Re: Netflix VPN detection - actual engineer needed

2016-06-14 Thread Davide Davini
On 08/06/2016 18:17, Owen DeLong wrote:
>>> Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
>>
>> Even though that sounds like an awesome idea it does not seem trivial to
>> me to obtain your own /48.
> 
> It’s trivial in the ARIN region. Other regions are YMMV.

I thought you might have been thinking of ARIN. :)

>> I mean: "You can only request IPv6 assignments and Autonomous System
>> Numbers through a Sponsoring LIR (a RIPE NCC member)"
>> https://www.ripe.net/manage-ips-and-asns/resource-management/number-resources/independent-resources
> I would suggest trying to work through the RIPE PDWG to get that policy 
> changed if you feel it is a hindrance to your deployment.
> I do know that RIPE has this (rather silly IMHO) process for keeping PI end 
> users at arms length, but as I understand it, it’s also not very hard to find 
> an LIR that will charge you a fee to acquire the addresses and pass them 
> along to you.

I tend to agree, it is silly.

>> But you know, my knowledge on the matter is half an hour old, I might be
>> dead wrong.
> 
> I think you’re right, but my understanding is that it is fairly trivial to 
> comply with that requirement. I’ll be surprised if some LIRs don’t contact 
> you as a result of this email.

It hasn't happened yet, but I might try to "poke" someone when I have some
time to spare.

Ciao, Davide Davini



Re: Netflix VPN detection - actual engineer needed

2016-06-14 Thread Davide Davini
On 08/06/2016 18:23, Laszlo Hanyecz wrote:
> Well there is one good thing that might come out of this if you're a
> tunnel user.. the tunnels can have even more bandwidth now, with all the
> Netflix traffic moving off them.  I have no special visibility into how
> (over)loaded they are, just speculating.

I have used HE tunnels since 2009, and I don't recall having any bandwidth
problem that wasn't related to my local link. I never used super fast
physical links either though: 10 Mbit/s, 20 Mbit/s, 50 Mbit/s.

I hardly had any issue to be perfectly honest with you, of any kind.

Ciao, Davide Davini.





Re: Turning Off IPv6 for Good (was Re: Netflix VPN detection - actual engineer needed)

2016-06-12 Thread Jay Hennigan

On 6/1/16 9:23 PM, Roland Dobbins wrote:

On 2 Jun 2016, at 10:47, Paul Ferguson wrote:


There is an epic lesson here. I'm just not sure what it is. :-)


That Netflix offering free streaming to everyone over IPv6 (after fixing
their VPN detection) would be the most effective way to convince
end-users to demand IPv6 service from their ISPs?


Something (somewhat) similar was tried in 2007. TTBOMK it never got 
fully implemented. "The Great IPv6 Experiment"


https://www.nanog.org/mailinglist/mailarchives/old_archive/2007-09/msg8.html

--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV


Re: Netflix VPN detection - actual engineer needed

2016-06-09 Thread Antonio Querubin

On Wed, 8 Jun 2016, Baldur Norddahl wrote:

A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS 
lookup on netflix.com. I am not running an HE tunnel (I got native IPv6) and I 
am not blocked from accessing Netflix over IPv6 so can't really try it. I am


I sent some email earlier that that does work using a host firewall on an 
affected client.  For some reason my email is in hold state - not sure 
what's up with that.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com


Re: Netflix VPN detection - actual engineer needed

2016-06-09 Thread Antonio Querubin

On Wed, 8 Jun 2016, Mark Andrews wrote:


And which set of prefixes is that?  How often do they change? etc.


Apparently there's only 2620:108:7000::/44 and I doubt it'll change often. 
An associate actually reported this problem to me today.  I ended up just 
installing a host firewall rule on his Netflix viewer and made the problem 
go away.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com


Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Owen DeLong
Why? I use Mobile Hotspot… It’s part of the service I pay for. If Cameron can’t
make that work, then that’s T-Mobile’s problem, not mine.

Owen

> On Jun 8, 2016, at 1:25 PM, joel jaeggli  wrote:
> 
> On 6/8/16 9:13 AM, Owen DeLong wrote:
>> As of last week, I still wasn’t getting an IPv6 address by default on my 
>> iPhone 6S+
>> on T-Mobile.
> 
> turn off mobile hotspot...
> 
>> Just saying.
>> 
>> Owen
>> 
>>> On Jun 7, 2016, at 11:00 AM, Ca By  wrote:
>>> 
>>> On Tuesday, June 7, 2016, Cryptographrix  wrote:
>>> 
>>>> Very true - I was being a bit extremist out of frustration, but I think
>>>> you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6
>>>> support, not actually IPv6 support.
>>>> 
>>>> And I'm quite frustrated because there's so little actual v6 support, and
>>>> I *do* actually need it on a daily basis for work.
>>>> 
>>>> Because there's no actual ISP IPv6 support anywhere else (in parts of the
>>>> US that *have* multiple ISPs), you can't even make the case to your ISP
>>>> that it's a legitimate requirement for you because they know you're not
>>>> really going to get v6 elsewhere.
>>>> 
>>>> 
>>> I think we have different definitions of "no actual isp ipv6 support"
>>> 
>>> Again, a helpful akamai blog
>>> https://blogs.akamai.com/2016/06/four-years-since-world-ipv6-launch-entering-the-mainstream.html
>>> 
>>> fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have
>>> meaningful deployments of ipv6. The only thing holding back greater
>>> deployment for those networks is legacy CPE that will age out slowly.
>>> 
>>> All 4 of the national mobile operators have ipv6 default on for most
>>> new phone models.
>>> 
>>> Yes, many gaps to fill still. But, on "my network" with shy of 70 million
>>> users, everything has ipv6 except the iPhone, and that will change RSN. And
>>> for users with v6, the majority of their traffic is ipv6 e2e since the
>>> whales (google, fb, netflix, increasingly Akamai) are dual stack.
>>> 
>>> CB
>>> 
>>> 
>>>> 
>>>> 
>>>> On Tue, Jun 7, 2016 at 10:22 AM Ca By wrote:
>>>> 
>>>>> 
>>>>> 
>>>>> On Tuesday, June 7, 2016, Cryptographrix wrote:
>>>>> 
>>>>>> As I said to Netflix's tech support - if they advocate for people to turn
>>>>>> off IPv6 on their end, maybe Netflix should stop supporting it on their
>>>>>> end.
>>>>>> 
>>>>>> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
>>>>>> the moment, and if their tech support is telling people to turn off IPv6,
>>>>>> maybe they should just instead remove their AAAA records.
>>>>>> 
>>>>>> (or fail back to ipv4 when v6 looks like a tunnel)
>>>>>> 
>>>>>> 
>>>>> I think you need to reset your expectations of a free tunnel service.
>>>>> 
>>>>> he.net tunnels are a toy for geeks looking to play with v6. In terms of
>>>>> Netflix subscriber base, it is an amazingly insignificant number of users.
>>>>> 
>>>>> At the end of the day, anonymous tunnels, just like linux, are not
>>>>> supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
>>>>> just like 6to4 by injecting FUD and other nonsense complexity for a
>>>>> toy.
>>>>> 
>>>>> Move on to a real issue instead of beating this dead horse.
>>>>> 
>>>>> CB
>>>>> 
>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder wrote:
>>>>>> 
>>>>>>> 
>>>>>>>> On Jun 6, 2016, at 22:25, Spencer Ryan wrote:
>>>>>>>> 
>>>>>>>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>>>>>>>> arbitrary location in the world with an IPv4 address, to bring traffic out
>>>>>>>> via one of HE's 4 POP's, while completely masking your actual location.
>>>>>>>> 
>>>>>>> 
>>>>>>> Perhaps Netflix should automatically block any connection that's not from
>>>>>>> a known residential ISP or mobile ISP as anything else could be a server
>>>>>>> someone is proxying through. It's very easy to get these subnets -- the
>>>>>>> spam filtering folks have these subnets well documented. /s
>>>>>>> 
>>>>>>> --
>>>>>>> Mark Felder
>>>>>>> f...@feld.me
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 



Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread joel jaeggli
On 6/8/16 9:13 AM, Owen DeLong wrote:
> As of last week, I still wasn’t getting an IPv6 address by default on my 
> iPhone 6S+
> on T-Mobile.

turn off mobile hotspot...

> Just saying.
> 
> Owen
> 
>> On Jun 7, 2016, at 11:00 AM, Ca By  wrote:
>>
>> On Tuesday, June 7, 2016, Cryptographrix  wrote:
>>
>>> Very true - I was being a bit extremist out of frustration, but I think
>>> you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6
>>> support, not actually IPv6 support.
>>>
>>> And I'm quite frustrated because there's so little actual v6 support, and
>>> I *do* actually need it on a daily basis for work.
>>>
>>> Because there's no actual ISP IPv6 support anywhere else (in parts of the
>>> US that *have* multiple ISPs), you can't even make the case to your ISP
>>> that it's a legitimate requirement for you because they know you're not
>>> really going to get v6 elsewhere.
>>>
>>>
>> I think we have different definitions of "no actual isp ipv6 support"
>>
>> Again, a helpful akamai blog
>> https://blogs.akamai.com/2016/06/four-years-since-world-ipv6-launch-entering-the-mainstream.html
>>
>> fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have
>> meaningful deployments of ipv6. The only thing holding back greater
>> deployment for those networks is legacy CPE that will age out slowly.
>>
>> All 4 of the national mobile operators have ipv6 default on for most
>> new phone models.
>>
>> Yes, many gaps to fill still. But, on "my network" with shy of 70 million
>> users, everything has ipv6 except the iPhone, and that will change RSN. And
>> for users with v6, the majority of their traffic is ipv6 e2e since the
>> whales (google, fb, netflix, increasingly Akamai) are dual stack.
>>
>> CB
>>
>>
>>>
>>>
>>> On Tue, Jun 7, 2016 at 10:22 AM Ca By >> > wrote:
>>>
>>>> 
>>>> 
>>>> On Tuesday, June 7, 2016, Cryptographrix wrote:
>>>> 
>>>>> As I said to Netflix's tech support - if they advocate for people to turn
>>>>> off IPv6 on their end, maybe Netflix should stop supporting it on their
>>>>> end.
>>>>>
>>>>> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
>>>>> the moment, and if their tech support is telling people to turn off IPv6,
>>>>> maybe they should just instead remove their AAAA records.
>>>>>
>>>>> (or fail back to ipv4 when v6 looks like a tunnel)
>>>>>
>>>>>
>>>> I think you need to reset your expectations of a free tunnel service.
>>>> 
>>>> he.net tunnels are a toy for geeks looking to play with v6. In terms of
>>>> Netflix subscriber base, it is an amazingly insignificant number of users.
>>>> 
>>>> At the end of the day, anonymous tunnels, just like linux, are not
>>>> supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
>>>> just like 6to4 by injecting FUD and other nonsense complexity for a
>>>> toy.
>>>> 
>>>> Move on to a real issue instead of beating this dead horse.
>>>> 
>>>> CB
>>>> 
>>>> 
>>>>>
>>>>>
>>>>> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder wrote:
>>>>>
>>>>>>
>>>>>>> On Jun 6, 2016, at 22:25, Spencer Ryan wrote:
>>>>>>>
>>>>>>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>>>>>>> arbitrary location in the world with an IPv4 address, to bring traffic out
>>>>>>> via one of HE's 4 POP's, while completely masking your actual location.
>>>>>>>
>>>>>>
>>>>>> Perhaps Netflix should automatically block any connection that's not from
>>>>>> a known residential ISP or mobile ISP as anything else could be a server
>>>>>> someone is proxying through. It's very easy to get these subnets -- the
>>>>>> spam filtering folks have these subnets well documented. /s
>>>>>>
>>>>>> --
>>>>>>  Mark Felder
>>>>>>  f...@feld.me
>>>>>>
>>>>>>
>>>>>
>>>> 
> 
> 






Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Baldur Norddahl



On 2016-06-08 17:20, Javier J wrote:


Maybe I missed the start of this conversation but why are we talking 
about blocking Netflix?




By blocking the netflix.com IPv6 prefix your browser will automatically 
fall back to IPv4 because it is using the Happy Eyeballs algorithm.




Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Baldur Norddahl



On 2016-06-08 17:58, Nicholas Suan wrote:



On Wednesday, June 8, 2016, Baldur Norddahl wrote:



A start would be blocking 2620:108:700f::/64 as discovered by a
simple DNS lookup on netflix.com. I am not
running an HE tunnel (I got native IPv6) and I am not blocked from
accessing Netflix over IPv6 so can't really try it. I am curious
however that none of the vocal HE tunnel users here appear to
have tried even simple countermeasures such as a simple firewall
rule to drop traffic to that one /64 prefix.


That's a start but Netflix has a few more prefixes than that: 
http://bgp.he.net/AS2906#_prefixes6


They do but that is irrelevant. Blocking just that one /64 prefix works 
because that is where their tunnel detector apparently lives.


I think we are at the point where we can say it would be nice if Netflix 
could just redirect users from IPv6 to IPv4 when a tunnel is suspected. 
They do deserve flames for being bad guys here when they have such an 
easy out.


But you can also just fix the issue yourself with a simple firewall rule.

Regards,

Baldur





Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Laszlo Hanyecz



On 2016-06-08 16:12, Owen DeLong wrote:


It’s a link, just like any other link, over which IPv6 can be transmitted.
You can argue that it’s a lower quality link than some alternatives, but I have
to tell you I’ve gotten much more reliable service at higher bandwidth from
that link than from my T-Mobile LTE service, so I’d argue that it is a higher
quality service than T-Mobile.




Well there is one good thing that might come out of this if you're a 
tunnel user.. the tunnels can have even more bandwidth now, with all the 
Netflix traffic moving off them.  I have no special visibility into how 
(over)loaded they are, just speculating.


-Laszlo



Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Owen DeLong

> On Jun 7, 2016, at 11:50 AM, Davide Davini  wrote:
> 
> On 04/06/2016 20:46, Owen DeLong wrote:
>> Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
> 
> Even though that sounds like an awesome idea it does not seem trivial to
> me to obtain your own /48.

It’s trivial in the ARIN region. Other regions are YMMV.

> I mean: "You can only request IPv6 assignments and Autonomous System
> Numbers through a Sponsoring LIR (a RIPE NCC member)"
> https://www.ripe.net/manage-ips-and-asns/resource-management/number-resources/independent-resources

I would suggest trying to work through the RIPE PDWG to get that policy changed 
if you feel it is a hindrance to your deployment.

I do know that RIPE has this (rather silly IMHO) process for keeping PI end 
users at arm's length, but as I understand it, it’s also not very hard to find 
an LIR that will charge you a fee to acquire the addresses and pass them along 
to you.

> But you know, my knowledge on the matter is half an hour old, I might be
> dead wrong.

I think you’re right, but my understanding is that it is fairly trivial to 
comply with that requirement. I’ll be surprised if some LIRs don’t contact you 
as a result of this email.

Owen



Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Owen DeLong
As of last week, I still wasn’t getting an IPv6 address by default on my iPhone
6S+ on T-Mobile.

Just saying.

Owen

> On Jun 7, 2016, at 11:00 AM, Ca By  wrote:
> 
> On Tuesday, June 7, 2016, Cryptographrix  wrote:
> 
>> Very true - I was being a bit extremist out of frustration, but I think
>> you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6
>> support, not actually IPv6 support.
>> 
>> And I'm quite frustrated because there's so little actual v6 support, and
>> I *do* actually need it on a daily basis for work.
>> 
>> Because there's no actual ISP IPv6 support anywhere else (in parts of the
>> US that *have* multiple ISPs), you can't even make the case to your ISP
>> that it's a legitimate requirement for you because they know you're not
>> really going to get v6 elsewhere.
>> 
>> 
> I think we have different definitions of "no actual isp ipv6 support"
> 
> Again, a helpful akamai blog
> https://blogs.akamai.com/2016/06/four-years-since-world-ipv6-launch-entering-the-mainstream.html
> 
> fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have
> meaningful deployments of ipv6. The only thing holding back greater
> deployment for those networks is legacy CPE that will age out slowly.
> 
> All 4 of the national mobile operators have ipv6 default on for most
> new phone models.
> 
> Yes, many gaps to fill still. But, on "my network" with shy of 70 million
> users, everything has ipv6 except the iPhone, and that will change RSN. And
> for users with v6, the majority of their traffic is ipv6 e2e since the
> whales (google, fb, netflix, increasingly Akamai) are dual stack.
> 
> CB
> 
> 
>> 
>> 
>> On Tue, Jun 7, 2016 at 10:22 AM Ca By wrote:
>> 
>>> 
>>> 
>>> On Tuesday, June 7, 2016, Cryptographrix wrote:
>>> 
>>>> As I said to Netflix's tech support - if they advocate for people to turn
>>>> off IPv6 on their end, maybe Netflix should stop supporting it on their
>>>> end.
>>>> 
>>>> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
>>>> the moment, and if their tech support is telling people to turn off IPv6,
>>>> maybe they should just instead remove their AAAA records.
>>>> 
>>>> (or fail back to ipv4 when v6 looks like a tunnel)
>>>> 
>>>> 
>>> I think you need to reset your expectations of a free tunnel service.
>>> 
>>> he.net tunnels are a toy for geeks looking to play with v6. In terms of
>>> Netflix subscriber base, it is an amazingly insignificant number of users.
>>> 
>>> At the end of the day, anonymous tunnels, just like linux, are not
>>> supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
>>> just like 6to4 by injecting FUD and other nonsense complexity for a
>>> toy.
>>> 
>>> Move on to a real issue instead of beating this dead horse.
>>> 
>>> CB
>>> 
>>> 
>>>> 
>>>> 
>>>> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder wrote:
>>>> 
>>>>> 
>>>>>> On Jun 6, 2016, at 22:25, Spencer Ryan wrote:
>>>>>> 
>>>>>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>>>>>> arbitrary location in the world with an IPv4 address, to bring traffic out
>>>>>> via one of HE's 4 POP's, while completely masking your actual location.
>>>>>> 
>>>>> 
>>>>> Perhaps Netflix should automatically block any connection that's not from
>>>>> a known residential ISP or mobile ISP as anything else could be a server
>>>>> someone is proxying through. It's very easy to get these subnets -- the
>>>>> spam filtering folks have these subnets well documented. /s
>>>>> 
>>>>> --
>>>>>  Mark Felder
>>>>>  f...@feld.me
>>>>> 
>>>>> 
>>>> 
>>> 



Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Owen DeLong

> On Jun 7, 2016, at 10:22 AM, Ca By  wrote:
> 
> On Tuesday, June 7, 2016, Cryptographrix  wrote:
> 
>> As I said to Netflix's tech support - if they advocate for people to turn
>> off IPv6 on their end, maybe Netflix should stop supporting it on their
>> end.
>> 
>> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
>> the moment, and if their tech support is telling people to turn off IPv6,
>> maybe they should just instead remove their AAAA records.
>> 
>> (or fail back to ipv4 when v6 looks like a tunnel)
>> 
>> 
> I think you need to reset your expectations of a free tunnel service.
> 
> he.net tunnels are a toy for geeks looking to play with v6. In terms of
> Netflix subscriber base, it is an amazingly insignificant number of users.

If it’s so insignificant, why did Netflix go to the effort to implement blocking
based on address ranges associated with those tunnels?

> At the end of the day, anonymous tunnels, just like linux, are not
> supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
> just like 6to4 by injecting FUD and other nonsense complexity for a
> toy.

I disagree.

Calling he.net tunnels a toy is absurd.

It’s a link, just like any other link, over which IPv6 can be transmitted.
You can argue that it’s a lower quality link than some alternatives, but I have
to tell you I’ve gotten much more reliable service at higher bandwidth from
that link than from my T-Mobile LTE service, so I’d argue that it is a higher
quality service than T-Mobile.

It’s not the only link I have for my IPv6 packets, in fact, it is one of three 
links
over which my IPv6 packets are able to travel.

> Move on to a real issue instead of beating this dead horse.

So we should start beating on unreliable LTE services instead? ;-)

Owen

> 
> CB
> 
> 
>> 
>> 
>> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder wrote:
>> 
>>> 
>>>> On Jun 6, 2016, at 22:25, Spencer Ryan wrote:
>>>> 
>>>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>>>> arbitrary location in the world with an IPv4 address, to bring traffic out
>>>> via one of HE's 4 POP's, while completely masking your actual location.
>>>> 
>>> 
>>> Perhaps Netflix should automatically block any connection that's not from
>>> a known residential ISP or mobile ISP as anything else could be a server
>>> someone is proxying through. It's very easy to get these subnets -- the
>>> spam filtering folks have these subnets well documented. /s
>>> 
>>> --
>>>  Mark Felder
>>>  f...@feld.me 
>>> 
>>> 
>> 



Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Nicholas Suan
On Wednesday, June 8, 2016, Baldur Norddahl wrote:

>
>
> On 2016-06-08 07:27, Mark Andrews wrote:
>
>> In message <20160608070525.06fd5...@echo.ms.redpill-linpro.com>, Tore
>> Anderson writes:
>>
>>> * Davide Davini 
>>>
>>> Blocking access to Netflix via the tunnel seems like an obvious
>>> solution to me, for what it's worth.
>>>
>> And which set of prefixes is that?  How often do they change? etc.
>>
>>
> A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS
> lookup on netflix.com. I am not running an HE tunnel (I got native IPv6)
> and I am not blocked from accessing Netflix over IPv6 so can't really try
> it. I am curious however that none of the vocal HE tunnel users here
> appear to have tried even simple countermeasures such as a simple
> firewall rule to drop traffic to that one /64 prefix.
>

That's a start but Netflix has a few more prefixes than that:
http://bgp.he.net/AS2906#_prefixes6


Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Hugo Slabbert


On Wed 2016-Jun-08 11:23:35 -0400, Owen DeLong  wrote:

On Jun 7, 2016, at 9:21 AM, Mark Felder  wrote:



On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:

The tunnelbroker service acts exactly like a VPN. It allows you, from any
arbitrary location in the world with an IPv4 address, to bring traffic out
via one of HE's 4 POP's, while completely masking your actual location.



Perhaps Netflix should automatically block any connection that's not from a 
known residential ISP or mobile ISP as anything else could be a server someone 
is proxying through. It's very easy to get these subnets -- the spam filtering 
folks have these subnets well documented. /s

--
 Mark Felder
 f...@feld.me



Mark,

That would be bad.


The "/s" was of particular importance in Mark's email and I believe 
intended to apply to the whole line of reasoning, not just the "it's easy 
to get those blocks" section at the end.


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal




Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Mark Felder


On Wed, Jun 8, 2016, at 10:23, Owen DeLong wrote:
> Mark,
> 
> That would be bad.
> 
> At least in my case.
> 

The trailing /s at the end was the sarcasm tag :-)


-- 
  Mark Felder
  f...@feld.me


Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Steve Atkins

> On Jun 8, 2016, at 8:13 AM, Baldur Norddahl  wrote:
> 
> 
> 
> On 2016-06-08 07:27, Mark Andrews wrote:
>> In message <20160608070525.06fd5...@echo.ms.redpill-linpro.com>, Tore 
>> Anderson writes:
>>> * Davide Davini 
>>> 
>>> Blocking access to Netflix via the tunnel seems like an obvious
>>> solution to me, for what it's worth.
>> And which set of prefixes is that?  How often do they change? etc.
>> 
> 
> A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS 
> lookup on netflix.com. I am not running an HE tunnel (I got native IPv6) and I 
> am not blocked from accessing Netflix over IPv6 so can't really try it. I am 
> curious however that none of the vocal HE tunnel users here appear to have 
> tried even simple countermeasures such as a simple firewall rule to drop 
> traffic to that one /64 prefix.
> 
> It might be that more needs to be blocked, but in that case it will be 
> trivial to find the required prefixes by launching Wireshark and observing the 
> IPv6 traffic generated when accessing netflix.com. Maybe someone could do 
> that and post the results, as it is apparent that many people are in need of 
> a solution.

I don't think that "getting to Netflix over an HE tunnel" is something that 
people here need a solution to, rather it's "stopping Netflix from discouraging 
IPv6 usage" or perhaps "encouraging Netflix to stop breaking service to IPv6 
users, including their lack of support for IPv4 fallback".

The connection to NANOG isn't that NANOG users want to reach Netflix, it's that 
NANOG users have an interest in the broader health of the IPv6 ecosystem.

Given the number of pieces of off-the-shelf packaged software that are designed 
to allow the end-user, with no technical expertise required, to proxy through 
an HE tunnel so as to avoid Netflix geolocation[1] I don't blame Netflix for 
blocking HE tunnels, but I do blame them for doing so badly.

Cheers,
  Steve

[1] e.g. https://github.com/ab77/netflix-proxy

Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Owen DeLong
Mark,

That would be bad.

At least in my case.

My addresses (192.159.10.0/24, 192.124.40.0/23, 2620:0:930::/48) are not from a 
known residential ISP or mobile ISP.

However, they are within my household and nowhere else. There’s no valid reason 
for Netflix to block them. They are not a server or proxy host.
They are not being used to subvert geo-fencing. They’re just my home addresses 
that I have had for many years and use in order to have
stable addressing across provider changes.

Owen

> On Jun 7, 2016, at 9:21 AM, Mark Felder  wrote:
> 
> 
>> On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:
>> 
>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>> arbitrary location in the world with an IPv4 address, to bring traffic out
>> via one of HE's 4 POP's, while completely masking your actual location.
>> 
> 
> Perhaps Netflix should automatically block any connection that's not from a 
> known residential ISP or mobile ISP as anything else could be a server 
> someone is proxying through. It's very easy to get these subnets -- the spam 
> filtering folks have these subnets well documented. /s
> 
> --
>  Mark Felder
>  f...@feld.me
> 



Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Baldur Norddahl



On 2016-06-08 07:27, Mark Andrews wrote:

In message <20160608070525.06fd5...@echo.ms.redpill-linpro.com>, Tore Anderson 
writes:

* Davide Davini 

Blocking access to Netflix via the tunnel seems like an obvious
solution to me, for what it's worth.

And which set of prefixes is that?  How often do they change? etc.



A start would be blocking 2620:108:700f::/64 as discovered by a simple 
DNS lookup on netflix.com. I am not running an HE tunnel (I got native 
IPv6) and I am not blocked from accessing Netflix over IPv6 so can't 
really try it. I am curious however that none of the vocal HE tunnel 
users here appear to have tried even simple countermeasures such as a 
simple firewall rule to drop traffic to that one /64 prefix.


It might be that more needs to be blocked, but in that case it will be 
trivial to find the required prefixes by launching Wireshark and observing 
the IPv6 traffic generated when accessing netflix.com. Maybe someone 
could do that and post the results, as it is apparent that many people 
are in need of a solution.


Regards,

Baldur
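Baldur's post above and his later reply in this thread (the one that says the browser "will automatically fall back to IPv4 because it is using the Happy Eyeballs algorithm") describe a host firewall rule that drops traffic to that one /64. The following is an added example, not code from any poster in the thread, showing why a plain drop rule is enough: a simplified RFC 8305 Happy Eyeballs racer that interleaves the address families, starts a new connection attempt after a short delay, and takes the first one that completes. The /64 is the prefix named in the post; the sample DNS answers are constructed from documentation ranges (not real Netflix records), `simulated_connect` stands in for a real TCP connect, and the attempt delay is shortened from the RFC's recommended 250 ms so the example runs quickly.

```python
import asyncio
import ipaddress

# Prefix named in Baldur's post. Here it models what a host firewall DROP rule
# silently discards; no real packets are sent by this example.
DROPPED_PREFIXES = [ipaddress.ip_network("2620:108:700f::/64")]

# Constructed DNS answers (not real Netflix records): one AAAA inside the dropped
# /64 and one A record from the TEST-NET-2 documentation range.
SAMPLE_ANSWERS = ["2620:108:700f::1", "198.51.100.10"]
# Constructed answers for a host whose IPv6 path is not dropped
# (2001:db8::/32 is the IPv6 documentation prefix).
UNBLOCKED_ANSWERS = ["2001:db8::1", "198.51.100.10"]


def is_dropped(addr: str) -> bool:
    """True when the modelled firewall rule would discard packets to addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DROPPED_PREFIXES)


async def simulated_connect(addr: str) -> str:
    """Stand-in for a TCP connect. A dropped SYN gets no RST back, so that
    attempt hangs until it is cancelled or times out; others succeed quickly."""
    if is_dropped(addr):
        await asyncio.sleep(3600)   # never completes on its own
    await asyncio.sleep(0.01)
    return addr


def interleave_by_family(addrs):
    """RFC 8305 section 4: alternate address families, IPv6 first."""
    v6 = [a for a in addrs if ipaddress.ip_address(a).version == 6]
    v4 = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    ordered = []
    while v6 or v4:
        if v6:
            ordered.append(v6.pop(0))
        if v4:
            ordered.append(v4.pop(0))
    return ordered


async def happy_eyeballs(addrs, connect=simulated_connect, delay=0.05,
                         attempt_timeout=1.0):
    """Launch one attempt per address, staggered by `delay` seconds (RFC 8305
    recommends 250 ms), and return the first address that connects. Each
    attempt has its own timeout; the losers are cancelled."""
    pending = set()
    winner = None
    for addr in interleave_by_family(addrs):
        pending.add(asyncio.create_task(asyncio.wait_for(connect(addr), attempt_timeout)))
        done, pending = await asyncio.wait(
            pending, timeout=delay, return_when=asyncio.FIRST_COMPLETED)
        winner = next((t.result() for t in done if t.exception() is None), None)
        if winner is not None:
            break
    # Every attempt has been launched; wait for whichever succeeds first.
    while winner is None and pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        winner = next((t.result() for t in done if t.exception() is None), None)
    for task in pending:
        task.cancel()
    await asyncio.gather(*pending, return_exceptions=True)
    if winner is None:
        raise ConnectionError("no address reachable")
    return winner


def pick_address(addrs) -> str:
    """Synchronous wrapper: the address the client ends up talking to."""
    return asyncio.run(happy_eyeballs(addrs))


if __name__ == "__main__":
    print("dropped /64  ->", pick_address(SAMPLE_ANSWERS))     # the IPv4 address
    print("reachable v6 ->", pick_address(UNBLOCKED_ANSWERS))  # the IPv6 address
```

The simulation models a DROP rule: the discarded SYN gets no answer, so the IPv6 attempt just sits there while the IPv4 attempt, started one delay later, completes and wins. A REJECT rule that returns an ICMPv6 unreachable would make the IPv6 attempt fail immediately and the fallback faster still. With no rule and a working IPv6 path, the second call shows IPv6 winning, which is the normal dual-stack case.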



Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Mikael Abrahamsson

On Wed, 8 Jun 2016, Tore Anderson wrote:

I wonder if anyone has attempted to estimate approx. how much RIB/FIB 
space a single DFZ route requires in total across the entire internet...


You mean in money? A lot. The problem is that we have so far no feasible 
way to make "polluter pay". So people de-aggregate left/right, because 
there is no marginal cost to them, because that cost is instead shared by 
everybody.


I'd imagine the cost to us all is thousands of USD per DFZ slot, if not 
more. Per month this might not be huge though...


Let's say we have 100k routers with all DFZ routes (should be the correct 
magnitude, right?), and let's say a router that can take a full DFZ instead of a 
smaller number of routes differs by 10kUSD (right magnitude on average?).


That's a billion dollars in CAPEX then. Divide that by 5 year lifetime of 
router, that's 200MUSD per year. Divide that by 100k extra routes that are 
in the DFZ because nobody is paying for it and you get 2kUSD per year per 
route.


I hope I got the math right...

But even 2kUSD per year per route isn't a significant amount of money; I 
still think quite a lot of these routes would get advertised even if each 
DFZ-prefix came with a cost.


So I also think that is part of the reason we don't have a charging system 
for DFZ slots, because getting that charging infrastructure to work isn't 
worth it, the benefit of this complication isn't enough.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Mark Andrews

In message <20160608070525.06fd5...@echo.ms.redpill-linpro.com>, Tore Anderson 
writes:
> * Davide Davini 
> 
> > On 04/06/2016 20:46, Owen DeLong wrote:
> > > Get your own /48 and advertise to HE Tunnel via BGP. Problem
> > > solved.  
> > 
> > Even though that sounds like an awesome idea it does not seem trivial
> > to me to obtain your own /48.
> 
> Which is a good thing, as every new PI /48 advertised to the DFZ will
> bloat the routing tables of thousands upon thousands of routers world
> wide. It might solve the Netflix problem, but what has actually
> happened is that you've split the original problem into a thousand
> small bits and thrown one piece into each of your neighbours' gardens.
> 
> I'd encourage everyone to try to fix their Netflix problem a more proper
> way before deciding to litter everyone else's routing tables with
> another PI prefix.
> 
> Blocking access to Netflix via the tunnel seems like an obvious
> solution to me, for what it's worth.

And which set of prefixes is that?  How often do they change? etc.

When Netflix turned on IPv6 support HE's tunnels existed.  They
should be dealing with the existing environment rather than making
others work around their shortcomings.  Tunnels, as much as some
people may not like them, will continue to be a part of the IPv6
landscape for many years to come.

Mark

> I wonder if anyone has attempted to estimate approx. how much RIB/FIB
> space a single DFZ route requires in total across the entire internet...
> 
> Tore
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Tore Anderson
* Davide Davini 

> On 04/06/2016 20:46, Owen DeLong wrote:
> > Get your own /48 and advertise to HE Tunnel via BGP. Problem
> > solved.  
> 
> Even though that sounds like an awesome idea it does not seem trivial
> to me to obtain your own /48.

Which is a good thing, as every new PI /48 advertised to the DFZ will
bloat the routing tables of thousands upon thousands of routers world
wide. It might solve the Netflix problem, but what has actually
happened is that you've split the original problem into a thousand
small bits and thrown one piece into each of your neighbours' gardens.

I'd encourage everyone to try to fix their Netflix problem a more proper
way before deciding to litter everyone else's routing tables with
another PI prefix.

Blocking access to Netflix via the tunnel seems like an obvious
solution to me, for what it's worth.

I wonder if anyone has attempted to estimate approx. how much RIB/FIB
space a single DFZ route requires in total across the entire internet...

Tore


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread bzs



Some of this reminds me of talking to IBM the other day about
problems I was having with their "Rapport Trusteer" security package
which one of my banks requires to be running when I try to log in.



Invariably the bank claims it's not running, I restart that
software, still no-go, the error msg offers to re-download and
install, I do (sometimes that's their "clever" way of saying your
version is out of date, why not just say that? who knows), it says to
complete you must reboot...hey I just wanted a bank balance, one
number, I have all these spread sheets open etc now I have to reboot
to get that???

It took over an hour until I got that bank balance. And this happens
every other time.



  (I KNOW change banks, I'm getting there, this is biz banking so not
   all that simple. And more banks are using this particular drek.)



So IBM support calls me back and this person starts explaining to me
about drivers and DLLs and how it takes a reboot, standard stuff, why
don't you just schedule a reboot every night (HUH? I'm not kidding!)
etc.



Finally I interrupt him and say NOT MY PROBLEM!

I just want my bank balance.

I don't care about drivers, I don't care about DLLs, I don't care
about why my bank may have chosen this security package, I don't care
about your problems with Microsoft's operating system or how your
software works...

Not...my...problem.

A lot of this netflix conversation is similar, suddenly we all have to
be empathetic to their licensing challenges and understand the
intricacies of regional licensing and how it can be affected by VPN
usage etc.

Not...my...problem. Ya got what I want, OR NOT?

There really is a point where one can make themselves completely nuts
trying to gain perspective into why you're not simply getting what you
believe you showed up as a customer for and see it as a long-winded
way of saying well, you won't get anything for your money, but for a
very good reason, have a seat and we'll explain...what a shell game!



P.S. I don't sub to netflix and never have because their selection
never seemed interesting to me not that I can be sure because you
can't really browse it UNLESS you're a customer (clever marketing!)
but some people publish "unauthorized" lists and it looked like
exactly the sort of stuff I avoid, rom-coms, junk comedies, nothing
before about 2000 (I like old movies), etc.

YMMV.

Ok, go ahead and tell me how difficult it would be for them to get
licensing to the sorts of movies I would like...I don't care! Gak!

  ``No one's ever wanted a 1/4" drill-bit, all they ever wanted was a
   1/4" hole''

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Davide Davini
On 07/06/2016 17:00, Ca By wrote:
> fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have
> meaningful deployments of ipv6. The only thing holding back greater
> deployment for those networks are legacy CPE that will age out slowly.

It is probably totally off topic as this is NANOG but the issue at hand
affects other continents too. Where I live good providers are few and
expensive. The ones I use and I'm otherwise happy with give me no IPv6
connectivity, that's a shame, it's despicable and I don't lose any
opportunity to remind them, but still, I have to use something else if I
want to "play" with IPv6.

This Netflix thing is just an annoyance, granted, I just wanted to point
out that not everyone has a clear way out of this.

Ciao, Davide Davini



Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Davide Davini
On 04/06/2016 20:46, Owen DeLong wrote:
> Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.

Even though that sounds like an awesome idea it does not seem trivial to
me to obtain your own /48.

I mean: "You can only request IPv6 assignments and Autonomous System
Numbers through a Sponsoring LIR (a RIPE NCC member)"
https://www.ripe.net/manage-ips-and-asns/resource-management/number-resources/independent-resources

But you know, my knowledge on the matter is half an hour old, I might be
dead wrong.

Ciao, Davide Davini.





Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Ca By
On Tuesday, June 7, 2016, Cryptographrix  wrote:

> Very true - I was being a bit extremist out of frustration, but I think
> you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6
> support, not actually IPv6 support.
>
> And I'm quite frustrated because there's so little actual v6 support, and
> I *do* actually need it on a daily basis for work.
>
> Because there's no actual ISP IPv6 support anywhere else (in parts of the
> US that *have* multiple ISPs), you can't even make the case to your ISP
> that it's a legitimate requirement for you because they know you're not
> really going to get v6 elsewhere.
>
>
I think we have different definitions of "no actual isp ipv6 support"

Again, a helpful akamai blog
https://blogs.akamai.com/2016/06/four-years-since-world-ipv6-launch-entering-the-mainstream.html

fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have
meaningful deployments of ipv6. The only thing holding back greater
deployment for those networks are legacy CPE that will age out slowly.

All 4 of the national mobile operators have ipv6 default on for most
new phone models.

Yes, many gaps to fill still. But, on "my network" with shy of 70 million
users, everything has ipv6 except the iPhone, and that will change RSN. And
for users with v6, the majority of their traffic is ipv6 e2e since the
whales (google, fb, netflix, increasingly Akamai) are dual stack.

CB


>
>
> On Tue, Jun 7, 2016 at 10:22 AM Ca By  > wrote:
>
>>
>>
>> On Tuesday, June 7, 2016, Cryptographrix > > wrote:
>>
>>> As I said to Netflix's tech support - if they advocate for people to turn
>>> off IPv6 on their end, maybe Netflix should stop supporting it on their
>>> end.
>>>
>>> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
>>> the moment, and if their tech support is telling people to turn off IPv6,
>>> maybe they should just instead remove their AAAA records.
>>>
>>> (or fail back to ipv4 when v6 looks like a tunnel)
>>>
>>>
>> I think you need to reset your expectations of a free tunnel service.
>>
>> he.net tunnels are a toy for geeks looking to play with v6. In terms of
>> Netflix subscriber base, it is an amazingly insignificant number of users.
>>
>> At the end of the day, anonymous tunnels, just like linux, are not
>> supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
>> just like 6to4 by injecting FUD and other nonsense complexity for a
>> toy.
>>
>> Move on to a real issue instead of beating this dead horse.
>>
>> CB
>>
>>
>>>
>>>
>>> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder  wrote:
>>>
>>> >
>>> > > On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:
>>> > >
>>> > > The tunnelbroker service acts exactly like a VPN. It allows you,
>>> from any
>>> > > arbitrary location in the world with an IPv4 address, to bring
>>> traffic
>>> > out
>>> > > via one of HE's 4 POP's, while completely masking your actual
>>> location.
>>> > >
>>> >
>>> > Perhaps Netflix should automatically block any connection that's not
>>> from
>>> > a known residential ISP or mobile ISP as anything else could be a
>>> server
>>> > someone is proxying through. It's very easy to get these subnets -- the
>>> > spam filtering folks have these subnets well documented. /s
>>> >
>>> > --
>>> >   Mark Felder
>>> >   f...@feld.me
>>> >
>>> >
>>>
>>


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Cryptographrix
Very true - I was being a bit extremist out of frustration, but I think
you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6
support, not actually IPv6 support.

And I'm quite frustrated because there's so little actual v6 support, and I
*do* actually need it on a daily basis for work.

Because there's no actual ISP IPv6 support anywhere else (in parts of the
US that *have* multiple ISPs), you can't even make the case to your ISP
that it's a legitimate requirement for you because they know you're not
really going to get v6 elsewhere.




On Tue, Jun 7, 2016 at 10:22 AM Ca By  wrote:

>
>
> On Tuesday, June 7, 2016, Cryptographrix  wrote:
>
>> As I said to Netflix's tech support - if they advocate for people to turn
>> off IPv6 on their end, maybe Netflix should stop supporting it on their
>> end.
>>
>> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
>> the moment, and if their tech support is telling people to turn off IPv6,
>> maybe they should just instead remove their AAAA records.
>>
>> (or fail back to ipv4 when v6 looks like a tunnel)
>>
>>
> I think you need to reset your expectations of a free tunnel service.
>
> he.net tunnels are a toy for geeks looking to play with v6. In terms of
> Netflix subscriber base, it is an amazingly insignificant number of users.
>
> At the end of the day, anonymous tunnels, just like linux, are not
> supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
> just like 6to4 by injecting FUD and other nonsense complexity for a
> toy.
>
> Move on to a real issue instead of beating this dead horse.
>
> CB
>
>
>>
>>
>> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder  wrote:
>>
>> >
>> > > On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:
>> > >
>> > > The tunnelbroker service acts exactly like a VPN. It allows you, from
>> any
>> > > arbitrary location in the world with an IPv4 address, to bring traffic
>> > out
>> > > via one of HE's 4 POP's, while completely masking your actual
>> location.
>> > >
>> >
>> > Perhaps Netflix should automatically block any connection that's not
>> from
>> > a known residential ISP or mobile ISP as anything else could be a server
>> > someone is proxying through. It's very easy to get these subnets -- the
>> > spam filtering folks have these subnets well documented. /s
>> >
>> > --
>> >   Mark Felder
>> >   f...@feld.me
>> >
>> >
>>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Ca By
On Tuesday, June 7, 2016, Cryptographrix  wrote:

> As I said to Netflix's tech support - if they advocate for people to turn
> off IPv6 on their end, maybe Netflix should stop supporting it on their
> end.
>
> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
> the moment, and if their tech support is telling people to turn off IPv6,
> maybe they should just instead remove their AAAA records.
>
> (or fail back to ipv4 when v6 looks like a tunnel)
>
>
I think you need to reset your expectations of a free tunnel service.

he.net tunnels are a toy for geeks looking to play with v6. In terms of
Netflix subscriber base, it is an amazingly insignificant number of users.

At the end of the day, anonymous tunnels, just like linux, are not
supported by Netflix. And, he.net tunnel users are hurting ipv6 overall
just like 6to4 by injecting FUD and other nonsense complexity for a
toy.

Move on to a real issue instead of beating this dead horse.

CB


>
>
> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder >
> wrote:
>
> >
> > > On Jun 6, 2016, at 22:25, Spencer Ryan >
> wrote:
> > >
> > > The tunnelbroker service acts exactly like a VPN. It allows you, from
> any
> > > arbitrary location in the world with an IPv4 address, to bring traffic
> > out
> > > via one of HE's 4 POP's, while completely masking your actual location.
> > >
> >
> > Perhaps Netflix should automatically block any connection that's not from
> > a known residential ISP or mobile ISP as anything else could be a server
> > someone is proxying through. It's very easy to get these subnets -- the
> > spam filtering folks have these subnets well documented. /s
> >
> > --
> >   Mark Felder
> >   f...@feld.me 
> >
> >
>


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread joel jaeggli
On 6/7/16 6:55 AM, Cryptographrix wrote:
> As I said to Netflix's tech support - if they advocate for people to turn
> off IPv6 on their end, maybe Netflix should stop supporting it on their end.
> 
> It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
> the moment, and if their tech support is telling people to turn off IPv6,
> maybe they should just instead remove their AAAA records.

it clearly works with prefixes delegated from other isps.
...
http://i.imgur.com/sJUM7tn.png

> (or fail back to ipv4 when v6 looks like a tunnel)
> 
> 
> 
> On Tue, Jun 7, 2016 at 9:22 AM Mark Felder  wrote:
> 
>>
>>> On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:
>>>
>>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>>> arbitrary location in the world with an IPv4 address, to bring traffic
>> out
>>> via one of HE's 4 POP's, while completely masking your actual location.
>>>
>>
>> Perhaps Netflix should automatically block any connection that's not from
>> a known residential ISP or mobile ISP as anything else could be a server
>> someone is proxying through. It's very easy to get these subnets -- the
>> spam filtering folks have these subnets well documented. /s
>>
>> --
>>   Mark Felder
>>   f...@feld.me
>>
>>
> 






Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Cryptographrix
As I said to Netflix's tech support - if they advocate for people to turn
off IPv6 on their end, maybe Netflix should stop supporting it on their end.

It's in the air whether it's just an HE tunnel issue or an IPv6 issue at
the moment, and if their tech support is telling people to turn off IPv6,
maybe they should just instead remove their AAAA records.

(or fail back to ipv4 when v6 looks like a tunnel)



On Tue, Jun 7, 2016 at 9:22 AM Mark Felder  wrote:

>
> > On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:
> >
> > The tunnelbroker service acts exactly like a VPN. It allows you, from any
> > arbitrary location in the world with an IPv4 address, to bring traffic
> out
> > via one of HE's 4 POP's, while completely masking your actual location.
> >
>
> Perhaps Netflix should automatically block any connection that's not from
> a known residential ISP or mobile ISP as anything else could be a server
> someone is proxying through. It's very easy to get these subnets -- the
> spam filtering folks have these subnets well documented. /s
>
> --
>   Mark Felder
>   f...@feld.me
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Mike Hammett
(not specifically to Cryptographrix) Anyone that expects any consumer-focused 
support to be able to address any legal or high level technical situation is a 
fool for having thought it appropriate. These sorts of issues are things you start 
with Tempkin and others that frequent NOGs and other telecom events. You don't 
go to the web site support chat to get them to make a change to how they handle 
IPv6 on their end. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


- Original Message -

From: "Cryptographrix" <cryptograph...@gmail.com> 
To: "Mark Felder" <f...@feld.me>, nanog@nanog.org 
Sent: Tuesday, June 7, 2016 8:55:10 AM 
Subject: Re: Netflix VPN detection - actual engineer needed 

As I said to Netflix's tech support - if they advocate for people to turn 
off IPv6 on their end, maybe Netflix should stop supporting it on their end. 

It's in the air whether it's just an HE tunnel issue or an IPv6 issue at 
the moment, and if their tech support is telling people to turn off IPv6, 
maybe they should just instead remove their AAAA records. 

(or fail back to ipv4 when v6 looks like a tunnel) 



On Tue, Jun 7, 2016 at 9:22 AM Mark Felder <f...@feld.me> wrote: 

> 
> > On Jun 6, 2016, at 22:25, Spencer Ryan <sr...@arbor.net> wrote: 
> > 
> > The tunnelbroker service acts exactly like a VPN. It allows you, from any 
> > arbitrary location in the world with an IPv4 address, to bring traffic 
> out 
> > via one of HE's 4 POP's, while completely masking your actual location. 
> > 
> 
> Perhaps Netflix should automatically block any connection that's not from 
> a known residential ISP or mobile ISP as anything else could be a server 
> someone is proxying through. It's very easy to get these subnets -- the 
> spam filtering folks have these subnets well documented. /s 
> 
> -- 
> Mark Felder 
> f...@feld.me 
> 
> 



Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Mark Felder

> On Jun 6, 2016, at 22:25, Spencer Ryan  wrote:
> 
> The tunnelbroker service acts exactly like a VPN. It allows you, from any
> arbitrary location in the world with an IPv4 address, to bring traffic out
> via one of HE's 4 POP's, while completely masking your actual location.
> 

Perhaps Netflix should automatically block any connection that's not from a 
known residential ISP or mobile ISP as anything else could be a server someone 
is proxying through. It's very easy to get these subnets -- the spam filtering 
folks have these subnets well documented. /s

--
  Mark Felder
  f...@feld.me



Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Mark Felder

> On Jun 6, 2016, at 18:12, Baldur Norddahl  wrote:
> 
> It is a bit surprising that your browser would choose the ipv6 path via
> tunnel over the more direct ipv4 path. Anyway, you could blackhole the
> Netflix ipv6 prefix to force the situation.
> 

On modern Apple devices IPv6 is chosen 99% of the time now.

https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html


--
  Mark Felder
  f...@feld.me

Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Nikolay Shopik
RDAP is same across RIRs. Yes old REST API was PITA

On 07/06/2016 02:08, Ricky Beam wrote:
> Yes, ARIN and RIPE have REST APIs, but they're completely different
> interfaces with different schemas (and different capabilities.) I have
> independent applications for talking to each. And those are the only two
> I'm going to bother with.
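
Nikolay's point that RDAP hands back the same object shape from every RIR, where the older REST interfaces each had their own schema, can be shown with one small normaliser. The following is an added example written for this page, not code from the thread, from any RIR, or from the tools the posters mention. Both responses are constructed here in the "ip network" shape RFC 9083 defines, with placeholder handles and organisation names and addresses from the 2001:db8::/32 documentation range, so the script runs offline and touches no live registry; in practice the same function would be fed the JSON fetched from an RIR's RDAP endpoint.

```python
import ipaddress
import json

# Constructed sample responses in the RFC 9083 "ip network" shape.
# Every handle and name is a placeholder; addresses are documentation space.
SAMPLE_RIR_A = json.dumps({
    "objectClassName": "ip network",
    "handle": "NET6-EXAMPLE-1",                      # placeholder handle
    "startAddress": "2001:db8::",
    "endAddress": "2001:db8:0:ffff:ffff:ffff:ffff:ffff",
    "ipVersion": "v6",
    "name": "EXAMPLE-TUNNEL-V6",
    "entities": [{
        "objectClassName": "entity",
        "handle": "EXAMPLE-ORG",                     # placeholder handle
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example Tunnel Broker LLC"],
            ["kind", {}, "text", "org"],
        ]],
    }],
})

SAMPLE_RIR_B = json.dumps({
    "objectClassName": "ip network",
    "handle": "EXAMPLE-INET6NUM-1",                  # placeholder handle
    "startAddress": "2001:db8:1000::",
    "endAddress": "2001:db8:1fff:ffff:ffff:ffff:ffff:ffff",
    "ipVersion": "v6",
    "name": "EXAMPLE-ISP-V6",
    "country": "NL",                                 # placeholder country
    "entities": [{
        "objectClassName": "entity",
        "handle": "ORG-EXAMPLE-1",                   # placeholder handle
        "roles": ["registrant"],
        "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Example ISP B.V."],
            ["kind", {}, "text", "org"],
        ]],
    }],
})


def _jcard_value(vcard_array, prop_name):
    """Return the first value of a jCard property such as "fn", or None."""
    if not vcard_array or len(vcard_array) != 2 or vcard_array[0] != "vcard":
        return None
    for prop in vcard_array[1]:
        # A jCard property is [name, parameters, type, value, ...].
        if prop and prop[0] == prop_name and len(prop) >= 4:
            return prop[3]
    return None


def summarize_rdap_network(doc):
    """Reduce an RDAP ip-network object to the fields an abuse or fraud
    analyst usually wants, independent of which RIR served it."""
    obj = json.loads(doc) if isinstance(doc, str) else doc
    if obj.get("objectClassName") != "ip network":
        raise ValueError("not an RDAP ip network object")
    start = ipaddress.ip_address(obj["startAddress"])
    end = ipaddress.ip_address(obj["endAddress"])
    if start.version != end.version or start > end:
        raise ValueError("inconsistent startAddress/endAddress")
    # RDAP describes a start/end pair; it usually collapses to one CIDR block.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
    registrant = None
    for ent in obj.get("entities", []):
        if "registrant" in ent.get("roles", []):
            registrant = _jcard_value(ent.get("vcardArray"), "fn")
            break
    return {
        "handle": obj.get("handle"),
        "ip_version": obj.get("ipVersion"),
        "cidrs": cidrs,
        "country": obj.get("country"),   # optional in RDAP; may be absent
        "registrant": registrant,
    }


def network_contains(doc, address):
    """True when the given address falls inside the RDAP object's range."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(c)
               for c in summarize_rdap_network(doc)["cidrs"])


if __name__ == "__main__":
    for sample in (SAMPLE_RIR_A, SAMPLE_RIR_B):
        print(summarize_rdap_network(sample))
    print(network_contains(SAMPLE_RIR_A, "2001:db8:0:1::5"))
```

The one thing worth noting in the design is that the code never looks at which registry produced the document: the object class, the start/end pair and the jCard entity all come from the RDAP specification, so an ARIN and a RIPE answer are handled by the same path, which is exactly the difference from the per-RIR REST schemas Ricky describes.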


Re: Netflix VPN detection - actual engineer needed

2016-06-07 Thread Owen DeLong
I’m sorry to say, Blair, that there are, in fact, many who do use HE tunnels
for Geo Fence evasion. Sure, it doesn’t represent even a significant fraction
of tunnel users, but they exist and they’ve been vocal, thus spoiling it for the
rest of us.

Owen

> On Jun 6, 2016, at 8:27 PM, Blair Trosper  wrote:
> 
> Right, but I think we know what Netflix is implying when they say "proxy
> unblocker" or "VPN" -- they mean people are deliberately going around
> GeoIP.  In this case, I don't know anyone who uses TunnelBroker that way.
> They're using it for V6.  That is to say, everyone I know with this issue
> could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning
> they're already in the US (or $region) -- and the IPv6 detection on the
> CDN/web is what's wrong.
> 
> I think I will go further here and say that the message sort of implies the
> user is acting in bad faith, which may raise some animosity towards Netflix.
> 
> On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan  wrote:
> 
>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>> arbitrary location in the world with an IPv4 address, to bring traffic out
>> via one of HE's 4 POP's, while completely masking your actual location.
>> 
>> 
>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>> 
>> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper 
>> wrote:
>> 
>>> It should be pointed out that -- the SPECIFIC accusation from Netflix --
>>> is
>>> that people on TunnelBroker are on a VPN or proxy unblocker.
>>> 
>>> The data does not bear that out.  Hash tag just saying.
>>> 
>>> 
>>> 
>>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam  wrote:
>>> 
 On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:
 
> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There
>>> is
> no requirement to report physical location.
> 
 
 The general lie that is IP Geolocation. HE only has what I tell them
>>> (100%
 unverified), and what MaxMind (et.al.) tell them (~95% unverified.)
>>> They
 know my IPv4 endpoint address, but that doesn't give them a concrete
>>> street
 address -- they're guessing in exactly the same way everyone else does.
>>> And
 more to the point, HE doesn't share that information with anyone.
>>> (whois is
 populated with your account information. they don't ask where your
>>> tunnels
 are going.)
 
 Are they legally required to go to this level?
> 
 
 Possibly, but Netflix isn't going to push this. Win or Lose, they still
 lose distribution rights.
 
 Netflix (and their licensees) know people are using HE tunnels to get
>> around region restrictions. Their hands are tied; they have to show
>> they're doing something to limit this.
>> 
> 
> No, they do not know.  The purpose of HE tunnels is to get IPv6
>>> service.
> The fact that the endpoints are in different countries some of the time
> is incidental to that.
> 
 
 YES. THEY. DO. There have been entire COMPANIES doing this. (which is
 likely what sparked this level of response.) Neither HE nor Netflix are
 naming names, but a short walk through the more colorful parts of the
 internet should be enlightening.
 
 Garbage.  You have to establish the tunnel which requires registering
> an account.  It also requires a machine at the other end.  Virtual
> or physical they don't move around the world in a DDNS update. The
> addresses associated with a tunnel don't change for the life of
> that tunnel.
> 
 
 True. 'tho, you can list any nonsense address you want. They do nothing
>>> to
 validate it. (Use my favorite BS address: Independence MT -- pop: zero.
 It's a dirt road across a mountain in the middle of absolutely nowhere.
 Google it!)
 
 The tunnel endpoint (your IPv4 address) is known only to HE, and not
 exposed to ANYONE. That's not going to EVER change. Once your tunnel has
 been setup, that address ("Client IPv4 Address") is not set in stone.
 People have dynamic addresses, and HE recognizes this, so there are
 numerous methods to change the tunnel endpoint address. (tunnel
 configuration page, update through an http(s) request, etc.) THUS, a
>>> tunnel
 can move; it can be terminated anywhere, at anytime. Not only can one
 update the endpoint to a different address on the same box, but to a
 completely different box entirely.
 
 Furthermore, one account can have several tunnels through different
 servers that present addresses from different regions. Where I appear
>>> to be
 in the world, thus, depends on which tunnel I have enabled. (and in
>>> which
 countries HE has prefixes, which currently appears to be 

Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Owen DeLong
I believe there are a lot more than 4.

Owen

> On Jun 6, 2016, at 8:25 PM, Spencer Ryan  wrote:
> 
> The tunnelbroker service acts exactly like a VPN. It allows you, from any
> arbitrary location in the world with an IPv4 address, to bring traffic out
> via one of HE's 4 POP's, while completely masking your actual location.
> 
> 
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
> 
> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper 
> wrote:
> 
>> It should be pointed out that -- the SPECIFIC accusation from Netflix -- is
>> that people on TunnelBroker are on a VPN or proxy unblocker.
>> 
>> The data does not bear that out.  Hash tag just saying.
>> 
>> 
>> 
>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam  wrote:
>> 
>>> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:
>>> 
 What lie?  Truly who is lying here.  Not the end user.  Not HE.  There
>> is
 no requirement to report physical location.
 
>>> 
>>> The general lie that is IP Geolocation. HE only has what I tell them
>> (100%
>>> unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They
>>> know my IPv4 endpoint address, but that doesn't give them a concrete
>> street
>>> address -- they're guessing in exactly the same way everyone else does.
>> And
>>> more to the point, HE doesn't share that information with anyone. (whois
>> is
>>> populated with your account information. they don't ask where your
>> tunnels
>>> are going.)
>>> 
>>> Are they legally required to go to this level?
 
>>> 
>>> Possibly, but Netflix isn't going to push this. Win or Lose, they still
>>> lose distribution rights.
>>> 
>>> Netflix (and their licensees) know people are using HE tunnels to get
> around region restrictions. Their hands are tied; they have to show
> they're doing something to limit this.
> 
 
 No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
 The fact that the endpoints are in different countries some of the time
 is incidental to that.
 
>>> 
>>> YES. THEY. DO. There have been entire COMPANIES doing this. (which is
>>> likely what sparked this level of response.) Neither HE nor Netflix are
>>> naming names, but a short walk through the more colorful parts of the
>>> internet should be enlightening.
>>> 
>>> Garbage.  You have to establish the tunnel which requires registering
 an account.  It also requires a machine at the other end.  Virtual
 or physical they don't move around the world in a DDNS update. The
 addresses associated with a tunnel don't change for the life of
 that tunnel.
 
>>> 
>>> True. 'tho, you can list any nonsense address you want. They do nothing
>> to
>>> validate it. (Use my favorite BS address: Independence MT -- pop: zero.
>>> It's a dirt road across a mountain in the middle of absolutely nowhere.
>>> Google it!)
>>> 
>>> The tunnel endpoint (your IPv4 address) is known only to HE, and not
>>> exposed to ANYONE. That's not going to EVER change. Once your tunnel has
>>> been setup, that address ("Client IPv4 Address") is not set in stone.
>>> People have dynamic addresses, and HE recognizes this, so there are
>>> numerous methods to change the tunnel endpoint address. (tunnel
>>> configuration page, update through an http(s) request, etc.) THUS, a
>> tunnel
>>> can move; it can be terminated anywhere, at anytime. Not only can one
>>> update the endpoint to a different address on the same box, but to a
>>> completely different box entirely.
>>> 
>>> Furthermore, one account can have several tunnels through different
>>> servers that present addresses from different regions. Where I appear to
>> be
>>> in the world, thus, depends on which tunnel I have enabled. (and in which
>>> countries HE has prefixes, which currently appears to be 4)
>>> 
>> 



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Owen DeLong

> On Jun 6, 2016, at 6:44 PM, Harald Koch  wrote:
> 
> On 6 June 2016 at 19:40, Owen DeLong  wrote:
> 
>> 
>> The problem is that some users travel and they try to watch Netflix using
>> their home account in far away lands.
>> 
> 
> Interestingly, audible.com (the audio book people) actually warn you about
> this up front - they point out on their site that many titles may not be
> available in foreign countries and therefore you should download your
> audiobooks before you leave your home country.
> 
> In other words, it's not just Netflix that has this problem…
> 
Yes and no… Audible at least lets you download them before you leave.

Netflix, not so much…

Owen


> -- 
> Harald



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Blair Trosper
Right, but I think we know what Netflix is implying when they say "proxy
unblocker" or "VPN" -- they mean people are deliberately going around
GeoIP.  In this case, I don't know anyone who uses TunnelBroker that way.
They're using it for V6.  That is to say, everyone I know with this issue
could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning
they're already in the US (or $region) -- and the IPv6 detection on the
CDN/web is what's wrong.

I think I will go further here and say that the message sort of implies the
user is acting in bad faith, which may raise some animosity towards Netflix.

On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan  wrote:

> The tunnelbroker service acts exactly like a VPN. It allows you, from any
> arbitrary location in the world with an IPv4 address, to bring traffic out
> via one of HE's 4 POP's, while completely masking your actual location.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper 
> wrote:
>
>> It should be pointed out that -- the SPECIFIC accusation from Netflix --
>> is
>> that people on TunnelBroker are on a VPN or proxy unblocker.
>>
>> The data does not bear that out.  Hash tag just saying.
>>
>> 
>>
>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam  wrote:
>>
>> > On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:
>> >
>> >> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There
>> is
>> >> no requirement to report physical location.
>> >>
>> >
>> > The general lie that is IP Geolocation. HE only has what I tell them
>> (100%
>> > unverified), and what MaxMind (et.al.) tell them (~95% unverified.)
>> They
>> > know my IPv4 endpoint address, but that doesn't give them a concrete
>> street
>> > address -- they're guessing in exactly the same way everyone else does.
>> And
>> > more to the point, HE doesn't share that information with anyone.
>> (whois is
>> > populated with your account information. they don't ask where your
>> tunnels
>> > are going.)
>> >
>> > Are they legally required to go to this level?
>> >>
>> >
>> > Possibly, but Netflix isn't going to push this. Win or Lose, they still
>> > lose distribution rights.
>> >
>> > Netflix (and their licensees) know people are using HE tunnels to get
>> >>> around region restrictions. Their hands are tied; they have to show
>> >>> they're doing something to limit this.
>> >>>
>> >>
>> >> No, they do not know.  The purpose of HE tunnels is to get IPv6
>> service.
>> >> The fact that the endpoints are in different countries some of the time
>> >> is incidental to that.
>> >>
>> >
>> > YES. THEY. DO. There have been entire COMPANIES doing this. (which is
>> > likely what sparked this level of response.) Neither HE nor Netflix are
>> > naming names, but a short walk through the more colorful parts of the
>> > internet should be enlightening.
>> >
>> > Garbage.  You have to establish the tunnel which requires registering
>> >> an account.  It also requires a machine at the other end.  Virtual
>> >> or physical they don't move around the world in a DDNS update. The
>> >> addresses associated with a tunnel don't change for the life of
>> >> that tunnel.
>> >>
>> >
>> > True. 'tho, you can list any nonsense address you want. They do nothing
>> to
>> > validate it. (Use my favorite BS address: Independence MT -- pop: zero.
>> > It's a dirt road across a mountain in the middle of absolutely nowhere.
>> > Google it!)
>> >
>> > The tunnel endpoint (your IPv4 address) is known only to HE, and not
>> > exposed to ANYONE. That's not going to EVER change. Once your tunnel has
>> > been setup, that address ("Client IPv4 Address") is not set in stone.
>> > People have dynamic addresses, and HE recognizes this, so there are
>> > numerous methods to change the tunnel endpoint address. (tunnel
>> > configuration page, update through an http(s) request, etc.) THUS, a
>> tunnel
>> > can move; it can be terminated anywhere, at anytime. Not only can one
>> > update the endpoint to a different address on the same box, but to a
>> > completely different box entirely.
>> >
>> > Furthermore, one account can have several tunnels through different
>> > servers that present addresses from different regions. Where I appear
>> to be
>> > in the world, thus, depends on which tunnel I have enabled. (and in
>> which
>> > countries HE has prefixes, which currently appears to be 4)
>> >
>>
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Spencer Ryan
The tunnelbroker service acts exactly like a VPN. It allows you, from any
arbitrary location in the world with an IPv4 address, to bring traffic out
via one of HE's 4 POP's, while completely masking your actual location.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper 
wrote:

> It should be pointed out that -- the SPECIFIC accusation from Netflix -- is
> that people on TunnelBroker are on a VPN or proxy unblocker.
>
> The data does not bear that out.  Hash tag just saying.
>
>
> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam  wrote:
>
> > On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:
> >
> >> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
> >> no requirement to report physical location.
> >>
> >
> > The general lie that is IP Geolocation. HE only has what I tell them (100%
> > unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They
> > know my IPv4 endpoint address, but that doesn't give them a concrete street
> > address -- they're guessing in exactly the same way everyone else does. And
> > more to the point, HE doesn't share that information with anyone. (whois is
> > populated with your account information. they don't ask where your tunnels
> > are going.)
> >
> >> Are they legally required to go to this level?
> >
> > Possibly, but Netflix isn't going to push this. Win or Lose, they still
> > lose distribution rights.
> >
> >>> Netflix (and their licensees) know people are using HE tunnels to get
> >>> around region restrictions. Their hands are tied; they have to show
> >>> they're doing something to limit this.
> >>
> >> No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
> >> The fact that the endpoints are in different countries some of the time
> >> is incidental to that.
> >
> > YES. THEY. DO. There have been entire COMPANIES doing this. (which is
> > likely what sparked this level of response.) Neither HE nor Netflix are
> > naming names, but a short walk through the more colorful parts of the
> > internet should be enlightening.
> >
> >> Garbage.  You have to establish the tunnel which requires registering
> >> an account.  It also requires a machine at the other end.  Virtual
> >> or physical they don't move around the world in a DDNS update. The
> >> addresses associated with a tunnel don't change for the life of
> >> that tunnel.
> >
> > True. 'tho, you can list any nonsense address you want. They do nothing to
> > validate it. (Use my favorite BS address: Independence MT -- pop: zero.
> > It's a dirt road across a mountain in the middle of absolutely nowhere.
> > Google it!)
> >
> > The tunnel endpoint (your IPv4 address) is known only to HE, and not
> > exposed to ANYONE. That's not going to EVER change. Once your tunnel has
> > been setup, that address ("Client IPv4 Address") is not set in stone.
> > People have dynamic addresses, and HE recognizes this, so there are
> > numerous methods to change the tunnel endpoint address. (tunnel
> > configuration page, update through an http(s) request, etc.) THUS, a tunnel
> > can move; it can be terminated anywhere, at anytime. Not only can one
> > update the endpoint to a different address on the same box, but to a
> > completely different box entirely.
> >
> > Furthermore, one account can have several tunnels through different
> > servers that present addresses from different regions. Where I appear to be
> > in the world, thus, depends on which tunnel I have enabled. (and in which
> > countries HE has prefixes, which currently appears to be 4)
> >
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Blair Trosper
It should be pointed out that -- the SPECIFIC accusation from Netflix -- is
that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out.  Hash tag just saying.



On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam  wrote:

> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:
>
>> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
>> no requirement to report physical location.
>>
>
> The general lie that is IP Geolocation. HE only has what I tell them (100%
> unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They
> know my IPv4 endpoint address, but that doesn't give them a concrete street
> address -- they're guessing in exactly the same way everyone else does. And
> more to the point, HE doesn't share that information with anyone. (whois is
> populated with your account information. they don't ask where your tunnels
> are going.)
>
>> Are they legally required to go to this level?
>
> Possibly, but Netflix isn't going to push this. Win or Lose, they still
> lose distribution rights.
>
>>> Netflix (and their licensees) know people are using HE tunnels to get
>>> around region restrictions. Their hands are tied; they have to show
>>> they're doing something to limit this.
>>>
>>
>> No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
>> The fact that the endpoints are in different countries some of the time
>> is incidental to that.
>>
>
> YES. THEY. DO. There have been entire COMPANIES doing this. (which is
> likely what sparked this level of response.) Neither HE nor Netflix are
> naming names, but a short walk through the more colorful parts of the
> internet should be enlightening.
>
>> Garbage.  You have to establish the tunnel which requires registering
>> an account.  It also requires a machine at the other end.  Virtual
>> or physical they don't move around the world in a DDNS update. The
>> addresses associated with a tunnel don't change for the life of
>> that tunnel.
>>
>
> True. 'tho, you can list any nonsense address you want. They do nothing to
> validate it. (Use my favorite BS address: Independence MT -- pop: zero.
> It's a dirt road across a mountain in the middle of absolutely nowhere.
> Google it!)
>
> The tunnel endpoint (your IPv4 address) is known only to HE, and not
> exposed to ANYONE. That's not going to EVER change. Once your tunnel has
> been setup, that address ("Client IPv4 Address") is not set in stone.
> People have dynamic addresses, and HE recognizes this, so there are
> numerous methods to change the tunnel endpoint address. (tunnel
> configuration page, update through an http(s) request, etc.) THUS, a tunnel
> can move; it can be terminated anywhere, at anytime. Not only can one
> update the endpoint to a different address on the same box, but to a
> completely different box entirely.
>
> Furthermore, one account can have several tunnels through different
> servers that present addresses from different regions. Where I appear to be
> in the world, thus, depends on which tunnel I have enabled. (and in which
> countries HE has prefixes, which currently appears to be 4)
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Ricky Beam

On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:

> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
> no requirement to report physical location.

The general lie that is IP Geolocation. HE only has what I tell them (100%
unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They
know my IPv4 endpoint address, but that doesn't give them a concrete
street address -- they're guessing in exactly the same way everyone else
does. And more to the point, HE doesn't share that information with
anyone. (whois is populated with your account information. they don't ask
where your tunnels are going.)

> Are they legally required to go to this level?

Possibly, but Netflix isn't going to push this. Win or Lose, they still
lose distribution rights.

>> Netflix (and their licensees) know people are using HE tunnels to get
>> around region restrictions. Their hands are tied; they have to show
>> they're doing something to limit this.
>
> No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
> The fact that the endpoints are in different countries some of the time
> is incidental to that.

YES. THEY. DO. There have been entire COMPANIES doing this. (which is
likely what sparked this level of response.) Neither HE nor Netflix are
naming names, but a short walk through the more colorful parts of the
internet should be enlightening.

> Garbage.  You have to establish the tunnel which requires registering
> an account.  It also requires a machine at the other end.  Virtual
> or physical they don't move around the world in a DDNS update. The
> addresses associated with a tunnel don't change for the life of
> that tunnel.

True. 'tho, you can list any nonsense address you want. They do nothing to
validate it. (Use my favorite BS address: Independence MT -- pop: zero.
It's a dirt road across a mountain in the middle of absolutely nowhere.
Google it!)

The tunnel endpoint (your IPv4 address) is known only to HE, and not
exposed to ANYONE. That's not going to EVER change. Once your tunnel has
been setup, that address ("Client IPv4 Address") is not set in stone.
People have dynamic addresses, and HE recognizes this, so there are
numerous methods to change the tunnel endpoint address. (tunnel
configuration page, update through an http(s) request, etc.) THUS, a
tunnel can move; it can be terminated anywhere, at anytime. Not only can
one update the endpoint to a different address on the same box, but to a
completely different box entirely.

Furthermore, one account can have several tunnels through different
servers that present addresses from different regions. Where I appear to
be in the world, thus, depends on which tunnel I have enabled. (and in
which countries HE has prefixes, which currently appears to be 4)


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Josh Reynolds
Holy fuck get on your meds.

As someone who actually has to deal with 3 different (4 technically)
content providers, their distribution agreements and requirements for
distribution all the way through the network are absolutely asinine, but
required if you want your eyeballs to receive their content. Trying to work
out an actual streaming deal with them was an absolute nightmare.

I can't imagine the legal and contractual obligations to even get the
content, let alone distribute it in the method they have.

What they are doing with content is groundbreaking considering the sources
of their content, and it is a huge thorn in the side of advertising
companies to say the least.

I know wild speculation is what the internet does best (and the less
factual information the better), but this thread has gone way off the rails
for what NANOG is supposed to discuss.

This is a contractual and political issue, not so much a technical one.

I'm going to "mute" this thread on my end, as it's gone beyond an actual
useful technical discussion and has regressed into some emotional rantfest.

I would suggest the rest of NANOG do the same.

...

Does anyone have any scotch left?
On Jun 6, 2016 8:55 PM, "Lyndon Nerenberg"  wrote:

>
> > In other words, it's not just Netflix that has this problem...
>
> No, it's Netflix that has the problem.  Audible actually gives a fuck
> about their customers.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Lyndon Nerenberg

> In other words, it's not just Netflix that has this problem...

No, it's Netflix that has the problem.  Audible actually gives a fuck about 
their customers.

Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Harald Koch
On 6 June 2016 at 19:40, Owen DeLong  wrote:

>
> The problem is that some users travel and they try to watch Netflix using
> their home account in far away lands.
>

Interestingly, audible.com (the audio book people) actually warn you about
this up front - they point out on their site that many titles may not be
available in foreign countries and therefore you should download your
audiobooks before you leave your home country.

In other words, it's not just Netflix that has this problem...

-- 
Harald


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Matthew Huff
Search this email thread (there was a link to a document dump), or use Google. 
Neither Netflix nor the content providers have been very shy about this. Now 
for the speculation part … I think it’s possible that Netflix has gone along 
with this because they want to expand into countries that have restrictive 
policies (China, etc.) and will need to have a system to either block or limit 
capabilities based on the geo-IP for other reasons. Just a hunch.


> On Jun 6, 2016, at 7:32 PM, Owen DeLong <o...@delong.com> wrote:
> 
> While I think this may well be the reason for Netflix’s actions, do you have 
> any evidence to back up this claim?
> 
> Actual evidence vs. just a very good educated guess and speculation could 
> prove very useful in this circumstance.
> 
> Owen
> 
>> On Jun 6, 2016, at 7:59 AM, Matthew Huff <mh...@ox.com> wrote:
>> 
>> Netflix IS acting in their users' best interest. In order to provide content 
>> that the users want, the content providers have mandated that they do their 
>> due diligence to block out of region users including VPN and open tunnel 
>> access. As Hulu and Amazon Prime become more popular and their contracts 
>> with the content providers come due, they will have to also.
>> 
>> You can argue about the content providers' business model all you want, but 
>> Netflix has to do what they are doing. They aren't blocking IPv6 users, they 
>> are blocking users that are using VPNs and/or tunnels since there currently 
>> is no practical way of providing GEOIP information about those users that the 
>> content providers require.
>> 
>> 
>> 
>> Matthew Huff | 1 Manhattanville Rd
>> Director of Operations   | Purchase, NY 10577
>> OTA Management LLC   | Phone: 914-460-4039
>> aim: matthewbhuff| Fax:   914-694-5669
>> 
>>> -Original Message-
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Morizot
>>> Sent: Monday, June 6, 2016 10:50 AM
>>> To: Mark Tinka <mark.ti...@seacom.mu>
>>> Cc: NANOG list <nanog@nanog.org>
>>> Subject: Re: Netflix VPN detection - actual engineer needed
>>> 
>>> I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix
>>> is their Marvel original series. And I can live with that. I can't live
>>> without my IPv6 enabled home network and Internet connection since that's
>>> an essential part of my job. (I'm the IPv6 transition technical lead for a
>>> large organization.) While I actually manage my home internet gateway
>>> through a linux server and have fine-grained control over the firewall
>>> rules, I'm still debating whether I care enough about a handful of series
>>> to continue paying a company that is deliberately acting against its users'
>>> interests. Right now I'm leaning toward no. But I'll discuss it with my
>>> wife before making a final decision.
>>> 
>>> Scott
>>> 
>>> On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>>> 
>>>> 
>>>> 
>>>> On 6/Jun/16 01:45, Damian Menscher wrote:
>>>> 
>>>>> 
>>>>> Who are these non-technical Netflix users who accidentally stumbled into
>>>>> having a HE tunnel broker connection without their knowledge?  I wasn't
>>>>> aware this sort of thing could happen without user consent, and would like
>>>>> to know if I'm wrong.  Only thing I can imagine is if ISPs are using HE as
>>>>> a form of CGN.
>>>> 
>>>> There are several networks around the world that rely on 6-in-4 because
>>>> their local provider does not offer IPv6.
>>>> 
>>>> Mark.
>>>> 
> 



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Owen DeLong

> On Jun 6, 2016, at 9:01 AM, Laszlo Hanyecz  wrote:
> 
> 
> On 2016-06-06 15:21, Tore Anderson wrote:
>> 
>> But Netflix shouldn't have any need to ask in the first place. Their
>> customers need to log in to their own personal accounts in order to
>> access any content, when they do Netflix can discover their addresses.
>> 
>> Tore
> 
> Hey there's an idea, how about they ASK the users where they are located, 
> instead of telling them where they are located.  Presumably a user will have 
> a new billing address when they move to a new place.  That ought to be a lot 
> more accurate than lookup based on a static map of number -> location.  I 
> don't think this is too crazy of an idea.. my car insurance company asks me 
> what zip code I keep my cars in.  Netflix could ask people what zip code they 
> watch video from.
> 
> -Laszlo

The problem is that some users travel and they try to watch Netflix using their 
home account in far away lands.

Now you and I may think this should be perfectly fine and I suspect Netflix 
would like to agree with us, but I’m sure many content providers have their 
crania planted so firmly up their collective recta that they believe this is 
akin to piracy.

That’s why they don’t want to allow users who are actually in 
 to claim to be in  by using a VPN.

The tactic being used for this measurement is silly to the point of absurd (why 
not use RTT measurements instead), but that’s what I suspect is driving this.

Owen



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Andrews

In message , "Ricky Beam" writes:
> On Sun, 05 Jun 2016 19:35:27 -0400, Mark Andrews  wrote:
> > It is an attack on HE.  HE also provides stable user -> address
> > mappings so you can do fine grained geo location based on HE IPv6
> > addresses.
> 
> They may be "fine grained", but they are still lies. One's tunnel can be  
> terminated from *anywhere*, at *anytime*. HE doesn't publish the IPv4  
> address of the tunnel endpoint, nor do they update any public facing  
> registry w.r.t. the "address" of that IPv4 address. (which is 99% voodoo  
> as well.)

What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
no requirement to report physical location.
 
> > Also despite what the content cartel say using a VPN to bypass
> > georestrictions to get movies is not illegal, nor is it "piracy".
> > Individuals are allowed to import content from other countries.  It
> > is commercial importing that is banned.
> 
> While the end user may not be violating any law (other than their  
> "contract" with Netflix), Netflix certainly is. They signed a contract  
> that says they cannot send X to Romania / X is only allowed in the USA. In  
> the end, they are allowing content to go where they agreed to not send it.  
> They are legally required to do something about that. (or at least, *look*  
> like they are.)

Are they legally required to go to this level?  I actually doubt
it.  I would love to see this tested in a court because I suspect
the content cartel would lose as they were well aware that the
geoip databases are imperfect and no one in the world can accurately
determine from the IP address where a machine is located.  There
is a difference between knowingly sending to a different region and
incidentally sending to another region.  The courts understand this.

> Netflix (and their licensees) know people are using HE tunnels to get  
> around region restrictions. Their hands are tied; they have to show  
> they're doing something to limit this.

No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
The fact that the endpoints are in different countries some of the time
is incidental to that.

I have a HE tunnel.  It terminates at the topologically closest
point which is in California.  There is a physically closer endpoint
in Hong Kong but it would require a double trip across the Pacific
to get to it.  Unless you are crazy you don't put the topological
tunnel endpoint further from you than you can.  When HE finish
getting their Sydney pop set up (it wasn't the last time I looked)
I'll set up a new tunnel to it and tear down the existing tunnel.

It's going to be a few years more before I can get native IPv6.
The NBN really put the brakes on IPv6 deployment in Australia as
ISPs don't want to invest in the existing technology they are using
knowing that the customer is going to be switched to using the NBN
in a couple of years.

> All you can tell about a HE tunnel is the tunnel broker server that's  
> hosting it. (it's in the hostname -- eg. ash1) Beyond that, you have  
> absolutely no idea where in the universe the other end actually is. Plus,  
> it can move in an instant... one DDNS update, and it's somewhere else.

Garbage.  You have to establish the tunnel which requires registering
an account.  It also requires a machine at the other end.  Virtual
or physical they don't move around the world in a DDNS update. The
addresses associated with a tunnel don't change for the life of
that tunnel.  It's not like you get new IPv6 addresses every time
you reconnect.  The tunnels are designed so you can run services
at the end of them.  They are not a typical VPN service where you
get a new IPv4 address from a local pool each time you connect to
them.  They are setup so you can delegate nameservers to serve the
reverse addresses for the namespace being allocated.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Owen DeLong
While I think this may well be the reason for Netflix’s actions, do you have 
any evidence to back up this claim?

Actual evidence vs. just a very good educated guess and speculation could prove 
very useful in this circumstance.

Owen

> On Jun 6, 2016, at 7:59 AM, Matthew Huff <mh...@ox.com> wrote:
> 
> Netflix IS acting in their users' best interest. In order to provide content 
> that the users want, the content providers have mandated that they do their 
> due diligence to block out of region users including VPN and open tunnel 
> access. As Hulu and Amazon Prime become more popular and their contracts with 
> the content providers come due, they will have to also.
> 
> You can argue about the content providers' business model all you want, but 
> Netflix has to do what they are doing. They aren't blocking IPv6 users, they 
> are blocking users that are using VPNs and/or tunnels since there currently 
> is no practical way of providing GEOIP information about those users that the 
> content providers require.
> 
> 
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Morizot
>> Sent: Monday, June 6, 2016 10:50 AM
>> To: Mark Tinka <mark.ti...@seacom.mu>
>> Cc: NANOG list <nanog@nanog.org>
>> Subject: Re: Netflix VPN detection - actual engineer needed
>> 
>> I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix
>> is their Marvel original series. And I can live with that. I can't live
>> without my IPv6 enabled home network and Internet connection since that's
>> an essential part of my job. (I'm the IPv6 transition technical lead for a
>> large organization.) While I actually manage my home internet gateway
>> through a linux server and have fine-grained control over the firewall
>> rules, I'm still debating whether I care enough about a handful of series
>> to continue paying a company that is deliberately acting against its users'
>> interests. Right now I'm leaning toward no. But I'll discuss it with my
>> wife before making a final decision.
>> 
>> Scott
>> 
>> On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu> wrote:
>> 
>>> 
>>> 
>>> On 6/Jun/16 01:45, Damian Menscher wrote:
>>> 
>>>> 
>>>> Who are these non-technical Netflix users who accidentally stumbled into
>>>> having a HE tunnel broker connection without their knowledge?  I wasn't
>>>> aware this sort of thing could happen without user consent, and would like
>>>> to know if I'm wrong.  Only thing I can imagine is if ISPs are using HE as
>>>> a form of CGN.
>>> 
>>> There are several networks around the world that rely on 6-in-4 because
>>> their local provider does not offer IPv6.
>>> 
>>> Mark.
>>> 



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Baldur Norddahl
> And they could easily redirect HE IPv6 addresses to an IPv4 only
> service.  This would satisfy both the content providers and the
> customers.  It's not like their tunneled traffic is IPv6 only as
> there has to be an IPv4 endpoint for the tunnel.
>
> You can't argue that HE is too small to do this for, as they are
> targeting HE tunnels.
>
> Mark

And while we wait for Netflix to do that, you could also turn off IPv6 on
your Netflix watching device as a quick fix. Most smart TVs do not support
it to start with.

It is a bit surprising that your browser would choose the IPv6 path via
tunnel over the more direct IPv4 path. Anyway, you could blackhole the
Netflix IPv6 prefix to force the situation.

Or you could get your own /48 prefix and announce via BGP. Might not be
free but comes with other advantages and has some coolness factor.

Or turn off the tunnel while you watch Netflix. Lots of options for "can
do" people.

Yes we all hate geo ip solutions but this particular Netflix issue is not a
big thing in the grand scheme of things.

Regards

Baldur


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Ricky Beam

On Mon, 06 Jun 2016 15:44:14 -0400,  wrote:

> And if Netflix can't be bothered to consult rwhois
> for the ownership (which could be used for other use cases as well), they
> certainly aren't going to do *new* code as a one-off.


Said by someone who's never written (r)whois parsers. There's no standard,  
you don't know who's running one, and God knows what it's going to spit  
out. It's hard enough to simply know who to ask. (see also: jwhois)  
Parsing whatever junk gets sent back almost requires an AI.


Yes, ARIN and RIPE have REST APIs, but they're completely different  
interfaces with different schemas (and different capabilities.) I have  
independent applications for talking to each. And those are the only two  
I'm going to bother with.


HE doesn't do a GeoIP lookup for the location of your v4 address and  
update their rwhois information every time your tunnel endpoint changes.  
Even if they did, Netflix would have to query that for every connection  
attempt to make sure you haven't moved it. That's never going to happen.


--Ricky


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Ricky Beam
On Mon, 06 Jun 2016 11:08:13 -0400, John Peach wrote:

> The whois information on the HE IPv6 address, does give the location.
> At least, it does on mine.


It lists the location of the user's registration -- which could very well
be a lie as they do nothing at all to verify it. AND that has zero
correlation with where the tunnel actually goes. Therein is the
problem... your tunnel isn't nailed to a physical line ["T1"], or a
physical device ["cablemodem"]; it's loosely pinned to an IPv4 address. An
address that can change in an instant. An address that can literally be
anywhere.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Ricky Beam

On Sun, 05 Jun 2016 19:35:27 -0400, Mark Andrews  wrote:

> It is an attack on HE.  HE also provides stable user -> address
> mappings so you can do fine grained geo location based on HE IPv6
> addresses.

They may be "fine grained", but they are still lies. One's tunnel can be
terminated from *anywhere*, at *anytime*. HE doesn't publish the IPv4
address of the tunnel endpoint, nor do they update any public facing
registry w.r.t. the "address" of that IPv4 address. (which is 99% voodoo
as well.)

> Also despite what the content cartel say using a VPN to bypass
> georestrictions to get movies is not illegal, nor is it "piracy".
> Individuals are allowed to import content from other countries.  It
> is commercial importing that is banned.

While the end user may not be violating any law (other than their
"contract" with Netflix), Netflix certainly is. They signed a contract
that says they cannot send X to Romania / X is only allowed in the USA. In
the end, they are allowing content to go where they agreed to not send it.
They are legally required to do something about that. (or at least, *look*
like they are.)

Netflix (and their licensees) know people are using HE tunnels to get
around region restrictions. Their hands are tied; they have to show
they're doing something to limit this.

All you can tell about a HE tunnel is the tunnel broker server that's
hosting it. (it's in the hostname -- eg. ash1) Beyond that, you have
absolutely no idea where in the universe the other end actually is. Plus,
it can move in an instant... one DDNS update, and it's somewhere else.


--Ricky


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Andrews

In message 
, Eric Kuhnke writes:
> None of this is a problem with actual network engineering, HE's tunnels
> work fine. It goes in the category of political/economic/contractual , not
> "this is a technical problem we need to solve".
> 
> The problem exists with business/contractual relationship Netflix has with
> its content providers, which barring a miraculous data leak from a
> disgruntled sysadmin at Netflix, will remain completely opaque to everyone
> on the outside looking in.
> 
> Due to the large sums of money involved, my best guess is that the recent
> crackdown on VPN and VPN-like tunnels is a result of major content
> providers staff that have been provided with greatly increased visibility
> into Netflix's internal processes for identifying and blocking VPNs.
> Undoubtedly there are dozens of pages in the contracts defining metrics for
> geolocation and acceptable vs unacceptable levels of "leakage" of content.

And they could easily redirect HE IPv6 addresses to an IPv4 only
service.  This would satisfy both the content providers and the
customers.  It's not like their tunneled traffic is IPv6 only as
there has to be an IPv4 endpoint for the tunnel.

You can't argue that HE is too small to do this for, as they are
targeting HE tunnels.

Mark

> On Mon, Jun 6, 2016 at 12:39 PM, Christopher Morrow wrote:
> 
> > On Mon, Jun 6, 2016 at 3:30 PM, Aled Morris  wrote:
> >
> > > Maybe HE's IPv6 tunnel packets could be flagged with a destination option
> > > (extension header field) that records the end-user's IPv4 tunnel endpoint
> > > so geolocation could be done in the "old fashioned" way on that address.
> > >
> > > Similar to the way that edns-client-subnet records the end user's address
> > > for geolocation purposes.
> > >
> > >
> > why is this any problem at all for HE to solve?
> > why is this any problem at all for NetFlix to solve?
> >
> > HE just provides transport
> > Netflix is just complying (I suspect) with the wishes of the content
> > owners.
> >
> > complain to your local content owner about this? show the content owners
> > that this sort of restriction in a global economy is
> > silly/counter-productive? explain that: "while I'm a Citizen of locale X, I
> > may often travel around to A, B, C and I'd like for my NetFlix to work in
> > all locations, since I pay good pesos for that access?"
> >
> > Doing any sort of 'authentication' or 'authorization' on src-IP is just ..
> > broken.
> >
> >
> >
> > > I have to say though, how many Netflix customers are using HE IPv6 tunnels,
> > > really?  zero percent (to two decimal places)?
> > >
> > > Aled
> > >
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Lyndon Nerenberg
> 1. C-band teleport in Singapore with SingTel IPs, remote terminals in
> Afghanistan.
> 
> 2. Ku-band teleport in Germany with IP space in an Intelsat /20, remote
> terminal on the roof of a US government diplomatic facility in
> $DEVELOPING_COUNTRY
> 
> 3. Teleports in Miami with IP space that looks indistinguishable (in terms
> of BGP-adjacency and traceroutes) from any other ISP in the metro Miami
> area, providing services to small TDMA VSAT terminals in west Africa.
> 
> 4. Things in Antarctica that are on the other end of a C-band SCPC pipe
> from a large earth station in southern California.
> 
> 5. Maritime Ku and C-band VSAT services with 2.5 meter size 3-axis tracking
> antennas on top of cruise ships that could be literally anywhere in the
> Mediterranean or Caribbean oceans, with the terrestrial end of the
> connection in Switzerland, Italy, Maryland or Georgia.
> 
> 6. Small pacific island nations that have no submarine fiber connectivity
> and are now using o3b for IP backhaul, or C-band connectivity to teleports
> in Australia.

Yes.  All big Netflix customers.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Eric Kuhnke
Geolocation by IP is even funnier as an idea for those who have worked in
network engineering for commercial, geostationary two-way satellite
services...  Some examples:

1. C-band teleport in Singapore with SingTel IPs, remote terminals in
Afghanistan.

2. Ku-band teleport in Germany with IP space in an Intelsat /20, remote
terminal on the roof of a US government diplomatic facility in
$DEVELOPING_COUNTRY

3. Teleports in Miami with IP space that looks indistinguishable (in terms
of BGP-adjacency and traceroutes) from any other ISP in the metro Miami
area, providing services to small TDMA VSAT terminals in west Africa.

4. Things in Antarctica that are on the other end of a C-band SCPC pipe
from a large earth station in southern California.

5. Maritime Ku and C-band VSAT services with 2.5 meter size 3-axis tracking
antennas on top of cruise ships that could be literally anywhere in the
Mediterranean or Caribbean oceans, with the terrestrial end of the
connection in Switzerland, Italy, Maryland or Georgia.

6. Small pacific island nations that have no submarine fiber connectivity
and are now using o3b for IP backhaul, or C-band connectivity to teleports
in Australia.

On Mon, Jun 6, 2016 at 2:33 PM, Laszlo Hanyecz  wrote:

> On 2016-06-06 19:39, Christopher Morrow wrote:
>
>>
>> ​Doing any sort of 'authentication' or 'authorization' on src-IP is just
>> ..
>> broken.​
>>
>>
>>
> This.
>
> Netflix is pretending to have a capability (geolocation by src ip) that
> doesn't exist and there is collateral damage from the application of their
> half baked solution.  Those who end up getting dropped as collateral damage
> are rightly upset about the discrimination.
>
> -Laszlo
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Laszlo Hanyecz

On 2016-06-06 19:39, Christopher Morrow wrote:


​Doing any sort of 'authentication' or 'authorization' on src-IP is just ..
broken.​




This.

Netflix is pretending to have a capability (geolocation by src ip) that 
doesn't exist and there is collateral damage from the application of 
their half baked solution.  Those who end up getting dropped as 
collateral damage are rightly upset about the discrimination.


-Laszlo



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Eric Kuhnke
None of this is a problem with actual network engineering, HE's tunnels
work fine. It goes in the category of political/economic/contractual , not
"this is a technical problem we need to solve".

The problem exists with business/contractual relationship Netflix has with
its content providers, which barring a miraculous data leak from a
disgruntled sysadmin at Netflix, will remain completely opaque to everyone
on the outside looking in.

Due to the large sums of money involved, my best guess is that the recent
crackdown on VPN and VPN-like tunnels is a result of major content
providers staff that have been provided with greatly increased visibility
into Netflix's internal processes for identifying and blocking VPNs.
Undoubtedly there are dozens of pages in the contracts defining metrics for
geolocation and acceptable vs unacceptable levels of "leakage" of content.

On Mon, Jun 6, 2016 at 12:39 PM, Christopher Morrow  wrote:

> On Mon, Jun 6, 2016 at 3:30 PM, Aled Morris  wrote:
>
> > Maybe HE's IPv6 tunnel packets could be flagged with a destination option
> > (extension header field) that records the end-user's IPv4 tunnel endpoint
> > so geolocation could be done in the "old fashioned" way on that address.
> >
> > Similar to the way that edns-client-subnet records the end user's address
> > for geolocation purposes.
> >
> >
> ​why is this any problem at all for HE to solve?
> why is this any problem at all for NetFlix to solve?
>
> HE just provides transport
> Netflix is just complying (I suspect) with the wishes of the content
> owners.
>
> complain to your local content owner about this? show the content owners
> that this sort of restriction in a global economy is
> silly/counter-productive? explain that: "while I'm a Citizen of locale X, I
> may often travel around to A, B, C and I'd like for my NetFlix to work in
> all locations, since I pay good pesos for that access?"​
>
> ​Doing any sort of 'authentication' or 'authorization' on src-IP is just ..
> broken.​
>
>
>
> > I have to say though, how many Netflix customers are using HE IPv6
> tunnels,
> > really?  zero percent (to two decimal places)?
> >
> > Aled
> >
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Valdis . Kletnieks
On Mon, 06 Jun 2016 20:30:02 +0100, Aled Morris said:
> Maybe HE's IPv6 tunnel packets could be flagged with a destination option
> (extension header field) that records the end-user's IPv4 tunnel endpoint
> so geolocation could be done in the "old fashioned" way on that address.
>
> Similar to the way that edns-client-subnet records the end user's address
> for geolocation purposes.

First, you'd need buy-in from other tunnel providers.  Doing it one-off for HE
isn't a scalable answer.  And if Netflix can't be bothered to consult rwhois
for the ownership (which could be used for other use cases as well), they
certainly aren't going to do *new* code as a one-off.

Second, you'd need to make sure the extension header didn't get molested or
dropped by anything on its way to Netflix.  (edns-client-subnet leaves its
cookie crumbs a few levels higher in the stack, so is less likely to be mangled
by recalcitrant routers)





Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Christopher Morrow
On Mon, Jun 6, 2016 at 3:30 PM, Aled Morris  wrote:

> Maybe HE's IPv6 tunnel packets could be flagged with a destination option
> (extension header field) that records the end-user's IPv4 tunnel endpoint
> so geolocation could be done in the "old fashioned" way on that address.
>
> Similar to the way that edns-client-subnet records the end user's address
> for geolocation purposes.
>
>
​why is this any problem at all for HE to solve?
why is this any problem at all for NetFlix to solve?

HE just provides transport
Netflix is just complying (I suspect) with the wishes of the content owners.

complain to your local content owner about this? show the content owners
that this sort of restriction in a global economy is
silly/counter-productive? explain that: "while I'm a Citizen of locale X, I
may often travel around to A, B, C and I'd like for my NetFlix to work in
all locations, since I pay good pesos for that access?"​

​Doing any sort of 'authentication' or 'authorization' on src-IP is just ..
broken.​



> I have to say though, how many Netflix customers are using HE IPv6 tunnels,
> really?  zero percent (to two decimal places)?
>
> Aled
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Steven Noble

It's obviously a nontrivial number otherwise why would Netflix block it? :)

Aled Morris wrote:


Maybe HE's IPv6 tunnel packets could be flagged with a destination option
(extension header field) that records the end-user's IPv4 tunnel endpoint
so geolocation could be done in the "old fashioned" way on that address.

Similar to the way that edns-client-subnet records the end user's address
for geolocation purposes.

I have to say though, how many Netflix customers are using HE IPv6 
tunnels,

really? zero percent (to two decimal places)?

Aled


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Aled Morris
Maybe HE's IPv6 tunnel packets could be flagged with a destination option
(extension header field) that records the end-user's IPv4 tunnel endpoint
so geolocation could be done in the "old fashioned" way on that address.

Similar to the way that edns-client-subnet records the end user's address
for geolocation purposes.

I have to say though, how many Netflix customers are using HE IPv6 tunnels,
really?  zero percent (to two decimal places)?

Aled
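As an added example of what that option would look like on the wire (mine, not anything Aled, HE or an RFC defines; no such IPv6 option exists), here is an encoder and decoder for a Destination Options header carrying the IPv4 tunnel endpoint, beside the real edns-client-subnet option it is being compared with. The option type 0x1E is borrowed from the RFC 4727 experimental values because its top two bits are 00, which tells a node that has never seen it to skip it rather than discard the packet; the decoder applies that rule to anything else it does not know, and the endpoint lookup simply returns nothing when the header is absent, which is what the receiving side sees if something between the tunnel and Netflix strips it. The ECS layout is the RFC 7871 one (option code 8). Addresses are documentation-range values chosen for the demonstration.

```python
"""Carry the tunnel user's IPv4 endpoint in an IPv6 Destination Options
header, next to the edns-client-subnet option it is being compared with.

Added example, not from the thread, from HE or from any RFC: no such IPv6
option exists. OPT_TUNNEL_ENDPOINT borrows the RFC 4727 experimental type
0x1E, whose top two bits are 00 ("skip this option if unknown"), so a node
that has never heard of it forwards the packet untouched. The ECS encoding
follows RFC 7871 (option code 8).
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

NH_TCP = 6
NH_DSTOPTS = 60
OPT_PAD1 = 0
OPT_PADN = 1
OPT_TUNNEL_ENDPOINT = 0x1E   # assumption: experimental type, action bits 00 = skip
EDNS_OPT_CLIENT_SUBNET = 8   # RFC 7871 OPTION-CODE
ECS_FAMILY_IPV4 = 1          # RFC 7871 FAMILY value for IPv4


def tunnel_endpoint_option(ipv4_endpoint: str) -> Tuple[int, bytes]:
    """TLV (type, value) for the hypothetical endpoint option."""
    return OPT_TUNNEL_ENDPOINT, ipaddress.IPv4Address(ipv4_endpoint).packed


def build_dstopts(next_header: int, options: List[Tuple[int, bytes]]) -> bytes:
    """Next Header | Hdr Ext Len | TLV options, padded to a multiple of 8 octets."""
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad > 1:
        body += struct.pack("!BB", OPT_PADN, pad - 2) + bytes(pad - 2)
    return struct.pack("!BB", next_header, (2 + len(body)) // 8 - 1) + body


def parse_dstopts(data: bytes) -> Tuple[int, Dict[int, bytes], bytes]:
    """Return (next_header, {type: value}, bytes after the header).

    Applies the RFC 8200 rule for options a node does not recognise: the
    top two bits of the type say skip (00) or discard (01, 10, 11).
    """
    if len(data) < 2:
        raise ValueError("short Destination Options header")
    next_header, ext_len = data[0], data[1]
    total = (ext_len + 1) * 8
    if len(data) < total:
        raise ValueError("truncated Destination Options header")
    opts: Dict[int, bytes] = {}
    i = 2
    while i < total:
        opt_type = data[i]
        if opt_type == OPT_PAD1:
            i += 1
            continue
        if i + 2 > total or i + 2 + data[i + 1] > total:
            raise ValueError("option runs past the extension header")
        opt_len = data[i + 1]
        value = data[i + 2:i + 2 + opt_len]
        if opt_type != OPT_PADN:
            if opt_type != OPT_TUNNEL_ENDPOINT and (opt_type >> 6) != 0:
                raise ValueError(f"unknown option {opt_type:#x} requires discard")
            opts[opt_type] = value
        i += 2 + opt_len
    return next_header, opts, data[total:]


def tunnel_endpoint(first_next_header: int, after_ipv6_header: bytes) -> Optional[str]:
    """IPv4 endpoint from the packet, or None if the header is absent.

    first_next_header is the Next Header field of the fixed IPv6 header.
    None is also what the receiver gets when a middlebox stripped the
    extension header on the way, so the caller must fall back gracefully.
    """
    if first_next_header != NH_DSTOPTS:
        return None
    _, opts, _ = parse_dstopts(after_ipv6_header)
    raw = opts.get(OPT_TUNNEL_ENDPOINT)
    if raw is None or len(raw) != 4:
        return None
    return str(ipaddress.IPv4Address(raw))


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """RFC 7871 EDNS Client Subnet option for an IPv4 client in a query.

    Scope is 0 in queries. Only ceil(prefix/8) address octets are sent, with
    bits past the prefix zeroed, so a subnet is revealed, not the full address.
    """
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    octets = net.network_address.packed[:(source_prefix_len + 7) // 8]
    payload = struct.pack("!HBB", ECS_FAMILY_IPV4, source_prefix_len, 0) + octets
    return struct.pack("!HH", EDNS_OPT_CLIENT_SUBNET, len(payload)) + payload
```

A single 4-octet option fits exactly in the 8-octet minimum header, so no padding is emitted; add a second option and PadN appears. Note the asymmetry with ECS: the DNS option is carried end to end inside the application payload, whereas the IPv6 option sits in the network layer where every hop is free to act on it.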


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Felder


On Mon, Jun 6, 2016, at 13:09, Brandon Jackson wrote:
> Looking up your tunnels block in ARIN will only show HE's Info.
> 
> Using HE's rwhois http://rwhois.he.net/whois.php
> 
> Shows the information provided by the tunnel user at time of signup or as
> modified in account settings.
> 

Ahh, correct. This way is showing it for me. I should have known to use
their rwhois.


-- 
  Mark Felder
  f...@feld.me
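As an added example of the lookup Brandon describes (my code, not anything HE or anyone in this thread posted): a small rwhois client with a parser that picks the most specific network record covering a tunnel address, so the tunnel user's own City/Country fields win over HE's covering /32 object. It assumes the classic RWhois protocol (TCP port 4321, one query line, class:attribute:value response lines ending in %ok) and that tunnelbroker allocations live under 2001:470::/32; SAMPLE_REPLY is constructed for the offline run and is not a real HE record.

```python
"""Look up the registrant record behind an HE tunnel address via rwhois.

Added example, not code from this thread or from Hurricane Electric.
Assumptions: classic RWhois on TCP 4321 (send one query line, read
"class:attribute:value" lines until "%ok"); tunnelbroker space is
2001:470::/32. SAMPLE_REPLY is constructed, not a real HE record.
"""
import ipaddress
import socket
from typing import Dict, List

HE_TUNNEL_SPACE = ipaddress.ip_network("2001:470::/32")  # assumption
RWHOIS_SERVER = ("rwhois.he.net", 4321)                  # assumption: default rwhois port
GEO_ATTRS = ("City", "State", "Postal-Code", "Country-Code")

SAMPLE_REPLY = """\
%rwhois V-1.5:003fff:00 rwhois.he.net (constructed sample, not a real reply)
network:Class-Name:network
network:ID:NET-2001-470-0-0-0-0-0-0-32
network:Auth-Area:2001:470::/32
network:IP-Network:2001:470::/32
network:Organization;I:Hurricane Electric
network:City:Fremont
network:State:CA
network:Country-Code:US

network:Class-Name:network
network:ID:NET-EXAMPLE-TUNNEL
network:Auth-Area:2001:470::/32
network:IP-Network:2001:470:db8:1234::/64
network:Organization;I:Example Tunnel User
network:City:Stockholm
network:Country-Code:SE
network:Postal-Code:11120
network:Updated:20160606
%ok
"""


def is_he_tunnel(addr: str) -> bool:
    """True if addr is an IPv6 address inside the assumed tunnelbroker block."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip in HE_TUNNEL_SPACE


def parse_rwhois(reply: str) -> List[Dict[str, str]]:
    """Split a reply into records, one dict per object.

    Data lines are "class:attribute:value"; the value itself may contain
    colons (IPv6 prefixes), so split at most twice. A blank line or a "%"
    status line ends the current record; "#" lines are comments.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in reply.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            if current:
                records.append(current)
                current = {}
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # tolerate lines that are not attribute/value pairs
        cls, attr, value = parts
        current[f"{cls}:{attr}"] = value.strip()
    if current:
        records.append(current)
    return records


def registrant_location(addr: str, reply: str) -> Dict[str, str]:
    """Geo fields from the most specific network record covering addr.

    HE's own /32 object covers every tunnel address, so take the record
    with the longest IP-Network prefix that contains the address.
    """
    ip = ipaddress.ip_address(addr)
    best: Dict[str, str] = {}
    best_len = -1
    for rec in parse_rwhois(reply):
        try:
            net = ipaddress.ip_network(rec.get("network:IP-Network", ""), strict=False)
        except ValueError:
            continue
        if ip.version == net.version and ip in net and net.prefixlen > best_len:
            best, best_len = rec, net.prefixlen
    return {k: best[f"network:{k}"] for k in GEO_ATTRS if f"network:{k}" in best}


def query_rwhois(addr: str, server=RWHOIS_SERVER, timeout: float = 10.0) -> str:
    """Fetch the raw reply over the network (the offline demo does not call this)."""
    with socket.create_connection(server, timeout=timeout) as sock:
        sock.sendall(f"{addr}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"%ok" in data or b"%error" in data:  # assumption: reply terminators
                break
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    for a in ("2001:470:db8:1234::1", "2001:470:1::1", "2001:db8::1"):
        print(a, is_he_tunnel(a), registrant_location(a, SAMPLE_REPLY))
```

The longest-prefix selection is the part that matters: a naive "first record wins" reads HE's Fremont address for every tunnel, which is exactly the result the ARIN whois gives and the reason it looks like the tunnels carry no location at all.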


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Owen DeLong

> On Jun 5, 2016, at 16:45 , Damian Menscher  wrote:
> 
> On Sun, Jun 5, 2016 at 4:33 PM, Laszlo Hanyecz  wrote:
> 
>> On 2016-06-05 22:48, Damian Menscher wrote:
>> 
>>> 
>>> What *is* standard about them?  My earliest training as a sysadmin taught
>>> me that any time you switch away from a default setting, you're venturing
>>> into the unknown.  Your config is no longer well-tested; you may
>>> experience
>>> strange errors; nobody else will have seen the same bugs.
>>> 
>>> That's exactly what's happening here -- people are setting up IPv6 tunnel
>>> broker connections, then complaining that there are unexpected side
>>> effects.
>>> 
>> 
>> There are a lot of non technical Netflix users who are being told to turn
>> off IPv6, switch ISPs, get a new VPN, etc. because Netflix has a broken
>> system.  Those users don't care what IPv6 is, they just learn that it's bad
>> because it breaks Netflix.  Most users have no way to change these things
>> and they just aren't going to be able to use Netflix anymore.
> 
> 
> Who are these non-technical Netflix users who accidentally stumbled into
> having a HE tunnel broker connection without their knowledge?  I wasn't
> aware this sort of thing could happen without user consent, and would like
> to know if I'm wrong.  Only thing I can imagine is if ISPs are using HE as
> a form of CGN.

I don’t know if it ever actually happened or not, but I do know that there
were router vendors considering implementing automated Tunnel-broker IPv6
connectivity in instances where native IPv6 was unavailable.

All of the API hooks necessary to do so are available in Tunnel Broker.

So, it is quite possible that this has happened or will happen in the future.

> Another question: what benefit does one get from having a HE tunnel broker
> connection?  Is it just geek points, or is there a practical benefit too?

One can reach IPv6-only content which, while a tiny fraction of content today,
will by definition be a growing fraction of content in the future.

Owen



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Felder


On Mon, Jun 6, 2016, at 10:08, John Peach wrote:
> The whois information on the HE IPv6 address, does give the location.
> At least, it does on mine.
> 

That's interesting. On mine it does not. It just shows HE's info.

-- 
  Mark Felder
  f...@feld.me


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Owen DeLong

> On Jun 5, 2016, at 15:48 , Damian Menscher  wrote:
> 
> On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong  wrote:
> > On Jun 5, 2016, at 14:18 , Damian Menscher  wrote:
> > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl  wrote:
> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" :
> >>>
> >>> The information I'm getting from Netflix support now is explicitly
> >> telling
> >>> me to turn off IPv6 - someone might want to stop them before they
> >>> completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need native
> >> ipv6.
> >
> > This entire thread confuses me.  Are there normal home users who are being
> > blocked from Netflix because their ISP forces them through a HE VPN?  Or is
> > this massive thread just about a handful of geeks who think IPv6 is cool
> > and insist they be allowed to use it despite not having it natively?  I
> > could certainly understand ISP concerns that they are receiving user
> > complaints because they failed to provide native IPv6 (why not?), but
> > whining that you've managed to create a non-standard network setup doesn't
> > work with some providers seems a bit silly.
> 
> What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> is a very common configuration widely deployed to many thousands of locations
> around the internet.
> 
> What *is* standard about them?  My earliest training as a sysadmin taught me 
> that any time you switch away from a default setting, you're venturing into 
> the unknown.  Your config is no longer well-tested; you may experience 
> strange errors; nobody else will have seen the same bugs.

Then your training was flat out wrong. By your definition, it’s an experiment 
every time you manually configure an IP address on a system.

Further, System Administration is somewhat different from Networking.

As long as one adheres to the protocols as described in the RFCs, things should 
generally work. HE tunnels conform to RFCs and operate in a well defined and 
well documented standard manner that complies with all applicable standards.

If you never configure a router for something other than default, it is 
basically a brick. A very very expensive brick.

So by your definition, the entire internet is no longer well-tested, etc.

That’s just silly.

> 
> That's exactly what's happening here -- people are setting up IPv6 tunnel 
> broker connections, then complaining that there are unexpected side effects. 

No, that is not what is happening here.

What is happening here is that people set up tunnels through the tunnel broker 
and it worked just fine for years.

Some of the next part is speculation (the belief that it is content providers 
who are behind it), but the networking part is fact:

Netflix then likely got complaints from their content providers because some of 
those tunnels were being used to obfuscate geographic information allowing 
users outside the intended content distribution range to access the content. As 
a result, Netflix began deliberately blocking tunnels, including HE IPv6 
tunnels and many other kinds of VPNs.

This isn’t a case of something didn’t work because it was non-standard. This is 
a case of Netflix deliberately blocking things that previously worked.

> 
> It’s not that Netflix happens to not work with these tunnels, the problem is
> that they are taking deliberate active steps to specifically block them.
> 
> [Citation needed] ;)

See the rest of the thread. See Netflix’s public statements about VPNs and 
Tunnels.

> You're taking this as an attack on Hurricane Electric, and by extension on 
> IPv6.  But the reality is that Netflix has presumably identified HE tunnel 
> broker as a frequent source of VPN connections that violate their ToS, and 
> they are blocking it as they would any other widescale abuse.  The impact to 
> their userbase is miniscule -- as noted above, normal users won't be 
> affected, and those who are have the trivial workaround of disabling 
> tunnelbroker for Netflix-bound connections.  (I agree Netflix could helpfully 
> 302 such users to ipv4.netflix.com instead, but 
> it's already such a small problem I doubt that's a priority for them.  And it 
> probably wouldn't reduce the hype here anyway.)

Actually, when I read them, the ToS did not prohibit me from using a VPN or a 
tunnel to reach their service.

The ToS did prohibit accessing content from a disallowed geographic region, but 
the problem here is that Netflix is indiscriminately blocking all tunnels and 
vpns that they can identify, not just the ones that are being used for 
geo-obfuscation.

> As a side note, this is a common meme: recently Tor claimed 

Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Chris Baker
No need to speculate some details are available ...
http://www.michaelgeist.ca/2015/04/nobodys-perfect-leaked-contract-reveals-sony-requires-netflix-to-geo-block-but-acknowledges-technology-is-imperfect/
And thats just for a single content provider ...

On Mon, Jun 6, 2016 at 11:55 AM, Livingood, Jason <
jason_living...@comcast.com> wrote:

> On 6/5/16, 7:11 PM, "NANOG on behalf of Christopher Morrow"
>  wrote:
>
> >I dislike the IP folks as much as anyone, but :( flix has to make a
> >good-faith-effort or they'll lose content sources, I suspect.
>
> Perhaps so. And now that they are an original content creator as well, and
> making large investments to do so, that may also be a factor as they work
> to maximize distribution revenues.
>
> Jason
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Steve Atkins

> On Jun 6, 2016, at 8:21 AM, Tore Anderson  wrote:
> 
> * Spencer Ryan
> 
>> As an addendum to this and what someone said earlier about the
>> tunnels not being anonymous: From Netflix's perspective they are. Yes
>> HE knows who controls which tunnel, but if Netflix went to HE and
>> said "Tell me what user has x/48" HE would say "No". Thus, making
>> them an effective anonymous VPN service from Netflix's perspective.
> 
> Every ISP would say «No» to that question. In sane juridstictions only
> law enforcement has any chance of getting that answer (hopefully only if
> they have a valid mandate from some kind of court).

HE.net run a perfectly good rwhois server which has my town, state, country
and zip code for my personal IPv6 tunnel, just the same as they have
full contact information for my HE-provided business IPv6 space.

> But Netflix shouldn't have any need to ask in the first place. Their
> customers need to log in to their own personal accounts in order to
> access any content, when they do Netflix can discover their addresses.

The content providers are concerned about who is consuming the
content, not who is paying for it. Those needn't be the same people,
and given how careful people are not to share netflix creds with friends,
often won't be.

Netflix could stomp on credential sharing, but they don't seem to particularly
want to. Blocking a few VPN providers seems a figleaf to keep the content
providers happier while inconveniencing relatively few end users - anyone
who's using a VPN or tunnel anyway can probably change things around
to avoid the blocking with little effort.

Cheers,
  Steve

Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Laszlo Hanyecz


On 2016-06-06 15:21, Tore Anderson wrote:


But Netflix shouldn't have any need to ask in the first place. Their
customers need to log in to their own personal accounts in order to
access any content, when they do Netflix can discover their addresses.

Tore


Hey there's an idea, how about they ASK the users where they are 
located, instead of telling them where they are located.  Presumably a 
user will have a new billing address when they move to a new place.  
That ought to be a lot more accurate than lookup based on a static map 
of number -> location.  I don't think this is too crazy of an idea.. my 
car insurance company asks me what zip code I keep my cars in.  Netflix 
could ask people what zip code they watch video from.


-Laszlo



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Livingood, Jason
On 6/5/16, 7:11 PM, "NANOG on behalf of Christopher Morrow"
 wrote:

>I dislike the IP folks as much as anyone, but :( flix has to make a
>good-faith-effort or they'll lose content sources, I suspect.

Perhaps so. And now that they are an original content creator as well, and
making large investments to do so, that may also be a factor as they work
to maximize distribution revenues.

Jason



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Nicholas Suan
On Sun, Jun 5, 2016 at 10:51 PM, Jon Lewis  wrote:
> On Sun, 5 Jun 2016, Owen DeLong wrote:
>
>> What is non-standard about an HE tunnel? It conforms to the relevant RFCs
>> and
>> is a very common configuration widely deployed to many thousands of
>> locations
>> around the internet.
>>
>> It's not that Netflix happens to not work with these tunnels, the problem
>> is
>> that they are taking deliberate active steps to specifically block them.
>
>
> It's not a question of standard vs non-standard.  If Netflix is blocking HE
> IPv6 space (tunnel customers), I suspect they're doing so because this is
> effectively an IPv6 VPN service that masks the end-user's real IP making
> invalid any IP-based GEO assumptions Netflix would like to make about
> customer connections in order to satisfy their content licenses.
>

Yes, it's just Netflix being super aggressive about blocking VPNs.
They're basically removing access from any sort of service that can be
used to tunnel.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Tore Anderson
* Spencer Ryan

> As an addendum to this and what someone said earlier about the
> tunnels not being anonymous: From Netflix's perspective they are. Yes
> HE knows who controls which tunnel, but if Netflix went to HE and
> said "Tell me what user has x/48" HE would say "No". Thus, making
> them an effective anonymous VPN service from Netflix's perspective.

Every ISP would say «No» to that question. In sane jurisdictions only
law enforcement has any chance of getting that answer (hopefully only if
they have a valid mandate from some kind of court).

But Netflix shouldn't have any need to ask in the first place. Their
customers need to log in to their own personal accounts in order to
access any content, when they do Netflix can discover their addresses.

Tore


RE: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mikael Abrahamsson

On Mon, 6 Jun 2016, Matthew Huff wrote:

You can argue about the content providers' business model all you want, 
but Netflix has to do what they are doing. They aren't blocking IPv6 
users, they are blocking users that are using VPNs and/or tunnels since 
there currently is no practical way of providing GEOIP information about 
those users that the content providers require.


See my earlier email.

My billing address is in Sweden. My IPv4 address GEOIPs to Sweden. My IPv6 
tunnel GEOIPs to Sweden. I am not trying to circumvent ANYTHING, I am 
trying to watch content available to swedish users.


Still, Netflix is blocking my HE IPv6 tunnel, it seems mostly just 
lazy-blocking all HE prefixes instead of actually writing some intelligent 
code to try to find the people that are trying to circumvent the 
geographical limitations imposed by content owners.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Livingood, Jason
The SB6141, while fine for now, is only an 8 downstream channel device. If
you are buying one now I would recommend a a 16 or 24 channel device.
Alternatively, wait (lease) a few months and buy a DOCSIS 3.1 modem in
retail when they come out.

Jason Livingood
Comcast




On 6/3/16, 11:42 PM, "nanog-boun...@nanog.org on behalf of
valdis.kletni...@vt.edu"  wrote:

>On Fri, 03 Jun 2016 17:21:16 -0700, Blair Trosper said:
>> ...IF (and that's a big IF in the Bay Area at least) you can get the
>>newest
>> modems.  Easier said than done.
>
>http://www.amazon.com/ARRIS-SURFboard-SB6141-DOCSIS-Cable/dp/B00AJHDZSI/
>
>$68.75 and Done.  And the damned thing even pays for itself by not paying
>a rental
>every month.



RE: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Matthew Huff
Scott,

You are being absurd. The number of Netflix customers using 6in4 tunnels has to 
be in the 0.0001% territory of their users. They would be committing business 
malpractice to risk their contracts with content providers to provide access to 
that negligible amount of users. It’s not laziness to look at the risk versus 
rewards and decide it isn’t worth it from a business practice.

Yes, they could work with tunnel brokers and VPN providers and come up with some 
way of communicating GEOIP information, but even if the content providers were 
okay with that the cost involved versus the number of users they would impact 
would never make it worth their while.


Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669

From: Scott Morizot [mailto:tmori...@gmail.com]
Sent: Monday, June 6, 2016 11:04 AM
To: Matthew Huff <mh...@ox.com>
Cc: Mark Tinka <mark.ti...@seacom.mu>; NANOG list <nanog@nanog.org>
Subject: Re: Netflix VPN detection - actual engineer needed

Nonsense. That is hardly their only option as many others have pointed out. 
It's a deliberate and technically lazy choice to block 6in4 tunnels. Those are 
not even vaguely the same thing as a VPN. They've decided to break normal IPv6 
support and do so in a way that does not even fall back to IPv4. They deserve 
all the bad publicity that comes with such a anti-customer decision and the 
blame for their implementation choices cannot be passed back to the content 
providers.

Scott

On Mon, Jun 6, 2016 at 9:59 AM, Matthew Huff 
<mh...@ox.com<mailto:mh...@ox.com>> wrote:
Netflix IS acting in their users' best interest. In order to provide content 
that the users want, the content providers have mandated that they do their 
due diligence to block out of region users including VPN and open tunnel 
access. As Hulu and Amazon prime become more popular and their contracts with 
the content providers come due, they will have to also.

You can argue about the content providers' business model all you want, but 
Netflix has to do what they are doing. They aren't blocking IPv6 users, they 
are blocking users that are using VPNs and/or tunnels since there currently is 
no practical way of providing GEOIP information about those users that the 
content providers require.



Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669

> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org<mailto:nanog-boun...@nanog.org>] 
> On Behalf Of Scott Morizot
> Sent: Monday, June 6, 2016 10:50 AM
> To: Mark Tinka <mark.ti...@seacom.mu<mailto:mark.ti...@seacom.mu>>
> Cc: NANOG list <nanog@nanog.org<mailto:nanog@nanog.org>>
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> I have Hulu Plus and Amazon Prime. The only thing I would miss from
> Netflix
> is their Marvel original series. And I can live with that. I can't live
> without my IPv6 enabled home network and Internet connection since
> that's
> an essential part of my job. (I'm the IPv6 transition technical lead
> for a
> large organization.) While I actually manage my home internet gateway
> through a linux server and have fine-grained control over the firewall
> rules, I'm still debating whether I care enough about a handful of
> series
> to continue paying a company that is deliberately acting against its
> users'
> interests. Right now I'm leaning toward no. But I'll discuss it with my
> wife before making a final decision.
>
> Scott
>
> On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka 
> <mark.ti...@seacom.mu<mailto:mark.ti...@seacom.mu>>
> wrote:
>
> >
> >
> > On 6/Jun/16 01:45, Damian Menscher wrote:
> >
> > >
> > > Who are these non-technical Netflix users who accidentally stumbled
> into
> > > having a HE tunnel broker connection without their knowledge?  I
> wasn't
> > > aware this sort of thing could happen without user consent, and
> would
> > like
> > > to know if I'm wrong.  Only thing I can imagine is if ISPs are
> using HE
> > as
> > > a form of CGN.
> >
> > There are several networks around the world that rely on 6-in-4
> because
> > their local provider does not offer IPv6.
> >
> > Mark.
> >



Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Spencer Ryan
> They deserve all the bad publicity that comes with such a
anti-customer decision and the blame for their implementation choices
cannot be passed back to the content providers.

Content Providers: Block VPN and tunnel services.
Netflix: That really isn't the best way of doing this
Content Providers: I don't care, do it or we pull our content.

Someone here from BBC effectively said the exact same thing. Netflix has
nowhere near enough original content to have their providers all pull out.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Mon, Jun 6, 2016 at 11:03 AM, Scott Morizot <tmori...@gmail.com> wrote:

> Nonsense. That is hardly their only option as many others have pointed out.
> It's a deliberate and technically lazy choice to block 6in4 tunnels. Those
> are not even vaguely the same thing as a VPN. They've decided to break
> normal IPv6 support and do so in a way that does not even fall back to
> IPv4. They deserve all the bad publicity that comes with such a
> anti-customer decision and the blame for their implementation choices
> cannot be passed back to the content providers.
>
> Scott
>
> On Mon, Jun 6, 2016 at 9:59 AM, Matthew Huff <mh...@ox.com> wrote:
>
> > Netflix IS acting in their users' best interest. In order to provide
> > content that the users want, the content providers have mandated that they
> > do their due diligence to block out of region users including VPN and open
> > tunnel access. As Hulu and Amazon prime become more popular and their
> > contracts with the content providers come due, they will have to also.
> >
> > You can argue about the content providers' business model all you want, but
> > Netflix has to do what they are doing. They aren't blocking IPv6 users,
> > they are blocking users that are using VPNs and/or tunnels since there
> > currently is no practical way of providing GEOIP information about those
> > users that the content providers require.
> >
> >
> > 
> > Matthew Huff | 1 Manhattanville Rd
> > Director of Operations   | Purchase, NY 10577
> > OTA Management LLC   | Phone: 914-460-4039
> > aim: matthewbhuff| Fax:   914-694-5669
> >
> > > -Original Message-
> > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott
> Morizot
> > > Sent: Monday, June 6, 2016 10:50 AM
> > > To: Mark Tinka <mark.ti...@seacom.mu>
> > > Cc: NANOG list <nanog@nanog.org>
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > I have Hulu Plus and Amazon Prime. The only thing I would miss from
> > > Netflix
> > > is their Marvel original series. And I can live with that. I can't live
> > > without my IPv6 enabled home network and Internet connection since
> > > that's
> > > an essential part of my job. (I'm the IPv6 transition technical lead
> > > for a
> > > large organization.) While I actually manage my home internet gateway
> > > through a linux server and have fine-grained control over the firewall
> > > rules, I'm still debating whether I care enough about a handful of
> > > series
> > > to continue paying a company that is deliberately acting against its
> > > users'
> > > interests. Right now I'm leaning toward no. But I'll discuss it with my
> > > wife before making a final decision.
> > >
> > > Scott
> > >
> > > On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu>
> > > wrote:
> > >
> > > >
> > > >
> > > > On 6/Jun/16 01:45, Damian Menscher wrote:
> > > >
> > > > >
> > > > > Who are these non-technical Netflix users who accidentally stumbled
> > > into
> > > > > having a HE tunnel broker connection without their knowledge?  I
> > > wasn't
> > > > > aware this sort of thing could happen without user consent, and
> > > would
> > > > like
> > > > > to know if I'm wrong.  Only thing I can imagine is if ISPs are
> > > using HE
> > > > as
> > > > > a form of CGN.
> > > >
> > > > There are several networks around the world that rely on 6-in-4
> > > because
> > > > their local provider does not offer IPv6.
> > > >
> > > > Mark.
> > > >
> >
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread John Peach
The whois information on the HE IPv6 address, does give the location.
At least, it does on mine.


On Mon, 6 Jun 2016 11:03:16 -0400
Spencer Ryan <sr...@arbor.net> wrote:

> As an addendum to this and what someone said earlier about the
> tunnels not being anonymous: From Netflix's perspective they are. Yes
> HE knows who controls which tunnel, but if Netflix went to HE and
> said "Tell me what user has x/48" HE would say "No". Thus, making
> them an effective anonymous VPN service from Netflix's perspective.
> 
> 
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
> 
> On Mon, Jun 6, 2016 at 10:59 AM, Matthew Huff <mh...@ox.com> wrote:
> 
> > Netflix IS acting in their users' best interest. In order to provide
> > content that the users want, the content providers have mandated
> > that they do their due diligence to block out-of-region users,
> > including VPN and open tunnel access. As Hulu and Amazon Prime
> > become more popular and their contracts with the content providers
> > come due, they will have to also.
> >
> > You can argue about the content providers' business model all you
> > want, but Netflix has to do what they are doing. They aren't
> > blocking IPv6 users, they are blocking users that are using VPNs
> > and/or tunnels since there currently is no practical way of
> > providing GEOIP information about those users that the content
> > providers require.
> >
> >
> > 
> > Matthew Huff | 1 Manhattanville Rd
> > Director of Operations   | Purchase, NY 10577
> > OTA Management LLC   | Phone: 914-460-4039
> > aim: matthewbhuff| Fax:   914-694-5669
> >
> > > -Original Message-
> > > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott
> > > Morizot Sent: Monday, June 6, 2016 10:50 AM
> > > To: Mark Tinka <mark.ti...@seacom.mu>
> > > Cc: NANOG list <nanog@nanog.org>
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > I have Hulu Plus and Amazon Prime. The only thing I would miss
> > > from Netflix
> > > is their Marvel original series. And I can live with that. I
> > > can't live without my IPv6 enabled home network and Internet
> > > connection since that's
> > > an essential part of my job. (I'm the IPv6 transition technical
> > > lead for a
> > > large organization.) While I actually manage my home internet
> > > gateway through a linux server and have fine-grained control over
> > > the firewall rules, I'm still debating whether I care enough
> > > about a handful of series
> > > to continue paying a company that is deliberately acting against
> > > its users'
> > > interests. Right now I'm leaning toward no. But I'll discuss it
> > > with my wife before making a final decision.
> > >
> > > Scott
> > >
> > > On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu>
> > > wrote:
> > >
> > > >
> > > >
> > > > On 6/Jun/16 01:45, Damian Menscher wrote:
> > > >
> > > > >
> > > > > Who are these non-technical Netflix users who accidentally
> > > > > stumbled
> > > into
> > > > > having a HE tunnel broker connection without their
> > > > > knowledge?  I
> > > wasn't
> > > > > aware this sort of thing could happen without user consent,
> > > > > and
> > > would
> > > > like
> > > > > to know if I'm wrong.  Only thing I can imagine is if ISPs are
> > > using HE
> > > > as
> > > > > a form of CGN.
> > > >
> > > > There are several networks around the world that rely on 6-in-4
> > > because
> > > > their local provider does not offer IPv6.
> > > >
> > > > Mark.
> > > >
> >




Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Radu-Adrian Feurdean
On Sun, Jun 5, 2016, at 23:55, jim deleskie wrote:
> Damian, I HIGHLY doubt regular folks are running into issues with this, I
> suspect its not even geeks in general having issues, I suspect 80% plus of
> those having issues spend most of their time complaining about something
> related to v6 and the rest of the geeks not loving them/it enough.

You don't even need a HE tunnel in order to be blocked for "VPN
reasons": 2 providers, both dual-stacked (2 different v6 prefixes on the
home LAN, addresses from both /64s on each machine), only one used for
IPv4 exit.
With this set-up you DO get random messages about being on a VPN (at
least on some devices).


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Felder


On Sun, Jun 5, 2016, at 18:45, Damian Menscher wrote:
> 
> Another question: what benefit does one get from having a HE tunnel
> broker
> connection?  Is it just geek points, or is there a practical benefit too?
> 

I can access all my equipment at home remotely without having to resort
to Port Address Translation. I only have one static IPv4 and I run a lot
of services.

-- 
  Mark Felder
  f...@feld.me


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Felder


On Fri, Jun 3, 2016, at 17:30, Naslund, Steve wrote:
> 
> I guarantee you that Apple does not know where my Apple TV units or any
> of my Sony TVs are because they are on hard Ethernet cables with WiFi
> disabled so if they told the lawyers that, they lied.
> 

I would not be surprised if Apple wakes up the wifi occasionally to
listen/scan for SSIDs on non-iPhone devices where there's no worry of
impacting battery usage. Just because you don't intend to pass traffic
on it does not mean the OS doesn't have a valid use for it.


-- 
  Mark Felder
  f...@feld.me


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Felder


On Sun, Jun 5, 2016, at 17:18, Matt Freitag wrote:
> While it is damaging negative publicity it also makes sense. HE's tunnel
> service amounts to a free VPN that happens to provide IPv6. I would love
> for someone from HE to jump in and explain better how their tunnel works,
> why it's been blocked by Netflix, and what (if anything) they are doing
> to
> mitigate it.
> 
> For my part, I also found that my HE tunnel no longer worked with Netflix
> because, again, it amounts to a free VPN service. I had to shut it off.
> 
> However, I did discover that my ISP Charter Communications runs a 6rd
> tunnel service for their customers and enabled that on my router instead.
> Here are the settings I put in my ASUS router, taken off of a Tomato
> router
> firmware forum post:
> 
> DHCP Option: Disable
> IPv6 Prefix: 2602:100::
> IPv6 Prefix Length: 32
> IPv4 Border Router: 68.114.165.1
> IPv4 Router Mask Length: 0
> 
> I'm also using an MTU of 1480 and a Tunnel TTL of 255.
> 
> Works great, though I imagine it'll only work for other Charter customers
> who don't care what prefix they get assigned as Charter uses prefix
> delegation to make this work.
> 

That's funny because I tried to switch back to my Charter 6rd tunnel to
solve this and found even worse results. I stopped using Charter's 6rd
because it was terrible (latency mostly) but I was surprised to find
Netflix to be broken, not blocked. In my browser none of the static
elements load after I'm logged in. I pretty much get a black page. It's
not an MTU problem either...

Note, I'm on FreeBSD which doesn't support 6rd completely (there's an
uncommitted stf(4) driver with 6rd support by hrs@ but it was broken
last I checked). Using just a gif tunnel works but I can't contact any
IPs on 2602:100::/32, which is fine because I don't have a reason to
talk directly to any Charter 6rd tunnel users.


-- 
  Mark Felder
  f...@feld.me
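As an added example (not code from the thread, from Charter or from any router firmware), here is the RFC 5969 6rd address derivation applied to the settings quoted above: with prefix 2602:100::/32 and an IPv4 mask length of 0, the customer's /64 is the 6rd prefix with the full 32-bit public IPv4 address appended, and the inverse mapping recovers that IPv4 address from any address in the block, which is what a geolocation service would need to do to treat 6rd users like native ones. The border-router address 68.114.165.1 is reused here only as a constructed sample customer address; the mask-length-8 case with common prefix 10.0.0.0 is my own illustration of the general algorithm, not a Charter setting.

```python
import ipaddress

# 6rd parameters as quoted in the thread for Charter's service.
SIXRD_PREFIX = "2602:100::/32"   # "IPv6 Prefix: 2602:100::", "IPv6 Prefix Length: 32"
IPV4_MASK_LEN = 0                # "IPv4 Router Mask Length: 0"
BORDER_RELAY = "68.114.165.1"    # "IPv4 Border Router" (reused below as a sample CE address)


def _as_network(prefix):
    """Accept either a string or an IPv6Network for the 6rd prefix."""
    if isinstance(prefix, ipaddress.IPv6Network):
        return prefix
    return ipaddress.IPv6Network(prefix)


def sixrd_delegated_prefix(ipv4, sixrd_prefix=SIXRD_PREFIX, ipv4_mask_len=IPV4_MASK_LEN):
    """RFC 5969 section 7.1.1: the customer's delegated prefix is the 6rd
    prefix followed by the (32 - IPv4MaskLen) low-order bits of the
    customer's public IPv4 address. With mask length 0 all 32 bits are
    embedded, so a /32 6rd prefix yields a /64 per customer."""
    prefix = _as_network(sixrd_prefix)
    embedded_bits = 32 - ipv4_mask_len
    # Drop the high-order bits shared by the whole 6rd domain (none here).
    embedded = int(ipaddress.IPv4Address(ipv4)) & ((1 << embedded_bits) - 1)
    delegated_len = prefix.prefixlen + embedded_bits
    if delegated_len > 64:
        raise ValueError("6rd parameters leave no room for a /64 on the LAN")
    net_int = int(prefix.network_address) | (embedded << (128 - delegated_len))
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(net_int)}/{delegated_len}")


def sixrd_embedded_ipv4(ipv6, sixrd_prefix=SIXRD_PREFIX, ipv4_mask_len=IPV4_MASK_LEN,
                        ipv4_common_prefix=None):
    """Inverse mapping: recover the customer's IPv4 address from any IPv6
    address inside the 6rd domain. Returns None for addresses outside the
    6rd prefix, so a caller can fall back to ordinary IPv6 handling."""
    prefix = _as_network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    embedded_bits = 32 - ipv4_mask_len
    shift = 128 - (prefix.prefixlen + embedded_bits)
    embedded = (int(addr) >> shift) & ((1 << embedded_bits) - 1)
    high = 0
    if ipv4_mask_len:
        # The masked-off high-order IPv4 bits are common to the domain and
        # must be supplied by the caller (they are not in the IPv6 address).
        if ipv4_common_prefix is None:
            raise ValueError("ipv4_common_prefix is required when IPv4MaskLen > 0")
        high = int(ipaddress.IPv4Address(ipv4_common_prefix)) & ~((1 << embedded_bits) - 1)
    return ipaddress.IPv4Address(high | embedded)


def tunnel_mtu(link_mtu=1500):
    """6rd (like 6in4) wraps each IPv6 packet in a 20-byte IPv4 header,
    which is why the poster above configured an MTU of 1480 on a
    1500-byte link."""
    return link_mtu - 20


if __name__ == "__main__":
    delegated = sixrd_delegated_prefix(BORDER_RELAY)
    print(f"customer {BORDER_RELAY} gets {delegated}")
    print(f"{delegated[1]} maps back to {sixrd_embedded_ipv4(delegated[1])}")
    print(f"outside the domain: {sixrd_embedded_ipv4('2001:db8::1')}")
    print(f"tunnel MTU on a 1500-byte link: {tunnel_mtu()}")
```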


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Scott Morizot
Nonsense. That is hardly their only option as many others have pointed out.
It's a deliberate and technically lazy choice to block 6in4 tunnels. Those
are not even vaguely the same thing as a VPN. They've decided to break
normal IPv6 support and do so in a way that does not even fall back to
IPv4. They deserve all the bad publicity that comes with such an
anti-customer decision and the blame for their implementation choices
cannot be passed back to the content providers.

Scott

On Mon, Jun 6, 2016 at 9:59 AM, Matthew Huff <mh...@ox.com> wrote:

> Netflix IS acting in their users' best interest. In order to provide
> content that the users want, the content providers have mandated that they
> do their due diligence to block out-of-region users, including VPN and open
> tunnel access. As Hulu and Amazon Prime become more popular and their
> contracts with the content providers come due, they will have to also.
>
> You can argue about the content providers' business model all you want, but
> Netflix has to do what they are doing. They aren't blocking IPv6 users,
> they are blocking users that are using VPNs and/or tunnels since there
> currently is no practical way of providing GEOIP information about those
> users that the content providers require.
>
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
>
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Morizot
> > Sent: Monday, June 6, 2016 10:50 AM
> > To: Mark Tinka <mark.ti...@seacom.mu>
> > Cc: NANOG list <nanog@nanog.org>
> > Subject: Re: Netflix VPN detection - actual engineer needed
> >
> > I have Hulu Plus and Amazon Prime. The only thing I would miss from
> > Netflix
> > is their Marvel original series. And I can live with that. I can't live
> > without my IPv6 enabled home network and Internet connection since
> > that's
> > an essential part of my job. (I'm the IPv6 transition technical lead
> > for a
> > large organization.) While I actually manage my home internet gateway
> > through a linux server and have fine-grained control over the firewall
> > rules, I'm still debating whether I care enough about a handful of
> > series
> > to continue paying a company that is deliberately acting against its
> > users'
> > interests. Right now I'm leaning toward no. But I'll discuss it with my
> > wife before making a final decision.
> >
> > Scott
> >
> > On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu>
> > wrote:
> >
> > >
> > >
> > > On 6/Jun/16 01:45, Damian Menscher wrote:
> > >
> > > >
> > > > Who are these non-technical Netflix users who accidentally stumbled
> > into
> > > > having a HE tunnel broker connection without their knowledge?  I
> > wasn't
> > > > aware this sort of thing could happen without user consent, and
> > would
> > > like
> > > > to know if I'm wrong.  Only thing I can imagine is if ISPs are
> > using HE
> > > as
> > > > a form of CGN.
> > >
> > > There are several networks around the world that rely on 6-in-4
> > because
> > > their local provider does not offer IPv6.
> > >
> > > Mark.
> > >
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Spencer Ryan
As an addendum to this and what someone said earlier about the tunnels not
being anonymous: From Netflix's perspective they are. Yes HE knows who
controls which tunnel, but if Netflix went to HE and said "Tell me what
user has x/48" HE would say "No". Thus, making them an effective
anonymous VPN service from Netflix's perspective.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Mon, Jun 6, 2016 at 10:59 AM, Matthew Huff <mh...@ox.com> wrote:

> Netflix IS acting in their users' best interest. In order to provide
> content that the users want, the content providers have mandated that they
> do their due diligence to block out-of-region users, including VPN and open
> tunnel access. As Hulu and Amazon Prime become more popular and their
> contracts with the content providers come due, they will have to also.
>
> You can argue about the content providers' business model all you want, but
> Netflix has to do what they are doing. They aren't blocking IPv6 users,
> they are blocking users that are using VPNs and/or tunnels since there
> currently is no practical way of providing GEOIP information about those
> users that the content providers require.
>
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-694-5669
>
> > -Original Message-
> > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Morizot
> > Sent: Monday, June 6, 2016 10:50 AM
> > To: Mark Tinka <mark.ti...@seacom.mu>
> > Cc: NANOG list <nanog@nanog.org>
> > Subject: Re: Netflix VPN detection - actual engineer needed
> >
> > I have Hulu Plus and Amazon Prime. The only thing I would miss from
> > Netflix
> > is their Marvel original series. And I can live with that. I can't live
> > without my IPv6 enabled home network and Internet connection since
> > that's
> > an essential part of my job. (I'm the IPv6 transition technical lead
> > for a
> > large organization.) While I actually manage my home internet gateway
> > through a linux server and have fine-grained control over the firewall
> > rules, I'm still debating whether I care enough about a handful of
> > series
> > to continue paying a company that is deliberately acting against its
> > users'
> > interests. Right now I'm leaning toward no. But I'll discuss it with my
> > wife before making a final decision.
> >
> > Scott
> >
> > On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu>
> > wrote:
> >
> > >
> > >
> > > On 6/Jun/16 01:45, Damian Menscher wrote:
> > >
> > > >
> > > > Who are these non-technical Netflix users who accidentally stumbled
> > into
> > > > having a HE tunnel broker connection without their knowledge?  I
> > wasn't
> > > > aware this sort of thing could happen without user consent, and
> > would
> > > like
> > > > to know if I'm wrong.  Only thing I can imagine is if ISPs are
> > using HE
> > > as
> > > > a form of CGN.
> > >
> > > There are several networks around the world that rely on 6-in-4
> > because
> > > their local provider does not offer IPv6.
> > >
> > > Mark.
> > >
>


RE: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Matthew Huff
Netflix IS acting in their users' best interest. In order to provide content
that the users want, the content providers have mandated that they do their
due diligence to block out-of-region users, including VPN and open tunnel
access. As Hulu and Amazon Prime become more popular and their contracts with
the content providers come due, they will have to also.

You can argue about the content providers' business model all you want, but
Netflix has to do what they are doing. They aren't blocking IPv6 users, they
are blocking users that are using VPNs and/or tunnels since there currently is
no practical way of providing GEOIP information about those users that the
content providers require.



Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff| Fax:   914-694-5669

> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Scott Morizot
> Sent: Monday, June 6, 2016 10:50 AM
> To: Mark Tinka <mark.ti...@seacom.mu>
> Cc: NANOG list <nanog@nanog.org>
> Subject: Re: Netflix VPN detection - actual engineer needed
> 
> I have Hulu Plus and Amazon Prime. The only thing I would miss from
> Netflix
> is their Marvel original series. And I can live with that. I can't live
> without my IPv6 enabled home network and Internet connection since
> that's
> an essential part of my job. (I'm the IPv6 transition technical lead
> for a
> large organization.) While I actually manage my home internet gateway
> through a linux server and have fine-grained control over the firewall
> rules, I'm still debating whether I care enough about a handful of
> series
> to continue paying a company that is deliberately acting against its
> users'
> interests. Right now I'm leaning toward no. But I'll discuss it with my
> wife before making a final decision.
> 
> Scott
> 
> On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.ti...@seacom.mu>
> wrote:
> 
> >
> >
> > On 6/Jun/16 01:45, Damian Menscher wrote:
> >
> > >
> > > Who are these non-technical Netflix users who accidentally stumbled
> into
> > > having a HE tunnel broker connection without their knowledge?  I
> wasn't
> > > aware this sort of thing could happen without user consent, and
> would
> > like
> > > to know if I'm wrong.  Only thing I can imagine is if ISPs are
> using HE
> > as
> > > a form of CGN.
> >
> > There are several networks around the world that rely on 6-in-4
> because
> > their local provider does not offer IPv6.
> >
> > Mark.
> >


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Scott Morizot
I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix
is their Marvel original series. And I can live with that. I can't live
without my IPv6 enabled home network and Internet connection since that's
an essential part of my job. (I'm the IPv6 transition technical lead for a
large organization.) While I actually manage my home internet gateway
through a linux server and have fine-grained control over the firewall
rules, I'm still debating whether I care enough about a handful of series
to continue paying a company that is deliberately acting against its users'
interests. Right now I'm leaning toward no. But I'll discuss it with my
wife before making a final decision.

Scott

On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka  wrote:

>
>
> On 6/Jun/16 01:45, Damian Menscher wrote:
>
> >
> > Who are these non-technical Netflix users who accidentally stumbled into
> > having a HE tunnel broker connection without their knowledge?  I wasn't
> > aware this sort of thing could happen without user consent, and would
> like
> > to know if I'm wrong.  Only thing I can imagine is if ISPs are using HE
> as
> > a form of CGN.
>
> There are several networks around the world that rely on 6-in-4 because
> their local provider does not offer IPv6.
>
> Mark.
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Tinka


On 6/Jun/16 01:45, Damian Menscher wrote:

>
> Who are these non-technical Netflix users who accidentally stumbled into
> having a HE tunnel broker connection without their knowledge?  I wasn't
> aware this sort of thing could happen without user consent, and would like
> to know if I'm wrong.  Only thing I can imagine is if ISPs are using HE as
> a form of CGN.

There are several networks around the world that rely on 6-in-4 because
their local provider does not offer IPv6.

Mark.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Tinka


On 6/Jun/16 00:48, Damian Menscher wrote:

> What *is* standard about them?  My earliest training as a sysadmin taught
> me that any time you switch away from a default setting, you're venturing
> into the unknown.  Your config is no longer well-tested; you may experience
> strange errors; nobody else will have seen the same bugs.
>
> That's exactly what's happening here -- people are setting up IPv6 tunnel
> broker connections, then complaining that there are unexpected side
> effects.

In that case, let's shut down the entire Internet and be done with it.

If any network operator here is running their entire network in a
"standard" way as described by Damian, then they are doing something wrong.

Mark.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Tinka


On 6/Jun/16 00:18, Matt Freitag wrote:

> While it is damaging negative publicity it also makes sense. HE's tunnel
> service amounts to a free VPN that happens to provide IPv6. I would love
> for someone from HE to jump in and explain better how their tunnel works,
> why it's been blocked by Netflix, and what (if anything) they are doing to
> mitigate it.
>
> For my part, I also found that my HE tunnel no longer worked with Netflix
> because, again, it amounts to a free VPN service. I had to shut it off.

You use the word "free" as though Netflix would not block a "paid
for" VPN service.

I don't think the commercial state of the VPN service matters.

Mark.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Mark Tinka


On 5/Jun/16 23:18, Damian Menscher wrote:

> This entire thread confuses me.  Are there normal home users who are being
> blocked from Netflix because their ISP forces them through a HE VPN?  Or is
> this massive thread just about a handful of geeks who think IPv6 is cool
> and insist they be allowed to use it despite not having it natively?  I
> could certainly understand ISP concerns that they are receiving user
> complaints because they failed to provide native IPv6 (why not?), but
> whining that you've managed to create a non-standard network setup doesn't
> work with some providers seems a bit silly.

Non-standard?

Sounds like one of those "best-of-breed" words that get thrown around
inside companies.

Mark.


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Josh Reynolds
I've worked at my fair share of eyeball ISPs, and many of them used HE
as one of their connections.

On Mon, Jun 6, 2016 at 12:38 AM, joel jaeggli  wrote:
> On 6/5/16 6:23 PM, Josh Reynolds wrote:
>> Uhm, what? Where do you think ISPs get their transit exactly?
>
> They buy from 2 or more wholesale transit providers and in general they
> opportunistically peer, although scale helps a lot there.
>
>> On Jun 5, 2016 8:17 PM, "joel jaeggli" wrote:
>>
>> HE's downstream cone does not include a whole lot of residential ISPs.
>> if you further exclude the ones that are multihomed you're left with a
>> pretty small subset. that said they (HE) can be and are a valuable peer
>> both in v4 and v6.
>>
>> Personally I wouldn't single home to anything that looks tier-1ish but
>> your mileage may vary. The residential operators I look at tend to be
>> fairly diversely connected.
>>
>> On 6/3/16 5:46 PM, Josh Reynolds wrote:
>> > You might be one of a handful.
>> > On Jun 3, 2016 7:35 PM, "Gary E. Miller" wrote:
>> >
>> >> Yo Spencer!
>> >>
>> >> On Fri, 3 Jun 2016 20:13:03 -0400
>> >> Spencer Ryan wrote:
>> >>
>> >>> Yes but HE doesn't serve residential users directly.
>> >>
>> >> Really?  I am the only one?  Doubtful.
>> >>
>> >> RGDS
>> >> GARY
>> >>
>> >> ---
>> >> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>> >> g...@rellim.com  Tel:+1 541 382 8588
>> >>
>> >
>>
>>
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Todd Crane
Fixed it for you


> On Jun 5, 2016, at 10:38 PM, joel jaeggli  wrote:
> 
> 
> They buy from 2 or more wholesale transit providers and in general they
> opportunistically bureaucratically peer, although scale helps a lot there.


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread joel jaeggli
On 6/5/16 6:23 PM, Josh Reynolds wrote:
> Uhm, what? Where do you think ISPs get their transit exactly?

They buy from 2 or more wholesale transit providers and in general they
opportunistically peer, although scale helps a lot there.

> On Jun 5, 2016 8:17 PM, "joel jaeggli" wrote:
> 
> HE's downstream cone does not include a whole lot of residential ISPs.
> if you further exclude the ones that are multihomed you're left with a
> pretty small subset. that said they (HE) can be and are a valuable peer
> both in v4 and v6.
> 
> Personally I wouldn't single home to anything that looks tier-1ish but
> your mileage may vary. The residential operators I look at tend to be
> fairly diversely connected.
> 
> On 6/3/16 5:46 PM, Josh Reynolds wrote:
> > You might be one of a handful.
> > On Jun 3, 2016 7:35 PM, "Gary E. Miller" wrote:
> >
> >> Yo Spencer!
> >>
> >> On Fri, 3 Jun 2016 20:13:03 -0400
> >> Spencer Ryan wrote:
> >>
> >>> Yes but HE doesn't serve residential users directly.
> >>
> >> Really?  I am the only one?  Doubtful.
> >>
> >> RGDS
> >> GARY
> >>
> >> ---
> >> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> >> g...@rellim.com  Tel:+1 541 382 8588
> >>
> >
> 
> 






Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Mark Andrews

In message , Jon Lewis writes:
> On Sun, 5 Jun 2016, Owen DeLong wrote:
> 
> > What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> > is a very common configuration widely deployed to many thousands of locations
> > around the internet.
> >
> > It's not that Netflix happens to not work with these tunnels, the problem is
> > that they are taking deliberate active steps to specifically block them.
> 
> It's not a question of standard vs non-standard.  If Netflix is blocking 
> HE IPv6 space (tunnel customers), I suspect they're doing so because this 
> is effectively an IPv6 VPN service that masks the end-user's real IP 
> making invalid any IP-based GEO assumptions Netflix would like to make 
> about customer connections in order to satisfy their content licenses.

What's not "real" about the HE allocated IPv6 address?  They are
more stable than most IPv4 addresses you get from residential ISPs.
I've had the oldest of my addresses for 13 years.  The /48 is
slightly newer but it is stable across IPv4 renumberings.  They
don't change on power cycle of the modem / router.  My IPv4 address
changes periodically with no notice, with the ISP not even honouring
the DHCP lease, requiring me to take corrective measures.

Just because they are not in a big geoip-friendly IP block doesn't
make them not "real".  They are stable addresses, and if Netflix or
any other geoip-based service did their homework they could work out
where the addresses are located.  The only reason they don't work
is that Netflix is lazy and would rather annoy their customers
than deliver a paid-for service.

> > So... I don't know how many "normal users" use HE tunnels vs. "geeks" or how one
> > would go about defining the difference. I can tell you that there are an awful
> > lot of people using HE tunnels, and based on what I saw while working at HE,
> > I don't believe they are all geeks. While I would say that geeks are a larger
> 
> You have to be at least somewhat of a geek to even care about IPv6 and 
> know that HE provides free IPv6 tunnels for those who can't get it 
> natively from their own ISP.  Ideally, HE's v6 tunnel service should 
> become more or less redundant as more service provider networks dual-stack 
> their customers.
> 
> 
> --
>   Jon Lewis, MCP :)   |  I route
>   |  therefore you are
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Jon Lewis

On Sun, 5 Jun 2016, Owen DeLong wrote:

> What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> is a very common configuration widely deployed to many thousands of locations
> around the internet.
>
> It's not that Netflix happens to not work with these tunnels, the problem is
> that they are taking deliberate active steps to specifically block them.

It's not a question of standard vs non-standard.  If Netflix is blocking 
HE IPv6 space (tunnel customers), I suspect they're doing so because this 
is effectively an IPv6 VPN service that masks the end-user's real IP 
making invalid any IP-based GEO assumptions Netflix would like to make 
about customer connections in order to satisfy their content licenses.

> So... I don't know how many "normal users" use HE tunnels vs. "geeks" or
> how one would go about defining the difference. I can tell you that there
> are an awful lot of people using HE tunnels, and based on what I saw while
> working at HE, I don't believe they are all geeks. While I would say that
> geeks are a larger

You have to be at least somewhat of a geek to even care about IPv6 and 
know that HE provides free IPv6 tunnels for those who can't get it 
natively from their own ISP.  Ideally, HE's v6 tunnel service should 
become more or less redundant as more service provider networks dual-stack 
their customers.



--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread John Levine
>What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
>is a very common configuration widely deployed to many thousands of locations
>around the internet.

Nothing whatsoever, but so what?

>Most likely, these steps are being taken at the behest of their content 
>providers,
>but to the best of my knowledge, that is merely speculation so far as I don’t
>believe Netflix themselves have confirmed this. (It’s not unlikely that they 
>are
>unable to do so due to those same content providers likely insisting on these
>requirements being considered proprietary information subject to NDA.)

Of course they are.  Movie licenses are invariably country specific.

R's,
John


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Josh Reynolds
Uhm, what? Where do you think ISPs get their transit exactly?
On Jun 5, 2016 8:17 PM, "joel jaeggli"  wrote:

> HE's downstream cone does not include a whole lot of residential ISPs.
> if you further exclude the ones that are multihomed you're left with a
> pretty small subset. that said they (HE) can be and are a valuable peer
> both in v4 and v6.
>
> Personally I wouldn't single home to anything that looks tier-1ish but
> your mileage may vary. The residential operators I look at tend to be
> fairly diversely connected.
>
> On 6/3/16 5:46 PM, Josh Reynolds wrote:
> > You might be one of a handful.
> > On Jun 3, 2016 7:35 PM, "Gary E. Miller"  wrote:
> >
> >> Yo Spencer!
> >>
> >> On Fri, 3 Jun 2016 20:13:03 -0400
> >> Spencer Ryan  wrote:
> >>
> >>> Yes but HE doesn't serve residential users directly.
> >>
> >> Really?  I am the only one?  Doubtful.
> >>
> >> RGDS
> >> GARY
> >>
> >> ---
> >> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
> >> g...@rellim.com  Tel:+1 541 382 8588
> >>
> >
>
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread joel jaeggli
HE's downstream cone does not include a whole lot of residential ISPs.
if you further exclude the ones that are multihomed you're left with a
pretty small subset. that said they (HE) can be and are a valuable peer
both in v4 and v6.

Personally I wouldn't single home to anything that looks tier-1ish, but
your mileage may vary. The residential operators I look at tend to be
fairly diversely connected.

On 6/3/16 5:46 PM, Josh Reynolds wrote:
> You might be one of a handful.
> On Jun 3, 2016 7:35 PM, "Gary E. Miller"  wrote:
> 
>> Yo Spencer!
>>
>> On Fri, 3 Jun 2016 20:13:03 -0400
>> Spencer Ryan  wrote:
>>
>>> Yes but HE doesn't serve residential users directly.
>>
>> Really?  I am the only one?  Doubtful.
>>
>> RGDS
>> GARY
>> ---
>> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>> g...@rellim.com  Tel:+1 541 382 8588
>>
> 






Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Christopher Morrow
On Sun, Jun 5, 2016 at 8:15 PM, Laszlo Hanyecz  wrote:

> For P2P stuff it's a way to get around NAT - you can get inbound torrent
> connections or host a shooting game match on your desktop behind the NAT
> router.


but to be fair, stun/ice/upnp has made all that work for 'years'...


Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Laszlo Hanyecz


On 2016-06-05 23:45, Damian Menscher wrote:
Who are these non-technical Netflix users who accidentally stumbled 
into having a HE tunnel broker connection without their knowledge?  I 
wasn't aware this sort of thing could happen without user consent, and 
would like to know if I'm wrong.  Only thing I can imagine is if ISPs 
are using HE as a form of CGN.


Another question: what benefit does one get from having a HE tunnel 
broker connection?  Is it just geek points, or is there a practical 
benefit too?


Damian


Well, you could use the HE.net tunnels to work around the problem if 
their GeoIP checks block you in the first place.
HE.net tunnelbroker is commonly used by home users on ISPs which don't 
provide v6 on their own, like Verizon's fios.  Home routers generally 
have support for this built in and it doesn't take someone with a lot of 
technical knowledge to set it up.


You can also set up BGP with HE and they will give you free transit on 
the free tunnel and accept your announcements.  Personally I have set it 
up with and without BGP at small office locations as a way to provide 
IPv6 to the office workers, when only v4 was available.  You just click 
to get a HE.net /48.


For P2P stuff it's a way to get around NAT - you can get inbound torrent 
connections or host a shooting game match on your desktop behind the NAT 
router.


-Laszlo



Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Mark Andrews

In message 
, Spencer Ryan writes:
> I'm unaware of any US based user who gets native dual stack from their ISP
> having issues. Netflix is blocking anonymous VPNs based on their content
> providers requests. HE's tunnel broker is effectively that.

No.  The addresses can be tied back to the individual that created
the tunnel which is exactly like tying back the addresses to the
person that ordered the cable or dsl service.  The HE addresses are
no more anonymous than that.

The difference is that HE don't have large geo located pools of
addresses covering lots of users.  Instead each allocated prefix
needs to be individually geoip located.  My HE /48 is registered
with at least one geoip service as they provided tools (a phone
app) which allow me to update their database based on the GPS data.

Additionally there is no requirement for any ISP to allocate addresses
in geoip blocks.

Mark

> On Jun 5, 2016 7:34 PM, "Laszlo Hanyecz"  wrote:
> 
> >
> >
> > On 2016-06-05 22:48, Damian Menscher wrote:
> >
> >>
> >> What *is* standard about them?  My earliest training as a sysadmin taught
> >> me that any time you switch away from a default setting, you're venturing
> >> into the unknown.  Your config is no longer well-tested; you may
> >> experience
> >> strange errors; nobody else will have seen the same bugs.
> >>
> >> That's exactly what's happening here -- people are setting up IPv6 tunnel
> >> broker connections, then complaining that there are unexpected side
> >> effects.
> >>
> >>
> >> Damian,
> >
> > If we were talking about some device that is outputting incorrect packets
> > and they are failing to work with Netflix I would agree with you, but in
> > this case the packets are standard and everything works fine.  Netflix went
> > out of their way to try to find a way to make it not work.  The users and
> > geeks aren't just breaking stuff and expecting others to work around their
> > broken setup, but this is actually what Netflix is doing.  All Netflix can
> > look at is the content of the packet and so they're using the source
> > address to discriminate.  It is true that some users might be able to work
> > around it if they can get on an ISP that gives them an allowed address, but
> > that isn't a good solution for an open internet.
> >
> > There are a lot of non technical Netflix users who are being told to turn
> > off IPv6, switch ISPs, get a new VPN, etc. because Netflix has a broken
> > system.  Those users don't care what IPv6 is, they just learn that it's bad
> > because it breaks Netflix.  Most users have no way to change these things
> > and they just aren't going to be able to use Netflix anymore.  That's a
> > very selfish way to operate, a huge step backwards, and it's a kick in the
> > balls to everyone who works to make technological progress on the
> > internet.   The simple truth is that Netflix is trying to figure out where
> > people are located, but this is not possible to do reliably with current
> > internet technology.  Instead they did something that is unreliable, and
> > many customers become collateral damage through no fault of their own. All
> > the breakage is on the Netflix side.
> >
> > -Laszlo
> >
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
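The two arguments above, Laszlo's point that all a content provider can act on is the packet's source address and Mark's point that HE prefixes are allocated per user rather than in large geolocated pools, come down to how granular the address check is. The following is an added example, not code from the thread or from Netflix or HE, that runs two such policies over a few constructed access-log lines: a coarse policy that refuses an entire tunnel-broker allocation, and a prefix policy that judges each address by the most specific geolocation record it has, so a user-registered /48 like the one Mark describes is judged on its own record while an unregistered tunnel address is sent to review instead of being refused. The prefixes, countries, geo table and log lines are all constructed; 2001:470::/32 is used only as a stand-in for a tunnel-broker allocation, since the thread names no concrete ranges.

```python
"""Added example: source-address geo checks of the kind the thread argues about.
Compares a coarse "refuse the whole tunnel-broker block" policy with a
per-prefix policy. Everything below is constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed tunnel-broker / VPN allocations that a coarse filter would refuse outright.
TUNNEL_PREFIXES: list[IPNet] = [ipaddress.ip_network("2001:470::/32")]

# Assumed per-prefix geolocation table; most-specific match wins. The /48 entry
# stands for a user who registered their tunnel prefix with a geo provider, the
# /32 entry for the allocation-level default a vendor might carry for the block.
GEO_TABLE: dict[IPNet, str] = {
    ipaddress.ip_network("2001:470::/32"): "US",       # allocation-level guess
    ipaddress.ip_network("2001:470:1f0b::/48"): "AU",  # user-registered /48
    ipaddress.ip_network("203.0.113.0/24"): "AU",      # native ISP pool (TEST-NET-3)
}

# Constructed log lines: "<source ip> <account country> <path>"
SAMPLE_LOG = """\
203.0.113.7 AU /watch/1234
2001:470:1f0b:aaaa::1 AU /watch/1234
2001:470:1f0c:bbbb::1 AU /watch/5678
2001:470:1f0b:aaaa::1 US /watch/1234
"""


@dataclass(frozen=True)
class Decision:
    src: str
    verdict: str  # "allow", "deny" or "review"
    reason: str


def in_tunnel_space(addr: IPAddr) -> bool:
    return any(addr.version == n.version and addr in n for n in TUNNEL_PREFIXES)


def most_specific_geo(addr: IPAddr) -> Optional[tuple[IPNet, str]]:
    """Longest-prefix match of addr against GEO_TABLE, or None if no record."""
    best = None
    for net, country in GEO_TABLE.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best


def coarse_policy(src: str, account_country: str) -> Decision:
    """Refuse anything inside a tunnel/VPN allocation, otherwise trust the geo
    match. A tunnel user who really is in the licensed country is refused too."""
    addr = ipaddress.ip_address(src)
    if in_tunnel_space(addr):
        return Decision(src, "deny", "source inside tunnel-broker allocation")
    hit = most_specific_geo(addr)
    if hit and hit[1] == account_country:
        return Decision(src, "allow", f"geo {hit[1]} matches account")
    return Decision(src, "deny", "geo mismatch or no record")


def prefix_policy(src: str, account_country: str, min_prefixlen: int = 48) -> Decision:
    """Judge the address by its most specific geo record. A tunnel address is
    allowed only on a record at least as specific as min_prefixlen; with only an
    allocation-level record it goes to review rather than being refused."""
    addr = ipaddress.ip_address(src)
    hit = most_specific_geo(addr)
    if hit is None:
        return Decision(src, "review", "no geo record")
    net, country = hit
    if in_tunnel_space(addr) and net.prefixlen < min_prefixlen:
        return Decision(src, "review", f"only a /{net.prefixlen} record for a tunnel address")
    if country == account_country:
        return Decision(src, "allow", f"geo {country} from {net} matches account")
    return Decision(src, "deny", f"geo {country} from {net} disagrees with account {account_country}")


def run(log: str, policy: Callable[[str, str], Decision]) -> list[Decision]:
    decisions = []
    for line in log.splitlines():
        src, country, _path = line.split()
        decisions.append(policy(src, country))
    return decisions


if __name__ == "__main__":
    for name, pol in (("coarse", coarse_policy), ("prefix", prefix_policy)):
        print(f"== {name}")
        for d in run(SAMPLE_LOG, pol):
            print(f"{d.verdict:6} {d.src:24} {d.reason}")
```

On the constructed log the coarse policy refuses all three tunnel lines, including the registered /48 whose record agrees with the account; the prefix policy allows that one, refuses the same /48 when the account country disagrees, and sends the unregistered tunnel address to review. The review verdict is the practical difference: it gives the operator a path to register the prefix instead of the "turn off IPv6" advice the thread complains about.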