Netflix VPN detection - actual engineer needed

Owen DeLong owen at delong.com
Tue Jun 7 06:00:43 UTC 2016


I’m sorry to say, Blair, that there are, in fact, many who do use HE tunnels
for Geo Fence evasion. Sure, it doesn’t represent even a significant fraction
of tunnel users, but they exist and they’ve been vocal, thus spoiling it for the
rest of us.

Owen

> On Jun 6, 2016, at 8:27 PM, Blair Trosper <blair.trosper at gmail.com> wrote:
> 
> Right, but I think we know what Netflix is implying when they say "proxy
> unblocker" or "VPN" -- they mean people are deliberately going around
> GeoIP.  In this case, I don't know anyone who uses TunnelBroker that way.
> They're using it for V6.  That is to say, everyone I know with this issue
> could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning
> they're already in the US (or $region) -- and the IPv6 detection on the
> CDN/web is what's wrong.
> 
> I think I will go further here and say that the message sort of implies the
> user is acting in bad faith, which may raise some animosity towards Netflix.
> 
> On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan <sryan at arbor.net> wrote:
> 
>> The tunnelbroker service acts exactly like a VPN. It allows you, from any
>> arbitrary location in the world with an IPv4 address, to bring traffic out
>> via one of HE's 4 POPs, while completely masking your actual location.
>> 
>> 
>> *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>> 
>> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.trosper at gmail.com>
>> wrote:
>> 
>>> It should be pointed out that -- the SPECIFIC accusation from Netflix --
>>> is that people on TunnelBroker are on a VPN or proxy unblocker.
>>> 
>>> The data does not bear that out.  Hash tag just saying.
>>> 
>>> </soapbox>
>>> 
>>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam at gmail.com> wrote:
>>> 
>>>> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka at isc.org> wrote:
>>>> 
>>>>> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There
>>>>> is no requirement to report physical location.
>>>>> 
>>>> 
>>>> The general lie that is IP Geolocation. HE only has what I tell them
>>>> (100% unverified), and what MaxMind (et al.) tell them (~95% unverified.)
>>>> They know my IPv4 endpoint address, but that doesn't give them a concrete
>>>> street address -- they're guessing in exactly the same way everyone else
>>>> does. And more to the point, HE doesn't share that information with anyone.
>>>> (whois is populated with your account information. they don't ask where
>>>> your tunnels are going.)
>>>> 
>>>>> Are they legally required to go to this level?
>>>>> 
>>>> 
>>>> Possibly, but Netflix isn't going to push this. Win or Lose, they still
>>>> lose distribution rights.
>>>> 
>>>>>> Netflix (and their licensees) know people are using HE tunnels to get
>>>>>> around region restrictions. Their hands are tied; they have to show
>>>>>> they're doing something to limit this.
>>>>>> 
>>>>> 
>>>>> No, they do not know.  The purpose of HE tunnels is to get IPv6
>>>>> service. The fact that the endpoints are in different countries some of
>>>>> the time is incidental to that.
>>>>> 
>>>> 
>>>> YES. THEY. DO. There have been entire COMPANIES doing this. (which is
>>>> likely what sparked this level of response.) Neither HE nor Netflix are
>>>> naming names, but a short walk through the more colorful parts of the
>>>> internet should be enlightening.
>>>> 
>>>>> Garbage.  You have to establish the tunnel which requires registering
>>>>> an account.  It also requires a machine at the other end.  Virtual
>>>>> or physical they don't move around the world in a DDNS update. The
>>>>> addresses associated with a tunnel don't change for the life of
>>>>> that tunnel.
>>>>> 
>>>> 
>>>> True. 'tho, you can list any nonsense address you want. They do nothing
>>>> to validate it. (Use my favorite BS address: Independence MT -- pop: zero.
>>>> It's a dirt road across a mountain in the middle of absolutely nowhere.
>>>> Google it!)
>>>> 
>>>> The tunnel endpoint (your IPv4 address) is known only to HE, and not
>>>> exposed to ANYONE. That's not going to EVER change. Once your tunnel has
>>>> been set up, that address ("Client IPv4 Address") is not set in stone.
>>>> People have dynamic addresses, and HE recognizes this, so there are
>>>> numerous methods to change the tunnel endpoint address. (tunnel
>>>> configuration page, update through an http(s) request, etc.) THUS, a
>>>> tunnel can move; it can be terminated anywhere, at any time. Not only can
>>>> one update the endpoint to a different address on the same box, but to a
>>>> completely different box entirely.
>>>> 
>>>> Furthermore, one account can have several tunnels through different
>>>> servers that present addresses from different regions. Where I appear
>>>> to be in the world, thus, depends on which tunnel I have enabled. (and in
>>>> which countries HE has prefixes, which currently appears to be 4)
>>>> 
>>> 
>> 
>> 



