Netflix VPN detection - actual engineer needed

Mark Andrews marka at isc.org
Mon Jun 6 21:53:53 UTC 2016


In message <CAB69EHhOr7fUvEMT9GsNDNtb7n7d3YmSh4QG426a3yD7DK_bOA at mail.gmail.com>
, Eric Kuhnke writes:
> None of this is a problem with actual network engineering, HE's tunnels
> work fine. It goes in the category of political/economic/contractual , not
> "this is a technical problem we need to solve".
> 
> The problem exists with business/contractual relationship Netflix has with
> its content providers, which barring a miraculous data leak from a
> disgruntled sysadmin at Netflix, will remain completely opaque to everyone
> on the outside looking in.
> 
> Due to the large sums of money involved, my best guess is that the recent
> crackdown on VPN and VPN-like tunnels is a result of major content
> providers staff that have been provided with greatly increased visibility
> into Netflix's internal processes for identifying and blocking VPNs.
> Undoubtedly there are dozens of pages in the contracts defining metrics for
> geolocation and acceptable vs unacceptable levels of "leakage" of content.

And they could easily redirect HE IPv6 addresses to a IPv4 only
service.  This would satify both the content providers and the
customers.  It's not like there tunneled traffic is IPv6 only as
there has to be a IPv4 endpoint for the tunnel.

You can't argue that HE is too small to do this for as they are
targeting HE tunnels.

Mark

> On Mon, Jun 6, 2016 at 12:39 PM, Christopher Morrow <morrowc.lists at gmail.co=
> m
> > wrote:
> 
> > On Mon, Jun 6, 2016 at 3:30 PM, Aled Morris <aledm at qix.co.uk> wrote:
> >
> > > Maybe HE's IPv6 tunnel packets could be flagged with a destination opti=
> on
> > > (extension header field) that records the end-user's IPv4 tunnel endpoi=
> nt
> > > so geolocation could be done in the "old fashioned" way on that address=
> .
> > >
> > > Similar to the way that edns-client-subnet records the end user's addre=
> ss
> > > for geolocation purposes.
> > >
> > >
> > =E2=80=8Bwhy is this any problem at all for HE to solve?
> > why is this any problem at all for NetFlix to solve?
> >
> > HE just provides transport
> > Netflix is just complying (I suspect) with the wishes of the content
> > owners.
> >
> > complain to your local content owner about this? show the content owners
> > that this sort of restriction in a global economy is
> > silly/counter-productive? explain that: "while I'm a Citizen of locale X,=
>  I
> > may often travel around to A, B, C and I'd like for my NetFlix to work in
> > all locations, since I pay good pesos for that access?"=E2=80=8B
> >
> > =E2=80=8BDoing any sort of 'authentication' or 'authorization' on src-IP =
> is just ..
> > broken.=E2=80=8B
> >
> >
> >
> > > I have to say though, how many Netflix customers are using HE IPv6
> > tunnels,
> > > really?  zero percent (to two decimal places)?
> > >
> > > Aled
> > >
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the NANOG mailing list