >>> rep that it wasn't their fault.
> >> > >>>
> >> > >>> They thought I was weird as anything.
> >> > >>>
> >> > >>> If there are any Verizon FiOS network engineers on the
> thread, a
> >> fellow
> >> > >>> Verizon employee would thank you kindly for an off-thread
> email
> >> > regarding
> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
> drink-of-choice,
> >> you
> >> > >>> configure my account to listen for route advertisement).
> >> > >>>
> >> > >>> Strange that it has to come to this to get "legit" IPv6
> service.
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> >> > >>> raymond.beaud...@icarustech.com> wrote:
> >> > >>>
> >> >  I wasn't originally affected on my he.net tunnel, but this
> >> evening it
> >> >  started blocking. The recommended ACLs are a functional
> temporary
> >> >  workaround, but I've also opened a request with Netflix.
> >> > 
> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
> >> > gan...@spawar.navy.mil>
> >> >  wrote:
> >> > 
> >> > > So far I am not seeing a Netflix block on my he.net tunnel

Re: Netflix VPN detection - actual engineer needed

[Mansoor Nathani]

How is this better than getting native IPv6 from a provider? If they are
willing to run a BGP session with you (that too with a private ASN), surely
they can offer native IPv6 as well.

On Fri, Jun 3, 2016 at 10:19 PM, Cryptographrix 
wrote:

> "A /48 is officially the smallest"...but apparently smaller gets
> advertised all over, and I imagine esp for private ASNs...so we buy a
> /40 and 256 people here get /48s?
>
> That would also be hilarious if Netflix blocking HE resulted in 256-some
> people each getting a /48.
>
>
>
> On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix 
> wrote:
>
>> Nope - You'd have the /56 and only people within your /56 (or /64 if you
>> sliced it up nicely) would be able to do things with it routed by your ISP.
>>
>> Of course this means we'll have to get our ISPs to listen for our BGP
>> advertisement...
>>
>>
>> On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani 
>> wrote:
>>
>>> Wouldn't the /56 get blocked as soon as Netflix detects multiple
>>> accounts logging in from the same IPv6 range?
>>>
>>> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix >> > wrote:
>>>
 This is a good idea. We should do this.



 On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
 raymond.beaud...@icarustech.com> wrote:

 > Make it a /56 each and you've got a deal. Hell, I'll throw in a round
 of
 > drinks.
 >
 > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
 cryptograph...@gmail.com>
 > wrote:
 >
 >> We should crowdsource a /40 and split it up into /64's for each of
 us.
 >>
 >>
 >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
 >> wrote:
 >>
 >> > If early adopter PI IPv6 was the same price as early adopter PI v4
 >> space,
 >> > my wife would be totally on board with this solution.
 >> >
 >> > Matthew Kaufman
 >> >
 >> > (Sent from my iPhone)
 >> >
 >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan 
 wrote:
 >> > >
 >> > > Well if you have PI space just use HE's BGP tunnel offerings.
 >> > >
 >> > >
 >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
 >> > > *Arbor Networks*
 >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
 >> > > www.arbornetworks.com
 >> > >
 >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
 >> > > raymond.beaud...@icarustech.com> wrote:
 >> > >
 >> > >> As an alternative, there are multiple cloud service offerings
 that
 >> will
 >> > >> advertise your IPv6 allocations on your behalf direct to a
 server in
 >> > their
 >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying,
 to
 >> turn
 >> > >> up a *>>> >> > >> favorite virtual router instance> *and then route through it.
 The
 >> > Internet
 >> > >> is such an amazing place.
 >> > >>
 >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
 >> > cryptograph...@gmail.com>
 >> > >> wrote:
 >> > >>
 >> > >>> Yeah I RAWRed to them pretty hard whilst being as
 understanding to
 >> the
 >> > CS
 >> > >>> rep that it wasn't their fault.
 >> > >>>
 >> > >>> They thought I was weird as anything.
 >> > >>>
 >> > >>> If there are any Verizon FiOS network engineers on the thread,
 a
 >> fellow
 >> > >>> Verizon employee would thank you kindly for an off-thread email
 >> > regarding
 >> > >>> BGP advertisement (I'll buy the IPv6 block and the
 drink-of-choice,
 >> you
 >> > >>> configure my account to listen for route advertisement).
 >> > >>>
 >> > >>> Strange that it has to come to this to get "legit" IPv6
 service.
 >> > >>>
 >> > >>>
 >> > >>>
 >> > >>>
 >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
 >> > >>> raymond.beaud...@icarustech.com> wrote:
 >> > >>>
 >> >  I wasn't originally affected on my he.net tunnel, but this
 >> evening it
 >> >  started blocking. The recommended ACLs are a functional
 temporary
 >> >  workaround, but I've also opened a request with Netflix.
 >> > 
 >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
 >> > gan...@spawar.navy.mil>
 >> >  wrote:
 >> > 
 >> > > So far I am not seeing a Netflix block on my he.net tunnel
 yet. I
 >> >  connect
 >> > > to the Los Angeles node, so maybe not all of HE's address
 space is
 >> > >> being
 >> > > blocked.
 >> > >
 >> > > Not going to be disabling IPv6 here either. + HAD native
 IPv6 from
 >> > >> Time
 >> > > Warner, but they decided to in their wisdom to disable IPv6
 >> service
 >> > >> for
 >> > > anyone that has an Arris SB6183 due to an Arris firmware

Re: Netflix VPN detection - actual engineer needed

[Jimmy Hess]

On Fri, Jun 3, 2016 at 3:05 PM, Spencer Ryan  wrote:
> There is no way for Netflix to know the difference between you being in NY
> and using the tunnel, and you living in Hong Kong and using the tunnel.

No way, really?Come now.
The latency difference between New York and Hong Kong are very different.

If your minimum/bottomed-out RTT is less than 100ms away from a
Netflix server,  which can be measured using TCP protocol-based
metrics,  then you are not using a VPN.This could be used as a
filter to reduce false positives.

Also, if you are using a tunnel service, then it is Unlikely your only
connectivity is IPv6,
therefore, when they suspect an IPv6 VPN,   they could  use methods of
figuring out your IPv4 address  it could be an option  simply do
something along the
lines of a background HTTP request

along the lines of
$.ajax({type: "GET",  url:
"http://ipv4onlyhostname.netflix.example.com/x.cgi"}, data: {
timestamp:blah, action: 'get_proof_of_IPv4_address',
blahblah_sessionid:  blah } )

Then analyze the IPv4 connection before returning a proof of IP
address as a signed token.

Within the main page or system, allow the connection.   This method
proves your device is not
merely circumventing region controls through a simple VPN.

You at least have access to a computer in the allowed region a few
seconds before initiating the connection.

Or you know  just redirect the IPV6 tunnel-provider connections at
Netflix' end to an IPv4-only hostname period,  so V6 is not used for
these users.


Furthermore,  they could make a USB dongle with a GPS receiver on it
that will answer a location-based challenge request,  that you're
expected to hook up to your computer feed from an outside antenna.
I don't let them off the hook, too easily.

> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
--
-JH

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

"Yeah, I'm actually only going to use 6 of them, between all of my phones,
my Roku, and my laptop, but I'll advertise for all 1.2Septillion"

On Fri, Jun 3, 2016 at 10:21 PM Cryptographrix 
wrote:

> "Hello Time Warner?I happen to have 1.2Septillion IPv6 IPs I need to
> advertise"
>
>
> On Fri, Jun 3, 2016 at 10:19 PM Cryptographrix 
> wrote:
>
>> "A /48 is officially the smallest"...but apparently smaller gets
>> advertised all over, and I imagine esp for private ASNs...so we buy a
>> /40 and 256 people here get /48s?
>>
>> That would also be hilarious if Netflix blocking HE resulted in 256-some
>> people each getting a /48.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix 
>> wrote:
>>
>>> Nope - You'd have the /56 and only people within your /56 (or /64 if you
>>> sliced it up nicely) would be able to do things with it routed by your ISP.
>>>
>>> Of course this means we'll have to get our ISPs to listen for our BGP
>>> advertisement...
>>>
>>>
>>> On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <
>>> mnathani.li...@gmail.com> wrote:
>>>
 Wouldn't the /56 get blocked as soon as Netflix detects multiple
 accounts logging in from the same IPv6 range?

 On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <
 cryptograph...@gmail.com> wrote:

> This is a good idea. We should do this.
>
>
>
> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
> raymond.beaud...@icarustech.com> wrote:
>
> > Make it a /56 each and you've got a deal. Hell, I'll throw in a
> round of
> > drinks.
> >
> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
> cryptograph...@gmail.com>
> > wrote:
> >
> >> We should crowdsource a /40 and split it up into /64's for each of
> us.
> >>
> >>
> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
> >> wrote:
> >>
> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
> >> space,
> >> > my wife would be totally on board with this solution.
> >> >
> >> > Matthew Kaufman
> >> >
> >> > (Sent from my iPhone)
> >> >
> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan 
> wrote:
> >> > >
> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
> >> > >
> >> > >
> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >> > > *Arbor Networks*
> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> > > www.arbornetworks.com
> >> > >
> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> >> > > raymond.beaud...@icarustech.com> wrote:
> >> > >
> >> > >> As an alternative, there are multiple cloud service offerings
> that
> >> will
> >> > >> advertise your IPv6 allocations on your behalf direct to a
> server in
> >> > their
> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying,
> to
> >> turn
> >> > >> up a * >> > >> favorite virtual router instance> *and then route through it.
> The
> >> > Internet
> >> > >> is such an amazing place.
> >> > >>
> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
> >> > cryptograph...@gmail.com>
> >> > >> wrote:
> >> > >>
> >> > >>> Yeah I RAWRed to them pretty hard whilst being as
> understanding to
> >> the
> >> > CS
> >> > >>> rep that it wasn't their fault.
> >> > >>>
> >> > >>> They thought I was weird as anything.
> >> > >>>
> >> > >>> If there are any Verizon FiOS network engineers on the
> thread, a
> >> fellow
> >> > >>> Verizon employee would thank you kindly for an off-thread
> email
> >> > regarding
> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
> drink-of-choice,
> >> you
> >> > >>> configure my account to listen for route advertisement).
> >> > >>>
> >> > >>> Strange that it has to come to this to get "legit" IPv6
> service.
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> >> > >>> raymond.beaud...@icarustech.com> wrote:
> >> > >>>
> >> >  I wasn't originally affected on my he.net tunnel, but this
> >> evening it
> >> >  started blocking. The recommended ACLs are a functional
> temporary
> >> >  workaround, but I've also opened a request with Netflix.
> >> > 
> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
> >> > gan...@spawar.navy.mil>
> >> >  wrote:
> >> > 
> >> > > So far I am not seeing a Netflix block on my he.net tunnel
> yet. I
> >> >  connect
> >> > > to the Los Angeles node, so maybe not all of HE's address
> space is
> >> > >> being
> >> > > blocked.
> >> > >
> 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

"Hello Time Warner?I happen to have 1.2Septillion IPv6 IPs I need to
advertise"


On Fri, Jun 3, 2016 at 10:19 PM Cryptographrix 
wrote:

> "A /48 is officially the smallest"...but apparently smaller gets
> advertised all over, and I imagine esp for private ASNs...so we buy a
> /40 and 256 people here get /48s?
>
> That would also be hilarious if Netflix blocking HE resulted in 256-some
> people each getting a /48.
>
>
>
> On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix 
> wrote:
>
>> Nope - You'd have the /56 and only people within your /56 (or /64 if you
>> sliced it up nicely) would be able to do things with it routed by your ISP.
>>
>> Of course this means we'll have to get our ISPs to listen for our BGP
>> advertisement...
>>
>>
>> On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani 
>> wrote:
>>
>>> Wouldn't the /56 get blocked as soon as Netflix detects multiple
>>> accounts logging in from the same IPv6 range?
>>>
>>> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix >> > wrote:
>>>
 This is a good idea. We should do this.



 On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
 raymond.beaud...@icarustech.com> wrote:

 > Make it a /56 each and you've got a deal. Hell, I'll throw in a round
 of
 > drinks.
 >
 > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
 cryptograph...@gmail.com>
 > wrote:
 >
 >> We should crowdsource a /40 and split it up into /64's for each of
 us.
 >>
 >>
 >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
 >> wrote:
 >>
 >> > If early adopter PI IPv6 was the same price as early adopter PI v4
 >> space,
 >> > my wife would be totally on board with this solution.
 >> >
 >> > Matthew Kaufman
 >> >
 >> > (Sent from my iPhone)
 >> >
 >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan 
 wrote:
 >> > >
 >> > > Well if you have PI space just use HE's BGP tunnel offerings.
 >> > >
 >> > >
 >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
 >> > > *Arbor Networks*
 >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
 >> > > www.arbornetworks.com
 >> > >
 >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
 >> > > raymond.beaud...@icarustech.com> wrote:
 >> > >
 >> > >> As an alternative, there are multiple cloud service offerings
 that
 >> will
 >> > >> advertise your IPv6 allocations on your behalf direct to a
 server in
 >> > their
 >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying,
 to
 >> turn
 >> > >> up a *>>> >> > >> favorite virtual router instance> *and then route through it.
 The
 >> > Internet
 >> > >> is such an amazing place.
 >> > >>
 >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
 >> > cryptograph...@gmail.com>
 >> > >> wrote:
 >> > >>
 >> > >>> Yeah I RAWRed to them pretty hard whilst being as
 understanding to
 >> the
 >> > CS
 >> > >>> rep that it wasn't their fault.
 >> > >>>
 >> > >>> They thought I was weird as anything.
 >> > >>>
 >> > >>> If there are any Verizon FiOS network engineers on the thread,
 a
 >> fellow
 >> > >>> Verizon employee would thank you kindly for an off-thread email
 >> > regarding
 >> > >>> BGP advertisement (I'll buy the IPv6 block and the
 drink-of-choice,
 >> you
 >> > >>> configure my account to listen for route advertisement).
 >> > >>>
 >> > >>> Strange that it has to come to this to get "legit" IPv6
 service.
 >> > >>>
 >> > >>>
 >> > >>>
 >> > >>>
 >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
 >> > >>> raymond.beaud...@icarustech.com> wrote:
 >> > >>>
 >> >  I wasn't originally affected on my he.net tunnel, but this
 >> evening it
 >> >  started blocking. The recommended ACLs are a functional
 temporary
 >> >  workaround, but I've also opened a request with Netflix.
 >> > 
 >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
 >> > gan...@spawar.navy.mil>
 >> >  wrote:
 >> > 
 >> > > So far I am not seeing a Netflix block on my he.net tunnel
 yet. I
 >> >  connect
 >> > > to the Los Angeles node, so maybe not all of HE's address
 space is
 >> > >> being
 >> > > blocked.
 >> > >
 >> > > Not going to be disabling IPv6 here either. + HAD native
 IPv6 from
 >> > >> Time
 >> > > Warner, but they decided to in their wisdom to disable IPv6
 >> service
 >> > >> for
 >> > > anyone that has an Arris SB6183 due to an Arris firmware
 bug.  And
 >> > >> they
 >> >  are
 >> > > taking their sweet time 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

"A /48 is officially the smallest"...but apparently smaller gets advertised
all over, and I imagine esp for private ASNs...so we buy a /40 and 256
people here get /48s?

That would also be hilarious if Netflix blocking HE resulted in 256-some
people each getting a /48.



On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix 
wrote:

> Nope - You'd have the /56 and only people within your /56 (or /64 if you
> sliced it up nicely) would be able to do things with it routed by your ISP.
>
> Of course this means we'll have to get our ISPs to listen for our BGP
> advertisement...
>
>
> On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani 
> wrote:
>
>> Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts
>> logging in from the same IPv6 range?
>>
>> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix 
>> wrote:
>>
>>> This is a good idea. We should do this.
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
>>> raymond.beaud...@icarustech.com> wrote:
>>>
>>> > Make it a /56 each and you've got a deal. Hell, I'll throw in a round
>>> of
>>> > drinks.
>>> >
>>> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
>>> cryptograph...@gmail.com>
>>> > wrote:
>>> >
>>> >> We should crowdsource a /40 and split it up into /64's for each of us.
>>> >>
>>> >>
>>> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
>>> >> wrote:
>>> >>
>>> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
>>> >> space,
>>> >> > my wife would be totally on board with this solution.
>>> >> >
>>> >> > Matthew Kaufman
>>> >> >
>>> >> > (Sent from my iPhone)
>>> >> >
>>> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
>>> >> > >
>>> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
>>> >> > >
>>> >> > >
>>> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>>> >> > > *Arbor Networks*
>>> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
>>> >> > > www.arbornetworks.com
>>> >> > >
>>> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
>>> >> > > raymond.beaud...@icarustech.com> wrote:
>>> >> > >
>>> >> > >> As an alternative, there are multiple cloud service offerings
>>> that
>>> >> will
>>> >> > >> advertise your IPv6 allocations on your behalf direct to a
>>> server in
>>> >> > their
>>> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to
>>> >> turn
>>> >> > >> up a *>> >> > >> favorite virtual router instance> *and then route through it. The
>>> >> > Internet
>>> >> > >> is such an amazing place.
>>> >> > >>
>>> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
>>> >> > cryptograph...@gmail.com>
>>> >> > >> wrote:
>>> >> > >>
>>> >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding
>>> to
>>> >> the
>>> >> > CS
>>> >> > >>> rep that it wasn't their fault.
>>> >> > >>>
>>> >> > >>> They thought I was weird as anything.
>>> >> > >>>
>>> >> > >>> If there are any Verizon FiOS network engineers on the thread, a
>>> >> fellow
>>> >> > >>> Verizon employee would thank you kindly for an off-thread email
>>> >> > regarding
>>> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
>>> drink-of-choice,
>>> >> you
>>> >> > >>> configure my account to listen for route advertisement).
>>> >> > >>>
>>> >> > >>> Strange that it has to come to this to get "legit" IPv6 service.
>>> >> > >>>
>>> >> > >>>
>>> >> > >>>
>>> >> > >>>
>>> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>>> >> > >>> raymond.beaud...@icarustech.com> wrote:
>>> >> > >>>
>>> >> >  I wasn't originally affected on my he.net tunnel, but this
>>> >> evening it
>>> >> >  started blocking. The recommended ACLs are a functional
>>> temporary
>>> >> >  workaround, but I've also opened a request with Netflix.
>>> >> > 
>>> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
>>> >> > gan...@spawar.navy.mil>
>>> >> >  wrote:
>>> >> > 
>>> >> > > So far I am not seeing a Netflix block on my he.net tunnel
>>> yet. I
>>> >> >  connect
>>> >> > > to the Los Angeles node, so maybe not all of HE's address
>>> space is
>>> >> > >> being
>>> >> > > blocked.
>>> >> > >
>>> >> > > Not going to be disabling IPv6 here either. + HAD native IPv6
>>> from
>>> >> > >> Time
>>> >> > > Warner, but they decided to in their wisdom to disable IPv6
>>> >> service
>>> >> > >> for
>>> >> > > anyone that has an Arris SB6183 due to an Arris firmware
>>> bug.  And
>>> >> > >> they
>>> >> >  are
>>> >> > > taking their sweet time pushing out the fixed firmware update
>>> that
>>> >> >  Comcast
>>> >> > > and Cox seemed to be able to push to their customers last
>>> fall.
>>> >> > >
>>> >> > > -Mark Ganzer
>>> >> > >
>>> >> > >
>>> >> > >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>>> >> > >>
>>> >> > >> Depends - how many US users have native 

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

Typically, yes.
On Jun 3, 2016 10:15 PM, "Mansoor Nathani"  wrote:

> The smallest IPv6 prefix for advertising on the Internet via BGP is a /48,
> isn't it?
>
> On Fri, Jun 3, 2016 at 10:11 PM, Cryptographrix 
> wrote:
>
> > Nope - You'd have the /56 and only people within your /56 (or /64 if you
> > sliced it up nicely) would be able to do things with it routed by your
> ISP.
> >
> > Of course this means we'll have to get our ISPs to listen for our BGP
> > advertisement...
> >
> >
> > On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <
> mnathani.li...@gmail.com>
> > wrote:
> >
> >> Wouldn't the /56 get blocked as soon as Netflix detects multiple
> accounts
> >> logging in from the same IPv6 range?
> >>
> >> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <
> cryptograph...@gmail.com>
> >> wrote:
> >>
> >>> This is a good idea. We should do this.
> >>>
> >>>
> >>>
> >>> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
> >>> raymond.beaud...@icarustech.com> wrote:
> >>>
> >>> > Make it a /56 each and you've got a deal. Hell, I'll throw in a round
> >>> of
> >>> > drinks.
> >>> >
> >>> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
> >>> cryptograph...@gmail.com>
> >>> > wrote:
> >>> >
> >>> >> We should crowdsource a /40 and split it up into /64's for each of
> us.
> >>> >>
> >>> >>
> >>> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
> >>> >> wrote:
> >>> >>
> >>> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
> >>> >> space,
> >>> >> > my wife would be totally on board with this solution.
> >>> >> >
> >>> >> > Matthew Kaufman
> >>> >> >
> >>> >> > (Sent from my iPhone)
> >>> >> >
> >>> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan 
> wrote:
> >>> >> > >
> >>> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
> >>> >> > >
> >>> >> > >
> >>> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >>> >> > > *Arbor Networks*
> >>> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >>> >> > > www.arbornetworks.com
> >>> >> > >
> >>> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> >>> >> > > raymond.beaud...@icarustech.com> wrote:
> >>> >> > >
> >>> >> > >> As an alternative, there are multiple cloud service offerings
> >>> that
> >>> >> will
> >>> >> > >> advertise your IPv6 allocations on your behalf direct to a
> >>> server in
> >>> >> > their
> >>> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying,
> to
> >>> >> turn
> >>> >> > >> up a * >>> >> > >> favorite virtual router instance> *and then route through it.
> The
> >>> >> > Internet
> >>> >> > >> is such an amazing place.
> >>> >> > >>
> >>> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
> >>> >> > cryptograph...@gmail.com>
> >>> >> > >> wrote:
> >>> >> > >>
> >>> >> > >>> Yeah I RAWRed to them pretty hard whilst being as
> understanding
> >>> to
> >>> >> the
> >>> >> > CS
> >>> >> > >>> rep that it wasn't their fault.
> >>> >> > >>>
> >>> >> > >>> They thought I was weird as anything.
> >>> >> > >>>
> >>> >> > >>> If there are any Verizon FiOS network engineers on the
> thread, a
> >>> >> fellow
> >>> >> > >>> Verizon employee would thank you kindly for an off-thread
> email
> >>> >> > regarding
> >>> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
> >>> drink-of-choice,
> >>> >> you
> >>> >> > >>> configure my account to listen for route advertisement).
> >>> >> > >>>
> >>> >> > >>> Strange that it has to come to this to get "legit" IPv6
> service.
> >>> >> > >>>
> >>> >> > >>>
> >>> >> > >>>
> >>> >> > >>>
> >>> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> >>> >> > >>> raymond.beaud...@icarustech.com> wrote:
> >>> >> > >>>
> >>> >> >  I wasn't originally affected on my he.net tunnel, but this
> >>> >> evening it
> >>> >> >  started blocking. The recommended ACLs are a functional
> >>> temporary
> >>> >> >  workaround, but I've also opened a request with Netflix.
> >>> >> > 
> >>> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
> >>> >> > gan...@spawar.navy.mil>
> >>> >> >  wrote:
> >>> >> > 
> >>> >> > > So far I am not seeing a Netflix block on my he.net tunnel
> >>> yet. I
> >>> >> >  connect
> >>> >> > > to the Los Angeles node, so maybe not all of HE's address
> >>> space is
> >>> >> > >> being
> >>> >> > > blocked.
> >>> >> > >
> >>> >> > > Not going to be disabling IPv6 here either. + HAD native
> IPv6
> >>> from
> >>> >> > >> Time
> >>> >> > > Warner, but they decided to in their wisdom to disable IPv6
> >>> >> service
> >>> >> > >> for
> >>> >> > > anyone that has an Arris SB6183 due to an Arris firmware
> >>> bug.  And
> >>> >> > >> they
> >>> >> >  are
> >>> >> > > taking their sweet time pushing out the fixed firmware
> update
> >>> that
> >>> >> >  Comcast
> >>> >> > > and Cox seemed to be able to push to their customers last
> >>> 

Re: Netflix VPN detection - actual engineer needed

[Mansoor Nathani]

The smallest IPv6 prefix for advertising on the Internet via BGP is a /48,
isn't it?

On Fri, Jun 3, 2016 at 10:11 PM, Cryptographrix 
wrote:

> Nope - You'd have the /56 and only people within your /56 (or /64 if you
> sliced it up nicely) would be able to do things with it routed by your ISP.
>
> Of course this means we'll have to get our ISPs to listen for our BGP
> advertisement...
>
>
> On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani 
> wrote:
>
>> Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts
>> logging in from the same IPv6 range?
>>
>> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix 
>> wrote:
>>
>>> This is a good idea. We should do this.
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
>>> raymond.beaud...@icarustech.com> wrote:
>>>
>>> > Make it a /56 each and you've got a deal. Hell, I'll throw in a round
>>> of
>>> > drinks.
>>> >
>>> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
>>> cryptograph...@gmail.com>
>>> > wrote:
>>> >
>>> >> We should crowdsource a /40 and split it up into /64's for each of us.
>>> >>
>>> >>
>>> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
>>> >> wrote:
>>> >>
>>> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
>>> >> space,
>>> >> > my wife would be totally on board with this solution.
>>> >> >
>>> >> > Matthew Kaufman
>>> >> >
>>> >> > (Sent from my iPhone)
>>> >> >
>>> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
>>> >> > >
>>> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
>>> >> > >
>>> >> > >
>>> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>>> >> > > *Arbor Networks*
>>> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
>>> >> > > www.arbornetworks.com
>>> >> > >
>>> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
>>> >> > > raymond.beaud...@icarustech.com> wrote:
>>> >> > >
>>> >> > >> As an alternative, there are multiple cloud service offerings
>>> that
>>> >> will
>>> >> > >> advertise your IPv6 allocations on your behalf direct to a
>>> server in
>>> >> > their
>>> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to
>>> >> turn
>>> >> > >> up a *>> >> > >> favorite virtual router instance> *and then route through it. The
>>> >> > Internet
>>> >> > >> is such an amazing place.
>>> >> > >>
>>> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
>>> >> > cryptograph...@gmail.com>
>>> >> > >> wrote:
>>> >> > >>
>>> >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding
>>> to
>>> >> the
>>> >> > CS
>>> >> > >>> rep that it wasn't their fault.
>>> >> > >>>
>>> >> > >>> They thought I was weird as anything.
>>> >> > >>>
>>> >> > >>> If there are any Verizon FiOS network engineers on the thread, a
>>> >> fellow
>>> >> > >>> Verizon employee would thank you kindly for an off-thread email
>>> >> > regarding
>>> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
>>> drink-of-choice,
>>> >> you
>>> >> > >>> configure my account to listen for route advertisement).
>>> >> > >>>
>>> >> > >>> Strange that it has to come to this to get "legit" IPv6 service.
>>> >> > >>>
>>> >> > >>>
>>> >> > >>>
>>> >> > >>>
>>> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>>> >> > >>> raymond.beaud...@icarustech.com> wrote:
>>> >> > >>>
>>> >> >  I wasn't originally affected on my he.net tunnel, but this
>>> >> evening it
>>> >> >  started blocking. The recommended ACLs are a functional
>>> temporary
>>> >> >  workaround, but I've also opened a request with Netflix.
>>> >> > 
>>> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
>>> >> > gan...@spawar.navy.mil>
>>> >> >  wrote:
>>> >> > 
>>> >> > > So far I am not seeing a Netflix block on my he.net tunnel
>>> yet. I
>>> >> >  connect
>>> >> > > to the Los Angeles node, so maybe not all of HE's address
>>> space is
>>> >> > >> being
>>> >> > > blocked.
>>> >> > >
>>> >> > > Not going to be disabling IPv6 here either. + HAD native IPv6
>>> from
>>> >> > >> Time
>>> >> > > Warner, but they decided to in their wisdom to disable IPv6
>>> >> service
>>> >> > >> for
>>> >> > > anyone that has an Arris SB6183 due to an Arris firmware
>>> bug.  And
>>> >> > >> they
>>> >> >  are
>>> >> > > taking their sweet time pushing out the fixed firmware update
>>> that
>>> >> >  Comcast
>>> >> > > and Cox seemed to be able to push to their customers last
>>> fall.
>>> >> > >
>>> >> > > -Mark Ganzer
>>> >> > >
>>> >> > >
>>> >> > >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>>> >> > >>
>>> >> > >> Depends - how many US users have native IPv6 through their
>>> ISPs?
>>> >> > >>
>>> >> > >> If I remember correctly (I can't find the source at the
>>> moment),
>>> >> > >> HE.net
>>> >> > >> represents something 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Nope - You'd have the /56 and only people within your /56 (or /64 if you
sliced it up nicely) would be able to do things with it routed by your ISP.

Of course this means we'll have to get our ISPs to listen for our BGP
advertisement...


On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani 
wrote:

> Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts
> logging in from the same IPv6 range?
>
> On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix 
> wrote:
>
>> This is a good idea. We should do this.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
>> raymond.beaud...@icarustech.com> wrote:
>>
>> > Make it a /56 each and you've got a deal. Hell, I'll throw in a round of
>> > drinks.
>> >
>> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <
>> cryptograph...@gmail.com>
>> > wrote:
>> >
>> >> We should crowdsource a /40 and split it up into /64's for each of us.
>> >>
>> >>
>> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
>> >> wrote:
>> >>
>> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
>> >> space,
>> >> > my wife would be totally on board with this solution.
>> >> >
>> >> > Matthew Kaufman
>> >> >
>> >> > (Sent from my iPhone)
>> >> >
>> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
>> >> > >
>> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
>> >> > >
>> >> > >
>> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> >> > > *Arbor Networks*
>> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> >> > > www.arbornetworks.com
>> >> > >
>> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
>> >> > > raymond.beaud...@icarustech.com> wrote:
>> >> > >
>> >> > >> As an alternative, there are multiple cloud service offerings that
>> >> will
>> >> > >> advertise your IPv6 allocations on your behalf direct to a server
>> in
>> >> > their
>> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to
>> >> turn
>> >> > >> up a *> >> > >> favorite virtual router instance> *and then route through it. The
>> >> > Internet
>> >> > >> is such an amazing place.
>> >> > >>
>> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
>> >> > cryptograph...@gmail.com>
>> >> > >> wrote:
>> >> > >>
>> >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding
>> to
>> >> the
>> >> > CS
>> >> > >>> rep that it wasn't their fault.
>> >> > >>>
>> >> > >>> They thought I was weird as anything.
>> >> > >>>
>> >> > >>> If there are any Verizon FiOS network engineers on the thread, a
>> >> fellow
>> >> > >>> Verizon employee would thank you kindly for an off-thread email
>> >> > regarding
>> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
>> drink-of-choice,
>> >> you
>> >> > >>> configure my account to listen for route advertisement).
>> >> > >>>
>> >> > >>> Strange that it has to come to this to get "legit" IPv6 service.
>> >> > >>>
>> >> > >>>
>> >> > >>>
>> >> > >>>
>> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>> >> > >>> raymond.beaud...@icarustech.com> wrote:
>> >> > >>>
>> >> >  I wasn't originally affected on my he.net tunnel, but this
>> >> evening it
>> >> >  started blocking. The recommended ACLs are a functional
>> temporary
>> >> >  workaround, but I've also opened a request with Netflix.
>> >> > 
>> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
>> >> > gan...@spawar.navy.mil>
>> >> >  wrote:
>> >> > 
>> >> > > So far I am not seeing a Netflix block on my he.net tunnel
>> yet. I
>> >> >  connect
>> >> > > to the Los Angeles node, so maybe not all of HE's address
>> space is
>> >> > >> being
>> >> > > blocked.
>> >> > >
>> >> > > Not going to be disabling IPv6 here either. + HAD native IPv6
>> from
>> >> > >> Time
>> >> > > Warner, but they decided to in their wisdom to disable IPv6
>> >> service
>> >> > >> for
>> >> > > anyone that has an Arris SB6183 due to an Arris firmware bug.
>> And
>> >> > >> they
>> >> >  are
>> >> > > taking their sweet time pushing out the fixed firmware update
>> that
>> >> >  Comcast
>> >> > > and Cox seemed to be able to push to their customers last fall.
>> >> > >
>> >> > > -Mark Ganzer
>> >> > >
>> >> > >
>> >> > >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>> >> > >>
>> >> > >> Depends - how many US users have native IPv6 through their
>> ISPs?
>> >> > >>
>> >> > >> If I remember correctly (I can't find the source at the
>> moment),
>> >> > >> HE.net
>> >> > >> represents something like 70% of IPv6 traffic in the US.
>> >> > >>
>> >> > >> And yeah, not doing that - actually in the middle of an IPv6
>> >> project
>> >> > >> at
>> >> > >> work at the moment that's a bit important to me.
>> >> > >>
>> >> > >>
>> >> > >>
>> >> > >>
>> >> > >> On Fri, Jun 3, 2016 at 7:45 PM Baldur 

Re: Netflix VPN detection - actual engineer needed

[Mansoor Nathani]

Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts
logging in from the same IPv6 range?

On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix 
wrote:

> This is a good idea. We should do this.
>
>
>
> On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
> raymond.beaud...@icarustech.com> wrote:
>
> > Make it a /56 each and you've got a deal. Hell, I'll throw in a round of
> > drinks.
> >
> > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix  >
> > wrote:
> >
> >> We should crowdsource a /40 and split it up into /64's for each of us.
> >>
> >>
> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
> >> wrote:
> >>
> >> > If early adopter PI IPv6 was the same price as early adopter PI v4
> >> space,
> >> > my wife would be totally on board with this solution.
> >> >
> >> > Matthew Kaufman
> >> >
> >> > (Sent from my iPhone)
> >> >
> >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
> >> > >
> >> > > Well if you have PI space just use HE's BGP tunnel offerings.
> >> > >
> >> > >
> >> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >> > > *Arbor Networks*
> >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> > > www.arbornetworks.com
> >> > >
> >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> >> > > raymond.beaud...@icarustech.com> wrote:
> >> > >
> >> > >> As an alternative, there are multiple cloud service offerings that
> >> will
> >> > >> advertise your IPv6 allocations on your behalf direct to a server
> in
> >> > their
> >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to
> >> turn
> >> > >> up a * >> > >> favorite virtual router instance> *and then route through it. The
> >> > Internet
> >> > >> is such an amazing place.
> >> > >>
> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
> >> > cryptograph...@gmail.com>
> >> > >> wrote:
> >> > >>
> >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to
> >> the
> >> > CS
> >> > >>> rep that it wasn't their fault.
> >> > >>>
> >> > >>> They thought I was weird as anything.
> >> > >>>
> >> > >>> If there are any Verizon FiOS network engineers on the thread, a
> >> fellow
> >> > >>> Verizon employee would thank you kindly for an off-thread email
> >> > regarding
> >> > >>> BGP advertisement (I'll buy the IPv6 block and the
> drink-of-choice,
> >> you
> >> > >>> configure my account to listen for route advertisement).
> >> > >>>
> >> > >>> Strange that it has to come to this to get "legit" IPv6 service.
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>>
> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> >> > >>> raymond.beaud...@icarustech.com> wrote:
> >> > >>>
> >> >  I wasn't originally affected on my he.net tunnel, but this
> >> evening it
> >> >  started blocking. The recommended ACLs are a functional temporary
> >> >  workaround, but I've also opened a request with Netflix.
> >> > 
> >> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
> >> > gan...@spawar.navy.mil>
> >> >  wrote:
> >> > 
> >> > > So far I am not seeing a Netflix block on my he.net tunnel
> yet. I
> >> >  connect
> >> > > to the Los Angeles node, so maybe not all of HE's address space
> is
> >> > >> being
> >> > > blocked.
> >> > >
> >> > > Not going to be disabling IPv6 here either. + HAD native IPv6
> from
> >> > >> Time
> >> > > Warner, but they decided to in their wisdom to disable IPv6
> >> service
> >> > >> for
> >> > > anyone that has an Arris SB6183 due to an Arris firmware bug.
> And
> >> > >> they
> >> >  are
> >> > > taking their sweet time pushing out the fixed firmware update
> that
> >> >  Comcast
> >> > > and Cox seemed to be able to push to their customers last fall.
> >> > >
> >> > > -Mark Ganzer
> >> > >
> >> > >
> >> > >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
> >> > >>
> >> > >> Depends - how many US users have native IPv6 through their
> ISPs?
> >> > >>
> >> > >> If I remember correctly (I can't find the source at the
> moment),
> >> > >> HE.net
> >> > >> represents something like 70% of IPv6 traffic in the US.
> >> > >>
> >> > >> And yeah, not doing that - actually in the middle of an IPv6
> >> project
> >> > >> at
> >> > >> work at the moment that's a bit important to me.
> >> > >>
> >> > >>
> >> > >>
> >> > >>
> >> > >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> >> >  baldur.nordd...@gmail.com
> >> > >> wrote:
> >> > >>
> >> > >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> >> >  cryptograph...@gmail.com>:
> >> > >>>
> >> >  The information I'm getting from Netflix support now is
> >> explicitly
> >> > >>> telling
> >> > >>>
> >> >  me to turn off IPv6 - someone might want to stop them before
> >> they
> >> >  completely kill US IPv6 adoption.
> >> > 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

This is a good idea. We should do this.



On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin <
raymond.beaud...@icarustech.com> wrote:

> Make it a /56 each and you've got a deal. Hell, I'll throw in a round of
> drinks.
>
> On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix 
> wrote:
>
>> We should crowdsource a /40 and split it up into /64's for each of us.
>>
>>
>> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman 
>> wrote:
>>
>> > If early adopter PI IPv6 was the same price as early adopter PI v4
>> space,
>> > my wife would be totally on board with this solution.
>> >
>> > Matthew Kaufman
>> >
>> > (Sent from my iPhone)
>> >
>> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
>> > >
>> > > Well if you have PI space just use HE's BGP tunnel offerings.
>> > >
>> > >
>> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> > > *Arbor Networks*
>> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> > > www.arbornetworks.com
>> > >
>> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
>> > > raymond.beaud...@icarustech.com> wrote:
>> > >
>> > >> As an alternative, there are multiple cloud service offerings that
>> will
>> > >> advertise your IPv6 allocations on your behalf direct to a server in
>> > their
>> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to
>> turn
>> > >> up a *> > >> favorite virtual router instance> *and then route through it. The
>> > Internet
>> > >> is such an amazing place.
>> > >>
>> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
>> > cryptograph...@gmail.com>
>> > >> wrote:
>> > >>
>> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to
>> the
>> > CS
>> > >>> rep that it wasn't their fault.
>> > >>>
>> > >>> They thought I was weird as anything.
>> > >>>
>> > >>> If there are any Verizon FiOS network engineers on the thread, a
>> fellow
>> > >>> Verizon employee would thank you kindly for an off-thread email
>> > regarding
>> > >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice,
>> you
>> > >>> configure my account to listen for route advertisement).
>> > >>>
>> > >>> Strange that it has to come to this to get "legit" IPv6 service.
>> > >>>
>> > >>>
>> > >>>
>> > >>>
>> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>> > >>> raymond.beaud...@icarustech.com> wrote:
>> > >>>
>> >  I wasn't originally affected on my he.net tunnel, but this
>> evening it
>> >  started blocking. The recommended ACLs are a functional temporary
>> >  workaround, but I've also opened a request with Netflix.
>> > 
>> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
>> > gan...@spawar.navy.mil>
>> >  wrote:
>> > 
>> > > So far I am not seeing a Netflix block on my he.net tunnel yet. I
>> >  connect
>> > > to the Los Angeles node, so maybe not all of HE's address space is
>> > >> being
>> > > blocked.
>> > >
>> > > Not going to be disabling IPv6 here either. + HAD native IPv6 from
>> > >> Time
>> > > Warner, but they decided to in their wisdom to disable IPv6
>> service
>> > >> for
>> > > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
>> > >> they
>> >  are
>> > > taking their sweet time pushing out the fixed firmware update that
>> >  Comcast
>> > > and Cox seemed to be able to push to their customers last fall.
>> > >
>> > > -Mark Ganzer
>> > >
>> > >
>> > >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>> > >>
>> > >> Depends - how many US users have native IPv6 through their ISPs?
>> > >>
>> > >> If I remember correctly (I can't find the source at the moment),
>> > >> HE.net
>> > >> represents something like 70% of IPv6 traffic in the US.
>> > >>
>> > >> And yeah, not doing that - actually in the middle of an IPv6
>> project
>> > >> at
>> > >> work at the moment that's a bit important to me.
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>> >  baldur.nordd...@gmail.com
>> > >> wrote:
>> > >>
>> > >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>> >  cryptograph...@gmail.com>:
>> > >>>
>> >  The information I'm getting from Netflix support now is
>> explicitly
>> > >>> telling
>> > >>>
>> >  me to turn off IPv6 - someone might want to stop them before
>> they
>> >  completely kill US IPv6 adoption.
>> > >>> Not allowing he.net tunnels is not killing ipv6. You just need
>> > need
>> > >>> native
>> > >>> ipv6.
>> > >>>
>> > >>> On the other hand it would be nice if Netflix would try the
>> other
>> > >>> protocol
>> > >>> before blocking.
>> > >>
>> >
>> >
>>
>
>

Re: Netflix VPN detection - actual engineer needed

[Raymond Beaudoin]

Make it a /56 each and you've got a deal. Hell, I'll throw in a round of
drinks.

On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix 
wrote:

> We should crowdsource a /40 and split it up into /64's for each of us.
>
>
> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman  wrote:
>
> > If early adopter PI IPv6 was the same price as early adopter PI v4 space,
> > my wife would be totally on board with this solution.
> >
> > Matthew Kaufman
> >
> > (Sent from my iPhone)
> >
> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
> > >
> > > Well if you have PI space just use HE's BGP tunnel offerings.
> > >
> > >
> > > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> > > *Arbor Networks*
> > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > > www.arbornetworks.com
> > >
> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> > > raymond.beaud...@icarustech.com> wrote:
> > >
> > >> As an alternative, there are multiple cloud service offerings that
> will
> > >> advertise your IPv6 allocations on your behalf direct to a server in
> > their
> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
> > >> up a * > >> favorite virtual router instance> *and then route through it. The
> > Internet
> > >> is such an amazing place.
> > >>
> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
> > cryptograph...@gmail.com>
> > >> wrote:
> > >>
> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to
> the
> > CS
> > >>> rep that it wasn't their fault.
> > >>>
> > >>> They thought I was weird as anything.
> > >>>
> > >>> If there are any Verizon FiOS network engineers on the thread, a
> fellow
> > >>> Verizon employee would thank you kindly for an off-thread email
> > regarding
> > >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice,
> you
> > >>> configure my account to listen for route advertisement).
> > >>>
> > >>> Strange that it has to come to this to get "legit" IPv6 service.
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> > >>> raymond.beaud...@icarustech.com> wrote:
> > >>>
> >  I wasn't originally affected on my he.net tunnel, but this evening
> it
> >  started blocking. The recommended ACLs are a functional temporary
> >  workaround, but I've also opened a request with Netflix.
> > 
> >  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
> > gan...@spawar.navy.mil>
> >  wrote:
> > 
> > > So far I am not seeing a Netflix block on my he.net tunnel yet. I
> >  connect
> > > to the Los Angeles node, so maybe not all of HE's address space is
> > >> being
> > > blocked.
> > >
> > > Not going to be disabling IPv6 here either. + HAD native IPv6 from
> > >> Time
> > > Warner, but they decided to in their wisdom to disable IPv6 service
> > >> for
> > > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
> > >> they
> >  are
> > > taking their sweet time pushing out the fixed firmware update that
> >  Comcast
> > > and Cox seemed to be able to push to their customers last fall.
> > >
> > > -Mark Ganzer
> > >
> > >
> > >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
> > >>
> > >> Depends - how many US users have native IPv6 through their ISPs?
> > >>
> > >> If I remember correctly (I can't find the source at the moment),
> > >> HE.net
> > >> represents something like 70% of IPv6 traffic in the US.
> > >>
> > >> And yeah, not doing that - actually in the middle of an IPv6
> project
> > >> at
> > >> work at the moment that's a bit important to me.
> > >>
> > >>
> > >>
> > >>
> > >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> >  baldur.nordd...@gmail.com
> > >> wrote:
> > >>
> > >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> >  cryptograph...@gmail.com>:
> > >>>
> >  The information I'm getting from Netflix support now is
> explicitly
> > >>> telling
> > >>>
> >  me to turn off IPv6 - someone might want to stop them before
> they
> >  completely kill US IPv6 adoption.
> > >>> Not allowing he.net tunnels is not killing ipv6. You just need
> > need
> > >>> native
> > >>> ipv6.
> > >>>
> > >>> On the other hand it would be nice if Netflix would try the other
> > >>> protocol
> > >>> before blocking.
> > >>
> >
> >
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

We should crowdsource a /40 and split it up into /64's for each of us.


On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman  wrote:

> If early adopter PI IPv6 was the same price as early adopter PI v4 space,
> my wife would be totally on board with this solution.
>
> Matthew Kaufman
>
> (Sent from my iPhone)
>
> > On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
> >
> > Well if you have PI space just use HE's BGP tunnel offerings.
> >
> >
> > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> > *Arbor Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> > raymond.beaud...@icarustech.com> wrote:
> >
> >> As an alternative, there are multiple cloud service offerings that will
> >> advertise your IPv6 allocations on your behalf direct to a server in
> their
> >> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
> >> up a * >> favorite virtual router instance> *and then route through it. The
> Internet
> >> is such an amazing place.
> >>
> >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <
> cryptograph...@gmail.com>
> >> wrote:
> >>
> >>> Yeah I RAWRed to them pretty hard whilst being as understanding to the
> CS
> >>> rep that it wasn't their fault.
> >>>
> >>> They thought I was weird as anything.
> >>>
> >>> If there are any Verizon FiOS network engineers on the thread, a fellow
> >>> Verizon employee would thank you kindly for an off-thread email
> regarding
> >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
> >>> configure my account to listen for route advertisement).
> >>>
> >>> Strange that it has to come to this to get "legit" IPv6 service.
> >>>
> >>>
> >>>
> >>>
> >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> >>> raymond.beaud...@icarustech.com> wrote:
> >>>
>  I wasn't originally affected on my he.net tunnel, but this evening it
>  started blocking. The recommended ACLs are a functional temporary
>  workaround, but I've also opened a request with Netflix.
> 
>  On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <
> gan...@spawar.navy.mil>
>  wrote:
> 
> > So far I am not seeing a Netflix block on my he.net tunnel yet. I
>  connect
> > to the Los Angeles node, so maybe not all of HE's address space is
> >> being
> > blocked.
> >
> > Not going to be disabling IPv6 here either. + HAD native IPv6 from
> >> Time
> > Warner, but they decided to in their wisdom to disable IPv6 service
> >> for
> > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
> >> they
>  are
> > taking their sweet time pushing out the fixed firmware update that
>  Comcast
> > and Cox seemed to be able to push to their customers last fall.
> >
> > -Mark Ganzer
> >
> >
> >> On 6/3/2016 4:49 PM, Cryptographrix wrote:
> >>
> >> Depends - how many US users have native IPv6 through their ISPs?
> >>
> >> If I remember correctly (I can't find the source at the moment),
> >> HE.net
> >> represents something like 70% of IPv6 traffic in the US.
> >>
> >> And yeah, not doing that - actually in the middle of an IPv6 project
> >> at
> >> work at the moment that's a bit important to me.
> >>
> >>
> >>
> >>
> >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>  baldur.nordd...@gmail.com
> >> wrote:
> >>
> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>  cryptograph...@gmail.com>:
> >>>
>  The information I'm getting from Netflix support now is explicitly
> >>> telling
> >>>
>  me to turn off IPv6 - someone might want to stop them before they
>  completely kill US IPv6 adoption.
> >>> Not allowing he.net tunnels is not killing ipv6. You just need
> need
> >>> native
> >>> ipv6.
> >>>
> >>> On the other hand it would be nice if Netflix would try the other
> >>> protocol
> >>> before blocking.
> >>
>
>

Re: Netflix VPN detection - actual engineer needed

[Matthew Kaufman]

If early adopter PI IPv6 was the same price as early adopter PI v4 space, my 
wife would be totally on board with this solution.

Matthew Kaufman

(Sent from my iPhone)

> On Jun 3, 2016, at 6:27 PM, Spencer Ryan  wrote:
> 
> Well if you have PI space just use HE's BGP tunnel offerings.
> 
> 
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
> 
> On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> raymond.beaud...@icarustech.com> wrote:
> 
>> As an alternative, there are multiple cloud service offerings that will
>> advertise your IPv6 allocations on your behalf direct to a server in their
>> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
>> up a *> favorite virtual router instance> *and then route through it. The Internet
>> is such an amazing place.
>> 
>> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix 
>> wrote:
>> 
>>> Yeah I RAWRed to them pretty hard whilst being as understanding to the CS
>>> rep that it wasn't their fault.
>>> 
>>> They thought I was weird as anything.
>>> 
>>> If there are any Verizon FiOS network engineers on the thread, a fellow
>>> Verizon employee would thank you kindly for an off-thread email regarding
>>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
>>> configure my account to listen for route advertisement).
>>> 
>>> Strange that it has to come to this to get "legit" IPv6 service.
>>> 
>>> 
>>> 
>>> 
>>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>>> raymond.beaud...@icarustech.com> wrote:
>>> 
 I wasn't originally affected on my he.net tunnel, but this evening it
 started blocking. The recommended ACLs are a functional temporary
 workaround, but I've also opened a request with Netflix.
 
 On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer 
 wrote:
 
> So far I am not seeing a Netflix block on my he.net tunnel yet. I
 connect
> to the Los Angeles node, so maybe not all of HE's address space is
>> being
> blocked.
> 
> Not going to be disabling IPv6 here either. + HAD native IPv6 from
>> Time
> Warner, but they decided to in their wisdom to disable IPv6 service
>> for
> anyone that has an Arris SB6183 due to an Arris firmware bug.  And
>> they
 are
> taking their sweet time pushing out the fixed firmware update that
 Comcast
> and Cox seemed to be able to push to their customers last fall.
> 
> -Mark Ganzer
> 
> 
>> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>> 
>> Depends - how many US users have native IPv6 through their ISPs?
>> 
>> If I remember correctly (I can't find the source at the moment),
>> HE.net
>> represents something like 70% of IPv6 traffic in the US.
>> 
>> And yeah, not doing that - actually in the middle of an IPv6 project
>> at
>> work at the moment that's a bit important to me.
>> 
>> 
>> 
>> 
>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
 baldur.nordd...@gmail.com
>> wrote:
>> 
>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
 cryptograph...@gmail.com>:
>>> 
 The information I'm getting from Netflix support now is explicitly
>>> telling
>>> 
 me to turn off IPv6 - someone might want to stop them before they
 completely kill US IPv6 adoption.
>>> Not allowing he.net tunnels is not killing ipv6. You just need need
>>> native
>>> ipv6.
>>> 
>>> On the other hand it would be nice if Netflix would try the other
>>> protocol
>>> before blocking.
>> 

Re: Netflix VPN detection - actual engineer needed

[Raymond Beaudoin]

Fair point, Spencer! Only Netflix engineers could tell us how they're
determining networks to be blocked, but I'm paranoid they're dynamically
updating based  AS PATH. I figured HE's ASN may have made the naughty list.
Admittedly, that would be pretty drastic. Time to do some testing. :>

On Fri, Jun 3, 2016 at 8:27 PM, Spencer Ryan  wrote:

> Well if you have PI space just use HE's BGP tunnel offerings.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> raymond.beaud...@icarustech.com> wrote:
>
>> As an alternative, there are multiple cloud service offerings that will
>> advertise your IPv6 allocations on your behalf direct to a server in their
>> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
>> up a *> favorite virtual router instance> *and then route through it. The Internet
>>
>> is such an amazing place.
>>
>> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix 
>> wrote:
>>
>> > Yeah I RAWRed to them pretty hard whilst being as understanding to the
>> CS
>> > rep that it wasn't their fault.
>> >
>> > They thought I was weird as anything.
>> >
>> > If there are any Verizon FiOS network engineers on the thread, a fellow
>> > Verizon employee would thank you kindly for an off-thread email
>> regarding
>> > BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
>> > configure my account to listen for route advertisement).
>> >
>> > Strange that it has to come to this to get "legit" IPv6 service.
>> >
>> >
>> >
>> >
>> > On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>> > raymond.beaud...@icarustech.com> wrote:
>> >
>> >> I wasn't originally affected on my he.net tunnel, but this evening it
>> >> started blocking. The recommended ACLs are a functional temporary
>> >> workaround, but I've also opened a request with Netflix.
>> >>
>> >> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer > >
>> >> wrote:
>> >>
>> >> > So far I am not seeing a Netflix block on my he.net tunnel yet. I
>> >> connect
>> >> > to the Los Angeles node, so maybe not all of HE's address space is
>> being
>> >> > blocked.
>> >> >
>> >> > Not going to be disabling IPv6 here either. + HAD native IPv6 from
>> Time
>> >> > Warner, but they decided to in their wisdom to disable IPv6 service
>> for
>> >> > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
>> they
>> >> are
>> >> > taking their sweet time pushing out the fixed firmware update that
>> >> Comcast
>> >> > and Cox seemed to be able to push to their customers last fall.
>> >> >
>> >> > -Mark Ganzer
>> >> >
>> >> >
>> >> > On 6/3/2016 4:49 PM, Cryptographrix wrote:
>> >> >
>> >> >> Depends - how many US users have native IPv6 through their ISPs?
>> >> >>
>> >> >> If I remember correctly (I can't find the source at the moment),
>> HE.net
>> >> >> represents something like 70% of IPv6 traffic in the US.
>> >> >>
>> >> >> And yeah, not doing that - actually in the middle of an IPv6
>> project at
>> >> >> work at the moment that's a bit important to me.
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>> >> baldur.nordd...@gmail.com
>> >> >> >
>> >> >> wrote:
>> >> >>
>> >> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>> >> cryptograph...@gmail.com>:
>> >> >>>
>> >>  The information I'm getting from Netflix support now is explicitly
>> >> 
>> >> >>> telling
>> >> >>>
>> >>  me to turn off IPv6 - someone might want to stop them before they
>> >>  completely kill US IPv6 adoption.
>> >> 
>> >> >>> Not allowing he.net tunnels is not killing ipv6. You just need
>> need
>> >> >>> native
>> >> >>> ipv6.
>> >> >>>
>> >> >>> On the other hand it would be nice if Netflix would try the other
>> >> >>> protocol
>> >> >>> before blocking.
>> >> >>>
>> >> >>>
>> >> >
>> >>
>> >
>>
>
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Honestly I was trying to make that sound like a "missed connections" ad
there for a moment, but seriously I'd buy a /40 right now if possible to
have non-tunneled IPv6 if I could.

It's so weird being on US internet - your content distributor makes you
feel like a criminal because their content provider has standing orders to
deny you from viewing the content they provide and the only other thing you
can do about it is turn off the thing that gives you access to the way you
make the money to pay for their stuff.



On Fri, Jun 3, 2016 at 9:25 PM Raymond Beaudoin <
raymond.beaud...@icarustech.com> wrote:

> As an alternative, there are multiple cloud service offerings that will
> advertise your IPv6 allocations on your behalf direct to a server in their
> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a 
> * favorite virtual router instance> *and then route through it. The
> Internet is such an amazing place.
>
> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix 
> wrote:
>
>> Yeah I RAWRed to them pretty hard whilst being as understanding to the CS
>> rep that it wasn't their fault.
>>
>> They thought I was weird as anything.
>>
>> If there are any Verizon FiOS network engineers on the thread, a fellow
>> Verizon employee would thank you kindly for an off-thread email regarding
>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
>> configure my account to listen for route advertisement).
>>
>> Strange that it has to come to this to get "legit" IPv6 service.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>> raymond.beaud...@icarustech.com> wrote:
>>
>>> I wasn't originally affected on my he.net tunnel, but this evening it
>>> started blocking. The recommended ACLs are a functional temporary
>>> workaround, but I've also opened a request with Netflix.
>>>
>>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer 
>>> wrote:
>>>
>>> > So far I am not seeing a Netflix block on my he.net tunnel yet. I
>>> connect
>>> > to the Los Angeles node, so maybe not all of HE's address space is
>>> being
>>> > blocked.
>>> >
>>> > Not going to be disabling IPv6 here either. + HAD native IPv6 from Time
>>> > Warner, but they decided to in their wisdom to disable IPv6 service for
>>> > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
>>> they are
>>> > taking their sweet time pushing out the fixed firmware update that
>>> Comcast
>>> > and Cox seemed to be able to push to their customers last fall.
>>> >
>>> > -Mark Ganzer
>>> >
>>> >
>>> > On 6/3/2016 4:49 PM, Cryptographrix wrote:
>>> >
>>> >> Depends - how many US users have native IPv6 through their ISPs?
>>> >>
>>> >> If I remember correctly (I can't find the source at the moment),
>>> HE.net
>>> >> represents something like 70% of IPv6 traffic in the US.
>>> >>
>>> >> And yeah, not doing that - actually in the middle of an IPv6 project
>>> at
>>> >> work at the moment that's a bit important to me.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>>> baldur.nordd...@gmail.com
>>> >> >
>>> >> wrote:
>>> >>
>>> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>>> cryptograph...@gmail.com>:
>>> >>>
>>>  The information I'm getting from Netflix support now is explicitly
>>> 
>>> >>> telling
>>> >>>
>>>  me to turn off IPv6 - someone might want to stop them before they
>>>  completely kill US IPv6 adoption.
>>> 
>>> >>> Not allowing he.net tunnels is not killing ipv6. You just need need
>>> >>> native
>>> >>> ipv6.
>>> >>>
>>> >>> On the other hand it would be nice if Netflix would try the other
>>> >>> protocol
>>> >>> before blocking.
>>> >>>
>>> >>>
>>> >
>>>
>>
>

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

Well if you have PI space just use HE's BGP tunnel offerings.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
raymond.beaud...@icarustech.com> wrote:

> As an alternative, there are multiple cloud service offerings that will
> advertise your IPv6 allocations on your behalf direct to a server in their
> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
> up a * favorite virtual router instance> *and then route through it. The Internet
> is such an amazing place.
>
> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix 
> wrote:
>
> > Yeah I RAWRed to them pretty hard whilst being as understanding to the CS
> > rep that it wasn't their fault.
> >
> > They thought I was weird as anything.
> >
> > If there are any Verizon FiOS network engineers on the thread, a fellow
> > Verizon employee would thank you kindly for an off-thread email regarding
> > BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
> > configure my account to listen for route advertisement).
> >
> > Strange that it has to come to this to get "legit" IPv6 service.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> > raymond.beaud...@icarustech.com> wrote:
> >
> >> I wasn't originally affected on my he.net tunnel, but this evening it
> >> started blocking. The recommended ACLs are a functional temporary
> >> workaround, but I've also opened a request with Netflix.
> >>
> >> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer 
> >> wrote:
> >>
> >> > So far I am not seeing a Netflix block on my he.net tunnel yet. I
> >> connect
> >> > to the Los Angeles node, so maybe not all of HE's address space is
> being
> >> > blocked.
> >> >
> >> > Not going to be disabling IPv6 here either. + HAD native IPv6 from
> Time
> >> > Warner, but they decided to in their wisdom to disable IPv6 service
> for
> >> > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
> they
> >> are
> >> > taking their sweet time pushing out the fixed firmware update that
> >> Comcast
> >> > and Cox seemed to be able to push to their customers last fall.
> >> >
> >> > -Mark Ganzer
> >> >
> >> >
> >> > On 6/3/2016 4:49 PM, Cryptographrix wrote:
> >> >
> >> >> Depends - how many US users have native IPv6 through their ISPs?
> >> >>
> >> >> If I remember correctly (I can't find the source at the moment),
> HE.net
> >> >> represents something like 70% of IPv6 traffic in the US.
> >> >>
> >> >> And yeah, not doing that - actually in the middle of an IPv6 project
> at
> >> >> work at the moment that's a bit important to me.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> >> baldur.nordd...@gmail.com
> >> >> >
> >> >> wrote:
> >> >>
> >> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> >> cryptograph...@gmail.com>:
> >> >>>
> >>  The information I'm getting from Netflix support now is explicitly
> >> 
> >> >>> telling
> >> >>>
> >>  me to turn off IPv6 - someone might want to stop them before they
> >>  completely kill US IPv6 adoption.
> >> 
> >> >>> Not allowing he.net tunnels is not killing ipv6. You just need need
> >> >>> native
> >> >>> ipv6.
> >> >>>
> >> >>> On the other hand it would be nice if Netflix would try the other
> >> >>> protocol
> >> >>> before blocking.
> >> >>>
> >> >>>
> >> >
> >>
> >
>

Re: Netflix VPN detection - actual engineer needed

[Raymond Beaudoin]

As an alternative, there are multiple cloud service offerings that will
advertise your IPv6 allocations on your behalf direct to a server in their
data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
up a * *and then route through it. The Internet
is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix 
wrote:

> Yeah I RAWRed to them pretty hard whilst being as understanding to the CS
> rep that it wasn't their fault.
>
> They thought I was weird as anything.
>
> If there are any Verizon FiOS network engineers on the thread, a fellow
> Verizon employee would thank you kindly for an off-thread email regarding
> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
> configure my account to listen for route advertisement).
>
> Strange that it has to come to this to get "legit" IPv6 service.
>
>
>
>
> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> raymond.beaud...@icarustech.com> wrote:
>
>> I wasn't originally affected on my he.net tunnel, but this evening it
>> started blocking. The recommended ACLs are a functional temporary
>> workaround, but I've also opened a request with Netflix.
>>
>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer 
>> wrote:
>>
>> > So far I am not seeing a Netflix block on my he.net tunnel yet. I
>> connect
>> > to the Los Angeles node, so maybe not all of HE's address space is being
>> > blocked.
>> >
>> > Not going to be disabling IPv6 here either. + HAD native IPv6 from Time
>> > Warner, but they decided to in their wisdom to disable IPv6 service for
>> > anyone that has an Arris SB6183 due to an Arris firmware bug.  And they
>> are
>> > taking their sweet time pushing out the fixed firmware update that
>> Comcast
>> > and Cox seemed to be able to push to their customers last fall.
>> >
>> > -Mark Ganzer
>> >
>> >
>> > On 6/3/2016 4:49 PM, Cryptographrix wrote:
>> >
>> >> Depends - how many US users have native IPv6 through their ISPs?
>> >>
>> >> If I remember correctly (I can't find the source at the moment), HE.net
>> >> represents something like 70% of IPv6 traffic in the US.
>> >>
>> >> And yeah, not doing that - actually in the middle of an IPv6 project at
>> >> work at the moment that's a bit important to me.
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>> baldur.nordd...@gmail.com
>> >> >
>> >> wrote:
>> >>
>> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>> cryptograph...@gmail.com>:
>> >>>
>>  The information I'm getting from Netflix support now is explicitly
>> 
>> >>> telling
>> >>>
>>  me to turn off IPv6 - someone might want to stop them before they
>>  completely kill US IPv6 adoption.
>> 
>> >>> Not allowing he.net tunnels is not killing ipv6. You just need need
>> >>> native
>> >>> ipv6.
>> >>>
>> >>> On the other hand it would be nice if Netflix would try the other
>> >>> protocol
>> >>> before blocking.
>> >>>
>> >>>
>> >
>>
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS
rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow
Verizon employee would thank you kindly for an off-thread email regarding
BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.




On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
raymond.beaud...@icarustech.com> wrote:

> I wasn't originally affected on my he.net tunnel, but this evening it
> started blocking. The recommended ACLs are a functional temporary
> workaround, but I've also opened a request with Netflix.
>
> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer 
> wrote:
>
> > So far I am not seeing a Netflix block on my he.net tunnel yet. I
> connect
> > to the Los Angeles node, so maybe not all of HE's address space is being
> > blocked.
> >
> > Not going to be disabling IPv6 here either. + HAD native IPv6 from Time
> > Warner, but they decided to in their wisdom to disable IPv6 service for
> > anyone that has an Arris SB6183 due to an Arris firmware bug.  And they
> are
> > taking their sweet time pushing out the fixed firmware update that
> Comcast
> > and Cox seemed to be able to push to their customers last fall.
> >
> > -Mark Ganzer
> >
> >
> > On 6/3/2016 4:49 PM, Cryptographrix wrote:
> >
> >> Depends - how many US users have native IPv6 through their ISPs?
> >>
> >> If I remember correctly (I can't find the source at the moment), HE.net
> >> represents something like 70% of IPv6 traffic in the US.
> >>
> >> And yeah, not doing that - actually in the middle of an IPv6 project at
> >> work at the moment that's a bit important to me.
> >>
> >>
> >>
> >>
> >> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> baldur.nordd...@gmail.com
> >> >
> >> wrote:
> >>
> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix"  >:
> >>>
>  The information I'm getting from Netflix support now is explicitly
> 
> >>> telling
> >>>
>  me to turn off IPv6 - someone might want to stop them before they
>  completely kill US IPv6 adoption.
> 
> >>> Not allowing he.net tunnels is not killing ipv6. You just need need
> >>> native
> >>> ipv6.
> >>>
> >>> On the other hand it would be nice if Netflix would try the other
> >>> protocol
> >>> before blocking.
> >>>
> >>>
> >
>

Re: Netflix VPN detection - actual engineer needed

[Raymond Beaudoin]

I wasn't originally affected on my he.net tunnel, but this evening it
started blocking. The recommended ACLs are a functional temporary
workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer 
wrote:

> So far I am not seeing a Netflix block on my he.net tunnel yet. I connect
> to the Los Angeles node, so maybe not all of HE's address space is being
> blocked.
>
> Not going to be disabling IPv6 here either. + HAD native IPv6 from Time
> Warner, but they decided to in their wisdom to disable IPv6 service for
> anyone that has an Arris SB6183 due to an Arris firmware bug.  And they are
> taking their sweet time pushing out the fixed firmware update that Comcast
> and Cox seemed to be able to push to their customers last fall.
>
> -Mark Ganzer
>
>
> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>
>> Depends - how many US users have native IPv6 through their ISPs?
>>
>> If I remember correctly (I can't find the source at the moment), HE.net
>> represents something like 70% of IPv6 traffic in the US.
>>
>> And yeah, not doing that - actually in the middle of an IPv6 project at
>> work at the moment that's a bit important to me.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl > >
>> wrote:
>>
>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" :
>>>
 The information I'm getting from Netflix support now is explicitly

>>> telling
>>>
 me to turn off IPv6 - someone might want to stop them before they
 completely kill US IPv6 adoption.

>>> Not allowing he.net tunnels is not killing ipv6. You just need need
>>> native
>>> ipv6.
>>>
>>> On the other hand it would be nice if Netflix would try the other
>>> protocol
>>> before blocking.
>>>
>>>
>

Re: Netflix VPN detection - actual engineer needed

[Mark T. Ganzer]

So far I am not seeing a Netflix block on my he.net tunnel yet. I 
connect to the Los Angeles node, so maybe not all of HE's address space 
is being blocked.


Not going to be disabling IPv6 here either. + HAD native IPv6 from Time 
Warner, but they decided to in their wisdom to disable IPv6 service for 
anyone that has an Arris SB6183 due to an Arris firmware bug.  And they 
are taking their sweet time pushing out the fixed firmware update that 
Comcast and Cox seemed to be able to push to their customers last fall.


-Mark Ganzer

On 6/3/2016 4:49 PM, Cryptographrix wrote:

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net
represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at
work at the moment that's a bit important to me.




On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl 
wrote:


Den 4. jun. 2016 01.26 skrev "Cryptographrix" :

The information I'm getting from Netflix support now is explicitly

telling

me to turn off IPv6 - someone might want to stop them before they
completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native
ipv6.

On the other hand it would be nice if Netflix would try the other protocol
before blocking.

Re: Netflix VPN detection - actual engineer needed

[Josh Reynolds]

You might be one of a handful.
On Jun 3, 2016 7:35 PM, "Gary E. Miller"  wrote:

> Yo Spencer!
>
> On Fri, 3 Jun 2016 20:13:03 -0400
> Spencer Ryan  wrote:
>
> > Yes but HE doesn't serve residential users directly.
>
> Really?  I am the only one?  Doubtful.
>
> RGDS
> GARY
> ---
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> g...@rellim.com  Tel:+1 541 382 8588
>

Re: Netflix VPN detection - actual engineer needed

[Lyndon Nerenberg]

> On Jun 3, 2016, at 4:59 PM, jim deleskie  wrote:
> 
> I don't suspect many folks that are outside of this list would likely have
> any idea how to set up a v6 tunnel.  Those of us on the list, likely have a
> much greater ability to influence v6 adoption or not via day job
> deployments then Netflix supporting v6 tunnels or not.

In western Canada, Telus is on a big push to deploy IPv6.  TekSavvy less so.  
But it's happening.

I cancelled my Netflix subscription last summer.  I needed native IPv6 more 
than I needed Grace and Frankie.

Which isn't to say I didn't want to watch Grace and Frankie more than having 
IPv6 access to machines I need to have access to in order to earn the money I 
need to pay to (not) watch Grace and Frankie ...

--lyndon

Re: Netflix VPN detection - actual engineer needed

[Alistair Mackenzie]

+1

On 4 June 2016 at 01:35, Owen DeLong  wrote:

> I think the day that Netflix tells me to turn off IPv6 or doesn’t serve me
> content
> because one of my routes to the internet for IPv6 is via an HE tunnel (the
> other
> two are different tunnels, but all of my IPv4 also goes through tunnels)
> will be the
> day I tell Netflix that I will turn them off instead.
>
> Let’s face it folks, if we want to encourage Netflix to tell the content
> providers
> to give up the silly geo-shit, then we have to stop patronizing channels
> that do
> silly geo-shit.
>
> The only real impact is to vote with your $$$ and tell the companies you
> are
> unsubscribing from exactly why you are unsubscribing.
>
> So far, I haven’t run into an issue where I couldn’t get what I wanted to
> watch
> via a tunnel I was able to set up. When/If Netflix gets good enough to
> detect
> and block my tunnel, I’ll stop using Netflix and stop paying them. I’ll
> also
> make sure that they know why.
>
> I’m sure if they lose enough customers for this reason, they’ll choose to
> do something
> about it with their content providers. After all, the fewer subscribers
> Netflix has,
> the less they pay the content providers, too.
>
> Sure, nobody cares about my $10/month or whatever it’s up to these days,
> but if a
> few thousand of us start walking off and it starts to look like a trend,
> it can
> change things.
>
> Owen
>
> > On Jun 3, 2016, at 17:17 , Cryptographrix 
> wrote:
> >
> > Very true. Telling people to turn off IPv6 support through their customer
> > service portal is completely infuriating for those that can't get IPv6
> > through their ISP and need it.
> >
> >
> > On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan  wrote:
> >
> >> Yes but HE doesn't serve residential users directly. To a normal person
> HE
> >> is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier.
> They
> >> may move the most v6 traffic, but Comcast is the largest ISP actually
> >> getting v6 to end users.
> >>
> >>
> >> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >> *Arbor Networks*
> >> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> www.arbornetworks.com
> >>
> >> On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix <
> cryptograph...@gmail.com>
> >> wrote:
> >>
> >>> I don't remember the source, but I do remember that even with Comcast's
> >>> deployment, HE still represented the majority of IPv6 traffic in the
> US.
> >>>
> >>> Of course, it could just be a bunch of us heavy IPv6 users.
> >>>
> >>>
> >>>
> >>> On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:
> >>>
>  Comcast is near 100% on their DOCSIS network (Busniess and
> residential).
>  That should be the largest single ISP for IPv6 for end users in the
> USA.
> 
> 
>  *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>  *Arbor Networks*
>  +1.734.794.5033 (d) | +1.734.846.2053 (m)
>  www.arbornetworks.com
> 
>  On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix <
> cryptograph...@gmail.com
> > wrote:
> 
> > Depends - how many US users have native IPv6 through their ISPs?
> >
> > If I remember correctly (I can't find the source at the moment),
> HE.net
> > represents something like 70% of IPv6 traffic in the US.
> >
> > And yeah, not doing that - actually in the middle of an IPv6 project
> at
> > work at the moment that's a bit important to me.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> > baldur.nordd...@gmail.com>
> > wrote:
> >
> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> > cryptograph...@gmail.com>:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly
> >> telling
> >>> me to turn off IPv6 - someone might want to stop them before they
> >>> completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need need
> > native
> >> ipv6.
> >>
> >> On the other hand it would be nice if Netflix would try the other
> > protocol
> >> before blocking.
> >>
> >
> 
> 
> >>
>
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Yeah today I cancelled Netflix for exactly this reason.

On Fri, Jun 3, 2016 at 8:35 PM Owen DeLong  wrote:

> I think the day that Netflix tells me to turn off IPv6 or doesn’t serve me
> content
> because one of my routes to the internet for IPv6 is via an HE tunnel (the
> other
> two are different tunnels, but all of my IPv4 also goes through tunnels)
> will be the
> day I tell Netflix that I will turn them off instead.
>
> Let’s face it folks, if we want to encourage Netflix to tell the content
> providers
> to give up the silly geo-shit, then we have to stop patronizing channels
> that do
> silly geo-shit.
>
> The only real impact is to vote with your $$$ and tell the companies you
> are
> unsubscribing from exactly why you are unsubscribing.
>
> So far, I haven’t run into an issue where I couldn’t get what I wanted to
> watch
> via a tunnel I was able to set up. When/If Netflix gets good enough to
> detect
> and block my tunnel, I’ll stop using Netflix and stop paying them. I’ll
> also
> make sure that they know why.
>
> I’m sure if they lose enough customers for this reason, they’ll choose to
> do something
> about it with their content providers. After all, the fewer subscribers
> Netflix has,
> the less they pay the content providers, too.
>
> Sure, nobody cares about my $10/month or whatever it’s up to these days,
> but if a
> few thousand of us start walking off and it starts to look like a trend,
> it can
> change things.
>
> Owen
>
> > On Jun 3, 2016, at 17:17 , Cryptographrix 
> wrote:
> >
> > Very true. Telling people to turn off IPv6 support through their customer
> > service portal is completely infuriating for those that can't get IPv6
> > through their ISP and need it.
> >
> >
> > On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan  wrote:
> >
> >> Yes but HE doesn't serve residential users directly. To a normal person
> HE
> >> is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier.
> They
> >> may move the most v6 traffic, but Comcast is the largest ISP actually
> >> getting v6 to end users.
> >>
> >>
> >> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >> *Arbor Networks*
> >> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> www.arbornetworks.com
> >>
> >> On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix <
> cryptograph...@gmail.com>
> >> wrote:
> >>
> >>> I don't remember the source, but I do remember that even with Comcast's
> >>> deployment, HE still represented the majority of IPv6 traffic in the
> US.
> >>>
> >>> Of course, it could just be a bunch of us heavy IPv6 users.
> >>>
> >>>
> >>>
> >>> On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:
> >>>
>  Comcast is near 100% on their DOCSIS network (Busniess and
> residential).
>  That should be the largest single ISP for IPv6 for end users in the
> USA.
> 
> 
>  *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>  *Arbor Networks*
>  +1.734.794.5033 (d) | +1.734.846.2053 (m)
>  www.arbornetworks.com
> 
>  On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix <
> cryptograph...@gmail.com
> > wrote:
> 
> > Depends - how many US users have native IPv6 through their ISPs?
> >
> > If I remember correctly (I can't find the source at the moment),
> HE.net
> > represents something like 70% of IPv6 traffic in the US.
> >
> > And yeah, not doing that - actually in the middle of an IPv6 project
> at
> > work at the moment that's a bit important to me.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> > baldur.nordd...@gmail.com>
> > wrote:
> >
> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> > cryptograph...@gmail.com>:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly
> >> telling
> >>> me to turn off IPv6 - someone might want to stop them before they
> >>> completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need need
> > native
> >> ipv6.
> >>
> >> On the other hand it would be nice if Netflix would try the other
> > protocol
> >> before blocking.
> >>
> >
> 
> 
> >>
>
>

Re: Netflix VPN detection - actual engineer needed

[Owen DeLong]

I think the day that Netflix tells me to turn off IPv6 or doesn’t serve me 
content
because one of my routes to the internet for IPv6 is via an HE tunnel (the other
two are different tunnels, but all of my IPv4 also goes through tunnels) will 
be the
day I tell Netflix that I will turn them off instead.

Let’s face it folks, if we want to encourage Netflix to tell the content 
providers
to give up the silly geo-shit, then we have to stop patronizing channels that do
silly geo-shit.

The only real impact is to vote with your $$$ and tell the companies you are
unsubscribing from exactly why you are unsubscribing.

So far, I haven’t run into an issue where I couldn’t get what I wanted to watch
via a tunnel I was able to set up. When/If Netflix gets good enough to detect
and block my tunnel, I’ll stop using Netflix and stop paying them. I’ll also
make sure that they know why.

I’m sure if they lose enough customers for this reason, they’ll choose to do 
something
about it with their content providers. After all, the fewer subscribers Netflix 
has,
the less they pay the content providers, too.

Sure, nobody cares about my $10/month or whatever it’s up to these days, but if 
a
few thousand of us start walking off and it starts to look like a trend, it can
change things.

Owen

> On Jun 3, 2016, at 17:17 , Cryptographrix  wrote:
> 
> Very true. Telling people to turn off IPv6 support through their customer
> service portal is completely infuriating for those that can't get IPv6
> through their ISP and need it.
> 
> 
> On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan  wrote:
> 
>> Yes but HE doesn't serve residential users directly. To a normal person HE
>> is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier. They
>> may move the most v6 traffic, but Comcast is the largest ISP actually
>> getting v6 to end users.
>> 
>> 
>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>> 
>> On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix 
>> wrote:
>> 
>>> I don't remember the source, but I do remember that even with Comcast's
>>> deployment, HE still represented the majority of IPv6 traffic in the US.
>>> 
>>> Of course, it could just be a bunch of us heavy IPv6 users.
>>> 
>>> 
>>> 
>>> On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:
>>> 
 Comcast is near 100% on their DOCSIS network (Busniess and residential).
 That should be the largest single ISP for IPv6 for end users in the USA.
 
 
 *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
 *Arbor Networks*
 +1.734.794.5033 (d) | +1.734.846.2053 (m)
 www.arbornetworks.com
 
 On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix  wrote:
 
> Depends - how many US users have native IPv6 through their ISPs?
> 
> If I remember correctly (I can't find the source at the moment), HE.net
> represents something like 70% of IPv6 traffic in the US.
> 
> And yeah, not doing that - actually in the middle of an IPv6 project at
> work at the moment that's a bit important to me.
> 
> 
> 
> 
> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> baldur.nordd...@gmail.com>
> wrote:
> 
>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> cryptograph...@gmail.com>:
>>> 
>>> The information I'm getting from Netflix support now is explicitly
>> telling
>>> me to turn off IPv6 - someone might want to stop them before they
>>> completely kill US IPv6 adoption.
>> 
>> Not allowing he.net tunnels is not killing ipv6. You just need need
> native
>> ipv6.
>> 
>> On the other hand it would be nice if Netflix would try the other
> protocol
>> before blocking.
>> 
> 
 
 
>> 

Re: Netflix VPN detection - actual engineer needed

[Gary E. Miller]

Yo Spencer!

On Fri, 3 Jun 2016 20:13:03 -0400
Spencer Ryan  wrote:

> Yes but HE doesn't serve residential users directly. 

Really?  I am the only one?  Doubtful.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588


pgp_6A1NuMF_m.pgp
Description: OpenPGP digital signature

Re: Netflix VPN detection - actual engineer needed

[Blair Trosper]

...IF (and that's a big IF in the Bay Area at least) you can get the newest
modems.  Easier said than done.

On Fri, Jun 3, 2016 at 5:03 PM, Spencer Ryan  wrote:

> Comcast is near 100% on their DOCSIS network (Busniess and residential).
> That should be the largest single ISP for IPv6 for end users in the USA.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix 
> wrote:
>
> > Depends - how many US users have native IPv6 through their ISPs?
> >
> > If I remember correctly (I can't find the source at the moment), HE.net
> > represents something like 70% of IPv6 traffic in the US.
> >
> > And yeah, not doing that - actually in the middle of an IPv6 project at
> > work at the moment that's a bit important to me.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> baldur.nordd...@gmail.com>
> > wrote:
> >
> > > Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> cryptograph...@gmail.com
> > >:
> > > >
> > > > The information I'm getting from Netflix support now is explicitly
> > > telling
> > > > me to turn off IPv6 - someone might want to stop them before they
> > > > completely kill US IPv6 adoption.
> > >
> > > Not allowing he.net tunnels is not killing ipv6. You just need need
> > native
> > > ipv6.
> > >
> > > On the other hand it would be nice if Netflix would try the other
> > protocol
> > > before blocking.
> > >
> >
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Very true. Telling people to turn off IPv6 support through their customer
service portal is completely infuriating for those that can't get IPv6
through their ISP and need it.


On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan  wrote:

> Yes but HE doesn't serve residential users directly. To a normal person HE
> is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier. They
> may move the most v6 traffic, but Comcast is the largest ISP actually
> getting v6 to end users.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix 
> wrote:
>
>> I don't remember the source, but I do remember that even with Comcast's
>> deployment, HE still represented the majority of IPv6 traffic in the US.
>>
>> Of course, it could just be a bunch of us heavy IPv6 users.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:
>>
>>> Comcast is near 100% on their DOCSIS network (Busniess and residential).
>>> That should be the largest single ISP for IPv6 for end users in the USA.
>>>
>>>
>>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>>> *Arbor Networks*
>>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>>> www.arbornetworks.com
>>>
>>> On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix >> > wrote:
>>>
 Depends - how many US users have native IPv6 through their ISPs?

 If I remember correctly (I can't find the source at the moment), HE.net
 represents something like 70% of IPv6 traffic in the US.

 And yeah, not doing that - actually in the middle of an IPv6 project at
 work at the moment that's a bit important to me.




 On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
 baldur.nordd...@gmail.com>
 wrote:

 > Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
 cryptograph...@gmail.com>:
 > >
 > > The information I'm getting from Netflix support now is explicitly
 > telling
 > > me to turn off IPv6 - someone might want to stop them before they
 > > completely kill US IPv6 adoption.
 >
 > Not allowing he.net tunnels is not killing ipv6. You just need need
 native
 > ipv6.
 >
 > On the other hand it would be nice if Netflix would try the other
 protocol
 > before blocking.
 >

>>>
>>>
>

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

Yes but HE doesn't serve residential users directly. To a normal person HE
is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier. They
may move the most v6 traffic, but Comcast is the largest ISP actually
getting v6 to end users.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix 
wrote:

> I don't remember the source, but I do remember that even with Comcast's
> deployment, HE still represented the majority of IPv6 traffic in the US.
>
> Of course, it could just be a bunch of us heavy IPv6 users.
>
>
>
> On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:
>
>> Comcast is near 100% on their DOCSIS network (Busniess and residential).
>> That should be the largest single ISP for IPv6 for end users in the USA.
>>
>>
>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>>
>> On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix 
>> wrote:
>>
>>> Depends - how many US users have native IPv6 through their ISPs?
>>>
>>> If I remember correctly (I can't find the source at the moment), HE.net
>>> represents something like 70% of IPv6 traffic in the US.
>>>
>>> And yeah, not doing that - actually in the middle of an IPv6 project at
>>> work at the moment that's a bit important to me.
>>>
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>>> baldur.nordd...@gmail.com>
>>> wrote:
>>>
>>> > Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>>> cryptograph...@gmail.com>:
>>> > >
>>> > > The information I'm getting from Netflix support now is explicitly
>>> > telling
>>> > > me to turn off IPv6 - someone might want to stop them before they
>>> > > completely kill US IPv6 adoption.
>>> >
>>> > Not allowing he.net tunnels is not killing ipv6. You just need need
>>> native
>>> > ipv6.
>>> >
>>> > On the other hand it would be nice if Netflix would try the other
>>> protocol
>>> > before blocking.
>>> >
>>>
>>
>>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

I don't remember the source, but I do remember that even with Comcast's
deployment, HE still represented the majority of IPv6 traffic in the US.

Of course, it could just be a bunch of us heavy IPv6 users.



On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:

> Comcast is near 100% on their DOCSIS network (Busniess and residential).
> That should be the largest single ISP for IPv6 for end users in the USA.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix 
> wrote:
>
>> Depends - how many US users have native IPv6 through their ISPs?
>>
>> If I remember correctly (I can't find the source at the moment), HE.net
>> represents something like 70% of IPv6 traffic in the US.
>>
>> And yeah, not doing that - actually in the middle of an IPv6 project at
>> work at the moment that's a bit important to me.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl > >
>> wrote:
>>
>> > Den 4. jun. 2016 01.26 skrev "Cryptographrix" > >:
>> > >
>> > > The information I'm getting from Netflix support now is explicitly
>> > telling
>> > > me to turn off IPv6 - someone might want to stop them before they
>> > > completely kill US IPv6 adoption.
>> >
>> > Not allowing he.net tunnels is not killing ipv6. You just need need
>> native
>> > ipv6.
>> >
>> > On the other hand it would be nice if Netflix would try the other
>> protocol
>> > before blocking.
>> >
>>
>
>

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

Comcast is near 100% on their DOCSIS network (Busniess and residential).
That should be the largest single ISP for IPv6 for end users in the USA.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix 
wrote:

> Depends - how many US users have native IPv6 through their ISPs?
>
> If I remember correctly (I can't find the source at the moment), HE.net
> represents something like 70% of IPv6 traffic in the US.
>
> And yeah, not doing that - actually in the middle of an IPv6 project at
> work at the moment that's a bit important to me.
>
>
>
>
> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl 
> wrote:
>
> > Den 4. jun. 2016 01.26 skrev "Cryptographrix"  >:
> > >
> > > The information I'm getting from Netflix support now is explicitly
> > telling
> > > me to turn off IPv6 - someone might want to stop them before they
> > > completely kill US IPv6 adoption.
> >
> > Not allowing he.net tunnels is not killing ipv6. You just need need
> native
> > ipv6.
> >
> > On the other hand it would be nice if Netflix would try the other
> protocol
> > before blocking.
> >
>

Re: Netflix VPN detection - actual engineer needed

[jim deleskie]

I don't suspect many folks that are outside of this list would likely have
any idea how to set up a v6 tunnel.  Those of us on the list, likely have a
much greater ability to influence v6 adoption or not via day job
deployments then Netflix supporting v6 tunnels or not.

On Fri, Jun 3, 2016 at 8:49 PM, Cryptographrix 
wrote:

> Depends - how many US users have native IPv6 through their ISPs?
>
> If I remember correctly (I can't find the source at the moment), HE.net
> represents something like 70% of IPv6 traffic in the US.
>
> And yeah, not doing that - actually in the middle of an IPv6 project at
> work at the moment that's a bit important to me.
>
>
>
>
> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl 
> wrote:
>
> > Den 4. jun. 2016 01.26 skrev "Cryptographrix"  >:
> > >
> > > The information I'm getting from Netflix support now is explicitly
> > telling
> > > me to turn off IPv6 - someone might want to stop them before they
> > > completely kill US IPv6 adoption.
> >
> > Not allowing he.net tunnels is not killing ipv6. You just need need
> native
> > ipv6.
> >
> > On the other hand it would be nice if Netflix would try the other
> protocol
> > before blocking.
> >
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

(and this is coming from someone that has serious issues with IPv6 but
understands that we need to move forward)


On Fri, Jun 3, 2016 at 7:49 PM Cryptographrix 
wrote:

> Depends - how many US users have native IPv6 through their ISPs?
>
> If I remember correctly (I can't find the source at the moment), HE.net
> represents something like 70% of IPv6 traffic in the US.
>
> And yeah, not doing that - actually in the middle of an IPv6 project at
> work at the moment that's a bit important to me.
>
>
>
>
> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl 
> wrote:
>
>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" :
>> >
>> > The information I'm getting from Netflix support now is explicitly
>> telling
>> > me to turn off IPv6 - someone might want to stop them before they
>> > completely kill US IPv6 adoption.
>>
>> Not allowing he.net tunnels is not killing ipv6. You just need need
>> native
>> ipv6.
>>
>> On the other hand it would be nice if Netflix would try the other protocol
>> before blocking.
>>
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net
represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at
work at the moment that's a bit important to me.




On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl 
wrote:

> Den 4. jun. 2016 01.26 skrev "Cryptographrix" :
> >
> > The information I'm getting from Netflix support now is explicitly
> telling
> > me to turn off IPv6 - someone might want to stop them before they
> > completely kill US IPv6 adoption.
>
> Not allowing he.net tunnels is not killing ipv6. You just need need native
> ipv6.
>
> On the other hand it would be nice if Netflix would try the other protocol
> before blocking.
>

Re: Netflix VPN detection - actual engineer needed

[Matthew Kaufman]

Good for them. For things like Apple TV you need to turn it off at the router 
of course.

Matthew Kaufman

(Sent from my iPhone)

> On Jun 3, 2016, at 4:25 PM, Cryptographrix  wrote:
> 
> The information I'm getting from Netflix support now is explicitly telling
> me to turn off IPv6 - someone might want to stop them before they
> completely kill US IPv6 adoption.
> 
> 
> On Fri, Jun 3, 2016 at 7:15 PM Cryptographrix 
> wrote:
> 
>>> "What you are NOT allowed to do is impose new requirements on our
>> Internet to support your business licensing models and make it our problem"
>> 
>> They're not imposing new regulation on your internet to support their
>> business licensing models - they're imposing existing (and international)
>> regulations on someone else's business that existing distributors provide
>> controls for.
>> 
>> And that many existing online distributors provide controls for - hence
>> why they should be using the most local method of locating a person - ask
>> for permission to get the location from their device first (as is possible
>> nowadays), then try to get the location from any one of other fallback
>> methods (namely, IP geolocation).
>> 

Re: Netflix VPN detection - actual engineer needed

[Baldur Norddahl]

Den 4. jun. 2016 01.26 skrev "Cryptographrix" :
>
> The information I'm getting from Netflix support now is explicitly telling
> me to turn off IPv6 - someone might want to stop them before they
> completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native
ipv6.

On the other hand it would be nice if Netflix would try the other protocol
before blocking.

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

The information I'm getting from Netflix support now is explicitly telling
me to turn off IPv6 - someone might want to stop them before they
completely kill US IPv6 adoption.


On Fri, Jun 3, 2016 at 7:15 PM Cryptographrix 
wrote:

> > "What you are NOT allowed to do is impose new requirements on our
> Internet to support your business licensing models and make it our problem"
>
> They're not imposing new regulation on your internet to support their
> business licensing models - they're imposing existing (and international)
> regulations on someone else's business that existing distributors provide
> controls for.
>
> And that many existing online distributors provide controls for - hence
> why they should be using the most local method of locating a person - ask
> for permission to get the location from their device first (as is possible
> nowadays), then try to get the location from any one of other fallback
> methods (namely, IP geolocation).
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

> "What you are NOT allowed to do is impose new requirements on our
Internet to support your business licensing models and make it our problem"

They're not imposing new regulation on your internet to support their
business licensing models - they're imposing existing (and international)
regulations on someone else's business that existing distributors provide
controls for.

And that many existing online distributors provide controls for - hence why
they should be using the most local method of locating a person - ask for
permission to get the location from their device first (as is possible
nowadays), then try to get the location from any one of other fallback
methods (namely, IP geolocation).

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

"What you are NOT allowed to do is impose new requirements on our Internet
to support your business licensing models and make it our problem"

They're not imposing *new* regulation on *your* internet to support their
business licensing models - they're imposing *existing* (and international)
regulations on someone else's business that *existing* distributors provide
controls for.

And that many *existing* online distributors provide controls for - hence
why they should be using the *most local* method of locating a person - ask
for permission to get the location from their *device first* (as is
possible nowadays), then try to get the location from any one of other
fallback methods (namely, IP geolocation).


On Fri, Jun 3, 2016 at 6:22 PM Naslund, Steve  wrote:

> ISPs should not be in the business of helping distributors come up with
> “novel ways” to help them regionalize.  It’s counterproductive to the ISPs
> main purpose which is to get their customers “the whole Internet”, from
> anywhere to anywhere no matter where you are.
>
> As far as TV channels, that is an unrelated issue because they have their
> own distribution network, they can freely choose what cable systems and
> what satellite systems they want to license to.  What you are NOT allowed
> to do is impose new requirements on our Internet to support your business
> licensing models and make it our problem.  This is no different than
> someone like Microsoft saying “hey service providers, we don’t want you to
> carry any network traffic from illegal copies of Outlook” and expecting us
> to figure it out.  I know as service providers we have to be sensitive to
> our customers but Netflix is also a service provider and should be taking
> the heat from their own customers.  Netflix authored a broken process and
> now we should be expected to re-engineer the network to eliminate V6 tunnel
> brokers?!?!?!  I don’t think so Netflix.
>
> If I was still an ISP today, I would be sending all of my customers a memo
> explaining how badly Netflix VPN detection works and why it is so hard for
> us to help with it and why they should be complaining to Netflix.
>
> Steven Naslund
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com]
> Sent: Friday, June 03, 2016 5:06 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> There's really no point in whining about content providers and
> regionalization as long as TV channels are still a thing.
>
> I get that the internet totally annihilated borders of all kind (including
> the book store), but some businesses change slower than others, and content
> production is still back in the black-and-white TV days because even new
> content producers don't have that new of a business model.
>
> But nor are ISPs coming up with novel ways for distributors to offer more
> reliable regionalization services (and most of them were in the content
> regionalization business long before the Internet came around).
>
> Pick one of those two problems and make a business to solve them.
>
> Until then, Netflix's developers could at least use the "novel" solution
> of tiering the most accurate forms of location before hitting IP
> geolocation.
>
>
>
>
> On Fri, Jun 3, 2016 at 5:52 PM Naslund, Steve  > wrote:
> Actually it's time for Netflix to get out of the network transport
> business and tell the content providers to get over it or not get carried
> on Netflix.  It used to be that Netflix needed content providers, now I am
> starting to believe it might be the other way around.  Netflix might have
> to take a page from the satellite guys and start calling them out
> publicly.  i.e. "Netflix will no longer be able to provide you with Warner
> Bros. content because they are dinosaurs that are worried that someone
> might be watching in the wrong country.  We are pleased to offer you
> content from producers that are not complete morons"
>
> As the content producers lose more and more control over the distribution
> channel they are going to take whatever terms are necessary to get them on
> Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish.  If you are not
> on any or all of those platforms, you are going to be dead meat.   Who
> would be hurt worse, Netflix or the movie producer that got seen nowhere on
> their latest film.  To me, this is the last gasp of an industry that lost
> control of its distribution channel years ago and is still trying to impose
> that control.
>
> Steven Naslund
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org]
> On Behalf Of Mark Andrews
> Sent: Friday, June 03, 2016 4:28 PM
> To: Laszlo Hanyecz
> Cc: nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
>
> It's time for Netflix to offer IPv6 tunnels.  That way they can correlate
> IPv4 and IPv6 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

> 1.Device needs to have GPS, WiFi, or both.  A lot don’t.

Doesn't need to be mandatory, but it's elective to use and yes - AGPS/Wifi
is much more accurate than IP geolocation where available, by a long shot
https://gigaom.com/2012/08/17/how-much-better-is-gps-over-wi-fi-positioning-yelp-knows/


IP Geolocation is accurate to the city, at best, and is often completely
off if you live in a metropolitan area

> 2.   SSID needs to be in a database.  What is the ratio of SSIDs in
the databases vs total SSIDs worldwide.  Bet a large percentage are not
there.

This isn't even an issue in the US - what do you think those Google cars
collect besides pictures?:
https://www.wired.com/2014/04/threatlevel_0401_streetview/

> 3.   People can change an SSID or WiFi AP at any time.  How long
exactly until I get my database entry updated.

Yes they can change SSIDs, which is why Wifi-based geolocation doesn't
profile a location based on individual SSIDs or *just* SSIDs (many also
include MAC addresses to - see the aforementioned court case).

> 4.   Any indoor area that does not have WiFi coverage cannot be
located, period, end of story.

Wireless-ISPs are now a thing. You can be in the mountains of Colorado and
have your location established better with Wifi than your IP geolocation
will provide.

You'd be surprised how many wireless SSIDs you'll receive in the most
remote places.

Then again, there are places in metropolitan areas where there is
absolutely no wifi.

Sure, fall back to IP geolocation there.

You're trying to find edge cases - I get it - but in most places your edge
cases don't exist.

If you have a device with wifi on it and it is connected to the internet
even with Ethernet, in the US you have no assurance that it can not use
Wifi to determine your location much more precisely than IP geolocation.

Period.



On Fri, Jun 3, 2016 at 6:35 PM Cryptographrix 
wrote:

> But wait, content providers *do that.*
>
> *Microsoft too...for illegal copies of Outlook, even...*
>
> How do we know they do that?
>
> Because your ISP can be held liable if they are contacted by a content
> provider and do not follow graduated response guidelines either issued by
> the nation the ISP resides in or governed by industry agreements and *do
> not* shut off your service if you are found to be pirating content.
>
> But all of this is moot against the point you mentioned: Netflix authored
> a broken process.
>
> There are at least 3 much more accurate ways to establish regional
> provenance for any packet - and of course all of them can be hacked - but
> those same content providers have established in their audit requirements
> that they're perfectly willing to accept the risks involved.
>
>
>
>
>
> On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix 
> wrote:
>
>> "
>> there is no reliable geo-location method for Netflix to use"
>>
>> Any microprocessor that is connected to the Internet is subject to being
>> hacked - let's just turn off all of our computers, since we're talking in
>> absolutes.
>>
>> From the perspective of the "lawyers and MBA types that negotiate
>> agreements with Netflix and similar services" (to quote Eric), there
>> *are* reliable methods within a specific risk profile, and those include
>> (thanks to Google and Apple, whom most of the content providers *also* have
>> agreements with) AGPS based on Wifi and other industry now-standard methods.
>>
>> I don't think there _is_ a contractual requirement to attempt to block
>> VPN traffic. I think there's a contractual requirement to provide
>> geographic controls for content, which is a completely different
>> discussion, and is what those same cable and satellite TV providers (many
>> of which _are_ the ISPs for Netflix's customer base) provide.
>>
>> As has been pointed out, Slingbox is an excellent proxy for over-the-air
>> and cable-tv video, but you don't see content providers pressuring
>> regulation on them because they limit their risk with the station or cable
>> TV provider.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve 
>> wrote:
>>
>>> That is true.  The problem is that traditionally the ISPs have to deal
>>> with customers that can’t get to the content they want.  Netflix ridiculous
>>> detection schemes do nothing but create tons of work for the service
>>> provider which in turn creates stupid work-arounds and network
>>> configurations that are ill conceived.  Myself, I had to shut off IPv6 at
>>> home to get things to work reliably several times for dumb reasons.   Kind
>>> of hard to preach the v6 message when I had to shut it off myself several
>>> time to get my own stuff to work Ok.  Netflix just decided that creating
>>> issues for a subset of their customers was better than having the real
>>> fight with the content providers.
>>>
>>> My point is that there is no reliable geo-location method for Netflix to
>>> use, at least there 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

But wait, content providers *do that.*

*Microsoft too...for illegal copies of Outlook, even...*

How do we know they do that?

Because your ISP can be held liable if they are contacted by a content
provider and do not follow graduated response guidelines either issued by
the nation the ISP resides in or governed by industry agreements and *do
not* shut off your service if you are found to be pirating content.

But all of this is moot against the point you mentioned: Netflix authored a
broken process.

There are at least 3 much more accurate ways to establish regional
provenance for any packet - and of course all of them can be hacked - but
those same content providers have established in their audit requirements
that they're perfectly willing to accept the risks involved.





On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix 
wrote:

> "
> there is no reliable geo-location method for Netflix to use"
>
> Any microprocessor that is connected to the Internet is subject to being
> hacked - let's just turn off all of our computers, since we're talking in
> absolutes.
>
> From the perspective of the "lawyers and MBA types that negotiate
> agreements with Netflix and similar services" (to quote Eric), there *are* 
> reliable
> methods within a specific risk profile, and those include (thanks to Google
> and Apple, whom most of the content providers *also* have agreements
> with) AGPS based on Wifi and other industry now-standard methods.
>
> I don't think there _is_ a contractual requirement to attempt to block VPN
> traffic. I think there's a contractual requirement to provide geographic
> controls for content, which is a completely different discussion, and is
> what those same cable and satellite TV providers (many of which _are_ the
> ISPs for Netflix's customer base) provide.
>
> As has been pointed out, Slingbox is an excellent proxy for over-the-air
> and cable-tv video, but you don't see content providers pressuring
> regulation on them because they limit their risk with the station or cable
> TV provider.
>
>
>
>
> On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve 
> wrote:
>
>> That is true.  The problem is that traditionally the ISPs have to deal
>> with customers that can’t get to the content they want.  Netflix ridiculous
>> detection schemes do nothing but create tons of work for the service
>> provider which in turn creates stupid work-arounds and network
>> configurations that are ill conceived.  Myself, I had to shut off IPv6 at
>> home to get things to work reliably several times for dumb reasons.   Kind
>> of hard to preach the v6 message when I had to shut it off myself several
>> time to get my own stuff to work Ok.  Netflix just decided that creating
>> issues for a subset of their customers was better than having the real
>> fight with the content providers.
>>
>> My point is that there is no reliable geo-location method for Netflix to
>> use, at least there never has been yet.  Good luck ever getting that to
>> work behind the great firewall of China.
>>
>> Steven Naslund
>> Chicago IL
>>
>> From: Cryptographrix [mailto:cryptograph...@gmail.com]
>> Sent: Friday, June 03, 2016 4:56 PM
>> To: Naslund, Steve; nanog@nanog.org
>> Subject: Re: Netflix VPN detection - actual engineer needed
>>
>> Oh I'm not suggesting for a microsecond that any provenance of location
>> can not be hacked, but I totally think that - until the content providers
>> change their business model to not rely on regional controls - they could
>> at least use a more accurate source for that information than my IP(4 or 6)
>> address.
>>
>> I just don't think that this is an appropriate venue to discuss the value
>> of their business model as that's something their business needs to work on
>> changing internally, and fighting it (at least for the moment) will only
>> land Netflix in court.
>>
>> In short, I'm pointing the finger at Netflix's developers for coming up
>> with such a lazy control for geolocation.
>>
>> On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve > > wrote:
>> Wifi location depends on a bunch of problematic things.  First, your SSID
>> needs to get collected and put in a database somewhere.  That itself is a
>> crap shoot.  Next, you can stop google (and some other wifi databases) from
>> collecting the data by putting _nomap at the end of your SSID.  Lastly, not
>> everyone has wifi or iOS or GPS or whatever location method you can think
>> of.  BTW, my apple TV is on a wired Ethernet, not wifi.
>>
>> Point is, for whatever location technology you want to use be it IP, GPS,
>> WiFi location, sextant…..they can be inaccurate and they can be faked and
>> there are privacy concerns with all of them.  What the content producers
>> need to figure out is that regionalization DOES NOT WORK ANYMORE!  The
>> original point was that they could have different release dates in
>> different areas at different prices and 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

Fine, tell the lawyers and MBA types that if their reliable methods become 
unreliable they are not the ISPs problem and that their “risk profile” is the 
number of customer they lose.

I would like to see some sort of statistic that says AGPS is more reliable than 
IP location.  I really doubt it for the following reasons.


1.Device needs to have GPS, WiFi, or both.  A lot don’t.

2.   SSID needs to be in a database.  What is the ratio of SSIDs in the 
databases vs total SSIDs worldwide.  Bet a large percentage are not there.

3.   People can change an SSID or WiFi AP at any time.  How long exactly 
until I get my database entry updated.

4.   Any indoor area that does not have WiFi coverage cannot be located, 
period, end of story.

I guarantee you that Apple does not know where my Apple TV units or any of my 
Sony TVs are because they are on hard Ethernet cables with WiFi disabled so if 
they told the lawyers that, they lied.

Steven Naslund
Chicago IL



From: Cryptographrix [mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 5:18 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

"there is no reliable geo-location method for Netflix to use"

Any microprocessor that is connected to the Internet is subject to being hacked 
- let's just turn off all of our computers, since we're talking in absolutes.

From the perspective of the "lawyers and MBA types that negotiate agreements 
with Netflix and similar services" (to quote Eric), there are reliable methods 
within a specific risk profile, and those include (thanks to Google and Apple, 
whom most of the content providers also have agreements with) AGPS based on 
Wifi and other industry now-standard methods.

I don't think there _is_ a contractual requirement to attempt to block VPN 
traffic. I think there's a contractual requirement to provide geographic 
controls for content, which is a completely different discussion, and is what 
those same cable and satellite TV providers (many of which _are_ the ISPs for 
Netflix's customer base) provide.

As has been pointed out, Slingbox is an excellent proxy for over-the-air and 
cable-tv video, but you don't see content providers pressuring regulation on 
them because they limit their risk with the station or cable TV provider.




On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve 
> wrote:
That is true.  The problem is that traditionally the ISPs have to deal with 
customers that can’t get to the content they want.  Netflix ridiculous 
detection schemes do nothing but create tons of work for the service provider 
which in turn creates stupid work-arounds and network configurations that are 
ill conceived.  Myself, I had to shut off IPv6 at home to get things to work 
reliably several times for dumb reasons.   Kind of hard to preach the v6 
message when I had to shut it off myself several time to get my own stuff to 
work Ok.  Netflix just decided that creating issues for a subset of their 
customers was better than having the real fight with the content providers.

My point is that there is no reliable geo-location method for Netflix to use, 
at least there never has been yet.  Good luck ever getting that to work behind 
the great firewall of China.

Steven Naslund
Chicago IL

From: Cryptographrix 
[mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 4:56 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

Oh I'm not suggesting for a microsecond that any provenance of location can not 
be hacked, but I totally think that - until the content providers change their 
business model to not rely on regional controls - they could at least use a 
more accurate source for that information than my IP(4 or 6) address.

I just don't think that this is an appropriate venue to discuss the value of 
their business model as that's something their business needs to work on 
changing internally, and fighting it (at least for the moment) will only land 
Netflix in court.

In short, I'm pointing the finger at Netflix's developers for coming up with 
such a lazy control for geolocation.

On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve 
>>
 wrote:
Wifi location depends on a bunch of problematic things.  First, your SSID needs 
to get collected and put in a database somewhere.  That itself is a crap shoot. 
 Next, you can stop google (and some other wifi databases) from collecting the 
data by putting _nomap at the end of your SSID.  Lastly, not everyone has wifi 
or iOS or GPS or whatever location method you can think of.  BTW, my apple TV 
is on a wired Ethernet, not wifi.

Point is, for whatever location technology you want to use be it IP, GPS, WiFi 
location, sextant…..they can be 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

ISPs should not be in the business of helping distributors come up with “novel 
ways” to help them regionalize.  It’s counterproductive to the ISPs main 
purpose which is to get their customers “the whole Internet”, from anywhere to 
anywhere no matter where you are.

As far as TV channels, that is an unrelated issue because they have their own 
distribution network, they can freely choose what cable systems and what 
satellite systems they want to license to.  What you are NOT allowed to do is 
impose new requirements on our Internet to support your business licensing 
models and make it our problem.  This is no different than someone like 
Microsoft saying “hey service providers, we don’t want you to carry any network 
traffic from illegal copies of Outlook” and expecting us to figure it out.  I 
know as service providers we have to be sensitive to our customers but Netflix 
is also a service provider and should be taking the heat from their own 
customers.  Netflix authored a broken process and now we should be expected to 
re-engineer the network to eliminate V6 tunnel brokers?!?!?!  I don’t think so 
Netflix.

If I was still an ISP today, I would be sending all of my customers a memo 
explaining how badly Netflix VPN detection works and why it is so hard for us 
to help with it and why they should be complaining to Netflix.

Steven Naslund

From: Cryptographrix [mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 5:06 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

There's really no point in whining about content providers and regionalization 
as long as TV channels are still a thing.

I get that the internet totally annihilated borders of all kind (including the 
book store), but some businesses change slower than others, and content 
production is still back in the black-and-white TV days because even new 
content producers don't have that new of a business model.

But nor are ISPs coming up with novel ways for distributors to offer more 
reliable regionalization services (and most of them were in the content 
regionalization business long before the Internet came around).

Pick one of those two problems and make a business to solve them.

Until then, Netflix's developers could at least use the "novel" solution of 
tiering the most accurate forms of location before hitting IP geolocation.




On Fri, Jun 3, 2016 at 5:52 PM Naslund, Steve 
> wrote:
Actually it's time for Netflix to get out of the network transport business and 
tell the content providers to get over it or not get carried on Netflix.  It 
used to be that Netflix needed content providers, now I am starting to believe 
it might be the other way around.  Netflix might have to take a page from the 
satellite guys and start calling them out publicly.  i.e. "Netflix will no 
longer be able to provide you with Warner Bros. content because they are 
dinosaurs that are worried that someone might be watching in the wrong country. 
 We are pleased to offer you content from producers that are not complete 
morons"

As the content producers lose more and more control over the distribution 
channel they are going to take whatever terms are necessary to get them on 
Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish.  If you are not on 
any or all of those platforms, you are going to be dead meat.   Who would be 
hurt worse, Netflix or the movie producer that got seen nowhere on their latest 
film.  To me, this is the last gasp of an industry that lost control of its 
distribution channel years ago and is still trying to impose that control.

Steven Naslund

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On 
Behalf Of Mark Andrews
Sent: Friday, June 03, 2016 4:28 PM
To: Laszlo Hanyecz
Cc: nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed


It's time for Netflix to offer IPv6 tunnels.  That way they can correlate IPv4 
and IPv6 addresses.  Longest match will result is the correct source address 
being selected if they do the job correctly.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: 
ma...@isc.org

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

"there is no reliable geo-location method for Netflix to use"

Any microprocessor that is connected to the Internet is subject to being
hacked - let's just turn off all of our computers, since we're talking in
absolutes.

>From the perspective of the "lawyers and MBA types that negotiate
agreements with Netflix and similar services" (to quote Eric), there
*are* reliable
methods within a specific risk profile, and those include (thanks to Google
and Apple, whom most of the content providers *also* have agreements with)
AGPS based on Wifi and other industry now-standard methods.

I don't think there _is_ a contractual requirement to attempt to block VPN
traffic. I think there's a contractual requirement to provide geographic
controls for content, which is a completely different discussion, and is
what those same cable and satellite TV providers (many of which _are_ the
ISPs for Netflix's customer base) provide.

As has been pointed out, Slingbox is an excellent proxy for over-the-air
and cable-tv video, but you don't see content providers pressuring
regulation on them because they limit their risk with the station or cable
TV provider.




On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve  wrote:

> That is true.  The problem is that traditionally the ISPs have to deal
> with customers that can’t get to the content they want.  Netflix ridiculous
> detection schemes do nothing but create tons of work for the service
> provider which in turn creates stupid work-arounds and network
> configurations that are ill conceived.  Myself, I had to shut off IPv6 at
> home to get things to work reliably several times for dumb reasons.   Kind
> of hard to preach the v6 message when I had to shut it off myself several
> time to get my own stuff to work Ok.  Netflix just decided that creating
> issues for a subset of their customers was better than having the real
> fight with the content providers.
>
> My point is that there is no reliable geo-location method for Netflix to
> use, at least there never has been yet.  Good luck ever getting that to
> work behind the great firewall of China.
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com]
> Sent: Friday, June 03, 2016 4:56 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Oh I'm not suggesting for a microsecond that any provenance of location
> can not be hacked, but I totally think that - until the content providers
> change their business model to not rely on regional controls - they could
> at least use a more accurate source for that information than my IP(4 or 6)
> address.
>
> I just don't think that this is an appropriate venue to discuss the value
> of their business model as that's something their business needs to work on
> changing internally, and fighting it (at least for the moment) will only
> land Netflix in court.
>
> In short, I'm pointing the finger at Netflix's developers for coming up
> with such a lazy control for geolocation.
>
> On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve  > wrote:
> Wifi location depends on a bunch of problematic things.  First, your SSID
> needs to get collected and put in a database somewhere.  That itself is a
> crap shoot.  Next, you can stop google (and some other wifi databases) from
> collecting the data by putting _nomap at the end of your SSID.  Lastly, not
> everyone has wifi or iOS or GPS or whatever location method you can think
> of.  BTW, my apple TV is on a wired Ethernet, not wifi.
>
> Point is, for whatever location technology you want to use be it IP, GPS,
> WiFi location, sextant…..they can be inaccurate and they can be faked and
> there are privacy concerns with all of them.  What the content producers
> need to figure out is that regionalization DOES NOT WORK ANYMORE!  The
> original point was that they could have different release dates in
> different areas at different prices and availability.  They are going to
> have to get over it because they will lose the technological arms race.
>
> There is no reason you could not beat all of the location systems with a
> simple proxy.  A proxy makes a Netflix connection from an allowed IP,
> location or whatever and then builds a new video/audio stream out the back
> end to the client anywhere in the world.  Simple to implement and damn near
> impossible to beat.  Ever hear of Slingbox?
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com cryptograph...@gmail.com>]
> Sent: Friday, June 03, 2016 3:42 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Apple TVs get their location indoors using the same method they use for
> other iOS devices when indoors - wifi ssid/Mac scanning.
>
> Non-iOS devices are often capable of this as well.
>
> (As someone that spends >67% of his time underground 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

I kind of doubt it.  If any major studio knew that their movie would not be on 
one of those platforms I think it would be a major problem for them right now.  
One theater out of thousands is not a problem.  iTunes or Netflix has to be 
what50% of online distribution today.  That's gotta hurt.  iTunes already 
changed the music game and was able to impose their will concerning producer 
side DRM and other policies.  I'm sure Apple and Netflix have at least that 
much power in the movie space already.

Steven Naslund




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett
Sent: Friday, June 03, 2016 5:00 PM
Cc: nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

It might be a few years yet before the new channels have that much power. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Steve Naslund"  
To: nanog@nanog.org 
Sent: Friday, June 3, 2016 4:51:38 PM 
Subject: RE: Netflix VPN detection - actual engineer needed 

Actually it's time for Netflix to get out of the network transport business and 
tell the content providers to get over it or not get carried on Netflix. It 
used to be that Netflix needed content providers, now I am starting to believe 
it might be the other way around. Netflix might have to take a page from the 
satellite guys and start calling them out publicly. i.e. "Netflix will no 
longer be able to provide you with Warner Bros. content because they are 
dinosaurs that are worried that someone might be watching in the wrong country. 
We are pleased to offer you content from producers that are not complete 
morons" 

As the content producers lose more and more control over the distribution 
channel they are going to take whatever terms are necessary to get them on 
Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish. If you are not on 
any or all of those platforms, you are going to be dead meat. Who would be hurt 
worse, Netflix or the movie producer that got seen nowhere on their latest 
film. To me, this is the last gasp of an industry that lost control of its 
distribution channel years ago and is still trying to impose that control. 

Steven Naslund 

-Original Message- 
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Andrews 
Sent: Friday, June 03, 2016 4:28 PM 
To: Laszlo Hanyecz 
Cc: nanog@nanog.org 
Subject: Re: Netflix VPN detection - actual engineer needed 


It's time for Netflix to offer IPv6 tunnels. That way they can correlate IPv4 
and IPv6 addresses. Longest match will result is the correct source address 
being selected if they do the job correctly. 

-- 
Mark Andrews, ISC 
1 Seymour St., Dundas Valley, NSW 2117, Australia 
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org 

Re: Netflix VPN detection - actual engineer needed

[Eric Kuhnke]

>From a network operational perspective we are only seeing the tip of the
iceberg. There are vast hordes of lawyers and MBA types employed by the
largest content creators (TV channels, movie studios) which negotiate
agreements with Netflix and similar services.

 Unless you happen to be a sysadmin inside one of these entities with
access to the contracts and documents, all of this is totally opaque from a
network engineering viewpoint.

I do not think the contractual requirement to *attempt* to block VPN
traffic will change until a significantly larger percentage of US customers
abandon paying for their cable TV & satellite TV monthly packages.


On Fri, Jun 3, 2016 at 2:56 PM, Cryptographrix 
wrote:

> I just don't think that this is an appropriate venue to discuss the value
> of their business model as that's something their business needs to work on
> changing internally, and fighting it (at least for the moment) will only
> land Netflix in court.
>
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

There's really no point in whining about content providers and
regionalization as long as TV channels are still a thing.

I get that the internet totally annihilated borders of all kind (including
the book store), but some businesses change slower than others, and content
production is still back in the black-and-white TV days because even new
content producers don't have that new of a business model.

But nor are ISPs coming up with novel ways for distributors to offer more
reliable regionalization services (and most of them were in the content
regionalization business long before the Internet came around).

Pick one of those two problems and make a business to solve them.

Until then, Netflix's developers could at least use the "novel" solution of
tiering the most accurate forms of location before hitting IP geolocation.





On Fri, Jun 3, 2016 at 5:52 PM Naslund, Steve  wrote:

> Actually it's time for Netflix to get out of the network transport
> business and tell the content providers to get over it or not get carried
> on Netflix.  It used to be that Netflix needed content providers, now I am
> starting to believe it might be the other way around.  Netflix might have
> to take a page from the satellite guys and start calling them out
> publicly.  i.e. "Netflix will no longer be able to provide you with Warner
> Bros. content because they are dinosaurs that are worried that someone
> might be watching in the wrong country.  We are pleased to offer you
> content from producers that are not complete morons"
>
> As the content producers lose more and more control over the distribution
> channel they are going to take whatever terms are necessary to get them on
> Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish.  If you are not
> on any or all of those platforms, you are going to be dead meat.   Who
> would be hurt worse, Netflix or the movie producer that got seen nowhere on
> their latest film.  To me, this is the last gasp of an industry that lost
> control of its distribution channel years ago and is still trying to impose
> that control.
>
> Steven Naslund
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Andrews
> Sent: Friday, June 03, 2016 4:28 PM
> To: Laszlo Hanyecz
> Cc: nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
>
> It's time for Netflix to offer IPv6 tunnels.  That way they can correlate
> IPv4 and IPv6 addresses.  Longest match will result is the correct source
> address being selected if they do the job correctly.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

That is true.  The problem is that traditionally the ISPs have to deal with 
customers that can’t get to the content they want.  Netflix ridiculous 
detection schemes do nothing but create tons of work for the service provider 
which in turn creates stupid work-arounds and network configurations that are 
ill conceived.  Myself, I had to shut off IPv6 at home to get things to work 
reliably several times for dumb reasons.   Kind of hard to preach the v6 
message when I had to shut it off myself several time to get my own stuff to 
work Ok.  Netflix just decided that creating issues for a subset of their 
customers was better than having the real fight with the content providers.

My point is that there is no reliable geo-location method for Netflix to use, 
at least there never has been yet.  Good luck ever getting that to work behind 
the great firewall of China.

Steven Naslund
Chicago IL

From: Cryptographrix [mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 4:56 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

Oh I'm not suggesting for a microsecond that any provenance of location can not 
be hacked, but I totally think that - until the content providers change their 
business model to not rely on regional controls - they could at least use a 
more accurate source for that information than my IP(4 or 6) address.

I just don't think that this is an appropriate venue to discuss the value of 
their business model as that's something their business needs to work on 
changing internally, and fighting it (at least for the moment) will only land 
Netflix in court.

In short, I'm pointing the finger at Netflix's developers for coming up with 
such a lazy control for geolocation.

On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve 
> wrote:
Wifi location depends on a bunch of problematic things.  First, your SSID needs 
to get collected and put in a database somewhere.  That itself is a crap shoot. 
 Next, you can stop google (and some other wifi databases) from collecting the 
data by putting _nomap at the end of your SSID.  Lastly, not everyone has wifi 
or iOS or GPS or whatever location method you can think of.  BTW, my apple TV 
is on a wired Ethernet, not wifi.

Point is, for whatever location technology you want to use be it IP, GPS, WiFi 
location, sextant…..they can be inaccurate and they can be faked and there are 
privacy concerns with all of them.  What the content producers need to figure 
out is that regionalization DOES NOT WORK ANYMORE!  The original point was that 
they could have different release dates in different areas at different prices 
and availability.  They are going to have to get over it because they will lose 
the technological arms race.

There is no reason you could not beat all of the location systems with a simple 
proxy.  A proxy makes a Netflix connection from an allowed IP, location or 
whatever and then builds a new video/audio stream out the back end to the 
client anywhere in the world.  Simple to implement and damn near impossible to 
beat.  Ever hear of Slingbox?

Steven Naslund
Chicago IL

From: Cryptographrix 
[mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 3:42 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

Apple TVs get their location indoors using the same method they use for other 
iOS devices when indoors - wifi ssid/Mac scanning.

Non-iOS devices are often capable of this as well.

(As someone that spends >67% of his time underground and whose Apple TV 
requests my location from my underground bedroom and is very accurate)

On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve 
>>
 wrote:
Their app could request your devices location.  Problem is a lot of devices 
(like TVs, Apple TVs, most DVD player, i.e. device with built in Netflix) don't 
know where they are and it cannot easily be added (indoor GPS is still 
difficult/expensive) and even if they could should they be believed.  I think 
the bigger issue is whether any kind of regional controls are enforceable or 
effective any more.

Steven Naslund
Chicago IL

-Original Message-
From: NANOG 
[mailto:nanog-boun...@nanog.org>]
 On Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:21 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

Come now, content providers really just care that they have access to regional 
controls more so than their ability to blanket-deny access (ok, minus the MLB 
who are just insane).

And part of those regional controls deal with the accuracy of the location 
information.

If 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

+1 to this idea.

On Fri, Jun 3, 2016 at 5:29 PM Mark Andrews  wrote:

>
> It's time for Netflix to offer IPv6 tunnels.  That way they can
> correlate IPv4 and IPv6 addresses.  Longest match will result is
> the correct source address being selected if they do the job
> correctly.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

Re: Netflix VPN detection - actual engineer needed

[Mike Hammett]

It might be a few years yet before the new channels have that much power. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Steve Naslund"  
To: nanog@nanog.org 
Sent: Friday, June 3, 2016 4:51:38 PM 
Subject: RE: Netflix VPN detection - actual engineer needed 

Actually it's time for Netflix to get out of the network transport business and 
tell the content providers to get over it or not get carried on Netflix. It 
used to be that Netflix needed content providers, now I am starting to believe 
it might be the other way around. Netflix might have to take a page from the 
satellite guys and start calling them out publicly. i.e. "Netflix will no 
longer be able to provide you with Warner Bros. content because they are 
dinosaurs that are worried that someone might be watching in the wrong country. 
We are pleased to offer you content from producers that are not complete 
morons" 

As the content producers lose more and more control over the distribution 
channel they are going to take whatever terms are necessary to get them on 
Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish. If you are not on 
any or all of those platforms, you are going to be dead meat. Who would be hurt 
worse, Netflix or the movie producer that got seen nowhere on their latest 
film. To me, this is the last gasp of an industry that lost control of its 
distribution channel years ago and is still trying to impose that control. 

Steven Naslund 

-Original Message- 
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Andrews 
Sent: Friday, June 03, 2016 4:28 PM 
To: Laszlo Hanyecz 
Cc: nanog@nanog.org 
Subject: Re: Netflix VPN detection - actual engineer needed 


It's time for Netflix to offer IPv6 tunnels. That way they can correlate IPv4 
and IPv6 addresses. Longest match will result is the correct source address 
being selected if they do the job correctly. 

-- 
Mark Andrews, ISC 
1 Seymour St., Dundas Valley, NSW 2117, Australia 
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Oh I'm not suggesting for a microsecond that any provenance of location can
not be hacked, but I totally think that - until the content providers
change their business model to not rely on regional controls - they could
at least use a more accurate source for that information than my IP(4 or 6)
address.

I just don't think that this is an appropriate venue to discuss the value
of their business model as that's something their business needs to work on
changing internally, and fighting it (at least for the moment) will only
land Netflix in court.

In short, I'm pointing the finger at Netflix's developers for coming up
with such a lazy control for geolocation.

On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve  wrote:

> Wifi location depends on a bunch of problematic things.  First, your SSID
> needs to get collected and put in a database somewhere.  That itself is a
> crap shoot.  Next, you can stop google (and some other wifi databases) from
> collecting the data by putting _nomap at the end of your SSID.  Lastly, not
> everyone has wifi or iOS or GPS or whatever location method you can think
> of.  BTW, my apple TV is on a wired Ethernet, not wifi.
>
> Point is, for whatever location technology you want to use be it IP, GPS,
> WiFi location, sextant…..they can be inaccurate and they can be faked and
> there are privacy concerns with all of them.  What the content producers
> need to figure out is that regionalization DOES NOT WORK ANYMORE!  The
> original point was that they could have different release dates in
> different areas at different prices and availability.  They are going to
> have to get over it because they will lose the technological arms race.
>
> There is no reason you could not beat all of the location systems with a
> simple proxy.  A proxy makes a Netflix connection from an allowed IP,
> location or whatever and then builds a new video/audio stream out the back
> end to the client anywhere in the world.  Simple to implement and damn near
> impossible to beat.  Ever hear of Slingbox?
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com]
> Sent: Friday, June 03, 2016 3:42 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Apple TVs get their location indoors using the same method they use for
> other iOS devices when indoors - wifi ssid/Mac scanning.
>
> Non-iOS devices are often capable of this as well.
>
> (As someone that spends >67% of his time underground and whose Apple TV
> requests my location from my underground bedroom and is very accurate)
>
> On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve  > wrote:
> Their app could request your devices location.  Problem is a lot of
> devices (like TVs, Apple TVs, most DVD player, i.e. device with built in
> Netflix) don't know where they are and it cannot easily be added (indoor
> GPS is still difficult/expensive) and even if they could should they be
> believed.  I think the bigger issue is whether any kind of regional
> controls are enforceable or effective any more.
>
> Steven Naslund
> Chicago IL
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org]
> On Behalf Of Cryptographrix
> Sent: Friday, June 03, 2016 3:21 PM
> To: Spencer Ryan
> Cc: North American Network Operators' Group
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Come now, content providers really just care that they have access to
> regional controls more so than their ability to blanket-deny access (ok,
> minus the MLB who are just insane).
>
> And part of those regional controls deal with the accuracy of the location
> information.
>
> If their app can request my device's precise location, it doesn't need to
> infer my location from my IP any more.
>
> As a matter of fact, it's only detrimental to them for it to do so,
> because of the lack of accuracy from geo databases and the various reasons
> that people use VPNs nowadays (i.e. for some devices that you can't even
> turn VPN connections off for - OR in the case of IPv6, when you can't reach
> a segment of the Internet without it).
>
>
> On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan > wrote:
>
> > There is a large difference between "the VPN run at your house" and
> > "Arguably the most popular, free, mostly anonymous tunnel broker service"
> >
> > If it were up to the content providers, they probably would block any
> > IP they saw a VPN server listening on.
> >
> >
> > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net sr...@arbor.net> *Arbor
> > Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix
> > >
> > wrote:
> >
> >> I have a VPN connection at my house. There's no 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

Actually it's time for Netflix to get out of the network transport business and 
tell the content providers to get over it or not get carried on Netflix.  It 
used to be that Netflix needed content providers, now I am starting to believe 
it might be the other way around.  Netflix might have to take a page from the 
satellite guys and start calling them out publicly.  i.e. "Netflix will no 
longer be able to provide you with Warner Bros. content because they are 
dinosaurs that are worried that someone might be watching in the wrong country. 
 We are pleased to offer you content from producers that are not complete 
morons"

As the content producers lose more and more control over the distribution 
channel they are going to take whatever terms are necessary to get them on 
Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish.  If you are not on 
any or all of those platforms, you are going to be dead meat.   Who would be 
hurt worse, Netflix or the movie producer that got seen nowhere on their latest 
film.  To me, this is the last gasp of an industry that lost control of its 
distribution channel years ago and is still trying to impose that control.

Steven Naslund 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mark Andrews
Sent: Friday, June 03, 2016 4:28 PM
To: Laszlo Hanyecz
Cc: nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed


It's time for Netflix to offer IPv6 tunnels.  That way they can correlate IPv4 
and IPv6 addresses.  Longest match will result is the correct source address 
being selected if they do the job correctly.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

> Do they honestly believe that they can prevent some guy in Pakistan from
seeing a movie they want?

The content providers do. And given the choice between "Try and stop vpn
users" and "We are pulling all our content" I know which most people would
rather.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jun 3, 2016 at 5:40 PM, Naslund, Steve  wrote:

> True,  I thought digital distribution almost killed them.  Then they
> started to understand that Netflix and iTunes are the new normal and got on
> board (kicking and screaming).  Now, they get all torn up over the
> completely outdated concept of regionalization that should have died along
> with physical media distribution.  Do they honestly believe that they can
> prevent some guy in Pakistan from seeing a movie they want?  Don't they
> know that in most third world areas you can find PRE-RELEASE DVDs before
> stuff hits the theaters in the U.S.?  You would think that they would
> welcome someone actually using a legitimate distribution medium rather than
> the traditional black market method.
>
>
> Steven Naslund
> Chicago IL
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett
> Sent: Friday, June 03, 2016 4:17 PM
> Cc: nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> As bad as some are in the telecom industry, they don't hold a candle to
> those in the content industry.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> - Original Message -
>
> From: "Steve Naslund" 
> To: nanog@nanog.org
> Sent: Friday, June 3, 2016 3:55:43 PM
> Subject: RE: Netflix VPN detection - actual engineer needed
>
> Wifi location depends on a bunch of problematic things. First, your SSID
> needs to get collected and put in a database somewhere. That itself is a
> crap shoot. Next, you can stop google (and some other wifi databases) from
> collecting the data by putting _nomap at the end of your SSID. Lastly, not
> everyone has wifi or iOS or GPS or whatever location method you can think
> of. BTW, my apple TV is on a wired Ethernet, not wifi.
>
> Point is, for whatever location technology you want to use be it IP, GPS,
> WiFi location, sextant…..they can be inaccurate and they can be faked and
> there are privacy concerns with all of them. What the content producers
> need to figure out is that regionalization DOES NOT WORK ANYMORE! The
> original point was that they could have different release dates in
> different areas at different prices and availability. They are going to
> have to get over it because they will lose the technological arms race.
>
> There is no reason you could not beat all of the location systems with a
> simple proxy. A proxy makes a Netflix connection from an allowed IP,
> location or whatever and then builds a new video/audio stream out the back
> end to the client anywhere in the world. Simple to implement and damn near
> impossible to beat. Ever hear of Slingbox?
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com]
> Sent: Friday, June 03, 2016 3:42 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Apple TVs get their location indoors using the same method they use for
> other iOS devices when indoors - wifi ssid/Mac scanning.
>
> Non-iOS devices are often capable of this as well.
>
> (As someone that spends >67% of his time underground and whose Apple TV
> requests my location from my underground bedroom and is very accurate)
>
> On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve  > wrote:
> Their app could request your devices location. Problem is a lot of devices
> (like TVs, Apple TVs, most DVD player, i.e. device with built in Netflix)
> don't know where they are and it cannot easily be added (indoor GPS is
> still difficult/expensive) and even if they could should they be believed.
> I think the bigger issue is whether any kind of regional controls are
> enforceable or effective any more.
>
> Steven Naslund
> Chicago IL
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org]
> On Behalf Of Cryptographrix
> Sent: Friday, June 03, 2016 3:21 PM
> To: Spencer Ryan
> Cc: North American Network Operators' Group
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Come now, content providers really just care that they have access to
> regional controls more so than their ability to blanket-deny access (ok,
> minus the MLB who are just insane).
>
> And part of those regional controls deal with the accuracy of the location
> information.
>
> If their app can request my device's precise location, it doesn't need to
> infer 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

True,  I thought digital distribution almost killed them.  Then they started to 
understand that Netflix and iTunes are the new normal and got on board (kicking 
and screaming).  Now, they get all torn up over the completely outdated concept 
of regionalization that should have died along with physical media 
distribution.  Do they honestly believe that they can prevent some guy in 
Pakistan from seeing a movie they want?  Don't they know that in most third 
world areas you can find PRE-RELEASE DVDs before stuff hits the theaters in the 
U.S.?  You would think that they would welcome someone actually using a 
legitimate distribution medium rather than the traditional black market method. 


Steven Naslund
Chicago IL

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett
Sent: Friday, June 03, 2016 4:17 PM
Cc: nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

As bad as some are in the telecom industry, they don't hold a candle to those 
in the content industry. 




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com 

Midwest-IX
http://www.midwest-ix.com 

- Original Message -

From: "Steve Naslund" 
To: nanog@nanog.org
Sent: Friday, June 3, 2016 3:55:43 PM
Subject: RE: Netflix VPN detection - actual engineer needed 

Wifi location depends on a bunch of problematic things. First, your SSID needs 
to get collected and put in a database somewhere. That itself is a crap shoot. 
Next, you can stop google (and some other wifi databases) from collecting the 
data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi 
or iOS or GPS or whatever location method you can think of. BTW, my apple TV is 
on a wired Ethernet, not wifi. 

Point is, for whatever location technology you want to use be it IP, GPS, WiFi 
location, sextant…..they can be inaccurate and they can be faked and there are 
privacy concerns with all of them. What the content producers need to figure 
out is that regionalization DOES NOT WORK ANYMORE! The original point was that 
they could have different release dates in different areas at different prices 
and availability. They are going to have to get over it because they will lose 
the technological arms race. 

There is no reason you could not beat all of the location systems with a simple 
proxy. A proxy makes a Netflix connection from an allowed IP, location or 
whatever and then builds a new video/audio stream out the back end to the 
client anywhere in the world. Simple to implement and damn near impossible to 
beat. Ever hear of Slingbox? 

Steven Naslund
Chicago IL 

From: Cryptographrix [mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 3:42 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed 

Apple TVs get their location indoors using the same method they use for other 
iOS devices when indoors - wifi ssid/Mac scanning. 

Non-iOS devices are often capable of this as well. 

(As someone that spends >67% of his time underground and whose Apple TV 
requests my location from my underground bedroom and is very accurate) 

On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve 
> wrote: 
Their app could request your devices location. Problem is a lot of devices 
(like TVs, Apple TVs, most DVD player, i.e. device with built in Netflix) don't 
know where they are and it cannot easily be added (indoor GPS is still 
difficult/expensive) and even if they could should they be believed. I think 
the bigger issue is whether any kind of regional controls are enforceable or 
effective any more. 

Steven Naslund
Chicago IL 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On 
Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:21 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed 

Come now, content providers really just care that they have access to regional 
controls more so than their ability to blanket-deny access (ok, minus the MLB 
who are just insane). 

And part of those regional controls deal with the accuracy of the location 
information. 

If their app can request my device's precise location, it doesn't need to infer 
my location from my IP any more. 

As a matter of fact, it's only detrimental to them for it to do so, because of 
the lack of accuracy from geo databases and the various reasons that people use 
VPNs nowadays (i.e. for some devices that you can't even turn VPN connections 
off for - OR in the case of IPv6, when you can't reach a segment of the 
Internet without it). 


On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan 
> wrote: 

> There is a large difference between "the VPN run at your house" and 
> "Arguably the most popular, free, mostly anonymous tunnel broker service"
> 

Re: Netflix VPN detection - actual engineer needed

[Mark Andrews]

It's time for Netflix to offer IPv6 tunnels.  That way they can
correlate IPv4 and IPv6 addresses.  Longest match will result is
the correct source address being selected if they do the job
correctly.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: Netflix VPN detection - actual engineer needed

[Mike Hammett]

As bad as some are in the telecom industry, they don't hold a candle to those 
in the content industry. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Steve Naslund"  
To: nanog@nanog.org 
Sent: Friday, June 3, 2016 3:55:43 PM 
Subject: RE: Netflix VPN detection - actual engineer needed 

Wifi location depends on a bunch of problematic things. First, your SSID needs 
to get collected and put in a database somewhere. That itself is a crap shoot. 
Next, you can stop google (and some other wifi databases) from collecting the 
data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi 
or iOS or GPS or whatever location method you can think of. BTW, my apple TV is 
on a wired Ethernet, not wifi. 

Point is, for whatever location technology you want to use be it IP, GPS, WiFi 
location, sextant…..they can be inaccurate and they can be faked and there are 
privacy concerns with all of them. What the content producers need to figure 
out is that regionalization DOES NOT WORK ANYMORE! The original point was that 
they could have different release dates in different areas at different prices 
and availability. They are going to have to get over it because they will lose 
the technological arms race. 

There is no reason you could not beat all of the location systems with a simple 
proxy. A proxy makes a Netflix connection from an allowed IP, location or 
whatever and then builds a new video/audio stream out the back end to the 
client anywhere in the world. Simple to implement and damn near impossible to 
beat. Ever hear of Slingbox? 

Steven Naslund 
Chicago IL 

From: Cryptographrix [mailto:cryptograph...@gmail.com] 
Sent: Friday, June 03, 2016 3:42 PM 
To: Naslund, Steve; nanog@nanog.org 
Subject: Re: Netflix VPN detection - actual engineer needed 

Apple TVs get their location indoors using the same method they use for other 
iOS devices when indoors - wifi ssid/Mac scanning. 

Non-iOS devices are often capable of this as well. 

(As someone that spends >67% of his time underground and whose Apple TV 
requests my location from my underground bedroom and is very accurate) 

On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve 
> wrote: 
Their app could request your devices location. Problem is a lot of devices 
(like TVs, Apple TVs, most DVD player, i.e. device with built in Netflix) don't 
know where they are and it cannot easily be added (indoor GPS is still 
difficult/expensive) and even if they could should they be believed. I think 
the bigger issue is whether any kind of regional controls are enforceable or 
effective any more. 

Steven Naslund 
Chicago IL 

-Original Message- 
From: NANOG [mailto:nanog-boun...@nanog.org] On 
Behalf Of Cryptographrix 
Sent: Friday, June 03, 2016 3:21 PM 
To: Spencer Ryan 
Cc: North American Network Operators' Group 
Subject: Re: Netflix VPN detection - actual engineer needed 

Come now, content providers really just care that they have access to regional 
controls more so than their ability to blanket-deny access (ok, minus the MLB 
who are just insane). 

And part of those regional controls deal with the accuracy of the location 
information. 

If their app can request my device's precise location, it doesn't need to infer 
my location from my IP any more. 

As a matter of fact, it's only detrimental to them for it to do so, because of 
the lack of accuracy from geo databases and the various reasons that people use 
VPNs nowadays (i.e. for some devices that you can't even turn VPN connections 
off for - OR in the case of IPv6, when you can't reach a segment of the 
Internet without it). 


On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan 
> wrote: 

> There is a large difference between "the VPN run at your house" and 
> "Arguably the most popular, free, mostly anonymous tunnel broker service" 
> 
> If it were up to the content providers, they probably would block any 
> IP they saw a VPN server listening on. 
> 
> 
> *Spencer Ryan* | Senior Systems Administrator | 
> sr...@arbor.net *Arbor 
> Networks* 
> +1.734.794.5033 (d) | +1.734.846.2053 (m) 
> www.arbornetworks.com 
> 
> On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix 
> > 
> wrote: 
> 
>> I have a VPN connection at my house. There's no way for them to know 
>> the difference between me using my home network connection from Hong 
>> Kong or my home network connection from my house. 
>> 
>> Are they going to disable connectivity from everywhere they can 
>> detect an open VPN port to, also? 
>> 
>> If they trust my v4 address, they can use that to establish 
>> historical reference. Additionally, they can fail over to v4 if they 
>> do not 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

Well, that's the rub of the whole issue with Netflix VPN detection.  They don't 
actually detect the VPN, they detect a bunch of people coming from the same IP 
address which they assume to be done via a VPN or proxy.  Any large networks 
sitting behind a single NAT are going to get looked at that way.  If everyone 
was using a VPN to their home and jumping through that to get to Netflix it 
would be nearly impossible to detect reliably (I know you could play games with 
MTU detection and stuff like that but those will give even more false 
positives).  The big fight is coming when Netflix is going to have to get real 
with the content providers and admit that there is no reliable way to 
regionalize.


Steven Naslund
Chicago IL





-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Blair Trosper
Sent: Friday, June 03, 2016 4:00 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

I dunno.  I could argue that I could -- to extend that idea -- let literally 
ANYONE tunnel through my Comcast Business connection to appear to be in the Bay 
Area.  How's that fundamentally different than a service like TunnelBroker 
apart from economies of scale?

More than a few people I know are ready to dump Netflix for this.
Fortunately, where I live, Comcast Business has native dual stack...

On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan  wrote:

> There is no way for Netflix to know the difference between you being 
> in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net *Arbor 
> Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
> 
> wrote:
>
>> Same, but until there's a real IPv6 presence in the US, it's really 
>> annoying that they haven't come up with some fix for this.
>>
>> I have no plans to turn off IPv6 at home - I actually have many uses 
>> for it, and as much as I dislike the controversy around it, think 
>> that adoption needs to be prioritized, not penalized.
>>
>> Additionally, I think that discussing content provider control over 
>> regional decisions isn't productive to the conversation, as they 
>> didn't build the banhammer (wouldn't you want to control your own 
>> content if you had made content specific to regional laws etc?).
>>
>> I.e. - not all shows need to have regional restrictions between New 
>> York (where I live) and California (where my IPv6 /64 says I live).
>>
>> I'm able to watch House in the any state in the U.S.? Great - ignore 
>> my intra-US proxy connection.
>>
>> My Netflix account randomly tries to connect from Tokyo because I 
>> forgot to shut off my work VPN? Finelet me know and I'll turn *that* off.
>>
>>
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>>
>>> I don't blame them for blocking a (effectively) anonymous tunnel broker.
>>> I'm sure their content providers are forcing their hand.
>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
>>> wrote:
>>>
 Netflix needs to figure out a fix for this until ISPs actually 
 provide
 IPv6
 natively.



 On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
 
 wrote:

 > Confirmed that Hurricane Electric's TunnelBroker is now blocked 
 > by Netflix.  Anyone nice people from Netflix perhaps want to take 
 > a
 crack at
 > this?
 >
 >
 >
 > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
 >
 > > Had the same problem at my house, but it was caused by the IPv6
 > connection
 > > to HE.  Turned of V6 and the device worked.
 > >
 > >
 > > --
 > >
 > > Sent with Airmail
 > >
 > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman 
 > > (matt...@matthew.at
 )
 > > wrote:
 > >
 > > Every device in my house is blocked from Netflix this evening 
 > > due to their new "VPN blocker". My house is on my own IP space, 
 > > and the
 outside
 > > of the NAT that the family devices are on is 198.202.199.254,
 announced
 > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my 
 > > house should show that I'm no farther away than Santa Cruz, CA 
 > > as
 microwaves
 > > fly.
 > >
 > > Unfortunately, when one calls Netflix support to talk about 
 > > this,
 the
 > > only response is to say "call your ISP and have them turn off 
 > > the
 VPN
 > > software they've added to your account". And they absolutely 
 > > refuse
 to
 > > escalate. Even if you tell them that you are essentially your 
 > > own
 ISP.
 > >
 > > So... where's the Netflix network engineer on the list who all 
 > > of
 us 

Re: Netflix VPN detection - actual engineer needed

[Laszlo Hanyecz]

On 2016-06-03 19:37, Matthew Huff wrote:

I would imagine it was done on purpose. The purpose of the Netflix VPN 
detection was to block users from outside of different regions due to content 
providers requests. Since HE provides free ipv6 tunnels, it's an easy way to 
get around the blockage, hence the restriction.




I know this isn't news to anyone on the list but I want to point out 
that the root of this problem is in trying to attach an Earth location 
to a network packet.  The only good solution we have for this is to ASK 
the user where they are located.  Netflix has a broken system that is 
causing a lot of collateral damage because the whole thing is based on 
the premise that they can determine where the users are by guessing.  If 
you just got your netblock it's probably going to be banned because it's 
not in their GeoIP database.  Maybe if you jump through all the right 
hoops, in a few months time they will update the database.


Working around it just sends the message that this is an acceptable 
practice and you will own the problems they caused.  This a widespread 
problem and not specific to Netflix.


There's also another angle to this in that old IP addresses (that work 
with Netflix/youtube/whatever) become more valuable and newly registered 
netblocks (like the ones everyone should be getting for IPv6) are not 
useful.  This might be a good way to keep new ISPs out too, unless they 
can pay for a well aged IPv4 block so their subscribers can access 
Netflix and friends.


-Laszlo

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

It's not. But if you start pumping 10s of gigabits to Netflix with
thousands of user IDs Netflix will blacklist your /56 as well.
On Jun 3, 2016 5:00 PM, "Blair Trosper"  wrote:

> I dunno.  I could argue that I could -- to extend that idea -- let
> literally ANYONE tunnel through my Comcast Business connection to appear to
> be in the Bay Area.  How's that fundamentally different than a service like
> TunnelBroker apart from economies of scale?
>
> More than a few people I know are ready to dump Netflix for this.
> Fortunately, where I live, Comcast Business has native dual stack...
>
> On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan  wrote:
>
>> There is no way for Netflix to know the difference between you being in
>> NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>>
>>
>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>>
>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
>> wrote:
>>
>>> Same, but until there's a real IPv6 presence in the US, it's really
>>> annoying that they haven't come up with some fix for this.
>>>
>>> I have no plans to turn off IPv6 at home - I actually have many uses for
>>> it, and as much as I dislike the controversy around it, think that adoption
>>> needs to be prioritized, not penalized.
>>>
>>> Additionally, I think that discussing content provider control over
>>> regional decisions isn't productive to the conversation, as they didn't
>>> build the banhammer (wouldn't you want to control your own content if you
>>> had made content specific to regional laws etc?).
>>>
>>> I.e. - not all shows need to have regional restrictions between New York
>>> (where I live) and California (where my IPv6 /64 says I live).
>>>
>>> I'm able to watch House in the any state in the U.S.? Great - ignore my
>>> intra-US proxy connection.
>>>
>>> My Netflix account randomly tries to connect from Tokyo because I forgot
>>> to shut off my work VPN? Finelet me know and I'll turn *that* off.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>>>
 I don't blame them for blocking a (effectively) anonymous tunnel
 broker. I'm sure their content providers are forcing their hand.
 On Jun 3, 2016 3:46 PM, "Cryptographrix" 
 wrote:

> Netflix needs to figure out a fix for this until ISPs actually provide
> IPv6
> natively.
>
>
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > Netflix.  Anyone nice people from Netflix perhaps want to take a
> crack at
> > this?
> >
> >
> >
> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> >
> > > Had the same problem at my house, but it was caused by the IPv6
> > connection
> > > to HE.  Turned of V6 and the device worked.
> > >
> > >
> > > --
> > >
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (
> matt...@matthew.at)
> > > wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening due
> to
> > > their new "VPN blocker". My house is on my own IP space, and the
> outside
> > > of the NAT that the family devices are on is 198.202.199.254,
> announced
> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> > > should show that I'm no farther away than Santa Cruz, CA as
> microwaves
> > > fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about this,
> the
> > > only response is to say "call your ISP and have them turn off the
> VPN
> > > software they've added to your account". And they absolutely
> refuse to
> > > escalate. Even if you tell them that you are essentially your own
> ISP.
> > >
> > > So... where's the Netflix network engineer on the list who all of
> us can
> > > send these issues to directly?
> > >
> > > Matthew Kaufman
> > >
> >
>

>>
>

Re: Netflix VPN detection - actual engineer needed

[Blair Trosper]

I dunno.  I could argue that I could -- to extend that idea -- let
literally ANYONE tunnel through my Comcast Business connection to appear to
be in the Bay Area.  How's that fundamentally different than a service like
TunnelBroker apart from economies of scale?

More than a few people I know are ready to dump Netflix for this.
Fortunately, where I live, Comcast Business has native dual stack...

On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan  wrote:

> There is no way for Netflix to know the difference between you being in NY
> and using the tunnel, and you living in Hong Kong and using the tunnel.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
> wrote:
>
>> Same, but until there's a real IPv6 presence in the US, it's really
>> annoying that they haven't come up with some fix for this.
>>
>> I have no plans to turn off IPv6 at home - I actually have many uses for
>> it, and as much as I dislike the controversy around it, think that adoption
>> needs to be prioritized, not penalized.
>>
>> Additionally, I think that discussing content provider control over
>> regional decisions isn't productive to the conversation, as they didn't
>> build the banhammer (wouldn't you want to control your own content if you
>> had made content specific to regional laws etc?).
>>
>> I.e. - not all shows need to have regional restrictions between New York
>> (where I live) and California (where my IPv6 /64 says I live).
>>
>> I'm able to watch House in the any state in the U.S.? Great - ignore my
>> intra-US proxy connection.
>>
>> My Netflix account randomly tries to connect from Tokyo because I forgot
>> to shut off my work VPN? Finelet me know and I'll turn *that* off.
>>
>>
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>>
>>> I don't blame them for blocking a (effectively) anonymous tunnel broker.
>>> I'm sure their content providers are forcing their hand.
>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
>>> wrote:
>>>
 Netflix needs to figure out a fix for this until ISPs actually provide
 IPv6
 natively.



 On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
 wrote:

 > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
 > Netflix.  Anyone nice people from Netflix perhaps want to take a
 crack at
 > this?
 >
 >
 >
 > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
 >
 > > Had the same problem at my house, but it was caused by the IPv6
 > connection
 > > to HE.  Turned of V6 and the device worked.
 > >
 > >
 > > --
 > >
 > > Sent with Airmail
 > >
 > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at
 )
 > > wrote:
 > >
 > > Every device in my house is blocked from Netflix this evening due to
 > > their new "VPN blocker". My house is on my own IP space, and the
 outside
 > > of the NAT that the family devices are on is 198.202.199.254,
 announced
 > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
 > > should show that I'm no farther away than Santa Cruz, CA as
 microwaves
 > > fly.
 > >
 > > Unfortunately, when one calls Netflix support to talk about this,
 the
 > > only response is to say "call your ISP and have them turn off the
 VPN
 > > software they've added to your account". And they absolutely refuse
 to
 > > escalate. Even if you tell them that you are essentially your own
 ISP.
 > >
 > > So... where's the Netflix network engineer on the list who all of
 us can
 > > send these issues to directly?
 > >
 > > Matthew Kaufman
 > >
 >

>>>
>

Re: Netflix VPN detection - actual engineer needed

[Alex Buie]

Agreed. I find it silly that as a US citizen on my US-bank-paid-for Netflix
account with US physical address information suddenly cannot watch things
when travelling I legally could if I were standing in another place.

On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix 
wrote:

> I have a VPN connection at my house. There's no way for them to know the
> difference between me using my home network connection from Hong Kong or my
> home network connection from my house.
>
> Are they going to disable connectivity from everywhere they can detect an
> open VPN port to, also?
>
> If they trust my v4 address, they can use that to establish historical
> reference. Additionally, they can fail over to v4 if they do not trust the
> v6 address.
>
>
>
>
> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:
>
> > There is no way for Netflix to know the difference between you being in
> NY
> > and using the tunnel, and you living in Hong Kong and using the tunnel.
> >
> >
> > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> > *Arbor Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix  >
> > wrote:
> >
> >> Same, but until there's a real IPv6 presence in the US, it's really
> >> annoying that they haven't come up with some fix for this.
> >>
> >> I have no plans to turn off IPv6 at home - I actually have many uses for
> >> it, and as much as I dislike the controversy around it, think that
> adoption
> >> needs to be prioritized, not penalized.
> >>
> >> Additionally, I think that discussing content provider control over
> >> regional decisions isn't productive to the conversation, as they didn't
> >> build the banhammer (wouldn't you want to control your own content if
> you
> >> had made content specific to regional laws etc?).
> >>
> >> I.e. - not all shows need to have regional restrictions between New York
> >> (where I live) and California (where my IPv6 /64 says I live).
> >>
> >> I'm able to watch House in the any state in the U.S.? Great - ignore my
> >> intra-US proxy connection.
> >>
> >> My Netflix account randomly tries to connect from Tokyo because I forgot
> >> to shut off my work VPN? Finelet me know and I'll turn *that* off.
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
> >>
> >>> I don't blame them for blocking a (effectively) anonymous tunnel
> broker.
> >>> I'm sure their content providers are forcing their hand.
> >>> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
> >>> wrote:
> >>>
>  Netflix needs to figure out a fix for this until ISPs actually provide
>  IPv6
>  natively.
> 
> 
> 
>  On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper  >
>  wrote:
> 
>  > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
>  > Netflix.  Anyone nice people from Netflix perhaps want to take a
>  crack at
>  > this?
>  >
>  >
>  >
>  > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
>  >
>  > > Had the same problem at my house, but it was caused by the IPv6
>  > connection
>  > > to HE.  Turned of V6 and the device worked.
>  > >
>  > >
>  > > --
>  > >
>  > > Sent with Airmail
>  > >
>  > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (
> matt...@matthew.at
>  )
>  > > wrote:
>  > >
>  > > Every device in my house is blocked from Netflix this evening due
> to
>  > > their new "VPN blocker". My house is on my own IP space, and the
>  outside
>  > > of the NAT that the family devices are on is 198.202.199.254,
>  announced
>  > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my
> house
>  > > should show that I'm no farther away than Santa Cruz, CA as
>  microwaves
>  > > fly.
>  > >
>  > > Unfortunately, when one calls Netflix support to talk about this,
>  the
>  > > only response is to say "call your ISP and have them turn off the
>  VPN
>  > > software they've added to your account". And they absolutely
> refuse
>  to
>  > > escalate. Even if you tell them that you are essentially your own
>  ISP.
>  > >
>  > > So... where's the Netflix network engineer on the list who all of
>  us can
>  > > send these issues to directly?
>  > >
>  > > Matthew Kaufman
>  > >
>  >
> 
> >>>
> >
>

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

Wifi location depends on a bunch of problematic things.  First, your SSID needs 
to get collected and put in a database somewhere.  That itself is a crap shoot. 
 Next, you can stop google (and some other wifi databases) from collecting the 
data by putting _nomap at the end of your SSID.  Lastly, not everyone has wifi 
or iOS or GPS or whatever location method you can think of.  BTW, my apple TV 
is on a wired Ethernet, not wifi.

Point is, for whatever location technology you want to use be it IP, GPS, WiFi 
location, sextant…..they can be inaccurate and they can be faked and there are 
privacy concerns with all of them.  What the content producers need to figure 
out is that regionalization DOES NOT WORK ANYMORE!  The original point was that 
they could have different release dates in different areas at different prices 
and availability.  They are going to have to get over it because they will lose 
the technological arms race.

There is no reason you could not beat all of the location systems with a simple 
proxy.  A proxy makes a Netflix connection from an allowed IP, location or 
whatever and then builds a new video/audio stream out the back end to the 
client anywhere in the world.  Simple to implement and damn near impossible to 
beat.  Ever hear of Slingbox?

Steven Naslund
Chicago IL

From: Cryptographrix [mailto:cryptograph...@gmail.com]
Sent: Friday, June 03, 2016 3:42 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

Apple TVs get their location indoors using the same method they use for other 
iOS devices when indoors - wifi ssid/Mac scanning.

Non-iOS devices are often capable of this as well.

(As someone that spends >67% of his time underground and whose Apple TV 
requests my location from my underground bedroom and is very accurate)

On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve 
> wrote:
Their app could request your devices location.  Problem is a lot of devices 
(like TVs, Apple TVs, most DVD player, i.e. device with built in Netflix) don't 
know where they are and it cannot easily be added (indoor GPS is still 
difficult/expensive) and even if they could should they be believed.  I think 
the bigger issue is whether any kind of regional controls are enforceable or 
effective any more.

Steven Naslund
Chicago IL

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On 
Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:21 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

Come now, content providers really just care that they have access to regional 
controls more so than their ability to blanket-deny access (ok, minus the MLB 
who are just insane).

And part of those regional controls deal with the accuracy of the location 
information.

If their app can request my device's precise location, it doesn't need to infer 
my location from my IP any more.

As a matter of fact, it's only detrimental to them for it to do so, because of 
the lack of accuracy from geo databases and the various reasons that people use 
VPNs nowadays (i.e. for some devices that you can't even turn VPN connections 
off for - OR in the case of IPv6, when you can't reach a segment of the 
Internet without it).


On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan 
> wrote:

> There is a large difference between "the VPN run at your house" and
> "Arguably the most popular, free, mostly anonymous tunnel broker service"
>
> If it were up to the content providers, they probably would block any
> IP they saw a VPN server listening on.
>
>
> *Spencer Ryan* | Senior Systems Administrator | 
> sr...@arbor.net *Arbor
> Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix
> >
> wrote:
>
>> I have a VPN connection at my house. There's no way for them to know
>> the difference between me using my home network connection from Hong
>> Kong or my home network connection from my house.
>>
>> Are they going to disable connectivity from everywhere they can
>> detect an open VPN port to, also?
>>
>> If they trust my v4 address, they can use that to establish
>> historical reference. Additionally, they can fail over to v4 if they
>> do not trust the
>> v6 address.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan 
>> > wrote:
>>
>>> There is no way for Netflix to know the difference between you being
>>> in NY and using the tunnel, and you living in Hong Kong and using the 
>>> tunnel.
>>>
>>>
>>> *Spencer Ryan* | Senior Systems Administrator | 
>>> sr...@arbor.net
>>> *Arbor Networks*
>>> +1.734.794.5033 (d) | 

Re: Netflix VPN detection - actual engineer needed

[Alex Buie]

This is not a zero sum solution. Fallback to IP geolocation if more precise
location detection is not available, but if it is, use that. You could even
have a "location score" composite index composed of all the different
locale and historical session data you've accumulated. (cf things like
cloudflare bad-actor detection which uses many heuristics to determine if
you are who you say you are and whether to serve content to you)

On Fri, Jun 3, 2016 at 4:43 PM, Spencer Ryan  wrote:

> And what about the millions of TVs, DVD players and all the other embedded
> devices that don't/can't support any kind of location services?
> On Jun 3, 2016 4:38 PM, "Cryptographrix"  wrote:
>
> > It's much less hard to make an IP connection lie about it's location than
> > it is to make a non-rooted (which is easy to detect) iOS device lie about
> > it's AGPS-derived location.
> >
> > In all cases.
> > On Fri, Jun 3, 2016 at 4:28 PM Naslund, Steve 
> > wrote:
> >
> > > Two problem I see with that.
> > >
> > > 1.  My TV is going to have a hard time figuring out its GPS
> location
> > > inside my living room.
> > > 2.  It's not hard to make a device lie about a GPS position.
> > >
> > > Steven Naslund
> > > Chicago IL
> > >
> > > -Original Message-
> > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> Cryptographrix
> > > Sent: Friday, June 03, 2016 3:18 PM
> > > To: Robert Jacobs; Spencer Ryan
> > > Cc: North American Network Operators' Group
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > To be honest, I don't care about content providers having control over
> > > regional access controls - it's completely technologically backwards,
> but
> > > they're all about time zones so they can do what they want.
> > >
> > > BUT there are more reliable ways than using an IP to get geographic
> > > location in an era where any website can request your GPS location.
> > >
> > > They have an iOS team that can provide them with *the most
> > authoritatively
> > > precise location of my device* for their Apple TV app.
> > >
> > > My IP should be the last thing they check to determine my location. I
> can
> > > do a million things to tweak that, including things that their proxy
> > > detection will never ever find out about.
> > >
> > >
> > > On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs 
> > > wrote:
> > >
> > > > Seems everyone continues to forget the content providers are not
> > > > Netflix...They are the Disney, Discovery, NBC, Turner ect... These
> are
> > > > the ones that put clauses and restrictions in their licensing and
> > > > re-broadcast agreements forcing things like Netflix is doing..
> > > >
> > > > Robert Jacobs | Network Director/Architect
> > > >
> > > > Direct:  832-615-7742
> > > > Main:   832-615-8000
> > > > Fax:713-510-1650
> > > >
> > > > 5959 Corporate Dr. Suite 3300; Houston, TX 77036
> > > >
> > > >
> > > >
> > > > A Certified Woman-Owned Business
> > > >
> > > > 24x7x365 Customer  Support: 832-615-8000 | supp...@pslightwave.com
> > > > This electronic message contains information from Phonoscope
> Lightwave
> > > > which may be privileged and confidential. The information is intended
> > > > to be for the use of individual(s) or entity named above. If you are
> > > > not the intended recipient, any disclosure, copying, distribution or
> > > > use of the contents of this information is prohibited. If you have
> > > > received this electronic message in error, please notify me by
> > > > telephone or e-mail immediately.
> > > >
> > > >
> > > >
> > > > -Original Message-
> > > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Spencer
> Ryan
> > > > Sent: Friday, June 3, 2016 2:49 PM
> > > > To: Cryptographrix 
> > > > Cc: North American Network Operators' Group 
> > > > Subject: Re: Netflix VPN detection - actual engineer needed
> > > >
> > > > I don't blame them for blocking a (effectively) anonymous tunnel
> > broker.
> > > > I'm sure their content providers are forcing their hand.
> > > > On Jun 3, 2016 3:46 PM, "Cryptographrix" 
> > > wrote:
> > > >
> > > > > Netflix needs to figure out a fix for this until ISPs actually
> > > > > provide
> > > > > IPv6 natively.
> > > > >
> > > > >
> > > > >
> > > > > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper
> > > > > 
> > > > > wrote:
> > > > >
> > > > > > Confirmed that Hurricane Electric's TunnelBroker is now blocked
> by
> > > > > > Netflix.  Anyone nice people from Netflix perhaps want to take a
> > > > > > crack at this?
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> > > > > >
> > > > > > > Had the same problem at my house, but it was caused by the IPv6
> > > > > > connection
> > > > > > > to HE.  Turned of V6 and the device worked.
> > > > > 

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

And what about the millions of TVs, DVD players and all the other embedded
devices that don't/can't support any kind of location services?
On Jun 3, 2016 4:38 PM, "Cryptographrix"  wrote:

> It's much less hard to make an IP connection lie about it's location than
> it is to make a non-rooted (which is easy to detect) iOS device lie about
> it's AGPS-derived location.
>
> In all cases.
> On Fri, Jun 3, 2016 at 4:28 PM Naslund, Steve 
> wrote:
>
> > Two problem I see with that.
> >
> > 1.  My TV is going to have a hard time figuring out its GPS location
> > inside my living room.
> > 2.  It's not hard to make a device lie about a GPS position.
> >
> > Steven Naslund
> > Chicago IL
> >
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Cryptographrix
> > Sent: Friday, June 03, 2016 3:18 PM
> > To: Robert Jacobs; Spencer Ryan
> > Cc: North American Network Operators' Group
> > Subject: Re: Netflix VPN detection - actual engineer needed
> >
> > To be honest, I don't care about content providers having control over
> > regional access controls - it's completely technologically backwards, but
> > they're all about time zones so they can do what they want.
> >
> > BUT there are more reliable ways than using an IP to get geographic
> > location in an era where any website can request your GPS location.
> >
> > They have an iOS team that can provide them with *the most
> authoritatively
> > precise location of my device* for their Apple TV app.
> >
> > My IP should be the last thing they check to determine my location. I can
> > do a million things to tweak that, including things that their proxy
> > detection will never ever find out about.
> >
> >
> > On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs 
> > wrote:
> >
> > > Seems everyone continues to forget the content providers are not
> > > Netflix...They are the Disney, Discovery, NBC, Turner ect... These are
> > > the ones that put clauses and restrictions in their licensing and
> > > re-broadcast agreements forcing things like Netflix is doing..
> > >
> > > Robert Jacobs | Network Director/Architect
> > >
> > > Direct:  832-615-7742
> > > Main:   832-615-8000
> > > Fax:713-510-1650
> > >
> > > 5959 Corporate Dr. Suite 3300; Houston, TX 77036
> > >
> > >
> > >
> > > A Certified Woman-Owned Business
> > >
> > > 24x7x365 Customer  Support: 832-615-8000 | supp...@pslightwave.com
> > > This electronic message contains information from Phonoscope Lightwave
> > > which may be privileged and confidential. The information is intended
> > > to be for the use of individual(s) or entity named above. If you are
> > > not the intended recipient, any disclosure, copying, distribution or
> > > use of the contents of this information is prohibited. If you have
> > > received this electronic message in error, please notify me by
> > > telephone or e-mail immediately.
> > >
> > >
> > >
> > > -Original Message-
> > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Spencer Ryan
> > > Sent: Friday, June 3, 2016 2:49 PM
> > > To: Cryptographrix 
> > > Cc: North American Network Operators' Group 
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > I don't blame them for blocking a (effectively) anonymous tunnel
> broker.
> > > I'm sure their content providers are forcing their hand.
> > > On Jun 3, 2016 3:46 PM, "Cryptographrix" 
> > wrote:
> > >
> > > > Netflix needs to figure out a fix for this until ISPs actually
> > > > provide
> > > > IPv6 natively.
> > > >
> > > >
> > > >
> > > > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper
> > > > 
> > > > wrote:
> > > >
> > > > > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > > > > Netflix.  Anyone nice people from Netflix perhaps want to take a
> > > > > crack at this?
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> > > > >
> > > > > > Had the same problem at my house, but it was caused by the IPv6
> > > > > connection
> > > > > > to HE.  Turned of V6 and the device worked.
> > > > > >
> > > > > >
> > > > > > --
> > > > > >
> > > > > > Sent with Airmail
> > > > > >
> > > > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman
> > > > > > (matt...@matthew.at)
> > > > > > wrote:
> > > > > >
> > > > > > Every device in my house is blocked from Netflix this evening
> > > > > > due to their new "VPN blocker". My house is on my own IP space,
> > > > > > and the
> > > > outside
> > > > > > of the NAT that the family devices are on is 198.202.199.254,
> > > > > > announced by AS 11994. A simple ping from Netflix HQ in Los
> > > > > > Gatos to my house should show that I'm no farther away than
> > > > > > Santa Cruz, CA as microwaves fly.
> > > > > >
> > > > > > Unfortunately, when one calls Netflix support to talk 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Apple TVs get their location indoors using the same method they use for
other iOS devices when indoors - wifi ssid/Mac scanning.

Non-iOS devices are often capable of this as well.

(As someone that spends >67% of his time underground and whose Apple TV
requests my location from my underground bedroom and is very accurate)


On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve  wrote:

> Their app could request your devices location.  Problem is a lot of
> devices (like TVs, Apple TVs, most DVD player, i.e. device with built in
> Netflix) don't know where they are and it cannot easily be added (indoor
> GPS is still difficult/expensive) and even if they could should they be
> believed.  I think the bigger issue is whether any kind of regional
> controls are enforceable or effective any more.
>
> Steven Naslund
> Chicago IL
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Cryptographrix
> Sent: Friday, June 03, 2016 3:21 PM
> To: Spencer Ryan
> Cc: North American Network Operators' Group
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Come now, content providers really just care that they have access to
> regional controls more so than their ability to blanket-deny access (ok,
> minus the MLB who are just insane).
>
> And part of those regional controls deal with the accuracy of the location
> information.
>
> If their app can request my device's precise location, it doesn't need to
> infer my location from my IP any more.
>
> As a matter of fact, it's only detrimental to them for it to do so,
> because of the lack of accuracy from geo databases and the various reasons
> that people use VPNs nowadays (i.e. for some devices that you can't even
> turn VPN connections off for - OR in the case of IPv6, when you can't reach
> a segment of the Internet without it).
>
>
> On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan  wrote:
>
> > There is a large difference between "the VPN run at your house" and
> > "Arguably the most popular, free, mostly anonymous tunnel broker service"
> >
> > If it were up to the content providers, they probably would block any
> > IP they saw a VPN server listening on.
> >
> >
> > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net *Arbor
> > Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix
> > 
> > wrote:
> >
> >> I have a VPN connection at my house. There's no way for them to know
> >> the difference between me using my home network connection from Hong
> >> Kong or my home network connection from my house.
> >>
> >> Are they going to disable connectivity from everywhere they can
> >> detect an open VPN port to, also?
> >>
> >> If they trust my v4 address, they can use that to establish
> >> historical reference. Additionally, they can fail over to v4 if they
> >> do not trust the
> >> v6 address.
> >>
> >>
> >>
> >>
> >> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:
> >>
> >>> There is no way for Netflix to know the difference between you being
> >>> in NY and using the tunnel, and you living in Hong Kong and using the
> tunnel.
> >>>
> >>>
> >>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >>> *Arbor Networks*
> >>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >>> www.arbornetworks.com
> >>>
> >>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix
> >>>  >>> > wrote:
> >>>
>  Same, but until there's a real IPv6 presence in the US, it's really
>  annoying that they haven't come up with some fix for this.
> 
>  I have no plans to turn off IPv6 at home - I actually have many
>  uses for it, and as much as I dislike the controversy around it,
>  think that adoption needs to be prioritized, not penalized.
> 
>  Additionally, I think that discussing content provider control over
>  regional decisions isn't productive to the conversation, as they
>  didn't build the banhammer (wouldn't you want to control your own
>  content if you had made content specific to regional laws etc?).
> 
>  I.e. - not all shows need to have regional restrictions between New
>  York (where I live) and California (where my IPv6 /64 says I live).
> 
>  I'm able to watch House in the any state in the U.S.? Great -
>  ignore my intra-US proxy connection.
> 
>  My Netflix account randomly tries to connect from Tokyo because I
>  forgot to shut off my work VPN? Finelet me know and I'll turn
>  *that* off.
> 
> 
> 
> 
> 
> 
>  On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
> 
> > I don't blame them for blocking a (effectively) anonymous tunnel
> > broker. I'm sure their content providers are forcing their hand.
> > On Jun 3, 2016 3:46 PM, "Cryptographrix"
> > 
> 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

It's much less hard to make an IP connection lie about it's location than
it is to make a non-rooted (which is easy to detect) iOS device lie about
it's AGPS-derived location.

In all cases.
On Fri, Jun 3, 2016 at 4:28 PM Naslund, Steve  wrote:

> Two problem I see with that.
>
> 1.  My TV is going to have a hard time figuring out its GPS location
> inside my living room.
> 2.  It's not hard to make a device lie about a GPS position.
>
> Steven Naslund
> Chicago IL
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Cryptographrix
> Sent: Friday, June 03, 2016 3:18 PM
> To: Robert Jacobs; Spencer Ryan
> Cc: North American Network Operators' Group
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> To be honest, I don't care about content providers having control over
> regional access controls - it's completely technologically backwards, but
> they're all about time zones so they can do what they want.
>
> BUT there are more reliable ways than using an IP to get geographic
> location in an era where any website can request your GPS location.
>
> They have an iOS team that can provide them with *the most authoritatively
> precise location of my device* for their Apple TV app.
>
> My IP should be the last thing they check to determine my location. I can
> do a million things to tweak that, including things that their proxy
> detection will never ever find out about.
>
>
> On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs 
> wrote:
>
> > Seems everyone continues to forget the content providers are not
> > Netflix...They are the Disney, Discovery, NBC, Turner ect... These are
> > the ones that put clauses and restrictions in their licensing and
> > re-broadcast agreements forcing things like Netflix is doing..
> >
> > Robert Jacobs | Network Director/Architect
> >
> > Direct:  832-615-7742
> > Main:   832-615-8000
> > Fax:713-510-1650
> >
> > 5959 Corporate Dr. Suite 3300; Houston, TX 77036
> >
> >
> >
> > A Certified Woman-Owned Business
> >
> > 24x7x365 Customer  Support: 832-615-8000 | supp...@pslightwave.com
> > This electronic message contains information from Phonoscope Lightwave
> > which may be privileged and confidential. The information is intended
> > to be for the use of individual(s) or entity named above. If you are
> > not the intended recipient, any disclosure, copying, distribution or
> > use of the contents of this information is prohibited. If you have
> > received this electronic message in error, please notify me by
> > telephone or e-mail immediately.
> >
> >
> >
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Spencer Ryan
> > Sent: Friday, June 3, 2016 2:49 PM
> > To: Cryptographrix 
> > Cc: North American Network Operators' Group 
> > Subject: Re: Netflix VPN detection - actual engineer needed
> >
> > I don't blame them for blocking a (effectively) anonymous tunnel broker.
> > I'm sure their content providers are forcing their hand.
> > On Jun 3, 2016 3:46 PM, "Cryptographrix" 
> wrote:
> >
> > > Netflix needs to figure out a fix for this until ISPs actually
> > > provide
> > > IPv6 natively.
> > >
> > >
> > >
> > > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper
> > > 
> > > wrote:
> > >
> > > > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > > > Netflix.  Anyone nice people from Netflix perhaps want to take a
> > > > crack at this?
> > > >
> > > >
> > > >
> > > > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> > > >
> > > > > Had the same problem at my house, but it was caused by the IPv6
> > > > connection
> > > > > to HE.  Turned of V6 and the device worked.
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > Sent with Airmail
> > > > >
> > > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman
> > > > > (matt...@matthew.at)
> > > > > wrote:
> > > > >
> > > > > Every device in my house is blocked from Netflix this evening
> > > > > due to their new "VPN blocker". My house is on my own IP space,
> > > > > and the
> > > outside
> > > > > of the NAT that the family devices are on is 198.202.199.254,
> > > > > announced by AS 11994. A simple ping from Netflix HQ in Los
> > > > > Gatos to my house should show that I'm no farther away than
> > > > > Santa Cruz, CA as microwaves fly.
> > > > >
> > > > > Unfortunately, when one calls Netflix support to talk about
> > > > > this, the only response is to say "call your ISP and have them
> > > > > turn off the VPN software they've added to your account". And
> > > > > they absolutely refuse to escalate. Even if you tell them that
> > > > > you are
> > essentially your own ISP.
> > > > >
> > > > > So... where's the Netflix network engineer on the list who all
> > > > > of us
> > > can
> > > > > send these issues to directly?
> > > > >
> > > > > Matthew Kaufman
> > > 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

Their app could request your devices location.  Problem is a lot of devices 
(like TVs, Apple TVs, most DVD player, i.e. device with built in Netflix) don't 
know where they are and it cannot easily be added (indoor GPS is still 
difficult/expensive) and even if they could should they be believed.  I think 
the bigger issue is whether any kind of regional controls are enforceable or 
effective any more.

Steven Naslund
Chicago IL

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:21 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

Come now, content providers really just care that they have access to regional 
controls more so than their ability to blanket-deny access (ok, minus the MLB 
who are just insane).

And part of those regional controls deal with the accuracy of the location 
information.

If their app can request my device's precise location, it doesn't need to infer 
my location from my IP any more.

As a matter of fact, it's only detrimental to them for it to do so, because of 
the lack of accuracy from geo databases and the various reasons that people use 
VPNs nowadays (i.e. for some devices that you can't even turn VPN connections 
off for - OR in the case of IPv6, when you can't reach a segment of the 
Internet without it).


On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan  wrote:

> There is a large difference between "the VPN run at your house" and 
> "Arguably the most popular, free, mostly anonymous tunnel broker service"
>
> If it were up to the content providers, they probably would block any 
> IP they saw a VPN server listening on.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net *Arbor 
> Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix 
> 
> wrote:
>
>> I have a VPN connection at my house. There's no way for them to know 
>> the difference between me using my home network connection from Hong 
>> Kong or my home network connection from my house.
>>
>> Are they going to disable connectivity from everywhere they can 
>> detect an open VPN port to, also?
>>
>> If they trust my v4 address, they can use that to establish 
>> historical reference. Additionally, they can fail over to v4 if they 
>> do not trust the
>> v6 address.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:
>>
>>> There is no way for Netflix to know the difference between you being 
>>> in NY and using the tunnel, and you living in Hong Kong and using the 
>>> tunnel.
>>>
>>>
>>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net 
>>> *Arbor Networks*
>>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>>> www.arbornetworks.com
>>>
>>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
>>> >> > wrote:
>>>
 Same, but until there's a real IPv6 presence in the US, it's really 
 annoying that they haven't come up with some fix for this.

 I have no plans to turn off IPv6 at home - I actually have many 
 uses for it, and as much as I dislike the controversy around it, 
 think that adoption needs to be prioritized, not penalized.

 Additionally, I think that discussing content provider control over 
 regional decisions isn't productive to the conversation, as they 
 didn't build the banhammer (wouldn't you want to control your own 
 content if you had made content specific to regional laws etc?).

 I.e. - not all shows need to have regional restrictions between New 
 York (where I live) and California (where my IPv6 /64 says I live).

 I'm able to watch House in the any state in the U.S.? Great - 
 ignore my intra-US proxy connection.

 My Netflix account randomly tries to connect from Tokyo because I 
 forgot to shut off my work VPN? Finelet me know and I'll turn
 *that* off.






 On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:

> I don't blame them for blocking a (effectively) anonymous tunnel 
> broker. I'm sure their content providers are forcing their hand.
> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
> 
> wrote:
>
>> Netflix needs to figure out a fix for this until ISPs actually 
>> provide IPv6 natively.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
>> > >
>> wrote:
>>
>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked 
>> > by Netflix.  Anyone nice people from Netflix perhaps want to 
>> > take a
>> crack at
>> > this?
>> >
>> >
>> >
>> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
>> >
>> > > Had the same problem at 

RE: Netflix VPN detection - actual engineer needed

[Naslund, Steve]

Two problem I see with that.

1.  My TV is going to have a hard time figuring out its GPS location inside 
my living room.
2.  It's not hard to make a device lie about a GPS position.

Steven Naslund
Chicago IL

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:18 PM
To: Robert Jacobs; Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

To be honest, I don't care about content providers having control over regional 
access controls - it's completely technologically backwards, but they're all 
about time zones so they can do what they want.

BUT there are more reliable ways than using an IP to get geographic location in 
an era where any website can request your GPS location.

They have an iOS team that can provide them with *the most authoritatively 
precise location of my device* for their Apple TV app.

My IP should be the last thing they check to determine my location. I can do a 
million things to tweak that, including things that their proxy detection will 
never ever find out about.


On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs 
wrote:

> Seems everyone continues to forget the content providers are not 
> Netflix...They are the Disney, Discovery, NBC, Turner ect... These are 
> the ones that put clauses and restrictions in their licensing and 
> re-broadcast agreements forcing things like Netflix is doing..
>
> Robert Jacobs | Network Director/Architect
>
> Direct:  832-615-7742
> Main:   832-615-8000
> Fax:713-510-1650
>
> 5959 Corporate Dr. Suite 3300; Houston, TX 77036
>
>
>
> A Certified Woman-Owned Business
>
> 24x7x365 Customer  Support: 832-615-8000 | supp...@pslightwave.com 
> This electronic message contains information from Phonoscope Lightwave 
> which may be privileged and confidential. The information is intended 
> to be for the use of individual(s) or entity named above. If you are 
> not the intended recipient, any disclosure, copying, distribution or 
> use of the contents of this information is prohibited. If you have 
> received this electronic message in error, please notify me by 
> telephone or e-mail immediately.
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Spencer Ryan
> Sent: Friday, June 3, 2016 2:49 PM
> To: Cryptographrix 
> Cc: North American Network Operators' Group 
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> I don't blame them for blocking a (effectively) anonymous tunnel broker.
> I'm sure their content providers are forcing their hand.
> On Jun 3, 2016 3:46 PM, "Cryptographrix"  wrote:
>
> > Netflix needs to figure out a fix for this until ISPs actually 
> > provide
> > IPv6 natively.
> >
> >
> >
> > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> > 
> > wrote:
> >
> > > Confirmed that Hurricane Electric's TunnelBroker is now blocked by 
> > > Netflix.  Anyone nice people from Netflix perhaps want to take a 
> > > crack at this?
> > >
> > >
> > >
> > > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> > >
> > > > Had the same problem at my house, but it was caused by the IPv6
> > > connection
> > > > to HE.  Turned of V6 and the device worked.
> > > >
> > > >
> > > > --
> > > >
> > > > Sent with Airmail
> > > >
> > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman
> > > > (matt...@matthew.at)
> > > > wrote:
> > > >
> > > > Every device in my house is blocked from Netflix this evening 
> > > > due to their new "VPN blocker". My house is on my own IP space, 
> > > > and the
> > outside
> > > > of the NAT that the family devices are on is 198.202.199.254, 
> > > > announced by AS 11994. A simple ping from Netflix HQ in Los 
> > > > Gatos to my house should show that I'm no farther away than 
> > > > Santa Cruz, CA as microwaves fly.
> > > >
> > > > Unfortunately, when one calls Netflix support to talk about 
> > > > this, the only response is to say "call your ISP and have them 
> > > > turn off the VPN software they've added to your account". And 
> > > > they absolutely refuse to escalate. Even if you tell them that 
> > > > you are
> essentially your own ISP.
> > > >
> > > > So... where's the Netflix network engineer on the list who all 
> > > > of us
> > can
> > > > send these issues to directly?
> > > >
> > > > Matthew Kaufman
> > > >
> > >
> >
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Come now, content providers really just care that they have access to
regional controls more so than their ability to blanket-deny access (ok,
minus the MLB who are just insane).

And part of those regional controls deal with the accuracy of the location
information.

If their app can request my device's precise location, it doesn't need to
infer my location from my IP any more.

As a matter of fact, it's only detrimental to them for it to do so, because
of the lack of accuracy from geo databases and the various reasons that
people use VPNs nowadays (i.e. for some devices that you can't even turn
VPN connections off for - OR in the case of IPv6, when you can't reach a
segment of the Internet without it).


On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan  wrote:

> There is a large difference between "the VPN run at your house" and
> "Arguably the most popular, free, mostly anonymous tunnel broker service"
>
> If it were up to the content providers, they probably would block any IP
> they saw a VPN server listening on.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix 
> wrote:
>
>> I have a VPN connection at my house. There's no way for them to know the
>> difference between me using my home network connection from Hong Kong or my
>> home network connection from my house.
>>
>> Are they going to disable connectivity from everywhere they can detect an
>> open VPN port to, also?
>>
>> If they trust my v4 address, they can use that to establish historical
>> reference. Additionally, they can fail over to v4 if they do not trust the
>> v6 address.
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:
>>
>>> There is no way for Netflix to know the difference between you being in
>>> NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>>>
>>>
>>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>>> *Arbor Networks*
>>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>>> www.arbornetworks.com
>>>
>>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix >> > wrote:
>>>
 Same, but until there's a real IPv6 presence in the US, it's really
 annoying that they haven't come up with some fix for this.

 I have no plans to turn off IPv6 at home - I actually have many uses
 for it, and as much as I dislike the controversy around it, think that
 adoption needs to be prioritized, not penalized.

 Additionally, I think that discussing content provider control over
 regional decisions isn't productive to the conversation, as they didn't
 build the banhammer (wouldn't you want to control your own content if you
 had made content specific to regional laws etc?).

 I.e. - not all shows need to have regional restrictions between New
 York (where I live) and California (where my IPv6 /64 says I live).

 I'm able to watch House in the any state in the U.S.? Great - ignore my
 intra-US proxy connection.

 My Netflix account randomly tries to connect from Tokyo because I
 forgot to shut off my work VPN? Finelet me know and I'll turn
 *that* off.






 On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:

> I don't blame them for blocking a (effectively) anonymous tunnel
> broker. I'm sure their content providers are forcing their hand.
> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
> wrote:
>
>> Netflix needs to figure out a fix for this until ISPs actually
>> provide IPv6
>> natively.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper > >
>> wrote:
>>
>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
>> > Netflix.  Anyone nice people from Netflix perhaps want to take a
>> crack at
>> > this?
>> >
>> >
>> >
>> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
>> >
>> > > Had the same problem at my house, but it was caused by the IPv6
>> > connection
>> > > to HE.  Turned of V6 and the device worked.
>> > >
>> > >
>> > > --
>> > >
>> > > Sent with Airmail
>> > >
>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (
>> matt...@matthew.at)
>> > > wrote:
>> > >
>> > > Every device in my house is blocked from Netflix this evening due
>> to
>> > > their new "VPN blocker". My house is on my own IP space, and the
>> outside
>> > > of the NAT that the family devices are on is 198.202.199.254,
>> announced
>> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my
>> house
>> > > should show that I'm no farther away than Santa Cruz, CA as
>> 

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

To be honest, I don't care about content providers having control over
regional access controls - it's completely technologically backwards, but
they're all about time zones so they can do what they want.

BUT there are more reliable ways than using an IP to get geographic
location in an era where any website can request your GPS location.

They have an iOS team that can provide them with *the most authoritatively
precise location of my device* for their Apple TV app.

My IP should be the last thing they check to determine my location. I can
do a million things to tweak that, including things that their proxy
detection will never ever find out about.


On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs 
wrote:

> Seems everyone continues to forget the content providers are not
> Netflix...They are the Disney, Discovery, NBC, Turner ect... These are the
> ones that put clauses and restrictions in their licensing and re-broadcast
> agreements forcing things like Netflix is doing..
>
> Robert Jacobs | Network Director/Architect
>
> Direct:  832-615-7742
> Main:   832-615-8000
> Fax:713-510-1650
>
> 5959 Corporate Dr. Suite 3300; Houston, TX 77036
>
>
>
> A Certified Woman-Owned Business
>
> 24x7x365 Customer  Support: 832-615-8000 | supp...@pslightwave.com
> This electronic message contains information from Phonoscope Lightwave
> which may be privileged and confidential. The information is intended to be
> for the use of individual(s) or entity named above. If you are not the
> intended recipient, any disclosure, copying, distribution or use of the
> contents of this information is prohibited. If you have received this
> electronic message in error, please notify me by telephone or e-mail
> immediately.
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Spencer Ryan
> Sent: Friday, June 3, 2016 2:49 PM
> To: Cryptographrix 
> Cc: North American Network Operators' Group 
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> I don't blame them for blocking a (effectively) anonymous tunnel broker.
> I'm sure their content providers are forcing their hand.
> On Jun 3, 2016 3:46 PM, "Cryptographrix"  wrote:
>
> > Netflix needs to figure out a fix for this until ISPs actually provide
> > IPv6 natively.
> >
> >
> >
> > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> > wrote:
> >
> > > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > > Netflix.  Anyone nice people from Netflix perhaps want to take a
> > > crack at this?
> > >
> > >
> > >
> > > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> > >
> > > > Had the same problem at my house, but it was caused by the IPv6
> > > connection
> > > > to HE.  Turned of V6 and the device worked.
> > > >
> > > >
> > > > --
> > > >
> > > > Sent with Airmail
> > > >
> > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman
> > > > (matt...@matthew.at)
> > > > wrote:
> > > >
> > > > Every device in my house is blocked from Netflix this evening due
> > > > to their new "VPN blocker". My house is on my own IP space, and
> > > > the
> > outside
> > > > of the NAT that the family devices are on is 198.202.199.254,
> > > > announced by AS 11994. A simple ping from Netflix HQ in Los Gatos
> > > > to my house should show that I'm no farther away than Santa Cruz,
> > > > CA as microwaves fly.
> > > >
> > > > Unfortunately, when one calls Netflix support to talk about this,
> > > > the only response is to say "call your ISP and have them turn off
> > > > the VPN software they've added to your account". And they
> > > > absolutely refuse to escalate. Even if you tell them that you are
> essentially your own ISP.
> > > >
> > > > So... where's the Netflix network engineer on the list who all of
> > > > us
> > can
> > > > send these issues to directly?
> > > >
> > > > Matthew Kaufman
> > > >
> > >
> >
>

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

There is a large difference between "the VPN run at your house" and
"Arguably the most popular, free, mostly anonymous tunnel broker service"

If it were up to the content providers, they probably would block any IP
they saw a VPN server listening on.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix 
wrote:

> I have a VPN connection at my house. There's no way for them to know the
> difference between me using my home network connection from Hong Kong or my
> home network connection from my house.
>
> Are they going to disable connectivity from everywhere they can detect an
> open VPN port to, also?
>
> If they trust my v4 address, they can use that to establish historical
> reference. Additionally, they can fail over to v4 if they do not trust the
> v6 address.
>
>
>
>
> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:
>
>> There is no way for Netflix to know the difference between you being in
>> NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>>
>>
>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>>
>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
>> wrote:
>>
>>> Same, but until there's a real IPv6 presence in the US, it's really
>>> annoying that they haven't come up with some fix for this.
>>>
>>> I have no plans to turn off IPv6 at home - I actually have many uses for
>>> it, and as much as I dislike the controversy around it, think that adoption
>>> needs to be prioritized, not penalized.
>>>
>>> Additionally, I think that discussing content provider control over
>>> regional decisions isn't productive to the conversation, as they didn't
>>> build the banhammer (wouldn't you want to control your own content if you
>>> had made content specific to regional laws etc?).
>>>
>>> I.e. - not all shows need to have regional restrictions between New York
>>> (where I live) and California (where my IPv6 /64 says I live).
>>>
>>> I'm able to watch House in the any state in the U.S.? Great - ignore my
>>> intra-US proxy connection.
>>>
>>> My Netflix account randomly tries to connect from Tokyo because I forgot
>>> to shut off my work VPN? Finelet me know and I'll turn *that* off.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>>>
 I don't blame them for blocking a (effectively) anonymous tunnel
 broker. I'm sure their content providers are forcing their hand.
 On Jun 3, 2016 3:46 PM, "Cryptographrix" 
 wrote:

> Netflix needs to figure out a fix for this until ISPs actually provide
> IPv6
> natively.
>
>
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > Netflix.  Anyone nice people from Netflix perhaps want to take a
> crack at
> > this?
> >
> >
> >
> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> >
> > > Had the same problem at my house, but it was caused by the IPv6
> > connection
> > > to HE.  Turned of V6 and the device worked.
> > >
> > >
> > > --
> > >
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (
> matt...@matthew.at)
> > > wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening due
> to
> > > their new "VPN blocker". My house is on my own IP space, and the
> outside
> > > of the NAT that the family devices are on is 198.202.199.254,
> announced
> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> > > should show that I'm no farther away than Santa Cruz, CA as
> microwaves
> > > fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about this,
> the
> > > only response is to say "call your ISP and have them turn off the
> VPN
> > > software they've added to your account". And they absolutely
> refuse to
> > > escalate. Even if you tell them that you are essentially your own
> ISP.
> > >
> > > So... where's the Netflix network engineer on the list who all of
> us can
> > > send these issues to directly?
> > >
> > > Matthew Kaufman
> > >
> >
>

>>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

(since we must dual-stack still here in the US)


On Fri, Jun 3, 2016 at 4:09 PM Cryptographrix 
wrote:

> I have a VPN connection at my house. There's no way for them to know the
> difference between me using my home network connection from Hong Kong or my
> home network connection from my house.
>
> Are they going to disable connectivity from everywhere they can detect an
> open VPN port to, also?
>
> If they trust my v4 address, they can use that to establish historical
> reference. Additionally, they can fail over to v4 if they do not trust the
> v6 address.
>
>
>
>
> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:
>
>> There is no way for Netflix to know the difference between you being in
>> NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>>
>>
>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>>
>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
>> wrote:
>>
>>> Same, but until there's a real IPv6 presence in the US, it's really
>>> annoying that they haven't come up with some fix for this.
>>>
>>> I have no plans to turn off IPv6 at home - I actually have many uses for
>>> it, and as much as I dislike the controversy around it, think that adoption
>>> needs to be prioritized, not penalized.
>>>
>>> Additionally, I think that discussing content provider control over
>>> regional decisions isn't productive to the conversation, as they didn't
>>> build the banhammer (wouldn't you want to control your own content if you
>>> had made content specific to regional laws etc?).
>>>
>>> I.e. - not all shows need to have regional restrictions between New York
>>> (where I live) and California (where my IPv6 /64 says I live).
>>>
>>> I'm able to watch House in the any state in the U.S.? Great - ignore my
>>> intra-US proxy connection.
>>>
>>> My Netflix account randomly tries to connect from Tokyo because I forgot
>>> to shut off my work VPN? Finelet me know and I'll turn *that* off.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>>>
 I don't blame them for blocking a (effectively) anonymous tunnel
 broker. I'm sure their content providers are forcing their hand.
 On Jun 3, 2016 3:46 PM, "Cryptographrix" 
 wrote:

> Netflix needs to figure out a fix for this until ISPs actually provide
> IPv6
> natively.
>
>
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > Netflix.  Anyone nice people from Netflix perhaps want to take a
> crack at
> > this?
> >
> >
> >
> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> >
> > > Had the same problem at my house, but it was caused by the IPv6
> > connection
> > > to HE.  Turned of V6 and the device worked.
> > >
> > >
> > > --
> > >
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (
> matt...@matthew.at)
> > > wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening due
> to
> > > their new "VPN blocker". My house is on my own IP space, and the
> outside
> > > of the NAT that the family devices are on is 198.202.199.254,
> announced
> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> > > should show that I'm no farther away than Santa Cruz, CA as
> microwaves
> > > fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about this,
> the
> > > only response is to say "call your ISP and have them turn off the
> VPN
> > > software they've added to your account". And they absolutely
> refuse to
> > > escalate. Even if you tell them that you are essentially your own
> ISP.
> > >
> > > So... where's the Netflix network engineer on the list who all of
> us can
> > > send these issues to directly?
> > >
> > > Matthew Kaufman
> > >
> >
>

>>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

I have a VPN connection at my house. There's no way for them to know the
difference between me using my home network connection from Hong Kong or my
home network connection from my house.

Are they going to disable connectivity from everywhere they can detect an
open VPN port to, also?

If they trust my v4 address, they can use that to establish historical
reference. Additionally, they can fail over to v4 if they do not trust the
v6 address.




On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan  wrote:

> There is no way for Netflix to know the difference between you being in NY
> and using the tunnel, and you living in Hong Kong and using the tunnel.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
> wrote:
>
>> Same, but until there's a real IPv6 presence in the US, it's really
>> annoying that they haven't come up with some fix for this.
>>
>> I have no plans to turn off IPv6 at home - I actually have many uses for
>> it, and as much as I dislike the controversy around it, think that adoption
>> needs to be prioritized, not penalized.
>>
>> Additionally, I think that discussing content provider control over
>> regional decisions isn't productive to the conversation, as they didn't
>> build the banhammer (wouldn't you want to control your own content if you
>> had made content specific to regional laws etc?).
>>
>> I.e. - not all shows need to have regional restrictions between New York
>> (where I live) and California (where my IPv6 /64 says I live).
>>
>> I'm able to watch House in the any state in the U.S.? Great - ignore my
>> intra-US proxy connection.
>>
>> My Netflix account randomly tries to connect from Tokyo because I forgot
>> to shut off my work VPN? Finelet me know and I'll turn *that* off.
>>
>>
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>>
>>> I don't blame them for blocking a (effectively) anonymous tunnel broker.
>>> I'm sure their content providers are forcing their hand.
>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
>>> wrote:
>>>
 Netflix needs to figure out a fix for this until ISPs actually provide
 IPv6
 natively.



 On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
 wrote:

 > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
 > Netflix.  Anyone nice people from Netflix perhaps want to take a
 crack at
 > this?
 >
 >
 >
 > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
 >
 > > Had the same problem at my house, but it was caused by the IPv6
 > connection
 > > to HE.  Turned of V6 and the device worked.
 > >
 > >
 > > --
 > >
 > > Sent with Airmail
 > >
 > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at
 )
 > > wrote:
 > >
 > > Every device in my house is blocked from Netflix this evening due to
 > > their new "VPN blocker". My house is on my own IP space, and the
 outside
 > > of the NAT that the family devices are on is 198.202.199.254,
 announced
 > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
 > > should show that I'm no farther away than Santa Cruz, CA as
 microwaves
 > > fly.
 > >
 > > Unfortunately, when one calls Netflix support to talk about this,
 the
 > > only response is to say "call your ISP and have them turn off the
 VPN
 > > software they've added to your account". And they absolutely refuse
 to
 > > escalate. Even if you tell them that you are essentially your own
 ISP.
 > >
 > > So... where's the Netflix network engineer on the list who all of
 us can
 > > send these issues to directly?
 > >
 > > Matthew Kaufman
 > >
 >

>>>
>

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

There is no way for Netflix to know the difference between you being in NY
and using the tunnel, and you living in Hong Kong and using the tunnel.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
wrote:

> Same, but until there's a real IPv6 presence in the US, it's really
> annoying that they haven't come up with some fix for this.
>
> I have no plans to turn off IPv6 at home - I actually have many uses for
> it, and as much as I dislike the controversy around it, think that adoption
> needs to be prioritized, not penalized.
>
> Additionally, I think that discussing content provider control over
> regional decisions isn't productive to the conversation, as they didn't
> build the banhammer (wouldn't you want to control your own content if you
> had made content specific to regional laws etc?).
>
> I.e. - not all shows need to have regional restrictions between New York
> (where I live) and California (where my IPv6 /64 says I live).
>
> I'm able to watch House in the any state in the U.S.? Great - ignore my
> intra-US proxy connection.
>
> My Netflix account randomly tries to connect from Tokyo because I forgot
> to shut off my work VPN? Finelet me know and I'll turn *that* off.
>
>
>
>
>
>
> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:
>
>> I don't blame them for blocking a (effectively) anonymous tunnel broker.
>> I'm sure their content providers are forcing their hand.
>> On Jun 3, 2016 3:46 PM, "Cryptographrix" 
>> wrote:
>>
>>> Netflix needs to figure out a fix for this until ISPs actually provide
>>> IPv6
>>> natively.
>>>
>>>
>>>
>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
>>> wrote:
>>>
>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
>>> > Netflix.  Anyone nice people from Netflix perhaps want to take a crack
>>> at
>>> > this?
>>> >
>>> >
>>> >
>>> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
>>> >
>>> > > Had the same problem at my house, but it was caused by the IPv6
>>> > connection
>>> > > to HE.  Turned of V6 and the device worked.
>>> > >
>>> > >
>>> > > --
>>> > >
>>> > > Sent with Airmail
>>> > >
>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
>>> > > wrote:
>>> > >
>>> > > Every device in my house is blocked from Netflix this evening due to
>>> > > their new "VPN blocker". My house is on my own IP space, and the
>>> outside
>>> > > of the NAT that the family devices are on is 198.202.199.254,
>>> announced
>>> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
>>> > > should show that I'm no farther away than Santa Cruz, CA as
>>> microwaves
>>> > > fly.
>>> > >
>>> > > Unfortunately, when one calls Netflix support to talk about this, the
>>> > > only response is to say "call your ISP and have them turn off the VPN
>>> > > software they've added to your account". And they absolutely refuse
>>> to
>>> > > escalate. Even if you tell them that you are essentially your own
>>> ISP.
>>> > >
>>> > > So... where's the Netflix network engineer on the list who all of us
>>> can
>>> > > send these issues to directly?
>>> > >
>>> > > Matthew Kaufman
>>> > >
>>> >
>>>
>>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Same, but until there's a real IPv6 presence in the US, it's really
annoying that they haven't come up with some fix for this.

I have no plans to turn off IPv6 at home - I actually have many uses for
it, and as much as I dislike the controversy around it, think that adoption
needs to be prioritized, not penalized.

Additionally, I think that discussing content provider control over
regional decisions isn't productive to the conversation, as they didn't
build the banhammer (wouldn't you want to control your own content if you
had made content specific to regional laws etc?).

I.e. - not all shows need to have regional restrictions between New York
(where I live) and California (where my IPv6 /64 says I live).

I'm able to watch House in the any state in the U.S.? Great - ignore my
intra-US proxy connection.

My Netflix account randomly tries to connect from Tokyo because I forgot to
shut off my work VPN? Finelet me know and I'll turn *that* off.






On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan  wrote:

> I don't blame them for blocking a (effectively) anonymous tunnel broker.
> I'm sure their content providers are forcing their hand.
> On Jun 3, 2016 3:46 PM, "Cryptographrix"  wrote:
>
>> Netflix needs to figure out a fix for this until ISPs actually provide
>> IPv6
>> natively.
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
>> wrote:
>>
>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
>> > Netflix.  Anyone nice people from Netflix perhaps want to take a crack
>> at
>> > this?
>> >
>> >
>> >
>> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
>> >
>> > > Had the same problem at my house, but it was caused by the IPv6
>> > connection
>> > > to HE.  Turned of V6 and the device worked.
>> > >
>> > >
>> > > --
>> > >
>> > > Sent with Airmail
>> > >
>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
>> > > wrote:
>> > >
>> > > Every device in my house is blocked from Netflix this evening due to
>> > > their new "VPN blocker". My house is on my own IP space, and the
>> outside
>> > > of the NAT that the family devices are on is 198.202.199.254,
>> announced
>> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
>> > > should show that I'm no farther away than Santa Cruz, CA as microwaves
>> > > fly.
>> > >
>> > > Unfortunately, when one calls Netflix support to talk about this, the
>> > > only response is to say "call your ISP and have them turn off the VPN
>> > > software they've added to your account". And they absolutely refuse to
>> > > escalate. Even if you tell them that you are essentially your own ISP.
>> > >
>> > > So... where's the Netflix network engineer on the list who all of us
>> can
>> > > send these issues to directly?
>> > >
>> > > Matthew Kaufman
>> > >
>> >
>>
>

RE: Netflix VPN detection - actual engineer needed

[Robert Jacobs]

Seems everyone continues to forget the content providers are not Netflix...They 
are the Disney, Discovery, NBC, Turner ect... These are the ones that put 
clauses and restrictions in their licensing and re-broadcast agreements forcing 
things like Netflix is doing..   

Robert Jacobs | Network Director/Architect 

Direct:  832-615-7742
Main:   832-615-8000
Fax:    713-510-1650

5959 Corporate Dr. Suite 3300; Houston, TX 77036



A Certified Woman-Owned Business 

24x7x365 Customer  Support: 832-615-8000 | supp...@pslightwave.com
This electronic message contains information from Phonoscope Lightwave which 
may be privileged and confidential. The information is intended to be for the 
use of individual(s) or entity named above. If you are not the intended 
recipient, any disclosure, copying, distribution or use of the contents of this 
information is prohibited. If you have received this electronic message in 
error, please notify me by telephone or e-mail immediately.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Spencer Ryan
Sent: Friday, June 3, 2016 2:49 PM
To: Cryptographrix 
Cc: North American Network Operators' Group 
Subject: Re: Netflix VPN detection - actual engineer needed

I don't blame them for blocking a (effectively) anonymous tunnel broker.
I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix"  wrote:

> Netflix needs to figure out a fix for this until ISPs actually provide 
> IPv6 natively.
>
>
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by 
> > Netflix.  Anyone nice people from Netflix perhaps want to take a 
> > crack at this?
> >
> >
> >
> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> >
> > > Had the same problem at my house, but it was caused by the IPv6
> > connection
> > > to HE.  Turned of V6 and the device worked.
> > >
> > >
> > > --
> > >
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman 
> > > (matt...@matthew.at)
> > > wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening due 
> > > to their new "VPN blocker". My house is on my own IP space, and 
> > > the
> outside
> > > of the NAT that the family devices are on is 198.202.199.254, 
> > > announced by AS 11994. A simple ping from Netflix HQ in Los Gatos 
> > > to my house should show that I'm no farther away than Santa Cruz, 
> > > CA as microwaves fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about this, 
> > > the only response is to say "call your ISP and have them turn off 
> > > the VPN software they've added to your account". And they 
> > > absolutely refuse to escalate. Even if you tell them that you are 
> > > essentially your own ISP.
> > >
> > > So... where's the Netflix network engineer on the list who all of 
> > > us
> can
> > > send these issues to directly?
> > >
> > > Matthew Kaufman
> > >
> >
>

Re: Netflix VPN detection - actual engineer needed

[Spencer Ryan]

I don't blame them for blocking a (effectively) anonymous tunnel broker.
I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix"  wrote:

> Netflix needs to figure out a fix for this until ISPs actually provide IPv6
> natively.
>
>
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> > Netflix.  Anyone nice people from Netflix perhaps want to take a crack at
> > this?
> >
> >
> >
> > On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> >
> > > Had the same problem at my house, but it was caused by the IPv6
> > connection
> > > to HE.  Turned of V6 and the device worked.
> > >
> > >
> > > --
> > >
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
> > > wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening due to
> > > their new "VPN blocker". My house is on my own IP space, and the
> outside
> > > of the NAT that the family devices are on is 198.202.199.254, announced
> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> > > should show that I'm no farther away than Santa Cruz, CA as microwaves
> > > fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about this, the
> > > only response is to say "call your ISP and have them turn off the VPN
> > > software they've added to your account". And they absolutely refuse to
> > > escalate. Even if you tell them that you are essentially your own ISP.
> > >
> > > So... where's the Netflix network engineer on the list who all of us
> can
> > > send these issues to directly?
> > >
> > > Matthew Kaufman
> > >
> >
>

Re: Netflix VPN detection - actual engineer needed

[Cryptographrix]

Netflix needs to figure out a fix for this until ISPs actually provide IPv6
natively.



On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
wrote:

> Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> Netflix.  Anyone nice people from Netflix perhaps want to take a crack at
> this?
>
>
>
> On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
>
> > Had the same problem at my house, but it was caused by the IPv6
> connection
> > to HE.  Turned of V6 and the device worked.
> >
> >
> > --
> >
> > Sent with Airmail
> >
> > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
> > wrote:
> >
> > Every device in my house is blocked from Netflix this evening due to
> > their new "VPN blocker". My house is on my own IP space, and the outside
> > of the NAT that the family devices are on is 198.202.199.254, announced
> > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> > should show that I'm no farther away than Santa Cruz, CA as microwaves
> > fly.
> >
> > Unfortunately, when one calls Netflix support to talk about this, the
> > only response is to say "call your ISP and have them turn off the VPN
> > software they've added to your account". And they absolutely refuse to
> > escalate. Even if you tell them that you are essentially your own ISP.
> >
> > So... where's the Netflix network engineer on the list who all of us can
> > send these issues to directly?
> >
> > Matthew Kaufman
> >
>

RE: Netflix VPN detection - actual engineer needed

[Matthew Huff]

I would imagine it was done on purpose. The purpose of the Netflix VPN 
detection was to block users from outside of different regions due to content 
providers requests. Since HE provides free ipv6 tunnels, it's an easy way to 
get around the blockage, hence the restriction.



Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-694-5669


> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Blair Trosper
> Sent: Friday, June 3, 2016 3:11 PM
> To: mike.hy...@gmail.com
> Cc: NANOG 
> Subject: Re: Netflix VPN detection - actual engineer needed
> 
> Confirmed that Hurricane Electric's TunnelBroker is now blocked by
> Netflix.  Anyone nice people from Netflix perhaps want to take a crack
> at
> this?
> 
> 
> 
> On Thu, Jun 2, 2016 at 2:15 PM,  wrote:
> 
> > Had the same problem at my house, but it was caused by the IPv6
> connection
> > to HE.  Turned of V6 and the device worked.
> >
> >
> > --
> >
> > Sent with Airmail
> >
> > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
> > wrote:
> >
> > Every device in my house is blocked from Netflix this evening due to
> > their new "VPN blocker". My house is on my own IP space, and the
> outside
> > of the NAT that the family devices are on is 198.202.199.254,
> announced
> > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> > should show that I'm no farther away than Santa Cruz, CA as
> microwaves
> > fly.
> >
> > Unfortunately, when one calls Netflix support to talk about this, the
> > only response is to say "call your ISP and have them turn off the VPN
> > software they've added to your account". And they absolutely refuse
> to
> > escalate. Even if you tell them that you are essentially your own
> ISP.
> >
> > So... where's the Netflix network engineer on the list who all of us
> can
> > send these issues to directly?
> >
> > Matthew Kaufman
> >

Re: Netflix VPN detection - actual engineer needed

[Blair Trosper]

Confirmed that Hurricane Electric's TunnelBroker is now blocked by
Netflix.  Anyone nice people from Netflix perhaps want to take a crack at
this?



On Thu, Jun 2, 2016 at 2:15 PM,  wrote:

> Had the same problem at my house, but it was caused by the IPv6 connection
> to HE.  Turned of V6 and the device worked.
>
>
> --
>
> Sent with Airmail
>
> On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
> wrote:
>
> Every device in my house is blocked from Netflix this evening due to
> their new "VPN blocker". My house is on my own IP space, and the outside
> of the NAT that the family devices are on is 198.202.199.254, announced
> by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> should show that I'm no farther away than Santa Cruz, CA as microwaves
> fly.
>
> Unfortunately, when one calls Netflix support to talk about this, the
> only response is to say "call your ISP and have them turn off the VPN
> software they've added to your account". And they absolutely refuse to
> escalate. Even if you tell them that you are essentially your own ISP.
>
> So... where's the Netflix network engineer on the list who all of us can
> send these issues to directly?
>
> Matthew Kaufman
>

Re: craigslist.com admin

[Nevin Gonsalves via NANOG]

Have you tried reaching them on n...@craigslist.org ? thanks,-nevin
 

On Thursday, June 2, 2016 1:48 PM, Darin Steffl  
wrote:
 

 Have been getting reports of the same thing. Went to the craigslist help
forums where some people there decided to call us a fake ISP because we
don't hand out publics to every customer. They were VERY rude and hopefully
none of them were employees. They said our customers can't use craigslist
if we don't hand publics to everyone. It didn't matter to them that we
don't have enough IP's for every customer.

I sent an email to some admin account someone recommended but haven't heard
anything back yet.



On Tue, May 31, 2016 at 3:07 PM, Dennis Burgess 
wrote:

> Looking for a craigslist.com admin to connect with offlist about a block
> :)
>
> [DennisBurgessSignature]
> www.linktechs.net - 314-735-0270 x103 -
> dmburg...@linktechs.net
>
>


-- 
Darin Steffl
Minnesota WiFi
www.mnwifi.com
507-634-WiFi
 Like us on Facebook

Re: Bogon ASN Filter Policy

[Jay Borkenhagen]

AT/as7018 is also now in the process of updating its as-path bogon
filters to match those cited below.  We have long employed such
filters, and our changes at this time are primarily to extend them to
prohibit as23456 and the reserved blocks > as65535.

So to Job and Adam and anyone else who deploys such filters: Thanks!
I would like to extend to you this laurel, and hearty handshake...


On 02-June-2016, Adam Davenport writes:
 > I personally applaud this effort as initiatives like this that help 
 > prevent the global propagation of Bogons and other "bad things" only 
 > serves to help us all.  With that said, notice went out to potentially 
 > affected GTT / AS3257 customers this week that by the end of June we too 
 > will be filtering prefixes that contain any of the Bogon ASNs listed 
 > below in the in the as-path.  I highly encourage other networks to 
 > follow suit, as again it only helps us all.
 > 
 > Thanks Job for kicking this one off, and I look forward to others to 
 > doing the same!
 > 
 > Adam Davenport / adam.davenp...@gtt.net
 > 
 >   
 > 
 > On 6/2/16 3:41 PM, Job Snijders wrote:
 > > Dear fellow network operators,
 > >
 > > In July 2016, NTT Communications' Global IP Network AS2914 will deploy a
 > > new routing policy to block Bogon ASNs from its view of the default-free
 > > zone. This notification is provided as a courtesy to the network
 > > community at large.
 > >
 > > After the Bogon ASN filter policy has been deployed, AS 2914 will not
 > > accept route announcements from any eBGP neighbor which contains a Bogon
 > > ASN anywhere in the AS_PATH or its atomic aggregate attribute.
 > >
 > > The reasoning behind this policy is twofold:
 > >
 > >  - Private or Reserved ASNs have no place in the public DFZ. Barring
 > >these from the DFZ helps improve accountability and dampen
 > >accidental exposure of internal routing artifacts.
 > >
 > >  - All AS2914 devices support 4-byte ASNs. Any occurrence of "23456"
 > >in the DFZ is a either a misconfiguration or software issue.
 > >
 > > We are undertaking this effort to improve the quality of routing data as
 > > part of the global ecosystem. This should improve the security posture
 > > and provide additional certainty [1] to those undertaking network
 > > troubleshooting.
 > >
 > > Bogon ASNs are currently defined as following:
 > >
 > >  0   # Reserved RFC7607
 > >  23456   # AS_TRANS RFC6793
 > >  64496-64511 # Reserved for use in docs and code RFC5398
 > >  64512-65534 # Reserved for Private Use RFC6996
 > >  65535   # Reserved RFC7300
 > >  65536-65551 # Reserved for use in docs and code RFC5398
 > >  65552-131071# Reserved
 > >  42-4294967294   # Reserved for Private Use RFC6996
 > >  4294967295  # Reserved RFC7300
 > >
 > > A current overview of what are considered Bogon ASNs is maintained at
 > > NTT's Routing Policies page [2]. The IANA Autonomous System Number
 > > Registry [3] is closely tracked and the NTT Bogon ASN definitions are
 > > updated accordingly.
 > >
 > > We encourage network operators to consider deploying similar policies.
 > > Configuration examples for various platforms can be found here [4].
 > >
 > > NTT staff is monitoring current occurrences of Bogon ASNs in the routing
 > > system and reaching out to impacted parties on a weekly basis.
 > >
 > > Kind regards,
 > >
 > > Job
 > >
 > > Contact persons:
 > >
 > >  Job Snijders , Jared Mauch ,
 > >  NTT Communications NOC 
 > >
 > > References:
 > > [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
 > > [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
 > > [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
 > > [4]: http://as2914.net/bogon_asns/configuration_examples.txt

Re: Netflix VPN detection - actual engineer needed

[mike . hyde1]

Had the same problem at my house, but it was caused by the IPv6 connection
to HE.  Turned of V6 and the device worked.


-- 

Sent with Airmail

On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at) wrote:

Every device in my house is blocked from Netflix this evening due to
their new "VPN blocker". My house is on my own IP space, and the outside
of the NAT that the family devices are on is 198.202.199.254, announced
by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
should show that I'm no farther away than Santa Cruz, CA as microwaves
fly.

Unfortunately, when one calls Netflix support to talk about this, the
only response is to say "call your ISP and have them turn off the VPN
software they've added to your account". And they absolutely refuse to
escalate. Even if you tell them that you are essentially your own ISP.

So... where's the Netflix network engineer on the list who all of us can
send these issues to directly?

Matthew Kaufman

Re: craigslist.com admin

[Vicente De Luca]

I'd try consider this argument if they at least offer the web service in 
v6, which is not the case



Darin Steffl 
June 2, 2016 at 9:45 PM
Have been getting reports of the same thing. Went to the craigslist help
forums where some people there decided to call us a fake ISP because we
don't hand out publics to every customer. They were VERY rude and 
hopefully

none of them were employees. They said our customers can't use craigslist
if we don't hand publics to everyone. It didn't matter to them that we
don't have enough IP's for every customer.

I sent an email to some admin account someone recommended but haven't 
heard

anything back yet.



On Tue, May 31, 2016 at 3:07 PM, Dennis Burgess 


Dennis Burgess 
May 31, 2016 at 9:07 PM
Looking for a craigslist.com admin to connect with offlist about a 
block :)


[DennisBurgessSignature]
www.linktechs.net - 314-735-0270 x103 - 
dmburg...@linktechs.net




--
Sent with Postbox