Netflix VPN detection - actual engineer needed

Blair Trosper blair.trosper at gmail.com
Tue Jun 7 03:27:26 UTC 2016


Right, but I think we know what Netflix is implying when they say "proxy
unblocker" or "VPN" -- they mean people are deliberately going around
GeoIP.  In this case, I don't know anyone who uses TunnelBroker that way.
They're using it for V6.  That is to say, everyone I know with this issue
could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning
they're already in the US (or $region) -- and the IPv6 detection on the
CDN/web is what's wrong.

I think I will go further here and say that the message sort of implies the
user is acting in bad faith, which may raise some animosity towards Netflix.

On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan <sryan at arbor.net> wrote:

> The tunnelbroker service acts exactly like a VPN. It allows you, from any
> arbitrary location in the world with an IPv4 address, to bring traffic out
> via one of HE's 4 POPs, while completely masking your actual location.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.trosper at gmail.com>
> wrote:
>
>> It should be pointed out that -- the SPECIFIC accusation from Netflix -- is
>> that people on TunnelBroker are on a VPN or proxy unblocker.
>>
>> The data does not bear that out.  Hash tag just saying.
>>
>> </soapbox>
>>
>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam at gmail.com> wrote:
>>
>> > On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka at isc.org> wrote:
>> >
>> >> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
>> >> no requirement to report physical location.
>> >>
>> >
>> > The general lie that is IP Geolocation. HE only has what I tell them (100%
>> > unverified), and what MaxMind (et al.) tell them (~95% unverified.) They
>> > know my IPv4 endpoint address, but that doesn't give them a concrete street
>> > address -- they're guessing in exactly the same way everyone else does. And
>> > more to the point, HE doesn't share that information with anyone. (whois is
>> > populated with your account information. they don't ask where your tunnels
>> > are going.)
>> >
>> >> Are they legally required to go to this level?
>> >>
>> >
>> > Possibly, but Netflix isn't going to push this. Win or Lose, they still
>> > lose distribution rights.
>> >
>> >>> Netflix (and their licensees) know people are using HE tunnels to get
>> >>> around region restrictions. Their hands are tied; they have to show
>> >>> they're doing something to limit this.
>> >>>
>> >>
>> >> No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
>> >> The fact that the endpoints are in different countries some of the time
>> >> is incidental to that.
>> >>
>> >
>> > YES. THEY. DO. There have been entire COMPANIES doing this. (which is
>> > likely what sparked this level of response.) Neither HE nor Netflix are
>> > naming names, but a short walk through the more colorful parts of the
>> > internet should be enlightening.
>> >
>> >> Garbage.  You have to establish the tunnel which requires registering
>> >> an account.  It also requires a machine at the other end.  Virtual
>> >> or physical they don't move around the world in a DDNS update. The
>> >> addresses associated with a tunnel don't change for the life of
>> >> that tunnel.
>> >>
>> >
>> > True. 'tho, you can list any nonsense address you want. They do nothing to
>> > validate it. (Use my favorite BS address: Independence MT -- pop: zero.
>> > It's a dirt road across a mountain in the middle of absolutely nowhere.
>> > Google it!)
>> >
>> > The tunnel endpoint (your IPv4 address) is known only to HE, and not
>> > exposed to ANYONE. That's not going to EVER change. Once your tunnel has
>> > been set up, that address ("Client IPv4 Address") is not set in stone.
>> > People have dynamic addresses, and HE recognizes this, so there are
>> > numerous methods to change the tunnel endpoint address. (tunnel
>> > configuration page, update through an http(s) request, etc.) THUS, a tunnel
>> > can move; it can be terminated anywhere, at any time. Not only can one
>> > update the endpoint to a different address on the same box, but to a
>> > completely different box entirely.
>> >
>> > Furthermore, one account can have several tunnels through different
>> > servers that present addresses from different regions. Where I appear to be
>> > in the world, thus, depends on which tunnel I have enabled. (and in which
>> > countries HE has prefixes, which currently appears to be 4)
>> >
>>
>
>


