[189857] in North American Network Operators' Group
Re: Netflix VPN detection - actual engineer needed
daemon@ATHENA.MIT.EDU (Steve Atkins)
Wed Jun 8 11:33:29 2016
From: Steve Atkins <steve@blighty.com>
In-Reply-To: <57583600.3020902@gmail.com>
Date: Wed, 8 Jun 2016 08:30:40 -0700
To: NANOG list <nanog@nanog.org>
> On Jun 8, 2016, at 8:13 AM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
>
> On 2016-06-08 07:27, Mark Andrews wrote:
>> In message <20160608070525.06fd5995@echo.ms.redpill-linpro.com>, Tore Anderson writes:
>>> * Davide Davini <diotonante@gmail.com>
>>>
>>> Blocking access to Netflix via the tunnel seems like an obvious
>>> solution to me, for what it's worth.
>> And which set of prefixes is that? How often do they change? etc.
>>
>
> A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS lookup on netflix.com. I am not running a HE tunnel (I got native IPv6) and I am not blocked from accessing Netflix over IPv6 so can't really try it. I am curious however that none of the vocal HE tunnel users here appears to have tried even simple countermeasures such as a simple firewall rule to drop traffic to that one /64 prefix.
>
> It might be that more needs to be blocked, but in that case it will be trivial to find the required prefixes by launching Wireshark and observing the IPv6 traffic generated when accessing netflix.com. Maybe someone could do that and post the results, as it is apparent that many people are in need of a solution.

I don't think that "getting to Netflix over an HE tunnel" is something that people here need a solution to, rather it's "stopping Netflix from discouraging IPv6 usage" or perhaps "encouraging Netflix to stop breaking service to IPv6 users, including their lack of support for IPv4 fallback".

The connection to NANOG isn't that NANOG users want to reach Netflix, it's that NANOG users have an interest in the broader health of the IPv6 ecosystem.

Given the number of pieces of off-the-shelf packaged software that are designed to allow the end-user, with no technical expertise required, to proxy through an HE tunnel so as to avoid Netflix geolocation[1] I don't blame Netflix for blocking HE tunnels, but I do blame them for doing so badly.
Cheers,
Steve
[1] e.g. https://github.com/ab77/netflix-proxy