Netflix VPN detection - actual engineer needed

Cryptographrix cryptographrix at gmail.com
Fri Jun 3 22:34:57 UTC 2016


But wait, content providers *do that.*

*Microsoft too...for illegal copies of Outlook, even...*

How do we know they do that?

Because your ISP can be held liable if they are contacted by a content
provider and do not follow graduated response guidelines either issued by
the nation the ISP resides in or governed by industry agreements and *do
not* shut off your service if you are found to be pirating content.

But all of this is moot against the point you mentioned: Netflix authored a
broken process.

There are at least 3 much more accurate ways to establish regional
provenance for any packet - and of course all of them can be hacked - but
those same content providers have established in their audit requirements
that they're perfectly willing to accept the risks involved.





On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix <cryptographrix at gmail.com>
wrote:

> "there is no reliable geo-location method for Netflix to use"
>
> Any microprocessor that is connected to the Internet is subject to being
> hacked - let's just turn off all of our computers, since we're talking in
> absolutes.
>
> From the perspective of the "lawyers and MBA types that negotiate
> agreements with Netflix and similar services" (to quote Eric), there *are* reliable
> methods within a specific risk profile, and those include (thanks to Google
> and Apple, whom most of the content providers *also* have agreements
> with) AGPS based on Wifi and other industry now-standard methods.
>
> I don't think there _is_ a contractual requirement to attempt to block VPN
> traffic. I think there's a contractual requirement to provide geographic
> controls for content, which is a completely different discussion, and is
> what those same cable and satellite TV providers (many of which _are_ the
> ISPs for Netflix's customer base) provide.
>
> As has been pointed out, Slingbox is an excellent proxy for over-the-air
> and cable-tv video, but you don't see content providers pressuring
> regulation on them because they limit their risk with the station or cable
> TV provider.
>
>
>
>
> On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund at medline.com>
> wrote:
>
>> That is true.  The problem is that traditionally the ISPs have to deal
>> with customers that can't get to the content they want.  Netflix's ridiculous
>> detection schemes do nothing but create tons of work for the service
>> provider which in turn creates stupid work-arounds and network
>> configurations that are ill conceived.  Myself, I had to shut off IPv6 at
>> home to get things to work reliably several times for dumb reasons.  Kind
>> of hard to preach the v6 message when I had to shut it off myself several
>> times to get my own stuff to work OK.  Netflix just decided that creating
>> issues for a subset of their customers was better than having the real
>> fight with the content providers.
>>
>> My point is that there is no reliable geo-location method for Netflix to
>> use, at least there never has been yet.  Good luck ever getting that to
>> work behind the great firewall of China.
>>
>> Steven Naslund
>> Chicago IL
>>
>> From: Cryptographrix [mailto:cryptographrix at gmail.com]
>> Sent: Friday, June 03, 2016 4:56 PM
>> To: Naslund, Steve; nanog at nanog.org
>> Subject: Re: Netflix VPN detection - actual engineer needed
>>
>> Oh I'm not suggesting for a microsecond that any provenance of location
>> can not be hacked, but I totally think that - until the content providers
>> change their business model to not rely on regional controls - they could
>> at least use a more accurate source for that information than my IP(4 or 6)
>> address.
>>
>> I just don't think that this is an appropriate venue to discuss the value
>> of their business model as that's something their business needs to work on
>> changing internally, and fighting it (at least for the moment) will only
>> land Netflix in court.
>>
>> In short, I'm pointing the finger at Netflix's developers for coming up
>> with such a lazy control for geolocation.
>>
>> On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund at medline.com> wrote:
>> Wifi location depends on a bunch of problematic things.  First, your SSID
>> needs to get collected and put in a database somewhere.  That itself is a
>> crap shoot.  Next, you can stop google (and some other wifi databases) from
>> collecting the data by putting _nomap at the end of your SSID.  Lastly, not
>> everyone has wifi or iOS or GPS or whatever location method you can think
>> of.  BTW, my apple TV is on a wired Ethernet, not wifi.
>>
>> Point is, for whatever location technology you want to use be it IP, GPS,
>> WiFi location, sextant... they can be inaccurate and they can be faked and
>> there are privacy concerns with all of them.  What the content producers
>> need to figure out is that regionalization DOES NOT WORK ANYMORE!  The
>> original point was that they could have different release dates in
>> different areas at different prices and availability.  They are going to
>> have to get over it because they will lose the technological arms race.
>>
>> There is no reason you could not beat all of the location systems with a
>> simple proxy.  A proxy makes a Netflix connection from an allowed IP,
>> location or whatever and then builds a new video/audio stream out the back
>> end to the client anywhere in the world.  Simple to implement and damn near
>> impossible to beat.  Ever hear of Slingbox?
>>
>> Steven Naslund
>> Chicago IL
>>
>> From: Cryptographrix [mailto:cryptographrix at gmail.com]
>> Sent: Friday, June 03, 2016 3:42 PM
>> To: Naslund, Steve; nanog at nanog.org
>> Subject: Re: Netflix VPN detection - actual engineer needed
>>
>> Apple TVs get their location indoors using the same method they use for
>> other iOS devices when indoors - wifi ssid/Mac scanning.
>>
>> Non-iOS devices are often capable of this as well.
>>
>> (As someone that spends >67% of his time underground and whose Apple TV
>> requests my location from my underground bedroom and is very accurate)
>>
>> On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund at medline.com> wrote:
>> Their app could request your device's location.  Problem is a lot of
>> devices (like TVs, Apple TVs, most DVD players, i.e. devices with built-in
>> Netflix) don't know where they are and it cannot easily be added (indoor
>> GPS is still difficult/expensive), and even if they could, should they be
>> believed?  I think the bigger issue is whether any kind of regional
>> controls are enforceable or effective any more.
>>
>> Steven Naslund
>> Chicago IL
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Cryptographrix
>> Sent: Friday, June 03, 2016 3:21 PM
>> To: Spencer Ryan
>> Cc: North American Network Operators' Group
>> Subject: Re: Netflix VPN detection - actual engineer needed
>>
>> Come now, content providers really just care that they have access to
>> regional controls more so than their ability to blanket-deny access (ok,
>> minus the MLB who are just insane).
>>
>> And part of those regional controls deal with the accuracy of the
>> location information.
>>
>> If their app can request my device's precise location, it doesn't need to
>> infer my location from my IP any more.
>>
>> As a matter of fact, it's only detrimental to them for it to do so,
>> because of the lack of accuracy from geo databases and the various reasons
>> that people use VPNs nowadays (i.e. for some devices that you can't even
>> turn VPN connections off for - OR in the case of IPv6, when you can't reach
>> a segment of the Internet without it).
>>
>>
>> On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan at arbor.net> wrote:
>>
>> > There is a large difference between "the VPN run at your house" and
>> > "Arguably the most popular, free, mostly anonymous tunnel broker service"
>> >
>> > If it were up to the content providers, they probably would block any
>> > IP they saw a VPN server listening on.
>> >
>> >
>> > *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
>> > *Arbor Networks*
>> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> > www.arbornetworks.com
>> >
>> > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix at gmail.com>
>> > wrote:
>> >
>> >> I have a VPN connection at my house. There's no way for them to know
>> >> the difference between me using my home network connection from Hong
>> >> Kong or my home network connection from my house.
>> >>
>> >> Are they going to disable connectivity from everywhere they can
>> >> detect an open VPN port to, also?
>> >>
>> >> If they trust my v4 address, they can use that to establish
>> >> historical reference. Additionally, they can fail over to v4 if they
>> >> do not trust the
>> >> v6 address.
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan at arbor.net> wrote:
>> >>
>> >>> There is no way for Netflix to know the difference between you being
>> >>> in NY and using the tunnel, and you living in Hong Kong and using the
>> >>> tunnel.
>> >>>
>> >>>
>> >>> *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
>> >>> *Arbor Networks*
>> >>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> >>> www.arbornetworks.com
>> >>>
>> >>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix at gmail.com>
>> >>> wrote:
>> >>>
>> >>>> Same, but until there's a real IPv6 presence in the US, it's really
>> >>>> annoying that they haven't come up with some fix for this.
>> >>>>
>> >>>> I have no plans to turn off IPv6 at home - I actually have many
>> >>>> uses for it, and as much as I dislike the controversy around it,
>> >>>> think that adoption needs to be prioritized, not penalized.
>> >>>>
>> >>>> Additionally, I think that discussing content provider control over
>> >>>> regional decisions isn't productive to the conversation, as they
>> >>>> didn't build the banhammer (wouldn't you want to control your own
>> >>>> content if you had made content specific to regional laws etc?).
>> >>>>
>> >>>> I.e. - not all shows need to have regional restrictions between New
>> >>>> York (where I live) and California (where my IPv6 /64 says I live).
>> >>>>
>> >>>> I'm able to watch House in any state in the U.S.? Great -
>> >>>> ignore my intra-US proxy connection.
>> >>>>
>> >>>> My Netflix account randomly tries to connect from Tokyo because I
>> >>>> forgot to shut off my work VPN? Fine....let me know and I'll turn
>> >>>> *that* off.
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan at arbor.net> wrote:
>> >>>>
>> >>>>> I don't blame them for blocking a (effectively) anonymous tunnel
>> >>>>> broker. I'm sure their content providers are forcing their hand.
>> >>>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix at gmail.com>
>> >>>>> wrote:
>> >>>>>
>> >>>>>> Netflix needs to figure out a fix for this until ISPs actually
>> >>>>>> provide IPv6 natively.
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper at gmail.com>
>> >>>>>> wrote:
>> >>>>>>
>> >>>>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked
>> >>>>>> > by Netflix.  Any nice people from Netflix perhaps want to take a
>> >>>>>> > crack at this?
>> >>>>>> >
>> >>>>>> >
>> >>>>>> >
>> >>>>>> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1 at gmail.com> wrote:
>> >>>>>> >
>> >>>>>> > > Had the same problem at my house, but it was caused by the
>> >>>>>> > > IPv6 connection to HE.  Turned off V6 and the device worked.
>> >>>>>> > >
>> >>>>>> > >
>> >>>>>> > > --
>> >>>>>> > >
>> >>>>>> > > Sent with Airmail
>> >>>>>> > >
>> >>>>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew at matthew.at)
>> >>>>>> > > wrote:
>> >>>>>> > >
>> >>>>>> > > Every device in my house is blocked from Netflix this evening
>> >>>>>> > > due to their new "VPN blocker". My house is on my own IP space,
>> >>>>>> > > and the outside of the NAT that the family devices are on is
>> >>>>>> > > 198.202.199.254, announced by AS 11994. A simple ping from
>> >>>>>> > > Netflix HQ in Los Gatos to my house should show that I'm no
>> >>>>>> > > farther away than Santa Cruz, CA as microwaves fly.
>> >>>>>> > >
>> >>>>>> > > Unfortunately, when one calls Netflix support to talk about
>> >>>>>> > > this, the only response is to say "call your ISP and have them
>> >>>>>> > > turn off the VPN software they've added to your account". And
>> >>>>>> > > they absolutely refuse to escalate. Even if you tell them that
>> >>>>>> > > you are essentially your own ISP.
>> >>>>>> > >
>> >>>>>> > > So... where's the Netflix network engineer on the list who all
>> >>>>>> > > of us can send these issues to directly?
>> >>>>>> > >
>> >>>>>> > > Matthew Kaufman
>> >>>>>> > >
>> >>>>>> >
>> >>>>>>
>> >>>>>
>> >>>
>> >
>>
>


