Re: Netflix VPN detection - actual engineer needed

[Mark Andrews <marka () isc org>]

In message <CAOZq8-g_w1+y+K0eSrVtR+MyHP_JVFCvnpmeZFLMOYL6NEd=hg () mail gmail com>
, Damian Menscher writes:
> On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong <owen () delong com> wrote:
> > > On Jun 5, 2016, at 14:18 , Damian Menscher <menscher () gmail com> wrote:
> > > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <
> > baldur.norddahl () gmail com> wrote:
> > > > Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix () gmail com
> > > :
> > > > > The information I'm getting from Netflix support now is explicitly
> > > > telling
> > > > > me to turn off IPv6 - someone might want to stop them before they
> > > > > completely kill US IPv6 adoption.
> > > >
> > > > Not allowing he.net tunnels is not killing ipv6. You just need need
> > > > native ipv6.
> > >
> > > This entire thread confuses me.  Are there normal home users who are
> > being
> > > blocked from Netflix because their ISP forces them through a HE VPN?
> Or
> > is
> > > this massive thread just about a handful of geeks who think IPv6 is
> cool
> > > and insist they be allowed to use it despite not having it natively?
> I
> > > could certainly understand ISP concerns that they are receiving user
> > > complaints because they failed to provide native IPv6 (why not?), but
> > > whining that you've managed to create a non-standard network setup
> > doesn't
> > > work with some providers seems a bit silly.
> >
> > What is non-standard about an HE tunnel? It conforms to the relevant
> RFCs
> > and
> > is a very common configuration widely deployed to many thousands of
> > locations
> > around the internet.
>
> What *is* standard about them?  My earliest training as a sysadmin taught
> me that any time you switch away from a default setting, you're venturing
> into the unknown.  Your config is no longer well-tested; you may
> experience strange errors; nobody else will have seen the same bugs.

Well the encapsulation is standardised.  There are 100's of thousands
of tunnels many of which have been running for over a decade now.
My tunnel is 13 years old at this point.  But hey, I may be venturing
into the unknown.

> That's exactly what's happening here -- people are setting up IPv6 tunnel
> broker connections, then complaining that there are unexpected side
> effects.

Side effects that took 13 years to materialise.  Yeah pull the other one.

> It’s not that Netflix happens to not work with these tunnels, the problem
> is
> > that they are taking deliberate active steps to specifically block them.
>
> [Citation needed] ;)

http://www.wired.com/2016/03/netflix-discontent-blocked-vpns-boiling/

> You're taking this as an attack on Hurricane Electric, and by extension on
> IPv6.  But the reality is that Netflix has presumably identified HE tunnel
> broker as a frequent source of VPN connections that violate their ToS, and
> they are blocking it as they would any other widescale abuse.  The impact
> to their userbase is miniscule -- as noted above, normal users won't be
> affected, and those who are have the trivial workaround of disabling
> tunnelbroker for Netflix-bound connections.  (I agree Netflix could
> helpfully 302 such users to ipv4.netflix.com instead, but it's already
> such
> a small problem I doubt that's a priority for them.  And it probably
> wouldn't reduce the hype here anyway.)

It is a attack on HE.  HE also provides stable user -> address
mappings so you can do fine grained geo location based on HE IPv6
addresses.

Also despite what the content cartel say using a VPN to bypass
georestrictions to get movies is not illegal, nor is it "piracy".
Individuals are allowed to import content from other countries.  It
is commercial importing that is banned.

> As a side note, this is a common meme: recently Tor claimed CloudFlare is
> anti-privacy for requiring captchas for their users.  The reality is much
> more mundane -- service providers need to protect their own networks, and
> Tor traffic is (according to CloudFlare [
> https://blog.cloudflare.com/the-trouble-with-tor/]) 94% abuse.

HE is not Tor.  HE is just a ISP that doesn't do large geographic IP
blocks.

> I suggest you focus your efforts on bringing native IPv6 to the masses,
> not
> criticizing service providers for defending themselves against abuse, just
> because that abuse happens to be over a network (HE tunnel broker; Tor;
> etc) you support.  Netflix isn't hurting IPv6 adoption in any real way,
> but
> the (incorrect!) claim that IPv6 doesn't work with Netflix will (if this
> thread is picked up by the press).
>
> Damian
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org