[189702] in North American Network Operators' Group


Re: Netflix VPN detection - actual engineer needed

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Jun 5 19:01:12 2016

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAJWk1pQdM2wMNAhcnV15UL0up_bxcDQh5VQ734nS2EnRvvH+0Q@mail.gmail.com>
Date: Sun, 5 Jun 2016 16:01:08 -0700
To: mlfreita@mtu.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


> On Jun 5, 2016, at 15:18 , Matt Freitag <mlfreita@mtu.edu> wrote:
>
> While it is damaging negative publicity it also makes sense. HE's
> tunnel service amounts to a free VPN that happens to provide IPv6. I
> would love for someone from HE to jump in and explain better how their
> tunnel works, why it's been blocked by Netflix, and what (if anything)
> they are doing to mitigate it.

Well… I’m no longer with HE (for about 2 years now), but it’s a pretty
basic 6in4 tunnel set up. They have routers around the world and a web
site that will automatically configure those routers for requested
tunnels.

I’m not sure how you came to the conclusion that HE has responsibility
or even the ability to explain Netflix’s actions or mitigate them.

HE provides a pipeline. That’s it. You send an encapsulated packet to
their router, it unwraps it and forwards it on to the IPv6 internet.
Similarly, the IPv6 internet sends their router a packet destined for
one of your addresses, HE encapsulates the packet and forwards the
encapsulated packet off to your designated router.

> For my part, I also found that my HE tunnel no longer worked with
> Netflix because, again, it amounts to a free VPN service. I had to shut
> it off.

Interestingly, my HE tunnel has no such problem so far. However, I am
not using HE address space for my tunnel (which I suspect is the
mechanism Netflix is most likely using, most likely they have built a
database of common tunnel addresses).

> However, I did discover that my ISP Charter Communications runs a 6rd
> tunnel service for their customers and enabled that on my router
> instead. Here are the settings I put in my ASUS router, taken off of a
> Tomato router firmware forum post:
>
> DHCP Option: Disable
> IPv6 Prefix: 2602:100::
> IPv6 Prefix Length: 32
> IPv4 Border Router: 68.114.165.1
> IPv4 Router Mask Length: 0
>
> I'm also using an MTU of 1480 and a Tunnel TTL of 255.

You probably shouldn’t use such a large TTL. Try 64.

> Works great, though I imagine it'll only work for other Charter
> customers who don't care what prefix they get assigned as Charter uses
> prefix delegation to make this work.

Pretty common setup.

Owen

>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> https://www.mtu.edu/
> https://www.it.mtu.edu/
> On Sun, Jun 5, 2016 at 5:59 PM, Owen DeLong <owen@delong.com> wrote:
>
> > On Jun 5, 2016, at 14:18 , Damian Menscher <menscher@gmail.com> wrote:
> >
> > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <baldur.norddahl@gmail.com>
> > wrote:
> >
> >> On 4 Jun 2016 at 01:26, "Cryptographrix" <cryptographrix@gmail.com> wrote:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly
> >>> telling me to turn off IPv6 - someone might want to stop them before
> >>> they completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need native
> >> ipv6.
> >>
> >
> > This entire thread confuses me.  Are there normal home users who are being
> > blocked from Netflix because their ISP forces them through a HE VPN?  Or is
> > this massive thread just about a handful of geeks who think IPv6 is cool
> > and insist they be allowed to use it despite not having it natively?  I
> > could certainly understand ISP concerns that they are receiving user
> > complaints because they failed to provide native IPv6 (why not?), but
> > whining that you've managed to create a non-standard network setup doesn't
> > work with some providers seems a bit silly.
> >
> > Damian
>
> What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> is a very common configuration widely deployed to many thousands of locations
> around the internet.
>
> It’s not that Netflix happens to not work with these tunnels, the problem is
> that they are taking deliberate active steps to specifically block them.
>
> Most likely, these steps are being taken at the behest of their content providers,
> but to the best of my knowledge, that is merely speculation so far as I don’t
> believe Netflix themselves have confirmed this. (It’s not unlikely that they are
> unable to do so due to those same content providers likely insisting on these
> requirements being considered proprietary information subject to NDA.)
>
> So… I don’t know how many “normal users” use HE tunnels vs. “geeks” or how one
> would go about defining the difference. I can tell you that there are an awful
> lot of people using HE tunnels, and based on what I saw while working at HE,
> I don’t believe they are all geeks. While I would say that geeks are a larger
> fraction of the HE Tunnel using populace than of the general population, I’m
> not sure to what extent. Probably a lot less than you think based on the
> tone of your message.
>
> I think that a provider that has specifically claimed to be an early adopter
> supporting IPv6 and is now having their support department tell customers to
> turn off IPv6 altogether is certainly noteworthy and not in a good way.
>
> Further, if that provider is actively taking steps to damage previously working
> IPv6 network configurations, that is also worthy of substantial negative
> publicity.
>
> I’m confused as to why you would think otherwise.
>
> Owen
>
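
The encapsulation described in the message above, and the 6rd prefix that follows from the quoted Charter settings, as an added example that is not part of the original thread. The customer WAN address 192.0.2.10 and the destination 2001:db8::1 are constructed documentation addresses; the 6rd prefix, border router, MTU and the TTL of 64 are taken from the message, and the function names are made up for this example.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv4 protocol number carrying an encapsulated IPv6 packet

def sixrd_prefix(prefix, v4_mask_len, wan_v4):
    """RFC 5969: 6rd prefix followed by the low (32 - mask) bits of the WAN IPv4."""
    net = ipaddress.IPv6Network(prefix)
    bits = 32 - v4_mask_len
    plen = net.prefixlen + bits
    if plen > 64:
        raise ValueError("delegated prefix would be longer than /64")
    v4 = int(ipaddress.IPv4Address(wan_v4)) & ((1 << bits) - 1)
    return ipaddress.IPv6Network((int(net.network_address) | (v4 << (128 - plen)), plen))

def checksum(header):
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner, src_v4, dst_v4, ttl=64, tunnel_mtu=1480):
    """Customer side: wrap an IPv6 packet in an IPv4 header sent to the tunnel router."""
    if len(inner) > tunnel_mtu:  # 1500-byte link minus the 20-byte outer header
        raise ValueError("IPv6 packet exceeds tunnel MTU")
    src, dst = (ipaddress.IPv4Address(a).packed for a in (src_v4, dst_v4))
    fields = [0x45, 0, 20 + len(inner), 0, 0, ttl, PROTO_41, 0, src, dst]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + inner

def decapsulate(outer):
    """Tunnel router side: validate the outer header and return the IPv6 packet."""
    if len(outer) < 60 or outer[0] != 0x45 or outer[9] != PROTO_41:
        raise ValueError("not a protocol-41 packet")
    total = struct.unpack("!H", outer[2:4])[0]
    if checksum(outer[:20]) != 0 or not 60 <= total <= len(outer):
        raise ValueError("bad IPv4 header")
    inner = outer[20:total]
    if inner[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    return inner

# Constructed sample: 192.0.2.10 and 2001:db8::1 are documentation addresses.
LAN = sixrd_prefix("2602:100::/32", 0, "192.0.2.10")  # 2602:100:c000:20a::/64
INNER = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,  # empty payload, no next header
                    (LAN.network_address + 1).packed,
                    ipaddress.IPv6Address("2001:db8::1").packed)
OUTER = encapsulate(INNER, "192.0.2.10", "68.114.165.1")
```

With a mask length of 0 the whole WAN IPv4 address is embedded in the delegated /64, so anyone who knows the 6rd prefix can read the customer's IPv4 address back out of the IPv6 source address.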

