Netflix VPN detection - actual engineer needed

Owen DeLong owen at delong.com
Mon Jun 6 17:54:46 UTC 2016


> On Jun 5, 2016, at 15:48 , Damian Menscher <menscher at gmail.com> wrote:
> 
> On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong <owen at delong.com> wrote:
> > On Jun 5, 2016, at 14:18 , Damian Menscher <menscher at gmail.com> wrote:
> > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <baldur.norddahl at gmail.com> wrote:
> >> On 4 Jun 2016 at 01:26, "Cryptographrix" <cryptographrix at gmail.com> wrote:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly
> >>> telling me to turn off IPv6 - someone might want to stop them before
> >>> they completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need native
> >> ipv6.
> >
> > This entire thread confuses me.  Are there normal home users who are being
> > blocked from Netflix because their ISP forces them through a HE VPN?  Or is
> > this massive thread just about a handful of geeks who think IPv6 is cool
> > and insist they be allowed to use it despite not having it natively?  I
> > could certainly understand ISP concerns that they are receiving user
> > complaints because they failed to provide native IPv6 (why not?), but
> > whining that you've managed to create a non-standard network setup doesn't
> > work with some providers seems a bit silly.
> 
> What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> is a very common configuration widely deployed to many thousands of locations
> around the internet.
> 
> What *is* standard about them?  My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown.  Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs.

Then your training was flat out wrong. By your definition, it’s an experiment every time you manually configure an IP address on a system.

Further, System Administration is somewhat different from Networking.

As long as one adheres to the protocols as described in the RFCs, things should generally work. HE tunnels conform to RFCs and operate in a well defined and well documented standard manner that complies with all applicable standards.

If you never configure a router for something other than default, it is basically a brick. A very very expensive brick.

So by your definition, the entire internet is no longer well-tested, etc.

That’s just silly.

> 
> That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects. 

No, that is not what is happening here.

What is happening here is that people set up tunnels through the tunnel broker and it worked just fine for years.

Some of the next part is speculation (the belief that it is content providers who are behind it), but the networking part is fact:

Netflix then likely got complaints from their content providers because some of those tunnels were being used to obfuscate geographic information allowing users outside the intended content distribution range to access the content. As a result, Netflix began deliberately blocking tunnels, including HE IPv6 tunnels and many other kinds of VPNs.

This isn’t a case of something didn’t work because it was non-standard. This is a case of Netflix deliberately blocking things that previously worked.

> 
> It’s not that Netflix happens to not work with these tunnels, the problem is
> that they are taking deliberate active steps to specifically block them.
> 
> [Citation needed] ;)

See the rest of the thread. See Netflix’s public statements about VPNs and Tunnels.

> You're taking this as an attack on Hurricane Electric, and by extension on IPv6.  But the reality is that Netflix has presumably identified HE tunnel broker as a frequent source of VPN connections that violate their ToS, and they are blocking it as they would any other widescale abuse.  The impact to their userbase is minuscule -- as noted above, normal users won't be affected, and those who are have the trivial workaround of disabling tunnelbroker for Netflix-bound connections.  (I agree Netflix could helpfully 302 such users to ipv4.netflix.com instead, but it's already such a small problem I doubt that's a priority for them.  And it probably wouldn't reduce the hype here anyway.)

Actually, when I read them, the ToS did not prohibit me from using a VPN or a tunnel to reach their service.

The ToS did prohibit accessing content from a disallowed geographic region, but the problem here is that Netflix is indiscriminately blocking all tunnels and VPNs that they can identify, not just the ones that are being used for geo-obfuscation.

> As a side note, this is a common meme: recently Tor claimed CloudFlare is anti-privacy for requiring captchas for their users.  The reality is much more mundane -- service providers need to protect their own networks, and Tor traffic is (according to CloudFlare [https://blog.cloudflare.com/the-trouble-with-tor/]) 94% abuse.

Netflix isn’t protecting their own network by doing this. They are protecting the (stupid) policies of their content providers.

> I suggest you focus your efforts on bringing native IPv6 to the masses, not criticizing service providers for defending themselves against abuse, just because that abuse happens to be over a network (HE tunnel broker; Tor; etc) you support.  Netflix isn't hurting IPv6 adoption in any real way, but the (incorrect!) claim that IPv6 doesn't work with Netflix will (if this thread is picked up by the press).

Netflix isn’t just defending themselves from abuse. They are, in fact, attacking a valid user population attempting to get legitimate services that they have paid for.

Owen



