netflix proxy/unblocker false detection

Owen DeLong owen at delong.com
Mon Jun 29 05:53:35 UTC 2020


> There is nothing to stop Netflix from probing a mixture of IPv4 and IPv6 during the same video playing session.  Thus they could correlate the IPv6 with the IPv4 which correlates with my CC which correlates with my address on file.

This only works in environments that have both IPv4 and IPv6. Further, with CGN, your IPv4 address visible to Netflix is likely to represent an ever increasing geographic area in the coming years.

They aren’t blocking all IPv6, just certain things like HE tunnels. If your provider implements native IPv6, you shouldn’t have any issues.

If you _REALLY_ want a workaround for IPv6 over an HE tunnel, it is doable… If you get a /48 from ARIN (dirt simple to do and currently $150/year with a $500 initial cost IIRC) and set up a BGP tunnel with HE, you’ll be all set. Those seem to pass muster for Netflix Geolocation because the addresses don’t look like a tunnel to them. This does require you to have at least one public dedicated IPv4 address from your ISP, but that’s true for any HE tunnel, so if you get stuck behind CGN, your other HE tunnel options will evaporate as well.

> I firmly believe that Netflix /could/ solve IPv6 playback, even through VPN, if they wanted to.  I completely believe that Netflix is capable of solving this.  I also completely believe that Netflix doesn't give a REDACTED and chooses to ignore this problem.

OK.. Assume the following:

	1.	Some users want to violate geofencing.
	2.	HE tunnel endpoints are easily updated (this is a fact more than an assumption)
	3.	It’s quite simple to use the same tunnel registered in a particular location in a variety of countries on several continents.
			(I haven’t don this for Netflix, but I have done it for IPv6 training purposes, I have a portable IPv6 classroom
			which uses an HE tunnel for the IPv6 routing. It uses a single IPv4 address at the site where the class is being
			taught and works the rest out either through NAT (IPv4) or HE Tunnel (IPv6).)

How, from the Netflix side of the equation, do you determine where the tunnel actually terminates? Not where it’s registered, but
where it actually terminates.

How do you do this with sufficient reliability that studios who have lots of money to try the same tricks can’t easily produce enough
proof that it’s easy to circumvent and you are in breech of contract and subject to significant penalties?

> Instead, they choose to foist the problem onto other parties.  Or pass the blame.

Again, the solutions you think easily solve this really aren’t viable. You’re looking from the very narrow perspective of your situation. The problem is that everyone with an HE tunnel isn’t in your situation and there’s no reliable way for Netflix to tell them apart.

>> And too many content owners care very much where you are right this
>> instant.
> 
> Nope.  I disagree.

Oh, trust me, content owners are ape about this shit. They really do care.

> I can just as easily extend my IPv4 address through a VPN as I can an IPv6 address.  --  Performance may suffer, but that's a different issue.

Yes, but when you extend your IPv4 address through a VPN, that’s nearly impossible for them to detect.

OTOH, if you use an address known to be associated with one of the many IPv4 VPN services out there, it’s not unlikely for them to block that too.

> I can use my home's IPv4 address, which is GeoIP located to the same area as my home which matches my CC billing address, can be used anywhere in the world.

Again, it comes down to detection. First, it actually requires some sophistication to do what you’re suggesting. Not a lot, but some. It takes almost nothing to do an HE tunnel.
In fact, several portable routers will do HE tunnels semi-automatically through the HE API.

If the studios could figure out a way to block what you’re suggesting, believe me, they’d foist that on to Netflix as well.

OTOH, it’s easy to detect an HE addressed HE tunnel and those have a relatively low fraction of legitimate users compared to the numbers intent on circumventing geofencing.

> So ... if I can use my IPv4 address outside of where Netflix thinks that I am at, why is my IPv6 address any different?

Because they don’t have a way to KNOW about your IPv4 address mobility. They can’t easily detect it.

OTOH, your HE tunnel IPv6 address is easily detected.

> I completely believe that there are technical solutions to this problem.  I also completely agree that Netflix is choosing to ignore them.

OK… Explain one that you think is feasible across the entire spectrum of Netflix’s user base that will keep the studios off their case.

>> Because they are unreasonable luddites who think that geographic monopolies make good business sense.
> 
> As stated above, where the Luddites, or Netflix as their agent, thinks my IP is located is actually divorced from where I am really watching from.  Or at least can be.

Yes… However, when you divorce them, you’re actually violating your contract with Netflix. In the case of the HE tunnel, it’s easy for them to detect that you’re using a
tunnel which is a popular method for enacting such a divorce, so they shut those down.

When you extend your IPv4 address through a VPN on the back side of your router, that’s much harder (nearly impossible) for them to reliably detect.

It turns out it’s also nearly impossible for them to detect MIP6 when I’m using that, so if I really cared to violate geofencing, I could probably do it with that tool.

It’s a numbers game.

HE tunnels represent a small perceived fraction of legitimate users and a high perceived fraction of geofencing violators. Logical action: Block them.

IPv4 extensions via backside VPN are rare among Netflix users. Not saying they don’t happen, but they’re a very small fraction of Netflix IPv4 users and
they're very hard to reliably detect. Thus blocking them is harder and higher risk vs. leaving them alone.


Owen



More information about the NANOG mailing list