Netflix VPN detection - actual engineer needed

Mark Andrews marka at isc.org
Mon Jun 6 00:07:03 UTC 2016


In message <CA+HzidShNFqabKN9nnNBVzKakw-gMqY27UW5X6YSG4PDUZuzCQ at mail.gmail.com>, Spencer Ryan writes:
> I'm unaware of any US-based user who gets native dual stack from their ISP
> having issues. Netflix is blocking anonymous VPNs based on their content
> providers' requests. HE's tunnel broker is effectively that.

No.  The addresses can be tied back to the individual that created
the tunnel which is exactly like tying back the addresses to the
person that ordered the cable or dsl service.  The HE addresses are
no more anonymous than that.

The difference is that HE don't have large geo located pools of
addresses covering lots of users.  Instead each allocated prefix
needs to be individually geoip located.  My HE /48 is registered
with at least one geoip service as they provided tools (a phone
app) which allow me to update their database based on the GPS data.

Additionally there is no requirement for any ISP to allocate addresses
in geoip blocks.

Mark

> On Jun 5, 2016 7:34 PM, "Laszlo Hanyecz" <laszlo at heliacal.net> wrote:
> 
> >
> >
> > On 2016-06-05 22:48, Damian Menscher wrote:
> >
> >>
> >> What *is* standard about them?  My earliest training as a sysadmin taught
> >> me that any time you switch away from a default setting, you're venturing
> >> into the unknown.  Your config is no longer well-tested; you may experience
> >> strange errors; nobody else will have seen the same bugs.
> >>
> >> That's exactly what's happening here -- people are setting up IPv6 tunnel
> >> broker connections, then complaining that there are unexpected side
> >> effects.
> >>
> >>
> >> Damian,
> >
> > If we were talking about some device that is outputting incorrect packets
> > and they are failing to work with Netflix I would agree with you, but in
> > this case the packets are standard and everything works fine.  Netflix went
> > out of their way to try to find a way to make it not work.  The users and
> > geeks aren't just breaking stuff and expecting others to work around their
> > broken setup, but this is actually what Netflix is doing.  All Netflix can
> > look at is the content of the packet and so they're using the source
> > address to discriminate.  It is true that some users might be able to work
> > around it if they can get on an ISP that gives them an allowed address, but
> > that isn't a good solution for an open internet.
> >
> > There are a lot of non technical Netflix users who are being told to turn
> > off IPv6, switch ISPs, get a new VPN, etc. because Netflix has a broken
> > system.  Those users don't care what IPv6 is, they just learn that it's bad
> > because it breaks Netflix.  Most users have no way to change these things
> > and they just aren't going to be able to use Netflix anymore.  That's a
> > very selfish way to operate, a huge step backwards, and it's a kick in the
> > balls to everyone who works to make technological progress on the
> > internet.   The simple truth is that Netflix is trying to figure out where
> > people are located, but this is not possible to do reliably with current
> > internet technology.  Instead they did something that is unreliable, and
> > many customers become collateral damage through no fault of their own. All
> > the breakage is on the Netflix side.
> >
> > -Laszlo
> >
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
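
The per-prefix geolocation point in the reply above, as an added example that is not part of the original message: a longest-prefix-match lookup in which one registered /48 resolves to a location while the rest of the tunnel broker aggregate does not. The database entries, the documentation prefix 2001:db8::/32, and the use of longest-prefix match are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class GeoEntry(NamedTuple):
    prefix: ipaddress.IPv6Network
    country: Optional[str]  # None = the database has no location for this prefix
    source: str


# Constructed sample database (documentation prefix, not real geoip data).
GEO_DB = [
    # Large ISP pool geolocated in bulk: one entry covers many users.
    GeoEntry(ipaddress.ip_network("2001:db8:1000::/36"), "US", "ISP pool"),
    # Tunnel broker aggregate: no single location applies to the whole block.
    GeoEntry(ipaddress.ip_network("2001:db8:f000::/36"), None, "tunnel broker aggregate"),
    # One customer /48 inside that aggregate, registered individually.
    GeoEntry(ipaddress.ip_network("2001:db8:f123::/48"), "AU", "per-customer /48"),
]


def lookup(addr: str) -> Optional[GeoEntry]:
    """Return the most specific (longest-prefix) entry covering addr, or None."""
    ip = ipaddress.IPv6Address(addr)
    matches = [e for e in GEO_DB if ip in e.prefix]
    return max(matches, key=lambda e: e.prefix.prefixlen, default=None)


def located_country(addr: str) -> Optional[str]:
    """Country for addr, or None when no covering entry carries a location."""
    entry = lookup(addr)
    return entry.country if entry else None


if __name__ == "__main__":
    for a in ("2001:db8:1234:5678::1",   # inside the bulk-located ISP pool
              "2001:db8:f123::1",        # inside the registered /48
              "2001:db8:f999::1",        # same broker, /48 never registered
              "2001:db8:2000::1"):       # not covered by any entry
        e = lookup(a)
        print(a, "->", (e.country, e.source) if e else "no entry")
```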


