[189853] in North American Network Operators' Group
Re: Netflix VPN detection - actual engineer needed
daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Wed Jun 8 11:15:21 2016
X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Baldur Norddahl <baldur.norddahl@gmail.com>
Date: Wed, 8 Jun 2016 17:13:04 +0200
In-Reply-To: <20160608052705.15C904B00B9F@rock.dv.isc.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2016-06-08 07:27, Mark Andrews wrote:
> In message <20160608070525.06fd5995@echo.ms.redpill-linpro.com>, Tore Anderson writes:
>> * Davide Davini <diotonante@gmail.com>
>>
>> Blocking access to Netflix via the tunnel seems like an obvious
>> solution to me, for what it's worth.
> And which set of prefixes is that? How often do they change? etc.
>
A start would be blocking 2620:108:700f::/64 as discovered by a simple
DNS lookup on netflix.com. I am not running a HE tunnel (I got native
IPv6) and I am not blocked from accessing Netflix over IPv6 so can't
really try it. I am curious however that none of the vocal HE tunnel
users here appears to have tried even simple counter measures such as a
simple firewall rule to drop traffic to that one /64 prefix.
It might be that more needs to be blocked, but in that case it will be
trivial to find the required prefixes by launching Wireshark and observe
the IPv6 traffic generated when accessing netflix.com. Maybe someone
could do that and post the results, as it is apparent that many people
are in need of a solution.
Regards,
Baldur
