[189871] in North American Network Operators' Group
Re: Netflix VPN detection - actual engineer needed
daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Wed Jun 8 13:04:03 2016
X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Baldur Norddahl <baldur.norddahl@gmail.com>
Date: Wed, 8 Jun 2016 19:03:55 +0200
In-Reply-To: <CANjRqpaZGb3zQXH7hfwVZ3RVU=jUFDUQG+GRetf=jM80p3u2Ug@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
On 2016-06-08 17:58, Nicholas Suan wrote:
>
>
> On Wednesday, June 8, 2016, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
>
> > A start would be blocking 2620:108:700f::/64 as discovered by a
> > simple DNS lookup on netflix.com. I am not
> > running a HE tunnel (I got native IPv6) and I am not blocked from
> > accessing Netflix over IPv6 so can't really try it. I am curious
> > however that none of the vocal HE tunnel users here appears to
> > have tried even simple counter measures such as a simple firewall
> > rule to drop traffic to that one /64 prefix.
>
> That's a start but Netflix has a few more prefixes than that:
> http://bgp.he.net/AS2906#_prefixes6

They do but that is irrelevant. Blocking just that one /64 prefix works
because that is where their tunnel detector apparently lives.

I think we are at the point where we can say it would be nice if Netflix
could just redirect users from IPv6 to IPv4 when a tunnel is suspected.
They do deserve flames for being bad guys here when they have such an
easy out.

But you can also just fix the issue yourself with a simple firewall rule.

Regards,

Baldur