Netflix VPN detection - actual engineer needed
Mark Andrews
marka at isc.org
Mon Jun 6 21:53:53 UTC 2016
In message <CAB69EHhOr7fUvEMT9GsNDNtb7n7d3YmSh4QG426a3yD7DK_bOA at mail.gmail.com>
, Eric Kuhnke writes:
> None of this is a problem with actual network engineering, HE's tunnels
> work fine. It goes in the category of political/economic/contractual , not
> "this is a technical problem we need to solve".
>
> The problem exists with business/contractual relationship Netflix has with
> its content providers, which barring a miraculous data leak from a
> disgruntled sysadmin at Netflix, will remain completely opaque to everyone
> on the outside looking in.
>
> Due to the large sums of money involved, my best guess is that the recent
> crackdown on VPN and VPN-like tunnels is a result of major content
> providers staff that have been provided with greatly increased visibility
> into Netflix's internal processes for identifying and blocking VPNs.
> Undoubtedly there are dozens of pages in the contracts defining metrics for
> geolocation and acceptable vs unacceptable levels of "leakage" of content.
And they could easily redirect HE IPv6 addresses to a IPv4 only
service. This would satify both the content providers and the
customers. It's not like there tunneled traffic is IPv6 only as
there has to be a IPv4 endpoint for the tunnel.
You can't argue that HE is too small to do this for as they are
targeting HE tunnels.
Mark
> On Mon, Jun 6, 2016 at 12:39 PM, Christopher Morrow <morrowc.lists at gmail.co=
> m
> > wrote:
>
> > On Mon, Jun 6, 2016 at 3:30 PM, Aled Morris <aledm at qix.co.uk> wrote:
> >
> > > Maybe HE's IPv6 tunnel packets could be flagged with a destination opti=
> on
> > > (extension header field) that records the end-user's IPv4 tunnel endpoi=
> nt
> > > so geolocation could be done in the "old fashioned" way on that address=
> .
> > >
> > > Similar to the way that edns-client-subnet records the end user's addre=
> ss
> > > for geolocation purposes.
> > >
> > >
> > =E2=80=8Bwhy is this any problem at all for HE to solve?
> > why is this any problem at all for NetFlix to solve?
> >
> > HE just provides transport
> > Netflix is just complying (I suspect) with the wishes of the content
> > owners.
> >
> > complain to your local content owner about this? show the content owners
> > that this sort of restriction in a global economy is
> > silly/counter-productive? explain that: "while I'm a Citizen of locale X,=
> I
> > may often travel around to A, B, C and I'd like for my NetFlix to work in
> > all locations, since I pay good pesos for that access?"=E2=80=8B
> >
> > =E2=80=8BDoing any sort of 'authentication' or 'authorization' on src-IP =
> is just ..
> > broken.=E2=80=8B
> >
> >
> >
> > > I have to say though, how many Netflix customers are using HE IPv6
> > tunnels,
> > > really? zero percent (to two decimal places)?
> > >
> > > Aled
> > >
> >
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG
mailing list