nanog mailing list archives

Re: Netflix VPN detection - actual engineer needed


From: Owen DeLong <owen () delong com>
Date: Sun, 5 Jun 2016 16:01:08 -0700


On Jun 5, 2016, at 15:18 , Matt Freitag <mlfreita () mtu edu> wrote:

While it is damaging negative publicity it also makes sense. HE's tunnel service amounts to a free VPN that happens 
to provide IPv6. I would love for someone from HE to jump in and explain better how their tunnel works, why it's been 
blocked by Netflix, and what (if anything) they are doing to mitigate it.

Well… I’m no longer with HE (for about 2 years now), but it’s a pretty basic 6in4 tunnel set up. They have routers 
around the world and a web site that will automatically configure those routers for requested tunnels.

I’m not sure how you came to the conclusion that HE has responsibility or even the ability to explain Netflix’s actions 
or mitigate them.

HE provides a pipeline. That’s it. You send an encapsulated packet to their router, it unwraps it and forwards it on to 
the IPv6 internet. Similarly, the IPv6 internet sends their router a packet destined for one of your addresses, HE 
encapsulates the packet and forwards the encapsulated packet off to your designated router.

For my part, I also found that my HE tunnel no longer worked with Netflix because, again, it amounts to a free VPN 
service. I had to shut it off.

Interestingly, my HE tunnel has no such problem so far. However, I am not using HE address space for my tunnel (which I 
suspect is the mechanism Netflix is most likely using, most likely they have built a database of common tunnel 
addresses).

However, I did discover that my ISP Charter Communications runs a 6rd tunnel service for their customers and enabled 
that on my router instead. Here are the settings I put in my ASUS router, taken off of a Tomato router firmware forum 
post:

DHCP Option: Disable
IPv6 Prefix: 2602:100::
IPv6 Prefix Length: 32
IPv4 Border Router: 68.114.165.1
IPv4 Router Mask Length: 0

I'm also using an MTU of 1480 and a Tunnel TTL of 255.

You probably shouldn’t use such a large TTL. Try 64.

Works great, though I imagine it'll only work for other Charter customers who don't care what prefix they get 
assigned as Charter uses prefix delegation to make this work.

Pretty common setup.

Owen


Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/
On Sun, Jun 5, 2016 at 5:59 PM, Owen DeLong <owen () delong com> wrote:

On Jun 5, 2016, at 14:18 , Damian Menscher <menscher () gmail com> wrote:

On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <baldur.norddahl () gmail com> wrote:

On 4 Jun 2016 01:26, "Cryptographrix" <cryptographrix () gmail com> wrote:

The information I'm getting from Netflix support now is explicitly telling
me to turn off IPv6 - someone might want to stop them before they
completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need native
ipv6.


This entire thread confuses me.  Are there normal home users who are being
blocked from Netflix because their ISP forces them through a HE VPN?  Or is
this massive thread just about a handful of geeks who think IPv6 is cool
and insist they be allowed to use it despite not having it natively?  I
could certainly understand ISP concerns that they are receiving user
complaints because they failed to provide native IPv6 (why not?), but
whining that you've managed to create a non-standard network setup doesn't
work with some providers seems a bit silly.

Damian

What is non-standard about an HE tunnel? It conforms to the relevant RFCs and
is a very common configuration widely deployed to many thousands of locations
around the internet.

It’s not that Netflix happens to not work with these tunnels, the problem is
that they are taking deliberate active steps to specifically block them.

Most likely, these steps are being taken at the behest of their content providers,
but to the best of my knowledge, that is merely speculation so far as I don’t
believe Netflix themselves have confirmed this. (It’s not unlikely that they are
unable to do so due to those same content providers likely insisting on these
requirements being considered proprietary information subject to NDA.)

So… I don’t know how many “normal users” use HE tunnels vs. “geeks” or how one
would go about defining the difference. I can tell you that there are an awful
lot of people using HE tunnels, and based on what I saw while working at HE,
I don’t believe they are all geeks. While I would say that geeks are a larger
fraction of the HE Tunnel using populace than of the general population, I’m
not sure to what extent. Probably a lot less than you think based on the
tone of your message.

I think that a provider that has specifically claimed to be an early adopter
supporting IPv6 and is now having their support department tell customers to
turn off IPv6 altogether is certainly noteworthy and not in a good way.

Further, if that provider is actively taking steps to damage previously working
IPv6 network configurations, that is also worthy of substantial negative
publicity.

I’m confused as to why you would think otherwise.

Owen
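
An added illustration, not part of the original message or of any vendor's code: how the 6rd settings quoted above (prefix 2602:100::/32, IPv4 mask length 0, MTU 1480) determine a customer's delegated IPv6 prefix under RFC 5969, and how the customer's IPv4 address can be read back out of any address in that prefix. The function names, the sample address 192.0.2.33 (documentation range, constructed) and the 1500-byte link MTU are assumptions.

```python
import ipaddress

# Values taken from the 6rd settings quoted in the message above.
SIXRD_PREFIX = ipaddress.IPv6Network("2602:100::/32")
IPV4_MASK_LEN = 0   # high-order IPv4 bits that are NOT embedded (0 = embed all 32)


def delegated_prefix(ce_ipv4, sixrd=SIXRD_PREFIX, mask_len=IPV4_MASK_LEN):
    """RFC 5969: 6rd prefix followed by the low (32 - mask_len) bits of the CE IPv4 address."""
    v4_bits = 32 - mask_len
    low = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    plen = sixrd.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("6rd delegated prefix would be longer than /64")
    base = int(sixrd.network_address) | (low << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def embedded_ipv4(addr6, sixrd=SIXRD_PREFIX, mask_len=IPV4_MASK_LEN,
                  v4_common="0.0.0.0"):
    """Recover the IPv4 address embedded in a 6rd IPv6 address.

    Returns None when addr6 is outside the 6rd prefix. v4_common supplies the
    shared high-order IPv4 bits and only matters when mask_len > 0.
    """
    addr = ipaddress.IPv6Address(addr6)
    if addr not in sixrd:
        return None
    v4_bits = 32 - mask_len
    shift = 128 - sixrd.prefixlen - v4_bits
    low = (int(addr) >> shift) & ((1 << v4_bits) - 1)
    high = int(ipaddress.IPv4Address(v4_common)) & ~((1 << v4_bits) - 1) & 0xFFFFFFFF
    return ipaddress.IPv4Address(high | low)


def inner_mtu(link_mtu=1500):
    """IPv6 MTU inside the tunnel: link MTU minus the 20-byte outer IPv4 header."""
    return link_mtu - 20


if __name__ == "__main__":
    ce = "192.0.2.33"                          # constructed sample CE address
    prefix = delegated_prefix(ce)
    print(ce, "->", prefix)                    # the /64 this customer receives
    print(prefix[1], "->", embedded_ipv4(prefix[1]))
    print("tunnel MTU:", inner_mtu())
```

With a mask length of 0 the full IPv4 address sits in bits 32 to 63 of every address the customer uses, so a 6rd address stays tied to the subscriber's IPv4 address in a way a relay-assigned tunnel prefix is not.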



