[189623] in North American Network Operators' Group


Re: Netflix VPN detection - actual engineer needed

daemon@ATHENA.MIT.EDU (Mike Hammett)
Fri Jun 3 17:17:03 2016

X-Original-To: nanog@nanog.org
Date: Fri, 3 Jun 2016 16:16:54 -0500 (CDT)
From: Mike Hammett <nanog@ics-il.net>
Cc: nanog@nanog.org
In-Reply-To: <9578293AE169674F9A048B2BC9A081B401E6619FC2@MUNPRDMBXA1.medline.com>
Errors-To: nanog-bounces@nanog.org

As bad as some are in the telecom industry, they don't hold a candle to those in the content industry.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----

From: "Steve Naslund" <SNaslund@medline.com>
To: nanog@nanog.org
Sent: Friday, June 3, 2016 3:55:43 PM
Subject: RE: Netflix VPN detection - actual engineer needed

Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.

Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant... they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.

There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?

Steven Naslund
Chicago IL

From: Cryptographrix [mailto:cryptographrix@gmail.com]
Sent: Friday, June 03, 2016 3:42 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed

Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.

Non-iOS devices are often capable of this as well.

(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)

On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.

Steven Naslund
Chicago IL

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:21 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).

And part of those regional controls deal with the accuracy of the location information.

If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.

As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).


On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:

> There is a large difference between "the VPN run at your house" and
> "Arguably the most popular, free, mostly anonymous tunnel broker service"
>
> If it were up to the content providers, they probably would block any
> IP they saw a VPN server listening on.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix
> <cryptographrix@gmail.com> wrote:
>=20
>> I have a VPN connection at my house. There's no way for them to know
>> the difference between me using my home network connection from Hong
>> Kong or my home network connection from my house.
>>
>> Are they going to disable connectivity from everywhere they can
>> detect an open VPN port to, also?
>>
>> If they trust my v4 address, they can use that to establish
>> historical reference. Additionally, they can fail over to v4 if they
>> do not trust the v6 address.
>>
>> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
>>
>>> There is no way for Netflix to know the difference between you being
>>> in NY and using the tunnel, and you living in Hong Kong and using the
>>> tunnel.
>>>
>>>
>>> *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net
>>> *Arbor Networks*
>>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>>> www.arbornetworks.com
>>>
>>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix
>>> <cryptographrix@gmail.com> wrote:
>>>=20
>>>> Same, but until there's a real IPv6 presence in the US, it's really
>>>> annoying that they haven't come up with some fix for this.
>>>>
>>>> I have no plans to turn off IPv6 at home - I actually have many
>>>> uses for it, and as much as I dislike the controversy around it,
>>>> think that adoption needs to be prioritized, not penalized.
>>>>
>>>> Additionally, I think that discussing content provider control over
>>>> regional decisions isn't productive to the conversation, as they
>>>> didn't build the banhammer (wouldn't you want to control your own
>>>> content if you had made content specific to regional laws etc?).
>>>>
>>>> I.e. - not all shows need to have regional restrictions between New
>>>> York (where I live) and California (where my IPv6 /64 says I live).
>>>>
>>>> I'm able to watch House in any state in the U.S.? Great -
>>>> ignore my intra-US proxy connection.
>>>>
>>>> My Netflix account randomly tries to connect from Tokyo because I
>>>> forgot to shut off my work VPN? Fine....let me know and I'll turn
>>>> *that* off.
>>>>
>>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
>>>>
>>>>> I don't blame them for blocking an (effectively) anonymous tunnel
>>>>> broker. I'm sure their content providers are forcing their hand.
>>>>> On Jun 3, 2016 3:46 PM, "Cryptographrix"
>>>>> <cryptographrix@gmail.com> wrote:
>>>>>=20
>>>>>> Netflix needs to figure out a fix for this until ISPs actually
>>>>>> provide IPv6 natively.
>>>>>>
>>>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper
>>>>>> <blair.trosper@gmail.com> wrote:
>>>>>>
>>>>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked
>>>>>> > by Netflix. Any nice people from Netflix perhaps want to
>>>>>> > take a crack at this?
>>>>>> >
>>>>>> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
>>>>>> >
>>>>>> > > Had the same problem at my house, but it was caused by the
>>>>>> > > IPv6 connection to HE. Turned off V6 and the device worked.
>>>>>> > >
>>>>>> > > --
>>>>>> > >
>>>>>> > > Sent with Airmail
>>>>>> > >
>>>>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman
>>>>>> > > (matthew@matthew.at) wrote:
>>>>>> > >
>>>>>> > > Every device in my house is blocked from Netflix this evening
>>>>>> > > due to their new "VPN blocker". My house is on my own IP space,
>>>>>> > > and the outside of the NAT that the family devices are on is
>>>>>> > > 198.202.199.254, announced by AS 11994. A simple ping from
>>>>>> > > Netflix HQ in Los Gatos to my house should show that I'm no
>>>>>> > > farther away than Santa Cruz, CA as microwaves fly.
>>>>>> > >
>>>>>> > > Unfortunately, when one calls Netflix support to talk about
>>>>>> > > this, the only response is to say "call your ISP and have them
>>>>>> > > turn off the VPN software they've added to your account". And
>>>>>> > > they absolutely refuse to escalate. Even if you tell them that
>>>>>> > > you are essentially your own ISP.
>>>>>> > >
>>>>>> > > So... where's the Netflix network engineer on the list who
>>>>>> > > all of us can send these issues to directly?
>>>>>> > >
>>>>>> > > Matthew Kaufman
>>>>>> > >

