Re: Netflix VPN detection - actual engineer needed

4 Jun 2016

...
On Jun 3, 2016, at 18:32 , Raymond Beaudoin <raymond.beaudoin@icarustech.com> wrote:
Fair point, Spencer! Only Netflix engineers could tell us how they're
determining networks to be blocked, but I'm paranoid they're dynamically
updating based  AS PATH. I figured HE's ASN may have made the naughty list.
Admittedly, that would be pretty drastic. Time to do some testing. :>
I tend to doubt it:

route-views6.routeviews.org> sh bgp 2620:0:930::/48
BGP routing table entry for 2620:0:930::/48
Paths: (31 available, best #26, table Default-IP-Routing-Table)
  Not advertised to any peer
  3257 8121 1734, (aggregated by 1734 192.124.40.251)
    2001:668:0:4::2 from 2001:668:0:4::2 (213.200.87.91)
      Origin IGP, metric 770, localpref 100, valid, external
      Community: 3257:4560 3257:5010
      Last update: Fri Jun  3 09:07:40 2016

  47872 6939 1734, (aggregated by 1734 192.124.40.251)
    2a01:73e0::1 from 2a01:73e0::1 (185.44.116.227)
    (fe80::223:9c03:9b50:ffc0)
      Origin IGP, localpref 100, valid, external
      Community: 47872:1200
      Last update: Fri Jun  3 05:48:08 2016

  3741 6939 1734, (aggregated by 1734 192.124.40.251)
    2c0f:fc00::2 from 2c0f:fc00::2 (168.209.255.56)
      Origin IGP, localpref 100, valid, external
      Last update: Thu Jun  2 23:12:06 2016

  31019 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:67c:22dc:def1::1 from 2001:67c:22dc:def1::1 (91.228.151.1)
      Origin incomplete, localpref 100, valid, external
      Last update: Sat Jun  4 18:31:19 2016

  3277 3267 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:b08:2:280::4:100 from 2001:b08:2:280::4:100 (194.85.4.4)
      Origin IGP, localpref 100, valid, external
      Community: 3277:3267
      Last update: Wed Jun  1 12:54:09 2016

  7660 4635 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:200:901::5 from 2001:200:901::5 (203.181.248.168)
      Origin IGP, localpref 100, valid, external
      Community: 0:12989 0:13335 0:15169 0:20940 0:22822 4635:800 7660:4 7660:6
      Last update: Tue May 31 03:14:20 2016

  7018 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:1890:111d:1::63 from 2001:1890:111d:1::63 (12.0.1.63)
    (fe80::5254:ff:fe61:b8e6)
      Origin IGP, localpref 100, valid, external
      Community: 7018:5000 7018:37232
      Last update: Tue May 31 02:36:49 2016

  209 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:428::205:171:203:138 from 2001:428::205:171:203:138 (205.171.203.138)
      Origin IGP, metric 8000051, localpref 100, valid, external
      Community: 209:888
      Last update: Tue May 31 02:36:49 2016

  20912 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:40d0::126 from 2001:40d0::126 (212.66.96.126)
      Origin IGP, localpref 100, valid, external
      Community: 20912:65016
      Last update: Tue May 31 02:37:02 2016

  13030 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:1620:1::203 from 2001:1620:1::203 (213.144.128.203)
      Origin IGP, metric 1, localpref 100, valid, external
      Community: 13030:61 13030:1604 13030:51107
      Last update: Tue May 31 02:36:50 2016

  30071 8121 1734, (aggregated by 1734 192.124.40.251)
    2001:4830::e from 2001:4830::e (66.55.128.18)
      Origin IGP, metric 42, localpref 100, valid, external
      Community: 30071:57062
      Last update: Tue May 31 02:39:32 2016

  57463 6939 1734, (aggregated by 1734 192.124.40.251)
    2a00:1728::1f:4 from 2a00:1728::1f:4 (192.168.7.118)
      Origin IGP, localpref 100, valid, external
      Community: 64700:6939
      Last update: Tue May 31 02:37:03 2016

My NF is still working over IPv6.

Owen
...
On Fri, Jun 3, 2016 at 8:27 PM, Spencer Ryan <sryan@arbor.net> wrote:
...
Well if you have PI space just use HE's BGP tunnel offerings.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com
On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
raymond.beaudoin@icarustech.com> wrote:
...
As an alternative, there are multiple cloud service offerings that will
advertise your IPv6 allocations on your behalf direct to a server in their
data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
up a *<insert
favorite virtual router instance> *and then route through it. The Internet
is such an amazing place.
On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix@gmail.com>
wrote:
...
Yeah I RAWRed to them pretty hard whilst being as understanding to the
CS
rep that it wasn't their fault.
They thought I was weird as anything.
If there are any Verizon FiOS network engineers on the thread, a fellow
Verizon employee would thank you kindly for an off-thread email
regarding
BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
configure my account to listen for route advertisement).
Strange that it has to come to this to get "legit" IPv6 service.
On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
raymond.beaudoin@icarustech.com> wrote:
...
I wasn't originally affected on my he.net tunnel, but this evening it
started blocking. The recommended ACLs are a functional temporary
workaround, but I've also opened a request with Netflix.
On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer@spawar.navy.mil
...
wrote:
...
So far I am not seeing a Netflix block on my he.net tunnel yet. I
connect
to the Los Angeles node, so maybe not all of HE's address space is
being
blocked.
Not going to be disabling IPv6 here either. + HAD native IPv6 from
Time
Warner, but they decided to in their wisdom to disable IPv6 service
for
anyone that has an Arris SB6183 due to an Arris firmware bug.  And
they
are
taking their sweet time pushing out the fixed firmware update that
Comcast
and Cox seemed to be able to push to their customers last fall.
-Mark Ganzer
On 6/3/2016 4:49 PM, Cryptographrix wrote:
> Depends - how many US users have native IPv6 through their ISPs?
> 
> If I remember correctly (I can't find the source at the moment),
HE.net
> represents something like 70% of IPv6 traffic in the US.
> 
> And yeah, not doing that - actually in the middle of an IPv6
project at
> work at the moment that's a bit important to me.
> 
> 
> 
> 
> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
baldur.norddahl@gmail.com
>> 
> wrote:
> 
> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
cryptographrix@gmail.com>:
>> 
>>> The information I'm getting from Netflix support now is explicitly
>>> 
>> telling
>> 
>>> me to turn off IPv6 - someone might want to stop them before they
>>> completely kill US IPv6 adoption.
>>> 
>> Not allowing he.net tunnels is not killing ipv6. You just need
need
>> native
>> ipv6.
>> 
>> On the other hand it would be nice if Netflix would try the other
>> protocol
>> before blocking.
>> 
>>

Re: Netflix VPN detection - actual engineer needed

Owen DeLong