netflix proxy/unblocker false detection

Sabri Berisha sabri at
Sat Jun 27 22:19:53 UTC 2020

----- On Jun 26, 2020, at 3:39 PM, nanog nanog at wrote:

> On 6/26/20 1:42 PM, Sabri Berisha wrote:

>> I'm also sure that in the past, enough people have abused their
>> trust.
> I question the veracity of that statement.

I for one, have been guilty of that. Using VPN when I was traveling
abroad to access the series I was following.
>> ... to the best of their abilities.

> I highly doubt the agreements that Netflix's has with content owners
> state that Hurricane Electric (et al.) must be blocked.  Maybe I'm
> wrong.  It wouldn't be the first time today.
> I believe that Netflix is choosing the lower / easier road and simply
> blocking Hurricane Electric's IPv6 tunnels as an easy / low hanging
> fruit option to achieve the contractual requirements.

In order to enforce geographical content restrictions, the origin of
a request must be determined. If that origin is a known tunneling
address, you are unable to determine the true geographical position
of that particular client. In that case, it is impossible for Netflix
to determine that the viewer is in a location authorized to view the

Since they know that HE's IPv6 broker range is most likely being
tunneled, and they know that there is no way to accurately determine
the true origin of the client, the must prevent it from accessing the
content. It's not like HE can insert an X-Origin-GEOIP: x.x.x.x or 
>> False positives (meaning, people being denied while being in-region), are going
>> to be an unwelcome side-effect.

> Without seeing actual licenses to support "you must block Hurricane
> Electric", I'm going to choose to disagree with the license scapegoat.

We'll never be privvy to those license agreements. All we'll know is 
that they'll most likely include geographical restrictions.



More information about the NANOG mailing list