Re: ISPs in Spain are blocking CDN IP ranges to tackle soccer piracy
Theoretically IPv6 should provide enough addresses that a CDN doesn’t need to share an address between customers . Give each machine a /64 or longer and assign the customer a unique addresses within that prefix. Use the ability of modern kernels to bind to a range of addresses/interface and check the name to address mapping before returning content in addition to checking that it is configured for the name. You can share resources without sharing addresses. -- Mark Andrews
On 15 Apr 2025, at 03:00, Bryan Holloway via NANOG <nanog@lists.nanog.org> wrote:
While we're at it, who needs L3. A flat L2 should suffice.
On 4/14/25 18:00, Constantine A. Murenin via NANOG wrote: Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote: Hello, Nanog, This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages. A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers. The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place. The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT. These blockages are applied when the soccer matches are played and they are turned off hours later. Cloudflare has already taken legal action against this, but the issue is still ongoing. You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol). *Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/CQITXJSP...
This is a good point about the benefits of IPv6. But it's missing the fact that the all-or-nothing architecture is somehow the preferred scenario by the likes of Cloudflare. Before the widespread adoption of HTTPS, you could easily block any website either through DNS, or by examining the "Host" and the "GET" headers of each HTTP request, the extra advantage being that it was even possible to block just the individual web-pages within a single web-site (ad-blocking on a network level was trivial and super-effective, too), without affecting the rest of the website (think specific articles on Wikipedia that may be illegal in some countries, without needing to block the rest of Wikipedia). Then we got HTTPS, and blocking individual web-pages was no longer possible. (So now the entire websites had to be blocked in some countries, since page-level blocks were no longer possible.) But because of SNI and also DNS, and before the CDNs, it was still possible to block just the individual websites in full, not the entire IP addresses or subnets. But that still wasn't good enough for the privacy zealots, so they plugged the SNI leaks with the Encrypted SNI and the Encrypted Client Hello (ECH), and also DNS with DNS-over-HTTPS, conveniently breaking many network-level ad-blockers in the process, and moving control over the ad-blocking away from the network administrators. (But we can still block ads in the web-browser, right? Well, guess what, they've now nearly "fixed" that issue, too, so, now that's not an option, either!) So, basically, yes, IPv6 can come to the rescue here, but it's actually not a problem that Cloudflare would be interested in solving, since they'd rather take the all-or-nothing approach because "privacy". C. On Mon, 14 Apr 2025 at 15:02, Mark Andrews via NANOG <nanog@lists.nanog.org> wrote:
Theoretically IPv6 should provide enough addresses that a CDN doesn’t need to share an address between customers . Give each machine a /64 or longer and assign the customer a unique addresses within that prefix. Use the ability of modern kernels to bind to a range of addresses/interface and check the name to address mapping before returning content in addition to checking that it is configured for the name. You can share resources without sharing addresses. -- Mark Andrews
On 15 Apr 2025, at 03:00, Bryan Holloway via NANOG <nanog@lists.nanog.org> wrote:
While we're at it, who needs L3. A flat L2 should suffice.
On 4/14/25 18:00, Constantine A. Murenin via NANOG wrote: Here's an idea, why don't we centralise the entire internet behind a single network to "solve" the issue of connectivity and availability? Oh, wait! Nevermind! /s C.
On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG <nanog@lists.nanog.org> wrote: Hello, Nanog, This is an ongoing issue that might affect your spanish users if you use services like Cloudflare, Vercel, BunnyCDN or GitHub pages. A couple of weeks ago, the most important ISPs in Spain started intercepting or nullrouting IP addresses from this CDN providers. The reason is that a couple of local court orders allowed LA LIGA (sports association responsible for administering the two professional football leagues in Spain) to provide ISPs with a list of IP addresses that host soccer piracy sites to be taken down in a short period of time, even when the football match is taken place. The issue is that most of this piracy sites use Cloudflare and others to protect themselves, so ISPs are nullrouting or intercepting IP ranges that serve thousands of websites, including all Cloudflare Free customers (but not limited to). For example, they blocked one IP address that served ChatGPT. These blockages are applied when the soccer matches are played and they are turned off hours later. Cloudflare has already taken legal action against this, but the issue is still ongoing. You can find more information about this issue on TorrentFreak (LaLiga Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way), BandaanchaEU (bandaancha bloqueos del fútbol). *Regards,* *Raúl Martínez* _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/PCJ6SCDU...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/TPJCY6RF...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/CQITXJSP...
_______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/WBQIME26...
participants (2)
-
Constantine A. Murenin -
Mark Andrews