Re: netflix proxy/unblocker false detection
On 29/Jun/20 07:34, Owen DeLong wrote: > Personally, I’d like to see the Netflix UI upgraded so that you could have > the option of indexing all content (whether you could view it or not) and > each time you clicked on something you weren’t allowed to view, it provided > contact information for the responsible party setting the restriction. > Unfortunately, I suspect that the majority of users wouldn’t enjoy this > opportunity for commercial activism, so I understand why Netflix doesn’t do > this. Amazon (sort of) do this, which is why I cancelled their Video service here in Johannesburg. It will show you what's in the library, but when you play it, it will tell you that it's not available for your region. If they could add the "commercial activism" button, I'd be okay to lose 5 seconds pressing it. There are too many moving parts for Netflix to reliably build code that could determine that an HE tunnel is coming from the right place content owners mandate their media be distributed to. That code would end up getting unwieldy, taking up too much time and becoming a full-time job. Since Netflix are sinking more and more cash into their own content every year, to me, that seems like a better long-term solution. Mark.
Re: netflix proxy/unblocker false detection
On 27/Jun/20 00:39, Grant Taylor via NANOG wrote: > > > Amazon does better. > YouTube does better. > CBS does better. > Hulu does better. I wouldn't immediately compare all of those services to Netflix (or even to each other), especially in a global context... but then this thread could get totally derailed :-). Mark.
Re: netflix proxy/unblocker false detection
> > I'd be down with that. Gamers will kill for even 1 nanosecond of lower > "ping" :-). > Which has long made me chuckle. It's analogous to the golfers buying things to "fix your slice!" or "get 10 more yards!" , when the true reason those things happen is completely your swing. :) On Sat, Jun 27, 2020 at 9:19 AM Mark Tinka wrote: > > > On 26/Jun/20 19:40, Sabri Berisha wrote: > > > Don't hold your breath. It's most likely not related to the capabilities > > of the hardware, or even the kernel running on the platform. > > I'm hoping a new device will bring with it renewed vigour :-). > > I'm probably being ambitious. Overly. > > > > My guess is that there is no IPv6 support because the backend doesn't > > support it. I've seen this at previous employers where the network was > ready > > for IPv6, but back-end applications were lagging. And that might require > > development on a lot of games as well. > > > > Perhaps we should start a rumor: "IPv6 has a lower ping!". We'll get > > thousands of gamers protesting for v6 in front of Sony's HQ :) > > I'd be down with that. Gamers will kill for even 1 nanosecond of lower > "ping" :-). > > Which is quite at odds with a flats screen TV I bought from Sony back in > 2015 that supported IPv6 - and this was Sony's own OS, not a 3rd party > one some of their current units ship with. The good ol' silo problem, > perhaps... > > Mark. >
Re: netflix proxy/unblocker false detection
> There is nothing to stop Netflix from probing a mixture of IPv4 and IPv6 > during the same video playing session. Thus they could correlate the IPv6 > with the IPv4 which correlates with my CC which correlates with my address on > file. This only works in environments that have both IPv4 and IPv6. Further, with CGN, your IPv4 address visible to Netflix is likely to represent an ever increasing geographic area in the coming years. They aren’t blocking all IPv6, just certain things like HE tunnels. If your provider implements native IPv6, you shouldn’t have any issues. If you _REALLY_ want a workaround for IPv6 over an HE tunnel, it is doable… If you get a /48 from ARIN (dirt simple to do and currently $150/year with a $500 initial cost IIRC) and set up a BGP tunnel with HE, you’ll be all set. Those seem to pass muster for Netflix Geolocation because the addresses don’t look like a tunnel to them. This does require you to have at least one public dedicated IPv4 address from your ISP, but that’s true for any HE tunnel, so if you get stuck behind CGN, your other HE tunnel options will evaporate as well. > I firmly believe that Netflix /could/ solve IPv6 playback, even through VPN, > if they wanted to. I completely believe that Netflix is capable of solving > this. I also completely believe that Netflix doesn't give a REDACTED and > chooses to ignore this problem. OK.. Assume the following: 1. Some users want to violate geofencing. 2. HE tunnel endpoints are easily updated (this is a fact more than an assumption) 3. It’s quite simple to use the same tunnel registered in a particular location in a variety of countries on several continents. (I haven’t don this for Netflix, but I have done it for IPv6 training purposes, I have a portable IPv6 classroom which uses an HE tunnel for the IPv6 routing. It uses a single IPv4 address at the site where the class is being taught and works the rest out either through NAT (IPv4) or HE Tunnel (IPv6).) How, from the Netflix side of the equation, do you determine where the tunnel actually terminates? Not where it’s registered, but where it actually terminates. How do you do this with sufficient reliability that studios who have lots of money to try the same tricks can’t easily produce enough proof that it’s easy to circumvent and you are in breech of contract and subject to significant penalties? > Instead, they choose to foist the problem onto other parties. Or pass the > blame. Again, the solutions you think easily solve this really aren’t viable. You’re looking from the very narrow perspective of your situation. The problem is that everyone with an HE tunnel isn’t in your situation and there’s no reliable way for Netflix to tell them apart. >> And too many content owners care very much where you are right this >> instant. > > Nope. I disagree. Oh, trust me, content owners are ape about this shit. They really do care. > I can just as easily extend my IPv4 address through a VPN as I can an IPv6 > address. -- Performance may suffer, but that's a different issue. Yes, but when you extend your IPv4 address through a VPN, that’s nearly impossible for them to detect. OTOH, if you use an address known to be associated with one of the many IPv4 VPN services out there, it’s not unlikely for them to block that too. > I can use my home's IPv4 address, which is GeoIP located to the same area as > my home which matches my CC billing address, can be used anywhere in the > world. Again, it comes down to detection. First, it actually requires some sophistication to do what you’re suggesting. Not a lot, but some. It takes almost nothing to do an HE tunnel. In fact, several portable routers will do HE tunnels semi-automatically through the HE API. If the studios could figure out a way to block what you’re suggesting, believe me, they’d foist that on to Netflix as well. OTOH, it’s easy to detect an HE addressed HE tunnel and those have a relatively low fraction of legitimate users compared to the numbers intent on circumventing geofencing. > So ... if I can use my IPv4 address outside of where Netflix thinks that I am > at, why is my IPv6 address any different? Because they don’t have a way to KNOW about your IPv4 address mobility. They can’t easily detect it. OTOH, your HE tunnel IPv6 address is easily detected. > I completely believe that there are technical solutions to this problem. I > also completely agree that Netflix is choosing to ignore them. OK… Explain one that you think is feasible across the entire spectrum of Netflix’s user base that will keep the studios off their case. >> Because they are unreasonable luddites who think that geographic monopolies >> make good business sense. > > As stated above, where the Luddites, or Netflix as their agent, thinks my IP > is located is actually divorced
Re: netflix proxy/unblocker false detection
> On Jun 26, 2020, at 12:32 , Grant Taylor via NANOG wrote: > > On 6/26/20 12:08 PM, Brandon Jackson via NANOG wrote: >> Correct they block HE.net's tunnel broker IP's because they practically are >> at least for the sense of geo restrictions "VPN" that can be used to get >> around said geo restriction. > > I want to agree, but I can't. Move up the stack. I pay my bill with a CC > which has my billing address. I would even be willing to tell Netflix my > home address directly. Yes, but it doesn’t matter where you live… It matters where you are watching at the moment. When I travel internationally, I guarantee you I get an entirely different Netflix experience than when I am at home. That’s what content creators what for reasons passing understanding. They want control over where you can view their content, not who can view it. > If they are willing to trust the CC information to take my money, then they > should also be willing to trust the information for my service address. Not that simple. Your phone, iPad, and Laptop aren’t reliably at your service address. No guarantee that the desktop or television you are using is at your service address, either. > If I want to use my Hurricane Electric IPv6 tunnel, to watch content that > matches my stated address which matches my CC billing address, which matches > my IPv4 address (region), then why the REDACTED can't I do so over my HE IPv6 > tunnel? Because you might not actually be in the licensing region containing your service address at the time. > I would even be willing to go through a physical snail mail confirmation > loop. I'll even pay a nominal fee to do so. That’s only going to prove where you live, not where you are at the time of viewing. > I want to watch content available in my region while I'm at the associated > address. Why can't I? You can. But what if you’re not at the associated address? I can use an HE tunnel terminated and numbered in Los Angeles from Brazil or Moscow or Tokyo or… I can even use the same tunnel from all of those locations. Personally I think all this geofencing is stupid, wasteful, and yet another example of just how truly broken the whole concept of DRM is. I’m not defending it, but I can at least (Hopefully) explain the argument that is driving this. > I think that blindly blocking Hurricane Electric IPv6 tunnels "because they > can be used as a VPN" is an old way of thinking and completely fails to take > other parts of the stack into account. Not really… You can still use an HE tunnel as a VPN to get around geofencing of content so long as your HE tunnel address isn’t blocked. > Netflix's blocking of HE IPv6 tunnels is preventing many people in the U.S.A. > that have a non-IPv6-ISP from being able to use IPv6. I've even heard of > people actively not using IPv6 because of Netflix. That’s unfortunate and needs to be reported more widely in hopes of getting this situation resolved. >> As much as I hate it as I use said tunnel service it is understandable > > I disagree. No, really, it is… It’s awful, but unless you want even less streaming content available on Netflix, it’s the reality inflicted by the content producers. The good news is that Netflix (at least so far) isn’t playing these stupid games with their own content and they’ve been bringing some darn good stuff under their label. Tragically, the IPv6 tunnel blocking seems to have been implemented as an all or nothing. Personally, I think Netflix should offer geo-unrestricted content to IPv6 tunnel users and note that the other content is unavailable because tunnel locations are unreliable. That should placate the studio jack holes responsible for this mess while still allowing studios that don’t play these stupid games a better foothold with IPv6 tunnel users. Personally, I’d like to see the Netflix UI upgraded so that you could have the option of indexing all content (whether you could view it or not) and each time you clicked on something you weren’t allowed to view, it provided contact information for the responsible party setting the restriction. Unfortunately, I suspect that the majority of users wouldn’t enjoy this opportunity for commercial activism, so I understand why Netflix doesn’t do this. >> I don't really blame Netflix for this, > > I do. Your blame is misplaced to some extent. I agree there are things Netflix could do better here (see above), but in general, the root cause of this is stupid restrictions placed on content by the producers. >> I blame the content producer/owners and the industry as a whole for >> mandating such restrictive practices. > > Are the content producers / owners mandating "Block Hurricane Electric IPv6 > tunnels" or are they mandating "Block playback to people that are outside of > the playback region”? Pretty much. Netflix use to treat tunnels as local to their registered region and the studios came at them hard claiming that was
Re: netflix proxy/unblocker false detection
On Fri, 26 Jun 2020 10:21:47 +0200, Mark Tinka said: > Sadly, PlayStation still don't support IPv6. Hopefully, it comes with > the PS5, although I see no reason why the PS4 and PS3 can't. The PS/4 will in fact dhcpv6 at startup, and it will answer pings from both on subnet and from elsewhere, and will properly hand you an RST when there's nobody listening on a TCP port, and a port unreachable for a UDP port. So it's very much a "lights are on but nobody's home" because nothing is using an IPv6 port. One big reason that PS4 doesn't use IPv6 is that although the OS supports it, the developer toolkit doesn't have that API in it, so no games or apps can use it without an incredible amount of pain and suffering. It wouldn't help games that want to talk to Playstation Network until Sony got *that* part working, but if the API was there at least things like the Netflix and Hulu and similar apps could use it pgpEx0LLWYFUs.pgp Description: PGP signature
Re: netflix proxy/unblocker false detection
On 28/Jun/20 19:37, Randy Bush wrote: > think of the burden on the netflix customer support of HE's IPv6 > tunnels. I wasn't aware about the HE situation and Netflix. I just learned about this via this thread. I understand why they are blocking those tunnels. Mark.
Re: netflix proxy/unblocker false detection
> If you don't use some kind of device to connect to Netflix, if you > have a reasonably modern TV that supports a native Netflix app as > well as IPv6, you'd be good to go. think of the burden on the netflix customer support of HE's IPv6 tunnels. randy
Re: netflix proxy/unblocker false detection
On 26/Jun/20 20:15, colin johnston wrote: > I don’t understand the rational to block specific ipv6 ranges, for example > the UK ipv6 ranges and Africa ipv6 ranges are not blocked from testing done > here with satellite comms and fibre backhaul uk comms Do you have more information on this testing? Mark.
Re: netflix proxy/unblocker false detection
On 26/Jun/20 20:08, Brandon Jackson via NANOG wrote: > > As much as I hate it as I use said tunnel service it is understandable > and I don't really blame Netflix for this, I blame the content > producer/owners and the industry as a whole for mandating such > restrictive practices. Unless I misunderstand it, there is a good chunk of Netflix original content that should not be subject to region blocking. I could be wrong. Mark.
Re: netflix proxy/unblocker false detection
- On Jun 26, 2020, at 3:39 PM, nanog nanog@nanog.org wrote: > On 6/26/20 1:42 PM, Sabri Berisha wrote: >> I'm also sure that in the past, enough people have abused their >> trust. > > I question the veracity of that statement. I for one, have been guilty of that. Using VPN when I was traveling abroad to access the series I was following. >> ... to the best of their abilities. > I highly doubt the agreements that Netflix's has with content owners > state that Hurricane Electric (et al.) must be blocked. Maybe I'm > wrong. It wouldn't be the first time today. > I believe that Netflix is choosing the lower / easier road and simply > blocking Hurricane Electric's IPv6 tunnels as an easy / low hanging > fruit option to achieve the contractual requirements. In order to enforce geographical content restrictions, the origin of a request must be determined. If that origin is a known tunneling address, you are unable to determine the true geographical position of that particular client. In that case, it is impossible for Netflix to determine that the viewer is in a location authorized to view the content. Since they know that HE's IPv6 broker range is most likely being tunneled, and they know that there is no way to accurately determine the true origin of the client, the must prevent it from accessing the content. It's not like HE can insert an X-Origin-GEOIP: x.x.x.x or something. >> False positives (meaning, people being denied while being in-region), are >> going >> to be an unwelcome side-effect. > Without seeing actual licenses to support "you must block Hurricane > Electric", I'm going to choose to disagree with the license scapegoat. We'll never be privvy to those license agreements. All we'll know is that they'll most likely include geographical restrictions. Thanks, Sabri
Re: netflix proxy/unblocker false detection
On 26/Jun/20 19:40, Sabri Berisha wrote: > Don't hold your breath. It's most likely not related to the capabilities > of the hardware, or even the kernel running on the platform. I'm hoping a new device will bring with it renewed vigour :-). I'm probably being ambitious. Overly. > My guess is that there is no IPv6 support because the backend doesn't > support it. I've seen this at previous employers where the network was ready > for IPv6, but back-end applications were lagging. And that might require > development on a lot of games as well. > > Perhaps we should start a rumor: "IPv6 has a lower ping!". We'll get > thousands of gamers protesting for v6 in front of Sony's HQ :) I'd be down with that. Gamers will kill for even 1 nanosecond of lower "ping" :-). Which is quite at odds with a flats screen TV I bought from Sony back in 2015 that supported IPv6 - and this was Sony's own OS, not a 3rd party one some of their current units ship with. The good ol' silo problem, perhaps... Mark.
Re: netflix proxy/unblocker false detection
On 26/Jun/20 15:48, Owen DeLong wrote: > I can’t speak for Netflix, but the reality is that there’s really no good > way to “fix” CGNAT other than migrating to IPv6 and eliminating it. > > CGNAT by its nature combines multiple subscribers behind a single address. > > When you make subscribers indistinguishable to the content provider, then > any subscriber in the group committing abuse is likely to get all the > subscribers in the group cut off. There’s no good way around that. > > Expecting content providers to maintain some sort of record of every > eyeball provider’s CGNAT port mapping policy in order to do more granular > filtering simply does not scale. > > So I don’t know how (or even if) Netflix will answer, but were I in their > shoes, I’d probably answer as follows: > > “IPv4 is a technology which has been extended well past its > ability to provide a good user experience. CGNAT, while it > allows providers to try and extend the lifetime of IPv4 > ultimately provides an increasingly degraded user experience. > We fully support IPv6. Deploying IPv6 support is the best > path to providing an improved user experience on Netflix > vs. CGNAT and IPv4.” > > Seriously, if you were Netflix, what would be the point of putting serious > investment into attempts to solve what will become an increasingly intractable > problem when you already have a clear solution that scales and requires > relatively easy and inherently necessary upgrades by the eyeball ISP that > you’ve already completed on your side? That would be my reading of the situation, if I were Netflix. While we don't know their true on-the-record position, for sure, I doubt we'd be far-fetched in assuming this to be case. Mark.
Re: netflix proxy/unblocker false detection
On 26/Jun/20 19:25, Gary E. Miller wrote: > Nope. Netflix blocks a lot of IPv6. Their blocking of HE has been > discussed here many times. Possibly, but I was merely referring to a compatible device. Actual ability to get IPv6 transport toward Netflix is an entirely different matter. Mark. signature.asc Description: OpenPGP digital signature
Re: netflix proxy/unblocker false detection
On 6/26/20 1:42 PM, Sabri Berisha wrote: Hi, Hi, This is the part that matters the most. I'm sure they're willing. Let's agree to disagree on Netflix's willingness. I'm also sure that in the past, enough people have abused their trust. I question the veracity of that statement. Since they are legally obliged to adhere to their licensing agreements, they have no choice but to implement technical precautions to enforce those agreements ... I agree to that part of your statement. What's more is I have no objection to it. I even support it. ... to the best of their abilities. This is where I have a problem. I highly doubt the agreements that Netflix's has with content owners state that Hurricane Electric (et al.) must be blocked. Maybe I'm wrong. It wouldn't be the first time today. I believe that Netflix is choosing the lower / easier road and simply blocking Hurricane Electric's IPv6 tunnels as an easy / low hanging fruit option to achieve the contractual requirements. I do not believe that we are seeing the best of Netflix's abilities to filter content. To be more blunt, I believe that Netflix is capable and can do better than they are doing now. Amazon does better. YouTube does better. CBS does better. Hulu does better. Where better is working with my Hurricane Electric IPv6 tunnel and not forcing me to DNS filtering of records for their domains, independent DNSSEC. I can only speculate that Netflix doesn't care. As such, they /choose/ this road through inaction on their part. False positives (meaning, people being denied while being in-region), are going to be an unwelcome side-effect. This side effect is like forgetting about your hurt knee after hitting your thumb with a hammer, on purpose. In the end, I must agree with Mike Hammett when he said: Media licensing is a complicated topic and the source of all of these problems. Without seeing actual licenses to support "you must block Hurricane Electric", I'm going to choose to disagree with the license scapegoat. I believe that Netflix is capable of doing better if they wanted to. I can only surmise that they don't want to. -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature
Re: netflix proxy/unblocker false detection
On 6/26/20 3:21 PM, William Herrin wrote: Hi Grant, Hi, Philosophically, Netflix agrees with you. My interactions with and observations of Netflix make me want to disagree with you. Unfortunately they have to keep the studios happy or many of their content contracts evaporate. I fail to see how me watching a video at my address on file, which matches my CC's address on file, which matches the GeoIP region for my IPv4 address becomes invalidated because I'm using IPv6. There is nothing to stop Netflix from probing a mixture of IPv4 and IPv6 during the same video playing session. Thus they could correlate the IPv6 with the IPv4 which correlates with my CC which correlates with my address on file. I firmly believe that Netflix /could/ solve IPv6 playback, even through VPN, if they wanted to. I completely believe that Netflix is capable of solving this. I also completely believe that Netflix doesn't give a REDACTED and chooses to ignore this problem. Instead, they choose to foist the problem onto other parties. Or pass the blame. And too many content owners care very much where you are right this instant. Nope. I disagree. I can just as easily extend my IPv4 address through a VPN as I can an IPv6 address. -- Performance may suffer, but that's a different issue. I can use my home's IPv4 address, which is GeoIP located to the same area as my home which matches my CC billing address, can be used anywhere in the world. So ... if I can use my IPv4 address outside of where Netflix thinks that I am at, why is my IPv6 address any different? I completely believe that there are technical solutions to this problem. I also completely agree that Netflix is choosing to ignore them. Because they are unreasonable luddites who think that geographic monopolies make good business sense. As stated above, where the Luddites, or Netflix as their agent, thinks my IP is located is actually divorced from where I am really watching from. Or at least can be. -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature
Re: netflix proxy/unblocker false detection
On Fri, Jun 26, 2020 at 12:34 PM Grant Taylor via NANOG wrote: > I want to agree, but I can't. Move up the stack. I pay my bill with a > CC which has my billing address. I would even be willing to tell > Netflix my home address directly. > > If they are willing to trust the CC information to take my money, then > they should also be willing to trust the information for my service address. > > If I want to use my Hurricane Electric IPv6 tunnel, to watch content > that matches my stated address which matches my CC billing address, > which matches my IPv4 address (region), then why the REDACTED can't I do > so over my HE IPv6 tunnel? Hi Grant, Philosophically, Netflix agrees with you. Unfortunately they have to keep the studios happy or many of their content contracts evaporate. And too many content owners care very much where you are right this instant. Because they are unreasonable luddites who think that geographic monopolies make good business sense. Regards, Bill Herrin -- William Herrin b...@herrin.us https://bill.herrin.us/
Re: netflix proxy/unblocker false detection
- On Jun 26, 2020, at 12:32 PM, nanog nanog@nanog.org wrote: Hi, > they should also be willing to trust the information for my service address. This is the part that matters the most. I'm sure they're willing. I'm also sure that in the past, enough people have abused their trust. Since they are legally obliged to adhere to their licensing agreements, they have no choice but to implement technical precautions to enforce those agreements to the best of their abilities. False positives (meaning, people being denied while being in-region), are going to be an unwelcome side-effect. In the end, I must agree with Mike Hammett when he said: > Media licensing is a complicated topic and the source of all of these > problems. Thanks, Sabri
Re: netflix proxy/unblocker false detection
On 6/26/20 12:08 PM, Brandon Jackson via NANOG wrote: Correct they block HE.net's tunnel broker IP's because they practically are at least for the sense of geo restrictions "VPN" that can be used to get around said geo restriction. I want to agree, but I can't. Move up the stack. I pay my bill with a CC which has my billing address. I would even be willing to tell Netflix my home address directly. If they are willing to trust the CC information to take my money, then they should also be willing to trust the information for my service address. If I want to use my Hurricane Electric IPv6 tunnel, to watch content that matches my stated address which matches my CC billing address, which matches my IPv4 address (region), then why the REDACTED can't I do so over my HE IPv6 tunnel? I would even be willing to go through a physical snail mail confirmation loop. I'll even pay a nominal fee to do so. I want to watch content available in my region while I'm at the associated address. Why can't I? I think that blindly blocking Hurricane Electric IPv6 tunnels "because they can be used as a VPN" is an old way of thinking and completely fails to take other parts of the stack into account. Netflix's blocking of HE IPv6 tunnels is preventing many people in the U.S.A. that have a non-IPv6-ISP from being able to use IPv6. I've even heard of people actively not using IPv6 because of Netflix. As much as I hate it as I use said tunnel service it is understandable I disagree. I don't really blame Netflix for this, I do. I blame the content producer/owners and the industry as a whole for mandating such restrictive practices. Are the content producers / owners mandating "Block Hurricane Electric IPv6 tunnels" or are they mandating "Block playback to people that are outside of the playback region"? My opinion is that Netflix is taking the low road as an easy way out while trying to shift blame to someone else. Using that as an argument against Netflix for bad labeling of IP blocks at least in terms of IPv6 is not fair. I completely believe that Netflix could do a LOT better than they are doing now. -- Grant. . . . unix || die smime.p7s Description: S/MIME Cryptographic Signature
Re: netflix proxy/unblocker false detection
Media licensing is a complicated topic and the source of all of these problems. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "colin johnston" To: "Brian J. Murrell" Cc: nanog@nanog.org Sent: Friday, June 26, 2020 1:15:24 PM Subject: Re: netflix proxy/unblocker false detection > On Fri, 2020-06-26 at 12:45 -0500, Mike Hammett wrote: >> I believe they're only blocking the HE v6 prefixes used for the VPN >> service. > I don’t understand the rational to block specific ipv6 ranges, for example the UK ipv6 ranges and Africa ipv6 ranges are not blocked from testing done here with satellite comms and fibre backhaul uk comms Col
Re: netflix proxy/unblocker false detection
> On Fri, 2020-06-26 at 12:45 -0500, Mike Hammett wrote: >> I believe they're only blocking the HE v6 prefixes used for the VPN >> service. > I don’t understand the rational to block specific ipv6 ranges, for example the UK ipv6 ranges and Africa ipv6 ranges are not blocked from testing done here with satellite comms and fibre backhaul uk comms Col
Re: netflix proxy/unblocker false detection
On Fri, 2020-06-26 at 12:45 -0500, Mike Hammett wrote: > I believe they're only blocking the HE v6 prefixes used for the VPN > service. I don't use any VPN service of HE but I still get errors from Netflix when my client chooses my HE tunnel prefix as it's source. Or I guess I should say I was, the last time I tried and have since rejected Netflix's IPv6 hosts when the source address is the HE tunnel, so force clients to choose a different source address. Cheers, b. signature.asc Description: This is a digitally signed message part
Re: netflix proxy/unblocker false detection
Correct they block HE.net's tunnel broker IP's because they practically are at least for the sense of geo restrictions "VPN" that can be used to get around said geo restriction. As much as I hate it as I use said tunnel service it is understandable and I don't really blame Netflix for this, I blame the content producer/owners and the industry as a whole for mandating such restrictive practices. Using that as an argument against Netflix for bad labeling of IP blocks at least in terms of IPv6 is not fair. On Fri, Jun 26, 2020, 13:47 Mike Hammett wrote: > I believe they're only blocking the HE v6 prefixes used for the VPN > service. > > > > - > Mike Hammett > Intelligent Computing Solutions <http://www.ics-il.com/> > <https://www.facebook.com/ICSIL> > <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> > <https://www.linkedin.com/company/intelligent-computing-solutions> > <https://twitter.com/ICSIL> > Midwest Internet Exchange <http://www.midwest-ix.com/> > <https://www.facebook.com/mdwestix> > <https://www.linkedin.com/company/midwest-internet-exchange> > <https://twitter.com/mdwestix> > The Brothers WISP <http://www.thebrotherswisp.com/> > <https://www.facebook.com/thebrotherswisp> > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> > ---------- > *From: *"Gary E. Miller" > *To: *nanog@nanog.org > *Sent: *Friday, June 26, 2020 12:25:07 PM > *Subject: *Re: netflix proxy/unblocker false detection > > Yo Mark! > > On Fri, 26 Jun 2020 10:21:47 +0200 > Mark Tinka wrote: > > > If you don't use some kind of device to connect to Netflix, if you > > have a reasonably modern TV that supports a native Netflix app as > > well as IPv6, you'd be good to go. > > Nope. Netflix blocks a lot of IPv6. Their blocking of HE has been > discussed here many times. > > RGDS > GARY > --- > Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 > g...@rellim.com Tel:+1 541 382 8588 > > Veritas liberabit vos. -- Quid est veritas? > "If you can't measure it, you can't improve it." - Lord Kelvin > >
Re: netflix proxy/unblocker false detection
I believe they're only blocking the HE v6 prefixes used for the VPN service. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Gary E. Miller" To: nanog@nanog.org Sent: Friday, June 26, 2020 12:25:07 PM Subject: Re: netflix proxy/unblocker false detection Yo Mark! On Fri, 26 Jun 2020 10:21:47 +0200 Mark Tinka wrote: > If you don't use some kind of device to connect to Netflix, if you > have a reasonably modern TV that supports a native Netflix app as > well as IPv6, you'd be good to go. Nope. Netflix blocks a lot of IPv6. Their blocking of HE has been discussed here many times. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can't measure it, you can't improve it." - Lord Kelvin
Re: netflix proxy/unblocker false detection
- On Jun 26, 2020, at 1:21 AM, Mark Tinka mark.ti...@seacom.com wrote: Hi, > Sadly, PlayStation still don't support IPv6. Hopefully, it comes with > the PS5, Don't hold your breath. It's most likely not related to the capabilities of the hardware, or even the kernel running on the platform. > although I see no reason why the PS4 and PS3 can't. My guess is that there is no IPv6 support because the backend doesn't support it. I've seen this at previous employers where the network was ready for IPv6, but back-end applications were lagging. And that might require development on a lot of games as well. Perhaps we should start a rumor: "IPv6 has a lower ping!". We'll get thousands of gamers protesting for v6 in front of Sony's HQ :) Thanks, Sabri
Re: netflix proxy/unblocker false detection
Yo Mark! On Fri, 26 Jun 2020 10:21:47 +0200 Mark Tinka wrote: > If you don't use some kind of device to connect to Netflix, if you > have a reasonably modern TV that supports a native Netflix app as > well as IPv6, you'd be good to go. Nope. Netflix blocks a lot of IPv6. Their blocking of HE has been discussed here many times. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can't measure it, you can't improve it." - Lord Kelvin pgpROuFfpyBMs.pgp Description: OpenPGP digital signature
Re: netflix proxy/unblocker false detection
> On Jun 25, 2020, at 8:38 AM, Mark Tinka wrote: > > > > On 25/Jun/20 16:45, Christian wrote: >> wow. blaming support for IPv6 rather than using cgnat is a huge >> stretch of credibility > > I have no idea what's going through Netflix's mind - it's all, as my > American friend would say, conjecturbation on my part. > > CG-NAT isn't new, and if Netflix are still not able to consider it a > "fixed issue", there is probably a reason why that is. > > Ultimately, reaching out to them and asking their position on the matter > seems like a path to an answer. > > Mark. I can’t speak for Netflix, but the reality is that there’s really no good way to “fix” CGNAT other than migrating to IPv6 and eliminating it. CGNAT by its nature combines multiple subscribers behind a single address. When you make subscribers indistinguishable to the content provider, then any subscriber in the group committing abuse is likely to get all the subscribers in the group cut off. There’s no good way around that. Expecting content providers to maintain some sort of record of every eyeball provider’s CGNAT port mapping policy in order to do more granular filtering simply does not scale. So I don’t know how (or even if) Netflix will answer, but were I in their shoes, I’d probably answer as follows: “IPv4 is a technology which has been extended well past its ability to provide a good user experience. CGNAT, while it allows providers to try and extend the lifetime of IPv4 ultimately provides an increasingly degraded user experience. We fully support IPv6. Deploying IPv6 support is the best path to providing an improved user experience on Netflix vs. CGNAT and IPv4.” Seriously, if you were Netflix, what would be the point of putting serious investment into attempts to solve what will become an increasingly intractable problem when you already have a clear solution that scales and requires relatively easy and inherently necessary upgrades by the eyeball ISP that you’ve already completed on your side? Owen
Re: netflix proxy/unblocker false detection
I take his statement more as: “If Netflix wasn’t doing IPv6, they’d be in more of a corner to resolve CGNAT issues. Since they support IPv6, likely their response to CGNAT issues is ``Press your provider to do IPv6, it’s better.’’” Likely, that is true. Support for IPv6 isn’t at fault here. Rather, the reality that IPv6 is a relatively easy way to offer a much better user experience than CGNAT is in play here. Owen > On Jun 25, 2020, at 7:45 AM, Christian wrote: > > wow. blaming support for IPv6 rather than using cgnat is a huge stretch of > credibility > > On 25/06/2020 10:20, Mark Tinka wrote: >> >> On 25/Jun/20 11:08, Denys Fedoryshchenko wrote: >> >>> Did anybody noticed that Netflix just became useless due to tons of >>> proxy/unblocker false detection on CGNAT ranges? >>> Even my home network is dual stack, i am absolutely sure there is no >>> proxy/vpn/whatsoever (but ipv4 part is over CGNAT) - and i got >>> "proxy/unblocker" message on my personal TV. >>> And many other ISP sysadmins told me that recently this is a massive >>> problem, and netflix support is frankly inadequate and does not want >>> to solve the problem. >>> I will not be surprised that they will begin to actively lose users >>> due to such a shameful silly screwed up algorithm. >>> Who in sober mind blocks all legit users due probably one or two >>> suspicious users behind same IP range? >> This isn't a new problem - for years, services that track what a single >> IP address does can deny access if something looks amiss. >> >> Of course, CG-NAT is a reality, but perhaps Netflix find it will be >> easier to lose some customers than building infrastructure and support >> to work out what is valid CG-NAT vs. mischief. >> >> Probably would have been an easier case if Netflix didn't support IPv6, >> but alas... >> >> Mark. > > -- > Christian de Larrinaga > --
Re: netflix proxy/unblocker false detection
On Thu, 2020-06-25 at 17:32 -0500, Mike Hammett wrote: > IPv6? I realize this list is for network operators, but as a user, when your ISP doesn't provide IPv6, this is not possible. Even with tunnelbrokers like HE as they are blocked at Netflix. I have to put rules in my firewall to force the clients in my network to use the non- HE addresses. Cheers, b. signature.asc Description: This is a digitally signed message part
Re: netflix proxy/unblocker false detection
On 26/Jun/20 03:12, Denys Fedoryshchenko wrote: > > > Honestly, this is very confusing suggestion from Netflix support (i > have native ipv6!). > Looking to > https://www.reddit.com/r/ipv6/comments/evv7r8/ipv6_and_netflix/ there > is definitely some issues for other users too. This seems to suggest Netflix detect for an block IPv6 transported over a 6-in-4 tunnel. Is this what you have? Can't say I've ever heard of this issue. Interesting... Mark.
Re: netflix proxy/unblocker false detection
On 25/Jun/20 18:08, Brandon Jackson via NANOG wrote: > Actually it's a good thing that Netflix does support IPv6 for this. As > any device using Netflix via IPv6 from your ISP would likely correctly > be protected as not a VPN or proxy. > > The problem is the ISPs that deploy CGNAT without also deploying IPv6 > is ridiculous. They are directly affected by the death of IPv4 yet > will not deploy IPv6, to me that is unacceptable. > > Unfortunately as well you have devices such as Roku who still refuse > to support IPv6 at all, so even if said ISP deployed IPv6 at least > users using Roku would still be in the same boat. If you don't use some kind of device to connect to Netflix, if you have a reasonably modern TV that supports a native Netflix app as well as IPv6, you'd be good to go. Sadly, PlayStation still don't support IPv6. Hopefully, it comes with the PS5, although I see no reason why the PS4 and PS3 can't. Mark.
Re: netflix proxy/unblocker false detection
On 2020-06-26 01:32, Mike Hammett wrote: IPv6? - By some reason my smart TV doesn't use IPv6 for Netflix, even everything else in same network using it properly (even developed for ESP8266/ESP32 - IPv6 enabled apps). And what is worse: "Netflix Kimberly The Network settings is to check if it is in Automatic not specifically to search for VPN and Proxy in that area, but that is okay. Then please remember that IPv6 is not allowed and should be disabled. With all these done, please contact your Internet Service provider to get further clarification on this matter. I will send you an email with some other information to consult with . Please give me a moment to send it to you" Honestly, this is very confusing suggestion from Netflix support (i have native ipv6!). Looking to https://www.reddit.com/r/ipv6/comments/evv7r8/ipv6_and_netflix/ there is definitely some issues for other users too. And final nail, local providers with OCA who does peering - don't provide IPv6 peering at all, and ISP i am using is too small to be qualified for OCA. Since bandwidth is very expensive here, it is no-go to push ipv6 and cutting off themself from cheaper(than "international capacity") OCA peering. Still, i tried, in browser it seems worked, but anyway i'm not going to watch movies on my desktop, while i have 4k screen, and also there is tons of users who don't have IPv6 enabled routers (they just buy cheapest brand).
Re: netflix proxy/unblocker false detection
IPv6? - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Denys Fedoryshchenko" To: "Dave Temkin" Cc: "North American Network Operators' Group" Sent: Thursday, June 25, 2020 2:44:43 PM Subject: Re: netflix proxy/unblocker false detection On 2020-06-25 19:20, Dave Temkin via NANOG wrote: > If you or others are not receiving a satisfactory reply from us > (Netflix) on this issue, please feel free to reach out directly and > I'll make sure it gets handled. > > So far as we know, we handle CGNAT (and IPv6) appropriately. Sometimes > ranges get reassigned and the data that we have gets stale - this > happens quite often since formal runout, and so sometimes we're behind > the ball on it, but be assured that we take this seriously. > > Thanks, > -Dave > This problem has been bothering operators in Lebanon for more than a month, and frankly they have not received any reasonable answers yet. IP's are the same for several years, no changes, but all of sudden users start to get reduced list of titles (only netflix originals) and popup messages. Maybe some of the clients are doing something bad, but in fact its not right to block legitimate clients with them because they are behind same CGNAT IP, I know for sure that I am using an absolutely normal account of the highest plan, on my absolutely ordinary Smart TV for last year, without any changes, i am in the same IP pool, but yet i have problem. And if someone doing something bad, we(ISP) can assist and if there is enough info, we move such people to different IP pool or if there is clear proof of wrongdoing we can even disconnect such clients. But we are getting nothing at all from support, except template "we are working hard on your problem", which is kind of disrespectful and enough. Today I tried it myself as a client, and as result it was 4 hour standoff in live chat, as support tried to feed me usual "we are working hard on your problem" and as i didnt accepted usual script/templates anymore, it turned into outright mockery on me, sending me literally same message template again and again, until i realised that i was wasting my time with reasoning. At the end, i received an answer that temporarily ok for me, but i hope the problem will be resolved properly soon, if it reached the right person, due my polite persistence.* At least today we got new contact, email for geosupport, and i have some hope that it will be more helpful, at least 3 ISP representatives mailed them. And i know for sure that i'm not going to give up until i find proper solution. *Which cost me and my cat a lot of stress today. (I couldn’t feed the cat because of the live chat timeouts, and he just keep meowing under the table demanding food).
Re: netflix proxy/unblocker false detection
On 2020-06-25 19:20, Dave Temkin via NANOG wrote: If you or others are not receiving a satisfactory reply from us (Netflix) on this issue, please feel free to reach out directly and I'll make sure it gets handled. So far as we know, we handle CGNAT (and IPv6) appropriately. Sometimes ranges get reassigned and the data that we have gets stale - this happens quite often since formal runout, and so sometimes we're behind the ball on it, but be assured that we take this seriously. Thanks, -Dave This problem has been bothering operators in Lebanon for more than a month, and frankly they have not received any reasonable answers yet. IP's are the same for several years, no changes, but all of sudden users start to get reduced list of titles (only netflix originals) and popup messages. Maybe some of the clients are doing something bad, but in fact its not right to block legitimate clients with them because they are behind same CGNAT IP, I know for sure that I am using an absolutely normal account of the highest plan, on my absolutely ordinary Smart TV for last year, without any changes, i am in the same IP pool, but yet i have problem. And if someone doing something bad, we(ISP) can assist and if there is enough info, we move such people to different IP pool or if there is clear proof of wrongdoing we can even disconnect such clients. But we are getting nothing at all from support, except template "we are working hard on your problem", which is kind of disrespectful and enough. Today I tried it myself as a client, and as result it was 4 hour standoff in live chat, as support tried to feed me usual "we are working hard on your problem" and as i didnt accepted usual script/templates anymore, it turned into outright mockery on me, sending me literally same message template again and again, until i realised that i was wasting my time with reasoning. At the end, i received an answer that temporarily ok for me, but i hope the problem will be resolved properly soon, if it reached the right person, due my polite persistence.* At least today we got new contact, email for geosupport, and i have some hope that it will be more helpful, at least 3 ISP representatives mailed them. And i know for sure that i'm not going to give up until i find proper solution. *Which cost me and my cat a lot of stress today. (I couldn’t feed the cat because of the live chat timeouts, and he just keep meowing under the table demanding food).
Re: netflix proxy/unblocker false detection
If you or others are not receiving a satisfactory reply from us (Netflix) on this issue, please feel free to reach out directly and I'll make sure it gets handled. So far as we know, we handle CGNAT (and IPv6) appropriately. Sometimes ranges get reassigned and the data that we have gets stale - this happens quite often since formal runout, and so sometimes we're behind the ball on it, but be assured that we take this seriously. Thanks, -Dave On Thu, Jun 25, 2020 at 11:42 AM Mark Tinka wrote: > > > On 25/Jun/20 16:45, Christian wrote: > > wow. blaming support for IPv6 rather than using cgnat is a huge > > stretch of credibility > > I have no idea what's going through Netflix's mind - it's all, as my > American friend would say, conjecturbation on my part. > > CG-NAT isn't new, and if Netflix are still not able to consider it a > "fixed issue", there is probably a reason why that is. > > Ultimately, reaching out to them and asking their position on the matter > seems like a path to an answer. > > Mark. >
Re: netflix proxy/unblocker false detection
Actually it's a good thing that Netflix does support IPv6 for this. As any device using Netflix via IPv6 from your ISP would likely correctly be protected as not a VPN or proxy. The problem is the ISPs that deploy CGNAT without also deploying IPv6 is ridiculous. They are directly affected by the death of IPv4 yet will not deploy IPv6, to me that is unacceptable. Unfortunately as well you have devices such as Roku who still refuse to support IPv6 at all, so even if said ISP deployed IPv6 at least users using Roku would still be in the same boat. On Thu, Jun 25, 2020, 11:43 Mark Tinka wrote: > > > On 25/Jun/20 16:45, Christian wrote: > > wow. blaming support for IPv6 rather than using cgnat is a huge > > stretch of credibility > > I have no idea what's going through Netflix's mind - it's all, as my > American friend would say, conjecturbation on my part. > > CG-NAT isn't new, and if Netflix are still not able to consider it a > "fixed issue", there is probably a reason why that is. > > Ultimately, reaching out to them and asking their position on the matter > seems like a path to an answer. > > Mark. >
Re: netflix proxy/unblocker false detection
On 25/Jun/20 16:45, Christian wrote: > wow. blaming support for IPv6 rather than using cgnat is a huge > stretch of credibility I have no idea what's going through Netflix's mind - it's all, as my American friend would say, conjecturbation on my part. CG-NAT isn't new, and if Netflix are still not able to consider it a "fixed issue", there is probably a reason why that is. Ultimately, reaching out to them and asking their position on the matter seems like a path to an answer. Mark.
Re: netflix proxy/unblocker false detection
wow. blaming support for IPv6 rather than using cgnat is a huge stretch of credibility On 25/06/2020 10:20, Mark Tinka wrote: On 25/Jun/20 11:08, Denys Fedoryshchenko wrote: Did anybody noticed that Netflix just became useless due to tons of proxy/unblocker false detection on CGNAT ranges? Even my home network is dual stack, i am absolutely sure there is no proxy/vpn/whatsoever (but ipv4 part is over CGNAT) - and i got "proxy/unblocker" message on my personal TV. And many other ISP sysadmins told me that recently this is a massive problem, and netflix support is frankly inadequate and does not want to solve the problem. I will not be surprised that they will begin to actively lose users due to such a shameful silly screwed up algorithm. Who in sober mind blocks all legit users due probably one or two suspicious users behind same IP range? This isn't a new problem - for years, services that track what a single IP address does can deny access if something looks amiss. Of course, CG-NAT is a reality, but perhaps Netflix find it will be easier to lose some customers than building infrastructure and support to work out what is valid CG-NAT vs. mischief. Probably would have been an easier case if Netflix didn't support IPv6, but alas... Mark. -- Christian de Larrinaga --
Re: netflix proxy/unblocker false detection
On 25/Jun/20 11:08, Denys Fedoryshchenko wrote: > Did anybody noticed that Netflix just became useless due to tons of > proxy/unblocker false detection on CGNAT ranges? > Even my home network is dual stack, i am absolutely sure there is no > proxy/vpn/whatsoever (but ipv4 part is over CGNAT) - and i got > "proxy/unblocker" message on my personal TV. > And many other ISP sysadmins told me that recently this is a massive > problem, and netflix support is frankly inadequate and does not want > to solve the problem. > I will not be surprised that they will begin to actively lose users > due to such a shameful silly screwed up algorithm. > Who in sober mind blocks all legit users due probably one or two > suspicious users behind same IP range? This isn't a new problem - for years, services that track what a single IP address does can deny access if something looks amiss. Of course, CG-NAT is a reality, but perhaps Netflix find it will be easier to lose some customers than building infrastructure and support to work out what is valid CG-NAT vs. mischief. Probably would have been an easier case if Netflix didn't support IPv6, but alas... Mark.
Re: netflix proxy/unblocker false detection
Try the contact information on this page to resolve it: http://thebrotherswisp.com/index.php/geo-and-vpn/ - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Denys Fedoryshchenko" To: nanog@nanog.org Sent: Thursday, June 25, 2020 4:08:34 AM Subject: netflix proxy/unblocker false detection Did anybody noticed that Netflix just became useless due to tons of proxy/unblocker false detection on CGNAT ranges? Even my home network is dual stack, i am absolutely sure there is no proxy/vpn/whatsoever (but ipv4 part is over CGNAT) - and i got "proxy/unblocker" message on my personal TV. And many other ISP sysadmins told me that recently this is a massive problem, and netflix support is frankly inadequate and does not want to solve the problem. I will not be surprised that they will begin to actively lose users due to such a shameful silly screwed up algorithm. Who in sober mind blocks all legit users due probably one or two suspicious users behind same IP range?
