[189801] in North American Network Operators' Group
Re: Netflix VPN detection - actual engineer needed
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jun 7 02:00:44 2016
X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAA5Ek4fqSpA1HtxTDKNzHt2TWDfSEASO0kpo_oHAE719x4a7Ug@mail.gmail.com>
Date: Mon, 6 Jun 2016 23:00:43 -0700
To: Blair Trosper <blair.trosper@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I'm sorry to say, Blair, that there are, in fact, many who do use HE tunnels
for Geo Fence evasion. Sure, it doesn't represent even a significant fraction
of tunnel users, but they exist and they've been vocal, thus spoiling it for
the rest of us.

Owen

> On Jun 6, 2016, at 8:27 PM, Blair Trosper <blair.trosper@gmail.com> wrote:
>
> Right, but I think we know what Netflix is implying when they say "proxy
> unblocker" or "VPN" -- they mean people are deliberately going around
> GeoIP. In this case, I don't know anyone who uses TunnelBroker that way.
> They're using it for V6. That is to say, everyone I know with this issue
> could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning
> they're already in the US (or $region) -- and the IPv6 detection on the
> CDN/web is what's wrong.
>
> I think I will go further here and say that the message sort of implies
> the user is acting in bad faith, which may raise some animosity towards
> Netflix.
>
> On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan <sryan@arbor.net> wrote:
>
>> The tunnelbroker service acts exactly like a VPN. It allows you, from
>> any arbitrary location in the world with an IPv4 address, to bring
>> traffic out via one of HE's 4 POPs, while completely masking your actual
>> location.
>>
>>
>> *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>>
>> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.trosper@gmail.com>
>> wrote:
>>
>>> It should be pointed out that -- the SPECIFIC accusation from Netflix --
>>> is that people on TunnelBroker are on a VPN or proxy unblocker.
>>>
>>> The data does not bear that out. Hash tag just saying.
>>>
>>> </soapbox>
>>>
>>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam@gmail.com> wrote:
>>>
>>>> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka@isc.org> wrote:
>>>>
>>>>> What lie? Truly who is lying here. Not the end user. Not HE. There
>>>>> is no requirement to report physical location.
>>>>>
>>>>
>>>> The general lie that is IP Geolocation. HE only has what I tell them
>>>> (100% unverified), and what MaxMind (et al.) tell them (~95%
>>>> unverified.) They know my IPv4 endpoint address, but that doesn't give
>>>> them a concrete street address -- they're guessing in exactly the same
>>>> way everyone else does. And more to the point, HE doesn't share that
>>>> information with anyone. (whois is populated with your account
>>>> information. they don't ask where your tunnels are going.)
>>>>
>>>>> Are they legally required to go to this level?
>>>>>
>>>>
>>>> Possibly, but Netflix isn't going to push this. Win or Lose, they
>>>> still lose distribution rights.
>>>>
>>>>>> Netflix (and their licensees) know people are using HE tunnels to
>>>>>> get around region restrictions. Their hands are tied; they have to
>>>>>> show they're doing something to limit this.
>>>>>>
>>>>>
>>>>> No, they do not know. The purpose of HE tunnels is to get IPv6
>>>>> service. The fact that the endpoints are in different countries some
>>>>> of the time is incidental to that.
>>>>>
>>>>
>>>> YES. THEY. DO. There have been entire COMPANIES doing this. (which is
>>>> likely what sparked this level of response.) Neither HE nor Netflix
>>>> are naming names, but a short walk through the more colorful parts of
>>>> the internet should be enlightening.
>>>>
>>>>> Garbage. You have to establish the tunnel which requires registering
>>>>> an account. It also requires a machine at the other end. Virtual
>>>>> or physical they don't move around the world in a DDNS update. The
>>>>> addresses associated with a tunnel don't change for the life of
>>>>> that tunnel.
>>>>>
>>>>
>>>> True. 'tho, you can list any nonsense address you want. They do
>>>> nothing to validate it. (Use my favorite BS address: Independence MT
>>>> -- pop: zero. It's a dirt road across a mountain in the middle of
>>>> absolutely nowhere. Google it!)
>>>>
>>>> The tunnel endpoint (your IPv4 address) is known only to HE, and not
>>>> exposed to ANYONE. That's not going to EVER change. Once your tunnel
>>>> has been set up, that address ("Client IPv4 Address") is not set in
>>>> stone. People have dynamic addresses, and HE recognizes this, so there
>>>> are numerous methods to change the tunnel endpoint address. (tunnel
>>>> configuration page, update through an http(s) request, etc.) THUS, a
>>>> tunnel can move; it can be terminated anywhere, at any time. Not only
>>>> can one update the endpoint to a different address on the same box,
>>>> but to a completely different box entirely.
>>>>
>>>> Furthermore, one account can have several tunnels through different
>>>> servers that present addresses from different regions. Where I appear
>>>> to be in the world, thus, depends on which tunnel I have enabled. (and
>>>> in which countries HE has prefixes, which currently appears to be 4)
>>>>