[189760] in North American Network Operators' Group
Re: Netflix VPN detection - actual engineer needed
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Jun 6 13:56:48 2016
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAOZq8-g_w1+y+K0eSrVtR+MyHP_JVFCvnpmeZFLMOYL6NEd=hg@mail.gmail.com>
Date: Mon, 6 Jun 2016 10:54:46 -0700
To: Damian Menscher <menscher@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On Jun 5, 2016, at 15:48 , Damian Menscher <menscher@gmail.com> wrote:
>
> On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong <owen@delong.com> wrote:
> > On Jun 5, 2016, at 14:18 , Damian Menscher <menscher@gmail.com> wrote:
> > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
> >> On 4 Jun 2016 at 01:26, "Cryptographrix" <cryptographrix@gmail.com> wrote:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly telling
> >>> me to turn off IPv6 - someone might want to stop them before they
> >>> completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need native
> >> ipv6.
> >
> > This entire thread confuses me. Are there normal home users who are being
> > blocked from Netflix because their ISP forces them through a HE VPN? Or is
> > this massive thread just about a handful of geeks who think IPv6 is cool
> > and insist they be allowed to use it despite not having it natively? I
> > could certainly understand ISP concerns that they are receiving user
> > complaints because they failed to provide native IPv6 (why not?), but
> > whining that you've managed to create a non-standard network setup doesn't
> > work with some providers seems a bit silly.
>
> What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
> is a very common configuration widely deployed to many thousands of locations
> around the internet.
>
> What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs.
Then your training was flat out wrong. By your definition, it’s an experiment every time you manually configure an IP address on a system.
Further, System Administration is somewhat different from Networking.
As long as one adheres to the protocols as described in the RFCs, things should generally work. HE tunnels conform to RFCs and operate in a well defined and well documented standard manner that complies with all applicable standards.
If you never configure a router for something other than default, it is basically a brick. A very very expensive brick.
So by your definition, the entire internet is no longer well-tested, etc.
That’s just silly.
>
> That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects.
No, that is not what is happening here.
What is happening here is that people set up tunnels through the tunnel broker and it worked just fine for years.
Some of the next part is speculation (the belief that it is content providers who are behind it), but the networking part is fact:
Netflix then likely got complaints from their content providers because some of those tunnels were being used to obfuscate geographic information allowing users outside the intended content distribution range to access the content. As a result, Netflix began deliberately blocking tunnels, including HE IPv6 tunnels and many other kinds of VPNs.
This isn’t a case of something didn’t work because it was non-standard. This is a case of Netflix deliberately blocking things that previously worked.
>
> It’s not that Netflix happens to not work with these tunnels, the problem is
> that they are taking deliberate active steps to specifically block them.
>
> [Citation needed] ;)
See the rest of the thread. See Netflix’s public statements about VPNs and Tunnels.
> You're taking this as an attack on Hurricane Electric, and by extension on IPv6. But the reality is that Netflix has presumably identified HE tunnel broker as a frequent source of VPN connections that violate their ToS, and they are blocking it as they would any other widescale abuse. The impact to their userbase is minuscule -- as noted above, normal users won't be affected, and those who are have the trivial workaround of disabling tunnelbroker for Netflix-bound connections. (I agree Netflix could helpfully 302 such users to ipv4.netflix.com instead, but it's already such a small problem I doubt that's a priority for them. And it probably wouldn't reduce the hype here anyway.)
Actually, when I read them, the ToS did not prohibit me from using a VPN or a tunnel to reach their service.
The ToS did prohibit accessing content from a disallowed geographic region, but the problem here is that Netflix is indiscriminately blocking all tunnels and VPNs that they can identify, not just the ones that are being used for geo-obfuscation.
> As a side note, this is a common meme: recently Tor claimed CloudFlare is anti-privacy for requiring captchas for their users. The reality is much more mundane -- service providers need to protect their own networks, and Tor traffic is (according to CloudFlare [https://blog.cloudflare.com/the-trouble-with-tor/]) 94% abuse.
Netflix isn’t protecting their own network by doing this. They are protecting the (stupid) policies of their content providers.
> I suggest you focus your efforts on bringing native IPv6 to the masses, not criticizing service providers for defending themselves against abuse, just because that abuse happens to be over a network (HE tunnel broker; Tor; etc) you support. Netflix isn't hurting IPv6 adoption in any real way, but the (incorrect!) claim that IPv6 doesn't work with Netflix will (if this thread is picked up by the press).
Netflix isn’t just defending themselves from abuse. They are, in fact, attacking a valid user population attempting to get legitimate services that they have paid for.
Owen