Netflix VPN detection - actual engineer needed

Mark Andrews marka at isc.org
Mon Jun 6 23:41:14 UTC 2016


In message <op.yinof8sotfhldh at rbeam.xactional.com>, "Ricky Beam" writes:
> On Sun, 05 Jun 2016 19:35:27 -0400, Mark Andrews <marka at isc.org> wrote:
> > It is an attack on HE.  HE also provides stable user -> address
> > mappings so you can do fine grained geo location based on HE IPv6
> > addresses.
> 
> They may be "fine grained", but they are still lies. One's tunnel can be  
> terminated from *anywhere*, at *anytime*. HE doesn't publish the IPv4  
> address of the tunnel endpoint, nor do they update any public facing  
> registry w.r.t. the "address" of that IPv4 address. (which is 99% voodoo  
> as well.)

What lie?  Truly, who is lying here?  Not the end user.  Not HE.  There is
no requirement to report physical location.
 
> > Also despite what the content cartel say using a VPN to bypass
> > georestrictions to get movies is not illegal, nor is it "piracy".
> > Individuals are allowed to import content from other countries.  It
> > is commercial importing that is banned.
> 
> While the end user may not be violating any law (other than their  
> "contract" with Netflix), Netflix certainly is. They signed a contract  
> that says they cannot send X to Romania / X is only allowed in the USA. In  
> the end, they are allowing content to go where they agreed to not send it.  
> They are legally required to do something about that. (or at least, *look*  
> like they are.)

Are they legally required to go to this level?  I actually doubt
it.  I would love to see this tested in a court because I suspect
the content cartel would lose as they were well aware that the
geoip databases are imperfect and no one in the world can accurately
determine from the IP address where a machine is located.  There
is a difference between knowingly sending to a different region and
incidentally sending to another region.  The courts understand this.

> Netflix (and their licensees) know people are using HE tunnels to get  
> around region restrictions. Their hands are tied; they have to show  
> they're doing something to limit this.

No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
The fact that the endpoints are in different countries some of the time
is incidental to that.

I have a HE tunnel.  It terminates at the topologically closest
point which is in California.  There is a physically closer endpoint
in Hong Kong but it would require a double trip across the Pacific
to get to it.  Unless you are crazy you don't put the topological
tunnel endpoint further from you than you can.  When HE finish
getting their Sydney pop set up (it wasn't the last time I looked)
I'll set up a new tunnel to it and tear down the existing tunnel.

It's going to be a few years more before I can get native IPv6.
The NBN really put the brakes on IPv6 deployment in Australia as
ISPs don't want to invest in the existing technology they are using
knowing that the customer is going to be switched to using the NBN
in a couple of years.

> All you can tell about a HE tunnel is the tunnel broker server that's  
> hosting it. (it's in the hostname -- eg. ash1) Beyond that, you have  
> absolutely no idea where in the universe the other end actually is. Plus,  
> it can move in an instant... one DDNS update, and it's somewhere else.

Garbage.  You have to establish the tunnel which requires registering
an account.  It also requires a machine at the other end.  Virtual
or physical they don't move around the world in a DDNS update. The
addresses associated with a tunnel don't change for the life of
that tunnel.  It's not like you get new IPv6 addresses every time
you reconnect.  The tunnels are designed so you can run services
at the end of them.  They are not a typical VPN service where you
get a new IPv4 address from a local pool each time you connect to
them.  They are set up so you can delegate nameservers to serve the
reverse addresses for the namespace being allocated.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


