Netflix VPN detection - actual engineer needed

Damian Menscher menscher at gmail.com
Sun Jun 5 22:48:52 UTC 2016


On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong <owen at delong.com> wrote:
>
> > On Jun 5, 2016, at 14:18 , Damian Menscher <menscher at gmail.com> wrote:
> > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <baldur.norddahl at gmail.com> wrote:
> >> On 4 Jun 2016 at 01:26, "Cryptographrix" <cryptographrix at gmail.com> wrote:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly telling
> >>> me to turn off IPv6 - someone might want to stop them before they
> >>> completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need native
> >> ipv6.
> >
> > This entire thread confuses me.  Are there normal home users who are being
> > blocked from Netflix because their ISP forces them through a HE VPN?  Or is
> > this massive thread just about a handful of geeks who think IPv6 is cool
> > and insist they be allowed to use it despite not having it natively?  I
> > could certainly understand ISP concerns that they are receiving user
> > complaints because they failed to provide native IPv6 (why not?), but
> > whining that you've managed to create a non-standard network setup doesn't
> > work with some providers seems a bit silly.
>
> What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> is a very common configuration widely deployed to many thousands of locations
> around the internet.
>

What *is* standard about them?  My earliest training as a sysadmin taught
me that any time you switch away from a default setting, you're venturing
into the unknown.  Your config is no longer well-tested; you may experience
strange errors; nobody else will have seen the same bugs.

That's exactly what's happening here -- people are setting up IPv6 tunnel
broker connections, then complaining that there are unexpected side
effects.

> It’s not that Netflix happens to not work with these tunnels, the problem is
> that they are taking deliberate active steps to specifically block them.
>

[Citation needed] ;)

You're taking this as an attack on Hurricane Electric, and by extension on
IPv6.  But the reality is that Netflix has presumably identified HE tunnel
broker as a frequent source of VPN connections that violate their ToS, and
they are blocking it as they would any other widescale abuse.  The impact
to their userbase is minuscule -- as noted above, normal users won't be
affected, and those who are have the trivial workaround of disabling
tunnelbroker for Netflix-bound connections.  (I agree Netflix could
helpfully 302 such users to ipv4.netflix.com instead, but it's already such
a small problem I doubt that's a priority for them.  And it probably
wouldn't reduce the hype here anyway.)

As a side note, this is a common meme: recently Tor claimed CloudFlare is
anti-privacy for requiring captchas for their users.  The reality is much
more mundane -- service providers need to protect their own networks, and
Tor traffic is (according to CloudFlare
[https://blog.cloudflare.com/the-trouble-with-tor/]) 94% abuse.

I suggest you focus your efforts on bringing native IPv6 to the masses, not
criticizing service providers for defending themselves against abuse, just
because that abuse happens to be over a network (HE tunnel broker; Tor;
etc) you support.  Netflix isn't hurting IPv6 adoption in any real way, but
the (incorrect!) claim that IPv6 doesn't work with Netflix will (if this
thread is picked up by the press).

Damian


