Netflix VPN detection - actual engineer needed

Blair Trosper blair.trosper at gmail.com
Tue Jun 7 03:22:35 UTC 2016


It should be pointed out that -- the SPECIFIC accusation from Netflix -- is
that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out.  Hash tag just saying.

</soapbox>

On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam at gmail.com> wrote:

> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka at isc.org> wrote:
>
>> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
>> no requirement to report physical location.
>>
>
> The general lie that is IP Geolocation. HE only has what I tell them (100%
> unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They
> know my IPv4 endpoint address, but that doesn't give them a concrete street
> address -- they're guessing in exactly the same way everyone else does. And
> more to the point, HE doesn't share that information with anyone. (whois is
> populated with your account information. they don't ask where your tunnels
> are going.)
>
> Are they legally required to go to this level?
>>
>
> Possibly, but Netflix isn't going to push this. Win or Lose, they still
> lose distribution rights.
>
> Netflix (and their licensees) know people are using HE tunnels to get
>>> around region restrictions. Their hands are tied; they have to show
>>> they're doing something to limit this.
>>>
>>
>> No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
>> The fact that the endpoints are in different countries some of the time
>> is incidental to that.
>>
>
> YES. THEY. DO. There have been entire COMPANIES doing this. (which is
> likely what sparked this level of response.) Neither HE nor Netflix are
> naming names, but a short walk through the more colorful parts of the
> internet should be enlightening.
>
> Garbage.  You have to establish the tunnel which requires registering
>> a account.  It also requires a machine at the other end.  Virtual
>> or physical they don't move around the world in a DDNS update. The
>> addresses associated with a tunnel don't change for the life of
>> that tunnel.
>>
>
> True. 'tho, you can list any nonsense address you want. They do nothing to
> validate it. (Use my favorite BS address: Independence MT -- pop: zero.
> It's a dirt road across a mountain in the middle of absolutely nowhere.
> Google it!)
>
> The tunnel endpoint (your IPv4 address) is known only to HE, and not
> exposed to ANYONE. That's not going to EVER change. Once your tunnel has
> been setup, that address ("Client IPv4 Address") is not set in stone.
> People have dynamic addresses, and HE recognizes this, so there are
> numerous methods to change the tunnel endpoint address. (tunnel
> configuration page, update through an http(s) request, etc.) THUS, a tunnel
> can move; it can be terminated anywhere, at anytime. Not only can one
> update the endpoint to a different address on the same box, but to a
> completely different box entirely.
>
> Furthermore, one account can have several tunnels through different
> servers that present addresses from different regions. Where I appear to be
> in the world, thus, depends on which tunnel I have enabled. (and in which
> countries HE has prefixes, which currently appears to be 4)
>



More information about the NANOG mailing list