(and this is coming from someone that has serious issues with IPv6 but understands that we need to move forward) On Fri, Jun 3, 2016 at 7:49 PM Cryptographrix <cryptographrix@gmail.com> wrote:

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <baldur.norddahl@gmail.com> wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com>:

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

On Jun 3, 2016, at 4:59 PM, jim deleskie <deleskie@gmail.com> wrote:

I don't suspect many folks that are outside of this list would likely have any idea how to set up a v6 tunnel. Those of us on the list, likely have a much greater ability to influence v6 adoption or not via day job deployments then Netflix supporting v6 tunnels or not.

In western Canada, Telus is on a big push to deploy IPv6. TekSavvy less so. But it's happening. I cancelled my Netflix subscription last summer. I needed native IPv6 more than I needed Grace and Frankie. Which isn't to say I didn't want to watch Grace and Frankie more than having IPv6 access to machines I need to have access to in order to earn the money I need to pay to (not) watch Grace and Frankie ... --lyndon

I don't remember the source, but I do remember that even with Comcast's deployment, HE still represented the majority of IPv6 traffic in the US. Of course, it could just be a bunch of us heavy IPv6 users. On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan <sryan@arbor.net> wrote:

Comcast is near 100% on their DOCSIS network (Busniess and residential). That should be the largest single ISP for IPv6 for end users in the USA.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <baldur.norddahl@gmail.com

...

wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com :

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

Very true. Telling people to turn off IPv6 support through their customer service portal is completely infuriating for those that can't get IPv6 through their ISP and need it. On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan <sryan@arbor.net> wrote:

Yes but HE doesn't serve residential users directly. To a normal person HE is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier. They may move the most v6 traffic, but Comcast is the largest ISP actually getting v6 to end users.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

I don't remember the source, but I do remember that even with Comcast's deployment, HE still represented the majority of IPv6 traffic in the US.

Of course, it could just be a bunch of us heavy IPv6 users.

On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan <sryan@arbor.net> wrote:

...

Comcast is near 100% on their DOCSIS network (Busniess and residential). That should be the largest single ISP for IPv6 for end users in the USA.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix <cryptographrix@gmail.com

...

wrote:

...

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com> wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>:

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

Yeah today I cancelled Netflix for exactly this reason. On Fri, Jun 3, 2016 at 8:35 PM Owen DeLong <owen@delong.com> wrote:

I think the day that Netflix tells me to turn off IPv6 or doesn’t serve me content because one of my routes to the internet for IPv6 is via an HE tunnel (the other two are different tunnels, but all of my IPv4 also goes through tunnels) will be the day I tell Netflix that I will turn them off instead.

Let’s face it folks, if we want to encourage Netflix to tell the content providers to give up the silly geo-shit, then we have to stop patronizing channels that do silly geo-shit.

The only real impact is to vote with your $$$ and tell the companies you are unsubscribing from exactly why you are unsubscribing.

So far, I haven’t run into an issue where I couldn’t get what I wanted to watch via a tunnel I was able to set up. When/If Netflix gets good enough to detect and block my tunnel, I’ll stop using Netflix and stop paying them. I’ll also make sure that they know why.

I’m sure if they lose enough customers for this reason, they’ll choose to do something about it with their content providers. After all, the fewer subscribers Netflix has, the less they pay the content providers, too.

Sure, nobody cares about my $10/month or whatever it’s up to these days, but if a few thousand of us start walking off and it starts to look like a trend, it can change things.

Owen

...

On Jun 3, 2016, at 17:17 , Cryptographrix <cryptographrix@gmail.com> wrote:

Very true. Telling people to turn off IPv6 support through their customer service portal is completely infuriating for those that can't get IPv6 through their ISP and need it.

On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan <sryan@arbor.net> wrote:

...

Yes but HE doesn't serve residential users directly. To a normal person HE is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier. They may move the most v6 traffic, but Comcast is the largest ISP actually getting v6 to end users.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

I don't remember the source, but I do remember that even with Comcast's deployment, HE still represented the majority of IPv6 traffic in the US.

Of course, it could just be a bunch of us heavy IPv6 users.

On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan <sryan@arbor.net> wrote:

...

Comcast is near 100% on their DOCSIS network (Busniess and residential). That should be the largest single ISP for IPv6 for end users in the USA.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix < cryptographrix@gmail.com

...

wrote:

...

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com> wrote:

> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>: >> >> The information I'm getting from Netflix support now is explicitly > telling >> me to turn off IPv6 - someone might want to stop them before they >> completely kill US IPv6 adoption. > > Not allowing he.net tunnels is not killing ipv6. You just need need native > ipv6. > > On the other hand it would be nice if Netflix would try the other protocol > before blocking. >

Yo Spencer! On Fri, 3 Jun 2016 20:13:03 -0400 Spencer Ryan <sryan@arbor.net> wrote:

Yes but HE doesn't serve residential users directly.

Really? I am the only one? Doubtful. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 gem@rellim.com Tel:+1 541 382 8588

HE's downstream cone does not include a whole lot of residential ISPs. if you further exclude the ones that are multihomed you're left with a pretty small subset. that said they (HE) can be and are a valuable peer both in v4 and v6. Personally I wouldn't single home to anything that looks tier-1ish but your mileage may vary the residential operators I look at tend to be fairly diversly connected. On 6/3/16 5:46 PM, Josh Reynolds wrote:

You might be one of a handful. On Jun 3, 2016 7:35 PM, "Gary E. Miller" <gem@rellim.com> wrote:

...

Yo Spencer!

On Fri, 3 Jun 2016 20:13:03 -0400 Spencer Ryan <sryan@arbor.net> wrote:

...

Yes but HE doesn't serve residential users directly.

Really? I am the only one? Doubtful.

RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 gem@rellim.com Tel:+1 541 382 8588

On 6/5/16 6:23 PM, Josh Reynolds wrote:

Uhm, what? Where do you think ISPs get their transit exactly?

They buy from 2 or more wholesale transit providers and in general they opportunistically peer, although scale helps a lot there.

On Jun 5, 2016 8:17 PM, "joel jaeggli" <joelja@bogus.com <mailto:joelja@bogus.com>> wrote:

HE's downstream cone does not include a whole lot of residential ISPs. if you further exclude the ones that are multihomed you're left with a pretty small subset. that said they (HE) can be and are a valuable peer both in v4 and v6.

Personally I wouldn't single home to anything that looks tier-1ish but your mileage may vary the residential operators I look at tend to be fairly diversly connected.

On 6/3/16 5:46 PM, Josh Reynolds wrote: > You might be one of a handful. > On Jun 3, 2016 7:35 PM, "Gary E. Miller" <gem@rellim.com <mailto:gem@rellim.com>> wrote: > >> Yo Spencer! >> >> On Fri, 3 Jun 2016 20:13:03 -0400 >> Spencer Ryan <sryan@arbor.net <mailto:sryan@arbor.net>> wrote: >> >>> Yes but HE doesn't serve residential users directly. >> >> Really? I am the only one? Doubtful. >> >> RGDS >> GARY >> --------------------------------------------------------------------------- >> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 >> gem@rellim.com <mailto:gem@rellim.com> Tel:+1 541 382 8588 <tel:%2B1%20541%20382%208588> >> >

I've worked at my fair share of eyeball ISPs, and many of them used HE as one of their connections, On Mon, Jun 6, 2016 at 12:38 AM, joel jaeggli <joelja@bogus.com> wrote:

On 6/5/16 6:23 PM, Josh Reynolds wrote:

...

Uhm, what? Where do you think ISPs get their transit exactly?

They buy from 2 or more wholesale transit providers and in general they opportunistically peer, although scale helps a lot there.

...

On Jun 5, 2016 8:17 PM, "joel jaeggli" <joelja@bogus.com <mailto:joelja@bogus.com>> wrote:

HE's downstream cone does not include a whole lot of residential ISPs. if you further exclude the ones that are multihomed you're left with a pretty small subset. that said they (HE) can be and are a valuable peer both in v4 and v6.

Personally I wouldn't single home to anything that looks tier-1ish but your mileage may vary the residential operators I look at tend to be fairly diversly connected.

On 6/3/16 5:46 PM, Josh Reynolds wrote: > You might be one of a handful. > On Jun 3, 2016 7:35 PM, "Gary E. Miller" <gem@rellim.com <mailto:gem@rellim.com>> wrote: > >> Yo Spencer! >> >> On Fri, 3 Jun 2016 20:13:03 -0400 >> Spencer Ryan <sryan@arbor.net <mailto:sryan@arbor.net>> wrote: >> >>> Yes but HE doesn't serve residential users directly. >> >> Really? I am the only one? Doubtful. >> >> RGDS >> GARY >> --------------------------------------------------------------------------- >> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 >> gem@rellim.com <mailto:gem@rellim.com> Tel:+1 541 382 8588 <tel:%2B1%20541%20382%208588> >> >

On Fri, 03 Jun 2016 17:21:16 -0700, Blair Trosper said:

...IF (and that's a big IF in the Bay Area at least) you can get the newest modems. Easier said than done.

http://www.amazon.com/ARRIS-SURFboard-SB6141-DOCSIS-Cable/dp/B00AJHDZSI/ $68.75 and Done. And the damned thing even pays for itself by not paying a rental every month.

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked. Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall. -Mark Ganzer On 6/3/2016 4:49 PM, Cryptographrix wrote:

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <baldur.norddahl@gmail.com> wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com>:

...

The information I'm getting from Netflix support now is explicitly telling me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption. Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault. They thought I was weird as anything. If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement). Strange that it has to come to this to get "legit" IPv6 service. On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

I wasn't originally affected on my he.net tunnel, but this evening it started blocking. The recommended ACLs are a functional temporary workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer@spawar.navy.mil> wrote:

...

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked.

Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall.

-Mark Ganzer

On 6/3/2016 4:49 PM, Cryptographrix wrote:

...

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com

...

wrote:

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com :

...

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

Well if you have PI space just use HE's BGP tunnel offerings. *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

As an alternative, there are multiple cloud service offerings that will advertise your IPv6 allocations on your behalf direct to a server in their data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a *<insert favorite virtual router instance> *and then route through it. The Internet is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.

On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

I wasn't originally affected on my he.net tunnel, but this evening it started blocking. The recommended ACLs are a functional temporary workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer@spawar.navy.mil> wrote:

...

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked.

Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall.

-Mark Ganzer

On 6/3/2016 4:49 PM, Cryptographrix wrote:

...

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com

...

wrote:

Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>:

...

> The information I'm getting from Netflix support now is explicitly > telling

> me to turn off IPv6 - someone might want to stop them before they > completely kill US IPv6 adoption. > Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

On Jun 3, 2016, at 18:32 , Raymond Beaudoin <raymond.beaudoin@icarustech.com> wrote:

Fair point, Spencer! Only Netflix engineers could tell us how they're determining networks to be blocked, but I'm paranoid they're dynamically updating based AS PATH. I figured HE's ASN may have made the naughty list. Admittedly, that would be pretty drastic. Time to do some testing. :>

I tend to doubt it: route-views6.routeviews.org> sh bgp 2620:0:930::/48 BGP routing table entry for 2620:0:930::/48 Paths: (31 available, best #26, table Default-IP-Routing-Table) Not advertised to any peer 3257 8121 1734, (aggregated by 1734 192.124.40.251) 2001:668:0:4::2 from 2001:668:0:4::2 (213.200.87.91) Origin IGP, metric 770, localpref 100, valid, external Community: 3257:4560 3257:5010 Last update: Fri Jun 3 09:07:40 2016 47872 6939 1734, (aggregated by 1734 192.124.40.251) 2a01:73e0::1 from 2a01:73e0::1 (185.44.116.227) (fe80::223:9c03:9b50:ffc0) Origin IGP, localpref 100, valid, external Community: 47872:1200 Last update: Fri Jun 3 05:48:08 2016 3741 6939 1734, (aggregated by 1734 192.124.40.251) 2c0f:fc00::2 from 2c0f:fc00::2 (168.209.255.56) Origin IGP, localpref 100, valid, external Last update: Thu Jun 2 23:12:06 2016 31019 6939 1734, (aggregated by 1734 192.124.40.251) 2001:67c:22dc:def1::1 from 2001:67c:22dc:def1::1 (91.228.151.1) Origin incomplete, localpref 100, valid, external Last update: Sat Jun 4 18:31:19 2016 3277 3267 6939 1734, (aggregated by 1734 192.124.40.251) 2001:b08:2:280::4:100 from 2001:b08:2:280::4:100 (194.85.4.4) Origin IGP, localpref 100, valid, external Community: 3277:3267 Last update: Wed Jun 1 12:54:09 2016 7660 4635 6939 1734, (aggregated by 1734 192.124.40.251) 2001:200:901::5 from 2001:200:901::5 (203.181.248.168) Origin IGP, localpref 100, valid, external Community: 0:12989 0:13335 0:15169 0:20940 0:22822 4635:800 7660:4 7660:6 Last update: Tue May 31 03:14:20 2016 7018 6939 1734, (aggregated by 1734 192.124.40.251) 2001:1890:111d:1::63 from 2001:1890:111d:1::63 (12.0.1.63) (fe80::5254:ff:fe61:b8e6) Origin IGP, localpref 100, valid, external Community: 7018:5000 7018:37232 Last update: Tue May 31 02:36:49 2016 209 6939 1734, (aggregated by 1734 192.124.40.251) 2001:428::205:171:203:138 from 2001:428::205:171:203:138 (205.171.203.138) Origin IGP, metric 8000051, localpref 100, valid, external Community: 209:888 Last update: Tue May 31 02:36:49 2016 20912 6939 1734, (aggregated by 1734 192.124.40.251) 2001:40d0::126 from 2001:40d0::126 (212.66.96.126) Origin IGP, localpref 100, valid, external Community: 20912:65016 Last update: Tue May 31 02:37:02 2016 13030 6939 1734, (aggregated by 1734 192.124.40.251) 2001:1620:1::203 from 2001:1620:1::203 (213.144.128.203) Origin IGP, metric 1, localpref 100, valid, external Community: 13030:61 13030:1604 13030:51107 Last update: Tue May 31 02:36:50 2016 30071 8121 1734, (aggregated by 1734 192.124.40.251) 2001:4830::e from 2001:4830::e (66.55.128.18) Origin IGP, metric 42, localpref 100, valid, external Community: 30071:57062 Last update: Tue May 31 02:39:32 2016 57463 6939 1734, (aggregated by 1734 192.124.40.251) 2a00:1728::1f:4 from 2a00:1728::1f:4 (192.168.7.118) Origin IGP, localpref 100, valid, external Community: 64700:6939 Last update: Tue May 31 02:37:03 2016 My NF is still working over IPv6. Owen

On Fri, Jun 3, 2016 at 8:27 PM, Spencer Ryan <sryan@arbor.net> wrote:

...

Well if you have PI space just use HE's BGP tunnel offerings.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

As an alternative, there are multiple cloud service offerings that will advertise your IPv6 allocations on your behalf direct to a server in their data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a *<insert favorite virtual router instance> *and then route through it. The Internet

is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.

On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

I wasn't originally affected on my he.net tunnel, but this evening it started blocking. The recommended ACLs are a functional temporary workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer@spawar.navy.mil

...

wrote:

...

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked.

Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall.

-Mark Ganzer

On 6/3/2016 4:49 PM, Cryptographrix wrote:

> Depends - how many US users have native IPv6 through their ISPs? > > If I remember correctly (I can't find the source at the moment), HE.net > represents something like 70% of IPv6 traffic in the US. > > And yeah, not doing that - actually in the middle of an IPv6 project at > work at the moment that's a bit important to me. > > > > > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com >> > wrote: > > Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>: >> >>> The information I'm getting from Netflix support now is explicitly >>> >> telling >> >>> me to turn off IPv6 - someone might want to stop them before they >>> completely kill US IPv6 adoption. >>> >> Not allowing he.net tunnels is not killing ipv6. You just need need >> native >> ipv6. >> >> On the other hand it would be nice if Netflix would try the other >> protocol >> before blocking. >> >>

We should crowdsource a /40 and split it up into /64's for each of us. On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at> wrote:

If early adopter PI IPv6 was the same price as early adopter PI v4 space, my wife would be totally on board with this solution.

Matthew Kaufman

(Sent from my iPhone)

...

On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote:

Well if you have PI space just use HE's BGP tunnel offerings.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

As an alternative, there are multiple cloud service offerings that will advertise your IPv6 allocations on your behalf direct to a server in their data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a *<insert favorite virtual router instance> *and then route through it. The Internet is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.

On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

I wasn't originally affected on my he.net tunnel, but this evening it started blocking. The recommended ACLs are a functional temporary workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < ganzer@spawar.navy.mil> wrote:

...

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked.

Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall.

-Mark Ganzer

> On 6/3/2016 4:49 PM, Cryptographrix wrote: > > Depends - how many US users have native IPv6 through their ISPs? > > If I remember correctly (I can't find the source at the moment), HE.net > represents something like 70% of IPv6 traffic in the US. > > And yeah, not doing that - actually in the middle of an IPv6 project at > work at the moment that's a bit important to me. > > > > > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com > wrote: > > Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>: >> >>> The information I'm getting from Netflix support now is explicitly >> telling >> >>> me to turn off IPv6 - someone might want to stop them before they >>> completely kill US IPv6 adoption. >> Not allowing he.net tunnels is not killing ipv6. You just need need >> native >> ipv6. >> >> On the other hand it would be nice if Netflix would try the other >> protocol >> before blocking.

This is a good idea. We should do this. On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

Make it a /56 each and you've got a deal. Hell, I'll throw in a round of drinks.

On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

We should crowdsource a /40 and split it up into /64's for each of us.

On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at> wrote:

...

If early adopter PI IPv6 was the same price as early adopter PI v4 space, my wife would be totally on board with this solution.

Matthew Kaufman

(Sent from my iPhone)

...

On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote:

Well if you have PI space just use HE's BGP tunnel offerings.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

As an alternative, there are multiple cloud service offerings that will advertise your IPv6 allocations on your behalf direct to a server in their data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a *<insert favorite virtual router instance> *and then route through it. The Internet is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.

On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

> I wasn't originally affected on my he.net tunnel, but this evening it > started blocking. The recommended ACLs are a functional temporary > workaround, but I've also opened a request with Netflix. > > On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < ganzer@spawar.navy.mil> > wrote: > >> So far I am not seeing a Netflix block on my he.net tunnel yet. I > connect >> to the Los Angeles node, so maybe not all of HE's address space is being >> blocked. >> >> Not going to be disabling IPv6 here either. + HAD native IPv6 from Time >> Warner, but they decided to in their wisdom to disable IPv6 service for >> anyone that has an Arris SB6183 due to an Arris firmware bug. And they > are >> taking their sweet time pushing out the fixed firmware update that > Comcast >> and Cox seemed to be able to push to their customers last fall. >> >> -Mark Ganzer >> >> >>> On 6/3/2016 4:49 PM, Cryptographrix wrote: >>> >>> Depends - how many US users have native IPv6 through their ISPs? >>> >>> If I remember correctly (I can't find the source at the moment), HE.net >>> represents something like 70% of IPv6 traffic in the US. >>> >>> And yeah, not doing that - actually in the middle of an IPv6 project at >>> work at the moment that's a bit important to me. >>> >>> >>> >>> >>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < > baldur.norddahl@gmail.com >>> wrote: >>> >>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < > cryptographrix@gmail.com>: >>>> >>>>> The information I'm getting from Netflix support now is explicitly >>>> telling >>>> >>>>> me to turn off IPv6 - someone might want to stop them before they >>>>> completely kill US IPv6 adoption. >>>> Not allowing he.net tunnels is not killing ipv6. You just need need >>>> native >>>> ipv6. >>>> >>>> On the other hand it would be nice if Netflix would try the other >>>> protocol >>>> before blocking.

Nope - You'd have the /56 and only people within your /56 (or /64 if you sliced it up nicely) would be able to do things with it routed by your ISP. Of course this means we'll have to get our ISPs to listen for our BGP advertisement... On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <mnathani.lists@gmail.com> wrote:

Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts logging in from the same IPv6 range?

On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

This is a good idea. We should do this.

On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

Make it a /56 each and you've got a deal. Hell, I'll throw in a round of drinks.

On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

We should crowdsource a /40 and split it up into /64's for each of us.

On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at> wrote:

...

If early adopter PI IPv6 was the same price as early adopter PI v4 space, my wife would be totally on board with this solution.

Matthew Kaufman

(Sent from my iPhone)

...

On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote:

Well if you have PI space just use HE's BGP tunnel offerings.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

> As an alternative, there are multiple cloud service offerings that will > advertise your IPv6 allocations on your behalf direct to a server in their > data centers. It seems pretty tongue-in-cheek, and satisfying, to turn > up a *<insert > favorite virtual router instance> *and then route through it. The Internet > is such an amazing place. > > On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < cryptographrix@gmail.com> > wrote: > >> Yeah I RAWRed to them pretty hard whilst being as understanding to the CS >> rep that it wasn't their fault. >> >> They thought I was weird as anything. >> >> If there are any Verizon FiOS network engineers on the thread, a fellow >> Verizon employee would thank you kindly for an off-thread email regarding >> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you >> configure my account to listen for route advertisement). >> >> Strange that it has to come to this to get "legit" IPv6 service. >> >> >> >> >> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < >> raymond.beaudoin@icarustech.com> wrote: >> >>> I wasn't originally affected on my he.net tunnel, but this evening it >>> started blocking. The recommended ACLs are a functional temporary >>> workaround, but I've also opened a request with Netflix. >>> >>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < ganzer@spawar.navy.mil> >>> wrote: >>> >>>> So far I am not seeing a Netflix block on my he.net tunnel yet. I >>> connect >>>> to the Los Angeles node, so maybe not all of HE's address space is > being >>>> blocked. >>>> >>>> Not going to be disabling IPv6 here either. + HAD native IPv6 from > Time >>>> Warner, but they decided to in their wisdom to disable IPv6 service > for >>>> anyone that has an Arris SB6183 due to an Arris firmware bug. And > they >>> are >>>> taking their sweet time pushing out the fixed firmware update that >>> Comcast >>>> and Cox seemed to be able to push to their customers last fall. >>>> >>>> -Mark Ganzer >>>> >>>> >>>>> On 6/3/2016 4:49 PM, Cryptographrix wrote: >>>>> >>>>> Depends - how many US users have native IPv6 through their ISPs? >>>>> >>>>> If I remember correctly (I can't find the source at the moment), > HE.net >>>>> represents something like 70% of IPv6 traffic in the US. >>>>> >>>>> And yeah, not doing that - actually in the middle of an IPv6 project > at >>>>> work at the moment that's a bit important to me. >>>>> >>>>> >>>>> >>>>> >>>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < >>> baldur.norddahl@gmail.com >>>>> wrote: >>>>> >>>>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < >>> cryptographrix@gmail.com>: >>>>>> >>>>>>> The information I'm getting from Netflix support now is explicitly >>>>>> telling >>>>>> >>>>>>> me to turn off IPv6 - someone might want to stop them before they >>>>>>> completely kill US IPv6 adoption. >>>>>> Not allowing he.net tunnels is not killing ipv6. You just need need >>>>>> native >>>>>> ipv6. >>>>>> >>>>>> On the other hand it would be nice if Netflix would try the other >>>>>> protocol >>>>>> before blocking. >

Typically, yes. On Jun 3, 2016 10:15 PM, "Mansoor Nathani" <mnathani.lists@gmail.com> wrote:

The smallest IPv6 prefix for advertising on the Internet via BGP is a /48, isn't it?

On Fri, Jun 3, 2016 at 10:11 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Nope - You'd have the /56 and only people within your /56 (or /64 if you sliced it up nicely) would be able to do things with it routed by your ISP.

Of course this means we'll have to get our ISPs to listen for our BGP advertisement...

On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani < mnathani.lists@gmail.com> wrote:

...

Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts logging in from the same IPv6 range?

On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

This is a good idea. We should do this.

On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

Make it a /56 each and you've got a deal. Hell, I'll throw in a round of drinks.

On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

We should crowdsource a /40 and split it up into /64's for each of us.

On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at> wrote:

> If early adopter PI IPv6 was the same price as early adopter PI v4 space, > my wife would be totally on board with this solution. > > Matthew Kaufman > > (Sent from my iPhone) > > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote: > > > > Well if you have PI space just use HE's BGP tunnel offerings. > > > > > > *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net > > *Arbor Networks* > > +1.734.794.5033 (d) | +1.734.846.2053 (m) > > www.arbornetworks.com > > > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < > > raymond.beaudoin@icarustech.com> wrote: > > > >> As an alternative, there are multiple cloud service offerings that will > >> advertise your IPv6 allocations on your behalf direct to a server in > their > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn > >> up a *<insert > >> favorite virtual router instance> *and then route through it. The > Internet > >> is such an amazing place. > >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < > cryptographrix@gmail.com> > >> wrote: > >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to the > CS > >>> rep that it wasn't their fault. > >>> > >>> They thought I was weird as anything. > >>> > >>> If there are any Verizon FiOS network engineers on the thread, a fellow > >>> Verizon employee would thank you kindly for an off-thread email > regarding > >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you > >>> configure my account to listen for route advertisement). > >>> > >>> Strange that it has to come to this to get "legit" IPv6 service. > >>> > >>> > >>> > >>> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < > >>> raymond.beaudoin@icarustech.com> wrote: > >>> > >>>> I wasn't originally affected on my he.net tunnel, but this evening it > >>>> started blocking. The recommended ACLs are a functional temporary > >>>> workaround, but I've also opened a request with Netflix. > >>>> > >>>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < > ganzer@spawar.navy.mil> > >>>> wrote: > >>>> > >>>>> So far I am not seeing a Netflix block on my he.net tunnel yet. I > >>>> connect > >>>>> to the Los Angeles node, so maybe not all of HE's address space is > >> being > >>>>> blocked. > >>>>> > >>>>> Not going to be disabling IPv6 here either. + HAD native IPv6 from > >> Time > >>>>> Warner, but they decided to in their wisdom to disable IPv6 service > >> for > >>>>> anyone that has an Arris SB6183 due to an Arris firmware bug. And > >> they > >>>> are > >>>>> taking their sweet time pushing out the fixed firmware update that > >>>> Comcast > >>>>> and Cox seemed to be able to push to their customers last fall. > >>>>> > >>>>> -Mark Ganzer > >>>>> > >>>>> > >>>>>> On 6/3/2016 4:49 PM, Cryptographrix wrote: > >>>>>> > >>>>>> Depends - how many US users have native IPv6 through their ISPs? > >>>>>> > >>>>>> If I remember correctly (I can't find the source at the moment), > >> HE.net > >>>>>> represents something like 70% of IPv6 traffic in the US. > >>>>>> > >>>>>> And yeah, not doing that - actually in the middle of an IPv6 project > >> at > >>>>>> work at the moment that's a bit important to me. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < > >>>> baldur.norddahl@gmail.com > >>>>>> wrote: > >>>>>> > >>>>>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < > >>>> cryptographrix@gmail.com>: > >>>>>>> > >>>>>>>> The information I'm getting from Netflix support now is explicitly > >>>>>>> telling > >>>>>>> > >>>>>>>> me to turn off IPv6 - someone might want to stop them before they > >>>>>>>> completely kill US IPv6 adoption. > >>>>>>> Not allowing he.net tunnels is not killing ipv6. You just need > need > >>>>>>> native > >>>>>>> ipv6. > >>>>>>> > >>>>>>> On the other hand it would be nice if Netflix would try the other > >>>>>>> protocol > >>>>>>> before blocking. > >> > >

"Hello Time Warner?....I happen to have 1.2Septillion IPv6 IPs I need to advertise...." On Fri, Jun 3, 2016 at 10:19 PM Cryptographrix <cryptographrix@gmail.com> wrote:

"A /48 is officially the smallest"...but apparently smaller gets advertised all over, and I imagine esp for private ASNs...sooooo we buy a /40 and 256 people here get /48s?

That would also be hilarious if Netflix blocking HE resulted in 256-some people each getting a /48.

On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix <cryptographrix@gmail.com> wrote:

...

Nope - You'd have the /56 and only people within your /56 (or /64 if you sliced it up nicely) would be able to do things with it routed by your ISP.

Of course this means we'll have to get our ISPs to listen for our BGP advertisement...

On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <mnathani.lists@gmail.com> wrote:

...

Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts logging in from the same IPv6 range?

On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <cryptographrix@gmail.com

...

wrote:

...

This is a good idea. We should do this.

On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

Make it a /56 each and you've got a deal. Hell, I'll throw in a round of drinks.

On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

We should crowdsource a /40 and split it up into /64's for each of us.

On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at> wrote:

> If early adopter PI IPv6 was the same price as early adopter PI v4 space, > my wife would be totally on board with this solution. > > Matthew Kaufman > > (Sent from my iPhone) > > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote: > > > > Well if you have PI space just use HE's BGP tunnel offerings. > > > > > > *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net > > *Arbor Networks* > > +1.734.794.5033 (d) | +1.734.846.2053 (m) > > www.arbornetworks.com > > > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < > > raymond.beaudoin@icarustech.com> wrote: > > > >> As an alternative, there are multiple cloud service offerings that will > >> advertise your IPv6 allocations on your behalf direct to a server in > their > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn > >> up a *<insert > >> favorite virtual router instance> *and then route through it. The > Internet > >> is such an amazing place. > >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < > cryptographrix@gmail.com> > >> wrote: > >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to the > CS > >>> rep that it wasn't their fault. > >>> > >>> They thought I was weird as anything. > >>> > >>> If there are any Verizon FiOS network engineers on the thread, a fellow > >>> Verizon employee would thank you kindly for an off-thread email > regarding > >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you > >>> configure my account to listen for route advertisement). > >>> > >>> Strange that it has to come to this to get "legit" IPv6 service. > >>> > >>> > >>> > >>> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < > >>> raymond.beaudoin@icarustech.com> wrote: > >>> > >>>> I wasn't originally affected on my he.net tunnel, but this evening it > >>>> started blocking. The recommended ACLs are a functional temporary > >>>> workaround, but I've also opened a request with Netflix. > >>>> > >>>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < > ganzer@spawar.navy.mil> > >>>> wrote: > >>>> > >>>>> So far I am not seeing a Netflix block on my he.net tunnel yet. I > >>>> connect > >>>>> to the Los Angeles node, so maybe not all of HE's address space is > >> being > >>>>> blocked. > >>>>> > >>>>> Not going to be disabling IPv6 here either. + HAD native IPv6 from > >> Time > >>>>> Warner, but they decided to in their wisdom to disable IPv6 service > >> for > >>>>> anyone that has an Arris SB6183 due to an Arris firmware bug. And > >> they > >>>> are > >>>>> taking their sweet time pushing out the fixed firmware update that > >>>> Comcast > >>>>> and Cox seemed to be able to push to their customers last fall. > >>>>> > >>>>> -Mark Ganzer > >>>>> > >>>>> > >>>>>> On 6/3/2016 4:49 PM, Cryptographrix wrote: > >>>>>> > >>>>>> Depends - how many US users have native IPv6 through their ISPs? > >>>>>> > >>>>>> If I remember correctly (I can't find the source at the moment), > >> HE.net > >>>>>> represents something like 70% of IPv6 traffic in the US. > >>>>>> > >>>>>> And yeah, not doing that - actually in the middle of an IPv6 project > >> at > >>>>>> work at the moment that's a bit important to me. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < > >>>> baldur.norddahl@gmail.com > >>>>>> wrote: > >>>>>> > >>>>>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < > >>>> cryptographrix@gmail.com>: > >>>>>>> > >>>>>>>> The information I'm getting from Netflix support now is explicitly > >>>>>>> telling > >>>>>>> > >>>>>>>> me to turn off IPv6 - someone might want to stop them before they > >>>>>>>> completely kill US IPv6 adoption. > >>>>>>> Not allowing he.net tunnels is not killing ipv6. You just need > need > >>>>>>> native > >>>>>>> ipv6. > >>>>>>> > >>>>>>> On the other hand it would be nice if Netflix would try the other > >>>>>>> protocol > >>>>>>> before blocking. > >> > >

How is this better than getting native IPv6 from a provider? If they are willing to run a BGP session with you (that too with a private ASN), surely they can offer native IPv6 as well. On Fri, Jun 3, 2016 at 10:19 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

"A /48 is officially the smallest"...but apparently smaller gets advertised all over, and I imagine esp for private ASNs...sooooo we buy a /40 and 256 people here get /48s?

That would also be hilarious if Netflix blocking HE resulted in 256-some people each getting a /48.

On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix <cryptographrix@gmail.com> wrote:

...

Nope - You'd have the /56 and only people within your /56 (or /64 if you sliced it up nicely) would be able to do things with it routed by your ISP.

Of course this means we'll have to get our ISPs to listen for our BGP advertisement...

On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani <mnathani.lists@gmail.com> wrote:

...

Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts logging in from the same IPv6 range?

On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix <cryptographrix@gmail.com

...

wrote:

...

This is a good idea. We should do this.

On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

Make it a /56 each and you've got a deal. Hell, I'll throw in a round of drinks.

On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

We should crowdsource a /40 and split it up into /64's for each of us.

On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at> wrote:

> If early adopter PI IPv6 was the same price as early adopter PI v4 space, > my wife would be totally on board with this solution. > > Matthew Kaufman > > (Sent from my iPhone) > > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote: > > > > Well if you have PI space just use HE's BGP tunnel offerings. > > > > > > *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net > > *Arbor Networks* > > +1.734.794.5033 (d) | +1.734.846.2053 (m) > > www.arbornetworks.com > > > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < > > raymond.beaudoin@icarustech.com> wrote: > > > >> As an alternative, there are multiple cloud service offerings that will > >> advertise your IPv6 allocations on your behalf direct to a server in > their > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn > >> up a *<insert > >> favorite virtual router instance> *and then route through it. The > Internet > >> is such an amazing place. > >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < > cryptographrix@gmail.com> > >> wrote: > >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to the > CS > >>> rep that it wasn't their fault. > >>> > >>> They thought I was weird as anything. > >>> > >>> If there are any Verizon FiOS network engineers on the thread, a fellow > >>> Verizon employee would thank you kindly for an off-thread email > regarding > >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you > >>> configure my account to listen for route advertisement). > >>> > >>> Strange that it has to come to this to get "legit" IPv6 service. > >>> > >>> > >>> > >>> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < > >>> raymond.beaudoin@icarustech.com> wrote: > >>> > >>>> I wasn't originally affected on my he.net tunnel, but this evening it > >>>> started blocking. The recommended ACLs are a functional temporary > >>>> workaround, but I've also opened a request with Netflix. > >>>> > >>>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < > ganzer@spawar.navy.mil> > >>>> wrote: > >>>> > >>>>> So far I am not seeing a Netflix block on my he.net tunnel yet. I > >>>> connect > >>>>> to the Los Angeles node, so maybe not all of HE's address space is > >> being > >>>>> blocked. > >>>>> > >>>>> Not going to be disabling IPv6 here either. + HAD native IPv6 from > >> Time > >>>>> Warner, but they decided to in their wisdom to disable IPv6 service > >> for > >>>>> anyone that has an Arris SB6183 due to an Arris firmware bug. And > >> they > >>>> are > >>>>> taking their sweet time pushing out the fixed firmware update that > >>>> Comcast > >>>>> and Cox seemed to be able to push to their customers last fall. > >>>>> > >>>>> -Mark Ganzer > >>>>> > >>>>> > >>>>>> On 6/3/2016 4:49 PM, Cryptographrix wrote: > >>>>>> > >>>>>> Depends - how many US users have native IPv6 through their ISPs? > >>>>>> > >>>>>> If I remember correctly (I can't find the source at the moment), > >> HE.net > >>>>>> represents something like 70% of IPv6 traffic in the US. > >>>>>> > >>>>>> And yeah, not doing that - actually in the middle of an IPv6 project > >> at > >>>>>> work at the moment that's a bit important to me. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < > >>>> baldur.norddahl@gmail.com > >>>>>> wrote: > >>>>>> > >>>>>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < > >>>> cryptographrix@gmail.com>: > >>>>>>> > >>>>>>>> The information I'm getting from Netflix support now is explicitly > >>>>>>> telling > >>>>>>> > >>>>>>>> me to turn off IPv6 - someone might want to stop them before they > >>>>>>>> completely kill US IPv6 adoption. > >>>>>>> Not allowing he.net tunnels is not killing ipv6. You just need > need > >>>>>>> native > >>>>>>> ipv6. > >>>>>>> > >>>>>>> On the other hand it would be nice if Netflix would try the other > >>>>>>> protocol > >>>>>>> before blocking. > >> > >

And yeah, most every US ISP *can* route IPv6, but they just haven't for absolutely no reason. On Fri, Jun 3, 2016 at 11:11 PM Cryptographrix <cryptographrix@gmail.com> wrote:

Surely they could - for some reason they haven't.

It's not better - it's desperate.

But it's more than nothing.

Of course, there's always the possibility that I/we will be left with 300 septillion IPv6 IPs and nobody to route them.

On Fri, Jun 3, 2016 at 10:58 PM Mansoor Nathani <mnathani.lists@gmail.com> wrote:

...

How is this better than getting native IPv6 from a provider? If they are willing to run a BGP session with you (that too with a private ASN), surely they can offer native IPv6 as well.

On Fri, Jun 3, 2016 at 10:19 PM, Cryptographrix <cryptographrix@gmail.com

...

wrote:

...

"A /48 is officially the smallest"...but apparently smaller gets advertised all over, and I imagine esp for private ASNs...sooooo we buy a /40 and 256 people here get /48s?

That would also be hilarious if Netflix blocking HE resulted in 256-some people each getting a /48.

On Fri, Jun 3, 2016 at 10:11 PM Cryptographrix <cryptographrix@gmail.com> wrote:

...

Nope - You'd have the /56 and only people within your /56 (or /64 if you sliced it up nicely) would be able to do things with it routed by your ISP.

Of course this means we'll have to get our ISPs to listen for our BGP advertisement...

On Fri, Jun 3, 2016 at 10:09 PM Mansoor Nathani < mnathani.lists@gmail.com> wrote:

...

Wouldn't the /56 get blocked as soon as Netflix detects multiple accounts logging in from the same IPv6 range?

On Fri, Jun 3, 2016 at 9:49 PM, Cryptographrix < cryptographrix@gmail.com> wrote:

...

This is a good idea. We should do this.

On Fri, Jun 3, 2016 at 9:48 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

> Make it a /56 each and you've got a deal. Hell, I'll throw in a round of > drinks. > > On Fri, Jun 3, 2016 at 8:40 PM, Cryptographrix < cryptographrix@gmail.com> > wrote: > >> We should crowdsource a /40 and split it up into /64's for each of us. >> >> >> On Fri, Jun 3, 2016 at 9:38 PM Matthew Kaufman <matthew@matthew.at > >> wrote: >> >> > If early adopter PI IPv6 was the same price as early adopter PI v4 >> space, >> > my wife would be totally on board with this solution. >> > >> > Matthew Kaufman >> > >> > (Sent from my iPhone) >> > >> > > On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote: >> > > >> > > Well if you have PI space just use HE's BGP tunnel offerings. >> > > >> > > >> > > *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net >> > > *Arbor Networks* >> > > +1.734.794.5033 (d) | +1.734.846.2053 (m) >> > > www.arbornetworks.com >> > > >> > > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < >> > > raymond.beaudoin@icarustech.com> wrote: >> > > >> > >> As an alternative, there are multiple cloud service offerings that >> will >> > >> advertise your IPv6 allocations on your behalf direct to a server in >> > their >> > >> data centers. It seems pretty tongue-in-cheek, and satisfying, to >> turn >> > >> up a *<insert >> > >> favorite virtual router instance> *and then route through it. The >> > Internet >> > >> is such an amazing place. >> > >> >> > >> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix < >> > cryptographrix@gmail.com> >> > >> wrote: >> > >> >> > >>> Yeah I RAWRed to them pretty hard whilst being as understanding to >> the >> > CS >> > >>> rep that it wasn't their fault. >> > >>> >> > >>> They thought I was weird as anything. >> > >>> >> > >>> If there are any Verizon FiOS network engineers on the thread, a >> fellow >> > >>> Verizon employee would thank you kindly for an off-thread email >> > regarding >> > >>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, >> you >> > >>> configure my account to listen for route advertisement). >> > >>> >> > >>> Strange that it has to come to this to get "legit" IPv6 service. >> > >>> >> > >>> >> > >>> >> > >>> >> > >>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < >> > >>> raymond.beaudoin@icarustech.com> wrote: >> > >>> >> > >>>> I wasn't originally affected on my he.net tunnel, but this >> evening it >> > >>>> started blocking. The recommended ACLs are a functional temporary >> > >>>> workaround, but I've also opened a request with Netflix. >> > >>>> >> > >>>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer < >> > ganzer@spawar.navy.mil> >> > >>>> wrote: >> > >>>> >> > >>>>> So far I am not seeing a Netflix block on my he.net tunnel yet. I >> > >>>> connect >> > >>>>> to the Los Angeles node, so maybe not all of HE's address space is >> > >> being >> > >>>>> blocked. >> > >>>>> >> > >>>>> Not going to be disabling IPv6 here either. + HAD native IPv6 from >> > >> Time >> > >>>>> Warner, but they decided to in their wisdom to disable IPv6 >> service >> > >> for >> > >>>>> anyone that has an Arris SB6183 due to an Arris firmware bug. And >> > >> they >> > >>>> are >> > >>>>> taking their sweet time pushing out the fixed firmware update that >> > >>>> Comcast >> > >>>>> and Cox seemed to be able to push to their customers last fall. >> > >>>>> >> > >>>>> -Mark Ganzer >> > >>>>> >> > >>>>> >> > >>>>>> On 6/3/2016 4:49 PM, Cryptographrix wrote: >> > >>>>>> >> > >>>>>> Depends - how many US users have native IPv6 through their ISPs? >> > >>>>>> >> > >>>>>> If I remember correctly (I can't find the source at the moment), >> > >> HE.net >> > >>>>>> represents something like 70% of IPv6 traffic in the US. >> > >>>>>> >> > >>>>>> And yeah, not doing that - actually in the middle of an IPv6 >> project >> > >> at >> > >>>>>> work at the moment that's a bit important to me. >> > >>>>>> >> > >>>>>> >> > >>>>>> >> > >>>>>> >> > >>>>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < >> > >>>> baldur.norddahl@gmail.com >> > >>>>>> wrote: >> > >>>>>> >> > >>>>>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" < >> > >>>> cryptographrix@gmail.com>: >> > >>>>>>> >> > >>>>>>>> The information I'm getting from Netflix support now is >> explicitly >> > >>>>>>> telling >> > >>>>>>> >> > >>>>>>>> me to turn off IPv6 - someone might want to stop them before >> they >> > >>>>>>>> completely kill US IPv6 adoption. >> > >>>>>>> Not allowing he.net tunnels is not killing ipv6. You just need >> > need >> > >>>>>>> native >> > >>>>>>> ipv6. >> > >>>>>>> >> > >>>>>>> On the other hand it would be nice if Netflix would try the >> other >> > >>>>>>> protocol >> > >>>>>>> before blocking. >> > >> >> > >> > >> > >

If you’re wife is really worried about $100/year, give up your first 2 weeks of Starbucks each year in trade. Owen

On Jun 3, 2016, at 18:33 , Matthew Kaufman <matthew@matthew.at> wrote:

If early adopter PI IPv6 was the same price as early adopter PI v4 space, my wife would be totally on board with this solution.

Matthew Kaufman

(Sent from my iPhone)

...

On Jun 3, 2016, at 6:27 PM, Spencer Ryan <sryan@arbor.net> wrote:

Well if you have PI space just use HE's BGP tunnel offerings.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

As an alternative, there are multiple cloud service offerings that will advertise your IPv6 allocations on your behalf direct to a server in their data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a *<insert favorite virtual router instance> *and then route through it. The Internet is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.

On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

I wasn't originally affected on my he.net tunnel, but this evening it started blocking. The recommended ACLs are a functional temporary workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer@spawar.navy.mil> wrote:

...

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked.

Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall.

-Mark Ganzer

> On 6/3/2016 4:49 PM, Cryptographrix wrote: > > Depends - how many US users have native IPv6 through their ISPs? > > If I remember correctly (I can't find the source at the moment), HE.net > represents something like 70% of IPv6 traffic in the US. > > And yeah, not doing that - actually in the middle of an IPv6 project at > work at the moment that's a bit important to me. > > > > > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com > wrote: > > Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>: >> >>> The information I'm getting from Netflix support now is explicitly >> telling >> >>> me to turn off IPv6 - someone might want to stop them before they >>> completely kill US IPv6 adoption. >> Not allowing he.net tunnels is not killing ipv6. You just need need >> native >> ipv6. >> >> On the other hand it would be nice if Netflix would try the other >> protocol >> before blocking.

Honestly I was trying to make that sound like a "missed connections" ad there for a moment, but seriously I'd buy a /40 right now if possible to have non-tunneled IPv6 if I could. It's so weird being on US internet - your content distributor makes you feel like a criminal because their content provider has standing orders to deny you from viewing the content they provide and the only other thing you can do about it is turn off the thing that gives you access to the way you make the money to pay for their stuff. On Fri, Jun 3, 2016 at 9:25 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

As an alternative, there are multiple cloud service offerings that will advertise your IPv6 allocations on your behalf direct to a server in their data centers. It seems pretty tongue-in-cheek, and satisfying, to turn up a *<insert favorite virtual router instance> *and then route through it. The Internet is such an amazing place.

On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Yeah I RAWRed to them pretty hard whilst being as understanding to the CS rep that it wasn't their fault.

They thought I was weird as anything.

If there are any Verizon FiOS network engineers on the thread, a fellow Verizon employee would thank you kindly for an off-thread email regarding BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you configure my account to listen for route advertisement).

Strange that it has to come to this to get "legit" IPv6 service.

On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin < raymond.beaudoin@icarustech.com> wrote:

...

I wasn't originally affected on my he.net tunnel, but this evening it started blocking. The recommended ACLs are a functional temporary workaround, but I've also opened a request with Netflix.

On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer@spawar.navy.mil> wrote:

...

So far I am not seeing a Netflix block on my he.net tunnel yet. I connect to the Los Angeles node, so maybe not all of HE's address space is being blocked.

Not going to be disabling IPv6 here either. + HAD native IPv6 from Time Warner, but they decided to in their wisdom to disable IPv6 service for anyone that has an Arris SB6183 due to an Arris firmware bug. And they are taking their sweet time pushing out the fixed firmware update that Comcast and Cox seemed to be able to push to their customers last fall.

-Mark Ganzer

On 6/3/2016 4:49 PM, Cryptographrix wrote:

...

Depends - how many US users have native IPv6 through their ISPs?

If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.

And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.

On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl < baldur.norddahl@gmail.com

...

wrote:

Den 4. jun. 2016 01.26 skrev "Cryptographrix" < cryptographrix@gmail.com>:

...

> The information I'm getting from Netflix support now is explicitly > telling

> me to turn off IPv6 - someone might want to stop them before they > completely kill US IPv6 adoption. > Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

On the other hand it would be nice if Netflix would try the other protocol before blocking.

On Sun, Jun 5, 2016, at 23:55, jim deleskie wrote:

Damian, I HIGHLY doubt regular folks are running into issues with this, I suspect its not even geeks in general having issues, I suspect 80% plus of those having issues spend most of their time complaining about something related to v6 and the rest of the geeks not loving them/it enough.

You don't even need a HE tunnel in order to be blocked for "VPN reasons": 2 providers, both dual-stacked (2 different v6 prefixes on the home LAN, adresses from both /64s on each machine), only one used for IPv4 exit. With this set-up you DO get random messages about being on a VPN (at least on some devices).

While it is damaging negative publicity it also makes sense. HE's tunnel service amounts to a free VPN that happens to provide IPv6. I would love for someone from HE to jump in and explain better how their tunnel works, why it's been blocked by Netflix, and what (if anything) they are doing to mitigate it. For my part, I also found that my HE tunnel no longer worked with Netflix because, again, it amounts to a free VPN service. I had to shut it off. However, I did discover that my ISP Charter Communications runs a 6rd tunnel service for their customers and enabled that on my router instead. Here are the settings I put in my ASUS router, taken off of a Tomato router firmware forum post: DHCP Option: Disable IPv6 Prefix: 2602:100:: IPv6 Prefix Length: 32 IPv4 Border Router: 68.114.165.1 IPv4 Router Mask Length: 0 I'm also using an MTU of 1480 and a Tunnel TTL of 255. Works great, though I imagine it'll only work for other Charter customers who don't care what prefix they get assigned as Charter uses prefix delegation to make this work. Matt Freitag Network Engineer I Information Technology Michigan Technological University (906) 487-3696 <%28906%29%20487-3696> https://www.mtu.edu/ https://www.it.mtu.edu/ On Sun, Jun 5, 2016 at 5:59 PM, Owen DeLong <owen@delong.com> wrote:

...

On Jun 5, 2016, at 14:18 , Damian Menscher <menscher@gmail.com> wrote:

On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl < baldur.norddahl@gmail.com> wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com :

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

This entire thread confuses me. Are there normal home users who are being blocked from Netflix because their ISP forces them through a HE VPN? Or is this massive thread just about a handful of geeks who think IPv6 is cool and insist they be allowed to use it despite not having it natively? I could certainly understand ISP concerns that they are receiving user complaints because they failed to provide native IPv6 (why not?), but whining that you've managed to create a non-standard network setup doesn't work with some providers seems a bit silly.

Damian

What is non-standard about an HE tunnel? It conforms to the relevant RFCs and is a very common configuration widely deployed to many thousands of locations around the internet.

It’s not that Netflix happens to not work with these tunnels, the problem is that they are taking deliberate active steps to specifically block them.

Most likely, these steps are being taken at the behest of their content providers, but to the best of my knowledge, that is merely speculation so far as I don’t believe Netflix themselves have confirmed this. (It’s not unlikely that they are unable to do so due to those same content providers likely insisting on these requirements being considered proprietary information subject to NDA.)

So… I don’t know how many “normal users” use HE tunnels vs. “geeks” or how one would go about defining the difference. I can tell you that there are an awful lot of people using HE tunnels, and based on what I saw while working at HE, I don’t believe they are all geeks. While I would say that geeks are a larger fraction of the HE Tunnel using populace than of the general population, I’m not sure to what extent. Probably a lot less than you think based on the tone of your message.

I think that a provider that has specifically claimed to be an early adopter supporting IPv6 and is now having their support department tell customers to turn off IPv6 altogether is certainly noteworthy and not in a good way.

Further, if that provider is actively taking steps to damage previously working IPv6 network configurations, that is also worthy of substantial negative publicity.

I’m confused as to why you would think otherwise.

Owen

On Jun 5, 2016, at 15:18 , Matt Freitag <mlfreita@mtu.edu> wrote:

While it is damaging negative publicity it also makes sense. HE's tunnel service amounts to a free VPN that happens to provide IPv6. I would love for someone from HE to jump in and explain better how their tunnel works, why it's been blocked by Netflix, and what (if anything) they are doing to mitigate it.

Well… I’m no longer with HE (for about 2 years now), but it’s a pretty basic 6in4 tunnel set up. They have routers around the world and a web site that will automatically configure those routers for requested tunnels. I’m not sure how you came to the conclusion that HE has responsibility or even the ability to explain Netflix’s actions or mitigate them. HE provides a pipeline. That’s it. You send an encapsulated packet to their router, it unwraps it and forwards it on to the IPv6 internet. Similarly, the IPv6 internet sends their router a packet destined for one of your addresses, HE encapsulates the packet and forwards the encapsulated packet off to your designated router.

For my part, I also found that my HE tunnel no longer worked with Netflix because, again, it amounts to a free VPN service. I had to shut it off.

Interestingly, my HE tunnel has no such problem so far. However, I am not using HE address space for my tunnel (which I suspect is the mechanism Netflix is most likely using, most likely they have built a database of common tunnel addresses).

However, I did discover that my ISP Charter Communications runs a 6rd tunnel service for their customers and enabled that on my router instead. Here are the settings I put in my ASUS router, taken off of a Tomato router firmware forum post:

DHCP Option: Disable IPv6 Prefix: 2602:100:: IPv6 Prefix Length: 32 IPv4 Border Router: 68.114.165.1 IPv4 Router Mask Length: 0

I'm also using an MTU of 1480 and a Tunnel TTL of 255.

You probably shouldn’t use such a large TTL. Try 64.

Works great, though I imagine it'll only work for other Charter customers who don't care what prefix they get assigned as Charter uses prefix delegation to make this work.

Pretty common setup. Owen

Matt Freitag Network Engineer I Information Technology Michigan Technological University (906) 487-3696 <tel:%28906%29%20487-3696> https://www.mtu.edu/ <https://www.mtu.edu/> https://www.it.mtu.edu/ <https://www.it.mtu.edu/> On Sun, Jun 5, 2016 at 5:59 PM, Owen DeLong <owen@delong.com <mailto:owen@delong.com>> wrote:

...

On Jun 5, 2016, at 14:18 , Damian Menscher <menscher@gmail.com <mailto:menscher@gmail.com>> wrote:

On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl <baldur.norddahl@gmail.com <mailto:baldur.norddahl@gmail.com>> wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com <mailto:cryptographrix@gmail.com>>:

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net <http://he.net/> tunnels is not killing ipv6. You just need need native ipv6.

This entire thread confuses me. Are there normal home users who are being blocked from Netflix because their ISP forces them through a HE VPN? Or is this massive thread just about a handful of geeks who think IPv6 is cool and insist they be allowed to use it despite not having it natively? I could certainly understand ISP concerns that they are receiving user complaints because they failed to provide native IPv6 (why not?), but whining that you've managed to create a non-standard network setup doesn't work with some providers seems a bit silly.

Damian

What is non-standard about an HE tunnel? It conforms to the relevant RFCs and is a very common configuration widely deployed to many thousands of locations around the internet.

It’s not that Netflix happens to not work with these tunnels, the problem is that they are taking deliberate active steps to specifically block them.

Most likely, these steps are being taken at the behest of their content providers, but to the best of my knowledge, that is merely speculation so far as I don’t believe Netflix themselves have confirmed this. (It’s not unlikely that they are unable to do so due to those same content providers likely insisting on these requirements being considered proprietary information subject to NDA.)

So… I don’t know how many “normal users” use HE tunnels vs. “geeks” or how one would go about defining the difference. I can tell you that there are an awful lot of people using HE tunnels, and based on what I saw while working at HE, I don’t believe they are all geeks. While I would say that geeks are a larger fraction of the HE Tunnel using populace than of the general population, I’m not sure to what extent. Probably a lot less than you think based on the tone of your message.

I think that a provider that has specifically claimed to be an early adopter supporting IPv6 and is now having their support department tell customers to turn off IPv6 altogether is certainly noteworthy and not in a good way.

Further, if that provider is actively taking steps to damage previously working IPv6 network configurations, that is also worthy of substantial negative publicity.

I’m confused as to why you would think otherwise.

Owen

On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong <owen@delong.com> wrote:

...

On Jun 5, 2016, at 14:18 , Damian Menscher <menscher@gmail.com> wrote: On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl < baldur.norddahl@gmail.com> wrote:

...

Den 4. jun. 2016 01.26 skrev "Cryptographrix" <cryptographrix@gmail.com :

...

The information I'm getting from Netflix support now is explicitly

telling

...

me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.

Not allowing he.net tunnels is not killing ipv6. You just need need native ipv6.

This entire thread confuses me. Are there normal home users who are being blocked from Netflix because their ISP forces them through a HE VPN? Or is this massive thread just about a handful of geeks who think IPv6 is cool and insist they be allowed to use it despite not having it natively? I could certainly understand ISP concerns that they are receiving user complaints because they failed to provide native IPv6 (why not?), but whining that you've managed to create a non-standard network setup doesn't work with some providers seems a bit silly.

What is non-standard about an HE tunnel? It conforms to the relevant RFCs and is a very common configuration widely deployed to many thousands of locations around the internet.

What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs. That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects. It’s not that Netflix happens to not work with these tunnels, the problem is

that they are taking deliberate active steps to specifically block them.

[Citation needed] ;) You're taking this as an attack on Hurricane Electric, and by extension on IPv6. But the reality is that Netflix has presumably identified HE tunnel broker as a frequent source of VPN connections that violate their ToS, and they are blocking it as they would any other widescale abuse. The impact to their userbase is miniscule -- as noted above, normal users won't be affected, and those who are have the trivial workaround of disabling tunnelbroker for Netflix-bound connections. (I agree Netflix could helpfully 302 such users to ipv4.netflix.com instead, but it's already such a small problem I doubt that's a priority for them. And it probably wouldn't reduce the hype here anyway.) As a side note, this is a common meme: recently Tor claimed CloudFlare is anti-privacy for requiring captchas for their users. The reality is much more mundane -- service providers need to protect their own networks, and Tor traffic is (according to CloudFlare [ https://blog.cloudflare.com/the-trouble-with-tor/]) 94% abuse. I suggest you focus your efforts on bringing native IPv6 to the masses, not criticizing service providers for defending themselves against abuse, just because that abuse happens to be over a network (HE tunnel broker; Tor; etc) you support. Netflix isn't hurting IPv6 adoption in any real way, but the (incorrect!) claim that IPv6 doesn't work with Netflix will (if this thread is picked up by the press). Damian

On 6/5/16, 7:11 PM, "NANOG on behalf of Christopher Morrow" <nanog-bounces@nanog.org on behalf of morrowc.lists@gmail.com> wrote:

I dislike the IP folks as much as anyone, but :( flix has to make a good-faith-effort or they'll lose content sources, I suspect.

Perhaps so. And now that they are an original content creator as well, and making large investments to do so, that may also be a factor as they work to maximize distribution revenues. Jason

On 2016-06-05 22:48, Damian Menscher wrote:

What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs.

That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects.

Damian, If we were talking about some device that is outputting incorrect packets and they are failing to work with Netflix I would agree with you, but in this case the packets are standard and everything works fine. Netflix went out of their way to try to find a way to make it not work. The users and geeks aren't just breaking stuff and expecting others to work around their broken setup, but this is actually what Netflix is doing. All Netflix can look at is the content of the packet and so they're using the source address to discriminate. It is true that some users might be able to work around it if they can get on an ISP that gives them an allowed address, but that isn't a good solution for an open internet. There are a lot of non technical Netflix users who are being told to turn off IPv6, switch ISPs, get a new VPN, etc. because Netflix has a broken system. Those users don't care what IPv6 is, they just learn that it's bad because it breaks Netflix. Most users have no way to change these things and they just aren't going to be able to use Netflix anymore. That's a very selfish way to operate, a huge step backwards, and it's a kick in the balls to everyone who works to make technological progress on the internet. The simple truth is that Netflix is trying to figure out where people are located, but this is not possible to do reliably with current internet technology. Instead they did something that is unreliable, and many customers become collateral damage through no fault of their own. All the breakage is on the Netflix side. -Laszlo

In message <CA+HzidShNFqabKN9nnNBVzKakw-gMqY27UW5X6YSG4PDUZuzCQ@mail.gmail.com> , Spencer Ryan writes:

I'm unaware of any US based user who gets native dual stack from their ISP having issues. Netflix is blocking anonymous VPNs based on their content providers requests. HE'S tunnel broker is effectively that.

No. The addresses can be tied back to the individual that created the tunnel which is exactly like tying back the addresses to the person that ordered the cable or dsl service. The HE addresses are no more anonymous than that. The difference is that HE don't have large geo located pools of addresses covering lots of users. Instead each allocated prefix needs to be individually geopip located. My HE /48 is registered with at least one geoip service as they provided tools (a phone app) which allow me to update their database based on the GPS data. Additionally there is no requirement for any ISP to allocate addresses in geoip blocks. Mark

On Jun 5, 2016 7:34 PM, "Laszlo Hanyecz" <laszlo@heliacal.net> wrote:

...

On 2016-06-05 22:48, Damian Menscher wrote:

...

What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs.

That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects.

Damian,

If we were talking about some device that is outputting incorrect packets and they are failing to work with Netflix I would agree with you, but in this case the packets are standard and everything works fine. Netflix went out of their way to try to find a way to make it not work. The users and geeks aren't just breaking stuff and expecting others to work around their broken setup, but this is actually what Netflix is doing. All Netflix can look at is the content of the packet and so they're using the source address to discriminate. It is true that some users might be able to work around it if they can get on an ISP that gives them an allowed address, but that isn't a good solution for an open internet.

There are a lot of non technical Netflix users who are being told to turn off IPv6, switch ISPs, get a new VPN, etc. because Netflix has a broken system. Those users don't care what IPv6 is, they just learn that it's bad because it breaks Netflix. Most users have no way to change these things and they just aren't going to be able to use Netflix anymore. That's a very selfish way to operate, a huge step backwards, and it's a kick in the balls to everyone who works to make technological progress on the internet. The simple truth is that Netflix is trying to figure out where people are located, but this is not possible to do reliably with current internet technology. Instead they did something that is unreliable, and many customers become collateral damage through no fault of their own. All the breakage is on the Netflix side.

-Laszlo

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

On Sun, Jun 5, 2016, at 18:45, Damian Menscher wrote:

Another question: what benefit does one get from having a HE tunnel broker connection? Is it just geek points, or is there a practical benefit too?

I can access all my equipment at home remotely without having to resort to Port Address Translation. I only have one static IPv4 and I run a lot of services. -- Mark Felder feld@feld.me

In message <CAOZq8-joaUUnpQJJJzXLK=gFhRY6W9mQzw_WX9hwRAYmJtdeYw@mail.gmail.com> , Damian Menscher writes:

Another question: what benefit does one get from having a HE tunnel broker connection? Is it just geek points, or is there a practical benefit too?

I used it to provide a IPv6 connection at home because I develop network software from home and I need to know that it will work over both IPv4 and IPv6. Others use HE tunnels to be able to reach individual machines from outside as the IPv4 NAT prevents it. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

On Sun, Jun 5, 2016 at 8:15 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:

For P2P stuff it's a way to get around NAT - you can get inbound torrent connections or host a shooting game match on your desktop behind the NAT router.

​but to be fair, stun/ice/upnp has made all that work for 'years'...​

On 6/Jun/16 01:45, Damian Menscher wrote:

Who are these non-technical Netflix users who accidentally stumbled into having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

There are several networks around the world that rely on 6-in-4 because their local provider does not offer IPv6. Mark.

Netflix IS acting in their user's best interest. In order to provide content that the user's want, the content providers have mandated that they do their due diligence to block out of region users including VPN and open tunnel access. As Hulu and Amazon prime become more popular and their contracts with the content provides come due, they will have to also. You can argue about the content provides business model all you want, but Netflix has to do what they are doing. They aren't blocking IPv6 users, they are blocking users that are using VPNs and/or tunnels since their currently is no practical way of providing GEOIP information about that users that the content providers require. ---- Matthew Huff             | 1 Manhattanville Rd Director of Operations   | Purchase, NY 10577 OTA Management LLC       | Phone: 914-460-4039 aim: matthewbhuff        | Fax:   914-694-5669

-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Morizot Sent: Monday, June 6, 2016 10:50 AM To: Mark Tinka <mark.tinka@seacom.mu> Cc: NANOG list <nanog@nanog.org> Subject: Re: Netflix VPN detection - actual engineer needed

I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix is their Marvel original series. And I can live with that. I can't live without my IPv6 enabled home network and Internet connection since that's an essential part of my job. (I'm the IPv6 transition technical lead for a large organization.) While I actually manage my home internet gateway through a linux server and have fine-grained control over the firewall rules, I'm still debating whether I care enough about a handful of series to continue paying a company that is deliberately acting against its users' interests. Right now I'm leaning toward no. But I'll discuss it with my wife before making a final decision.

Scott

On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:

...

On 6/Jun/16 01:45, Damian Menscher wrote:

...

Who are these non-technical Netflix users who accidentally stumbled

into

...

...

having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

There are several networks around the world that rely on 6-in-4 because their local provider does not offer IPv6.

Mark.

The whois information on the HE IPv6 address, does give the location. At least, it does on mine. On Mon, 6 Jun 2016 11:03:16 -0400 Spencer Ryan <sryan@arbor.net> wrote:

As an addendum to this and what someone said earlier about the tunnels not being anonymous: From Netflix's perspective they are. Yes HE knows who controls which tunnel, but if Netflix went to HE and said "Tell me what user has xxxxx/48" HE would say "No". Thus, making them an effective anonymous VPN service from Netflix's perspective.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Mon, Jun 6, 2016 at 10:59 AM, Matthew Huff <mhuff@ox.com> wrote:

...

Netflix IS acting in their user's best interest. In order to provide content that the user's want, the content providers have mandated that they do their due diligence to block out of region users including VPN and open tunnel access. As Hulu and Amazon prime become more popular and their contracts with the content provides come due, they will have to also.

You can argue about the content provides business model all you want, but Netflix has to do what they are doing. They aren't blocking IPv6 users, they are blocking users that are using VPNs and/or tunnels since their currently is no practical way of providing GEOIP information about that users that the content providers require.

---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669

...

-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Morizot Sent: Monday, June 6, 2016 10:50 AM To: Mark Tinka <mark.tinka@seacom.mu> Cc: NANOG list <nanog@nanog.org> Subject: Re: Netflix VPN detection - actual engineer needed

I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix is their Marvel original series. And I can live with that. I can't live without my IPv6 enabled home network and Internet connection since that's an essential part of my job. (I'm the IPv6 transition technical lead for a large organization.) While I actually manage my home internet gateway through a linux server and have fine-grained control over the firewall rules, I'm still debating whether I care enough about a handful of series to continue paying a company that is deliberately acting against its users' interests. Right now I'm leaning toward no. But I'll discuss it with my wife before making a final decision.

Scott

On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:

...

On 6/Jun/16 01:45, Damian Menscher wrote:

...

Who are these non-technical Netflix users who accidentally stumbled

into

...

...

having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

There are several networks around the world that rely on 6-in-4 because their local provider does not offer IPv6.

Mark.

On Mon, 06 Jun 2016 11:08:13 -0400, John Peach <john-nanog@peachfamily.net> wrote:

The whois information on the HE IPv6 address, does give the location. At least, it does on mine.

It lists the location of the user's registration -- which could very well be a lie as they do nothing at all to verify it. AND that has zero correlation with where the tunnel actually goes. There in is the problem... your tunnel isn't nailed to a physical line ["T1"], or a physical device ["cablemodem"]; it's loosely pinned to an IPv4 address. An address that can change in an instance. An address that can literally be any where.

On 2016-06-06 15:21, Tore Anderson wrote:

But Netflix shouldn't have any need to ask in the first place. Their customers need to log in to their own personal accounts in order to access any content, when they do Netflix can discover their addresses.

Tore

Hey there's an idea, how about they ASK the users where they are located, instead of telling them where they are located. Presumably a user will have a new billing address when they move to a new place. That ought to be a lot more accurate than lookup based on a static map of number -> location. I don't think this is too crazy of an idea.. my car insurance company asks me what zip code I keep my cars in. Netflix could ask people what zip code they watch video from. -Laszlo

On 6 June 2016 at 19:40, Owen DeLong <owen@delong.com> wrote:

The problem is that some users travel and they try to watch Netflix using their home account in far away lands.

Interestingly, audible.com (the audio book people) actually warn you about this up front - they point out on their site that many titles may not be available in foreign countries and therefore you should download your audiobooks before you leave your home country. In other words, it's not just Netflix that has this problem... -- Harald

Holy fuck get on your meds. As someone who actually has to deal with 3 different (4 technically) content providers, their distribution agreements and requirements for distribution allll the way through the network are absolutely asinine, but required if you want your eyeballs to receive their content. Trying to work out an actual streaming deal with them was an absolute nightmare. I can't imagine the legal and contractual obligations to event get the content, let alone distribute it in the method they have. What they are doing with content is groundbreaking considering the sources of their content, and it is a huge thorn in the side of advertising companies to say the least. I know wild speculation is what the internet does best (and the less factual information the better), but this thread has gone way off the rails for what NANOG is supposed to discuss. This is a contractual and political issue, not so much a technical one. I'm going to "mute" this thread on my end, as it's gone beyond an actual useful technical discussion and has regressed into some emotional rantfest. I would suggest the rest of NANOG do the same. ... Does anyone have any scotch left? On Jun 6, 2016 8:55 PM, "Lyndon Nerenberg" <lyndon@orthanc.ca> wrote:

...

In other words, it's not just Netflix that has this problem...

No, it's Netflix that has the problem. Audible actually gives a fuck about their customers.

On Jun 6, 2016, at 6:44 PM, Harald Koch <chk@pobox.com> wrote:

On 6 June 2016 at 19:40, Owen DeLong <owen@delong.com> wrote:

...

The problem is that some users travel and they try to watch Netflix using their home account in far away lands.

Interestingly, audible.com (the audio book people) actually warn you about this up front - they point out on their site that many titles may not be available in foreign countries and therefore you should download your audiobooks before you leave your home country.

In other words, it's not just Netflix that has this problem…

Yes and no… Audible at least let’s you download them before you leave. Netflix, not so much… Owen

-- Harald

Nonsense. That is hardly their only option as many others have pointed out. It's a deliberate and technically lazy choice to block 6in4 tunnels. Those are not even vaguely the same thing as a VPN. They've decided to break normal IPv6 support and do so in a way that does not even fall back to IPv4. They deserve all the bad publicity that comes with such a anti-customer decision and the blame for their implementation choices cannot be passed back to the content providers. Scott On Mon, Jun 6, 2016 at 9:59 AM, Matthew Huff <mhuff@ox.com> wrote:

Netflix IS acting in their user's best interest. In order to provide content that the user's want, the content providers have mandated that they do their due diligence to block out of region users including VPN and open tunnel access. As Hulu and Amazon prime become more popular and their contracts with the content provides come due, they will have to also.

You can argue about the content provides business model all you want, but Netflix has to do what they are doing. They aren't blocking IPv6 users, they are blocking users that are using VPNs and/or tunnels since their currently is no practical way of providing GEOIP information about that users that the content providers require.

---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669

...

-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Morizot Sent: Monday, June 6, 2016 10:50 AM To: Mark Tinka <mark.tinka@seacom.mu> Cc: NANOG list <nanog@nanog.org> Subject: Re: Netflix VPN detection - actual engineer needed

I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix is their Marvel original series. And I can live with that. I can't live without my IPv6 enabled home network and Internet connection since that's an essential part of my job. (I'm the IPv6 transition technical lead for a large organization.) While I actually manage my home internet gateway through a linux server and have fine-grained control over the firewall rules, I'm still debating whether I care enough about a handful of series to continue paying a company that is deliberately acting against its users' interests. Right now I'm leaning toward no. But I'll discuss it with my wife before making a final decision.

Scott

On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:

...

On 6/Jun/16 01:45, Damian Menscher wrote:

...

Who are these non-technical Netflix users who accidentally stumbled

into

...

...

having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

There are several networks around the world that rely on 6-in-4 because their local provider does not offer IPv6.

Mark.

They deserve all the bad publicity that comes with such a anti-customer decision and the blame for their implementation choices cannot be passed back to the content providers.

Content Providers: Block VPN and tunnel services. Netflix: That really isn't the best way of doing this Content Providers: I don't care, do it or we pull our content. Someone here from BBC effectively said the exact same thing. Netflix has no where near enough original content to have their providers all pull out. *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com On Mon, Jun 6, 2016 at 11:03 AM, Scott Morizot <tmorizot@gmail.com> wrote:

Nonsense. That is hardly their only option as many others have pointed out. It's a deliberate and technically lazy choice to block 6in4 tunnels. Those are not even vaguely the same thing as a VPN. They've decided to break normal IPv6 support and do so in a way that does not even fall back to IPv4. They deserve all the bad publicity that comes with such a anti-customer decision and the blame for their implementation choices cannot be passed back to the content providers.

Scott

On Mon, Jun 6, 2016 at 9:59 AM, Matthew Huff <mhuff@ox.com> wrote:

...

Netflix IS acting in their user's best interest. In order to provide content that the user's want, the content providers have mandated that they do their due diligence to block out of region users including VPN and open tunnel access. As Hulu and Amazon prime become more popular and their contracts with the content provides come due, they will have to also.

You can argue about the content provides business model all you want, but Netflix has to do what they are doing. They aren't blocking IPv6 users, they are blocking users that are using VPNs and/or tunnels since their currently is no practical way of providing GEOIP information about that users that the content providers require.

---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669

...

-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Morizot Sent: Monday, June 6, 2016 10:50 AM To: Mark Tinka <mark.tinka@seacom.mu> Cc: NANOG list <nanog@nanog.org> Subject: Re: Netflix VPN detection - actual engineer needed

I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix is their Marvel original series. And I can live with that. I can't live without my IPv6 enabled home network and Internet connection since that's an essential part of my job. (I'm the IPv6 transition technical lead for a large organization.) While I actually manage my home internet gateway through a linux server and have fine-grained control over the firewall rules, I'm still debating whether I care enough about a handful of series to continue paying a company that is deliberately acting against its users' interests. Right now I'm leaning toward no. But I'll discuss it with my wife before making a final decision.

Scott

On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:

...

On 6/Jun/16 01:45, Damian Menscher wrote:

...

Who are these non-technical Netflix users who accidentally stumbled

into

...

...

having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

There are several networks around the world that rely on 6-in-4 because their local provider does not offer IPv6.

Mark.

While I think this may well be the reason for Netflix’s actions, do you have any evidence to back up this claim? Actual evidence vs. just a very good educated guess and speculation could prove very useful in this circumstance. Owen

On Jun 6, 2016, at 7:59 AM, Matthew Huff <mhuff@ox.com> wrote:

Netflix IS acting in their user's best interest. In order to provide content that the user's want, the content providers have mandated that they do their due diligence to block out of region users including VPN and open tunnel access. As Hulu and Amazon prime become more popular and their contracts with the content provides come due, they will have to also.

You can argue about the content provides business model all you want, but Netflix has to do what they are doing. They aren't blocking IPv6 users, they are blocking users that are using VPNs and/or tunnels since their currently is no practical way of providing GEOIP information about that users that the content providers require.

---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669

...

-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Morizot Sent: Monday, June 6, 2016 10:50 AM To: Mark Tinka <mark.tinka@seacom.mu> Cc: NANOG list <nanog@nanog.org> Subject: Re: Netflix VPN detection - actual engineer needed

I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix is their Marvel original series. And I can live with that. I can't live without my IPv6 enabled home network and Internet connection since that's an essential part of my job. (I'm the IPv6 transition technical lead for a large organization.) While I actually manage my home internet gateway through a linux server and have fine-grained control over the firewall rules, I'm still debating whether I care enough about a handful of series to continue paying a company that is deliberately acting against its users' interests. Right now I'm leaning toward no. But I'll discuss it with my wife before making a final decision.

Scott

On Mon, Jun 6, 2016 at 8:03 AM, Mark Tinka <mark.tinka@seacom.mu> wrote:

...

On 6/Jun/16 01:45, Damian Menscher wrote:

...

Who are these non-technical Netflix users who accidentally stumbled

into

...

...

having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

There are several networks around the world that rely on 6-in-4 because their local provider does not offer IPv6.

Mark.

On Jun 5, 2016, at 16:45 , Damian Menscher <menscher@gmail.com> wrote:

On Sun, Jun 5, 2016 at 4:33 PM, Laszlo Hanyecz <laszlo@heliacal.net <mailto:laszlo@heliacal.net>> wrote:

...

On 2016-06-05 22:48, Damian Menscher wrote:

...

What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs.

That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects.

There are a lot of non technical Netflix users who are being told to turn off IPv6, switch ISPs, get a new VPN, etc. because Netflix has a broken system. Those users don't care what IPv6 is, they just learn that it's bad because it breaks Netflix. Most users have no way to change these things and they just aren't going to be able to use Netflix anymore.

Who are these non-technical Netflix users who accidentally stumbled into having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only thing I can imagine is if ISPs are using HE as a form of CGN.

I don’t know if it ever actually happened or not, but I do know that there were router vendors considering implementing automated Tunnel-broker IPv6 connectivity in instances where native IPv6 was unavailable. All of the API hooks necessary to do so are available in Tunnel Broker. So, it is quite possible that this has happened or will happen in the future.

Another question: what benefit does one get from having a HE tunnel broker connection? Is it just geek points, or is there a practical benefit too?

One can reach IPv6-only content which while a tiny fraction of content today will, by definition be a growing fraction of content in the future. Owen

On Sun, 05 Jun 2016 19:35:27 -0400, Mark Andrews <marka@isc.org> wrote:

It is a attack on HE. HE also provides stable user -> address mappings so you can do fine grained geo location based on HE IPv6 addresses.

They may be "fine grained", but they are still lies. One's tunnel can be terminated from *anywhere*, at *anytime*. HE doesn't publish the IPv4 address of the tunnel endpoint, nor do they update any public facing registry w.r.t. the "address" of that IPv4 address. (which is 99% voodoo as well.)

Also despite what the content cartel say using a VPN to bypass georestrictions to get movies is not illegal, nor is it "piracy". Individuals are allowed to import content from other countries. It is commercial importing that is banned.

While the end user may not be violating any law (other than their "contract" with Netflix), Netflix certainly is. They signed a contract that says they cannot send X to Romania / X is only allowed in the USA. In the end, they are allowing content to go where they agreed to not send it. They are legally required to do something about that. (or at least, *look* like they are.) Netflix (and their licensees) know people are using HE tunnels to get around region restrictions. Their hands are tied; they have to show they're doing something to limit this. All you can tell about a HE tunnel is the tunnel broker server that's hosting it. (it's in the hostname -- eg. ash1) Beyond that, you have absolutely no idea where in the universe the other end actually is. Plus, it can move in an instant... one DDNS update, and it's somewhere else. --Ricky

On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka@isc.org> wrote:

What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location.

The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They know my IPv4 endpoint address, but that doesn't give them a concrete street address -- they're guessing in exactly the same way everyone else does. And more to the point, HE doesn't share that information with anyone. (whois is populated with your account information. they don't ask where your tunnels are going.)

Are they legally required to go to this level?

Possibly, but Netflix isn't going to push this. Win or Lose, they still lose distribution rights.

...

Netflix (and their licensees) know people are using HE tunnels to get around region restrictions. Their hands are tied; they have to show they're doing something to limit this.

No, they do not know. The purpose of HE tunnels is to get IPv6 service. The fact that the endpoints are in different countries some of the time is incidental to that.

YES. THEY. DO. There have been entire COMPANIES doing this. (which is likely what sparked this level of response.) Neither HE nor Netflix are naming names, but a short walk through the more colorful parts of the internet should be enlightening.

Garbage. You have to establish the tunnel which requires registering a account. It also requires a machine at the other end. Virtual or physical they don't move around the world in a DDNS update. The addresses associated with a tunnel don't change for the life of that tunnel.

True. 'tho, you can list any nonsense address you want. They do nothing to validate it. (Use my favorite BS address: Independence MT -- pop: zero. It's a dirt road across a mountain in the middle of absolutely nowhere. Google it!) The tunnel endpoint (your IPv4 address) is known only to HE, and not exposed to ANYONE. That's not going to EVER change. Once your tunnel has been setup, that address ("Client IPv4 Address") is not set in stone. People have dynamic addresses, and HE recognizes this, so there are numerous methods to change the tunnel endpoint address. (tunnel configuration page, update through an http(s) request, etc.) THUS, a tunnel can move; it can be terminated anywhere, at anytime. Not only can one update the endpoint to a different address on the same box, but to a completely different box entirely. Furthermore, one account can have several tunnels through different servers that present addresses from different regions. Where I appear to be in the world, thus, depends on which tunnel I have enabled. (and in which countries HE has prefixes, which currently appears to be 4)

The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location. *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.trosper@gmail.com> wrote:

It should be pointed out that -- the SPECIFIC accusation from Netflix -- is that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out. Hash tag just saying.

</soapbox>

On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam@gmail.com> wrote:

...

On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka@isc.org> wrote:

...

What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location.

The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They know my IPv4 endpoint address, but that doesn't give them a concrete street address -- they're guessing in exactly the same way everyone else does. And more to the point, HE doesn't share that information with anyone. (whois is populated with your account information. they don't ask where your tunnels are going.)

Are they legally required to go to this level?

...

Possibly, but Netflix isn't going to push this. Win or Lose, they still lose distribution rights.

Netflix (and their licensees) know people are using HE tunnels to get

...

...

around region restrictions. Their hands are tied; they have to show they're doing something to limit this.

No, they do not know. The purpose of HE tunnels is to get IPv6 service. The fact that the endpoints are in different countries some of the time is incidental to that.

YES. THEY. DO. There have been entire COMPANIES doing this. (which is likely what sparked this level of response.) Neither HE nor Netflix are naming names, but a short walk through the more colorful parts of the internet should be enlightening.

Garbage. You have to establish the tunnel which requires registering

...

a account. It also requires a machine at the other end. Virtual or physical they don't move around the world in a DDNS update. The addresses associated with a tunnel don't change for the life of that tunnel.

True. 'tho, you can list any nonsense address you want. They do nothing to validate it. (Use my favorite BS address: Independence MT -- pop: zero. It's a dirt road across a mountain in the middle of absolutely nowhere. Google it!)

The tunnel endpoint (your IPv4 address) is known only to HE, and not exposed to ANYONE. That's not going to EVER change. Once your tunnel has been setup, that address ("Client IPv4 Address") is not set in stone. People have dynamic addresses, and HE recognizes this, so there are numerous methods to change the tunnel endpoint address. (tunnel configuration page, update through an http(s) request, etc.) THUS, a tunnel can move; it can be terminated anywhere, at anytime. Not only can one update the endpoint to a different address on the same box, but to a completely different box entirely.

Furthermore, one account can have several tunnels through different servers that present addresses from different regions. Where I appear to be in the world, thus, depends on which tunnel I have enabled. (and in which countries HE has prefixes, which currently appears to be 4)

I’m sorry to say, Blair, that there are, in fact, many who do use HE tunnels for Geo Fence evasion. Sure, it doesn’t represent even a significant fraction of tunnel users, but they exist and they’ve been vocal, thus spoiling it for the rest of us. Owen

On Jun 6, 2016, at 8:27 PM, Blair Trosper <blair.trosper@gmail.com> wrote:

Right, but I think we know what Netflix is implying when they say "proxy unblocker" or "VPN" -- they mean people are deliberately going around GeoIP. In this case, I don't know anyone who uses TunnelBroker that way. They're using it for V6. That is to say, everyone I know with this issue could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning they're already in the US (or $region) -- and the IPv6 detection on the CDN/web is what's wrong.

I think I will go further here and say that the message sort if implies the user is acting in bad faith, which may raise some animosity towards Netflix.

On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan <sryan@arbor.net> wrote:

...

The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.trosper@gmail.com> wrote:

...

It should be pointed out that -- the SPECIFIC accusation from Netflix -- is that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out. Hash tag just saying.

</soapbox>

On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam@gmail.com> wrote:

...

On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka@isc.org> wrote:

...

What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location.

The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They know my IPv4 endpoint address, but that doesn't give them a concrete street address -- they're guessing in exactly the same way everyone else does. And more to the point, HE doesn't share that information with anyone. (whois is populated with your account information. they don't ask where your tunnels are going.)

Are they legally required to go to this level?

...

Possibly, but Netflix isn't going to push this. Win or Lose, they still lose distribution rights.

Netflix (and their licensees) know people are using HE tunnels to get

...

...

around region restrictions. Their hands are tied; they have to show they're doing something to limit this.

No, they do not know. The purpose of HE tunnels is to get IPv6 service. The fact that the endpoints are in different countries some of the time is incidental to that.

YES. THEY. DO. There have been entire COMPANIES doing this. (which is likely what sparked this level of response.) Neither HE nor Netflix are naming names, but a short walk through the more colorful parts of the internet should be enlightening.

Garbage. You have to establish the tunnel which requires registering

...

a account. It also requires a machine at the other end. Virtual or physical they don't move around the world in a DDNS update. The addresses associated with a tunnel don't change for the life of that tunnel.

True. 'tho, you can list any nonsense address you want. They do nothing to validate it. (Use my favorite BS address: Independence MT -- pop: zero. It's a dirt road across a mountain in the middle of absolutely nowhere. Google it!)

The tunnel endpoint (your IPv4 address) is known only to HE, and not exposed to ANYONE. That's not going to EVER change. Once your tunnel has been setup, that address ("Client IPv4 Address") is not set in stone. People have dynamic addresses, and HE recognizes this, so there are numerous methods to change the tunnel endpoint address. (tunnel configuration page, update through an http(s) request, etc.) THUS, a tunnel can move; it can be terminated anywhere, at anytime. Not only can one update the endpoint to a different address on the same box, but to a completely different box entirely.

Furthermore, one account can have several tunnels through different servers that present addresses from different regions. Where I appear to be in the world, thus, depends on which tunnel I have enabled. (and in which countries HE has prefixes, which currently appears to be 4)

I believe there are a lot more than 4. Owen

On Jun 6, 2016, at 8:25 PM, Spencer Ryan <sryan@arbor.net> wrote:

The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com

On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.trosper@gmail.com> wrote:

...

It should be pointed out that -- the SPECIFIC accusation from Netflix -- is that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out. Hash tag just saying.

</soapbox>

On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfbeam@gmail.com> wrote:

...

On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <marka@isc.org> wrote:

...

What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location.

The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They know my IPv4 endpoint address, but that doesn't give them a concrete street address -- they're guessing in exactly the same way everyone else does. And more to the point, HE doesn't share that information with anyone. (whois is populated with your account information. they don't ask where your tunnels are going.)

Are they legally required to go to this level?

...

Possibly, but Netflix isn't going to push this. Win or Lose, they still lose distribution rights.

Netflix (and their licensees) know people are using HE tunnels to get

...

...

around region restrictions. Their hands are tied; they have to show they're doing something to limit this.

No, they do not know. The purpose of HE tunnels is to get IPv6 service. The fact that the endpoints are in different countries some of the time is incidental to that.

YES. THEY. DO. There have been entire COMPANIES doing this. (which is likely what sparked this level of response.) Neither HE nor Netflix are naming names, but a short walk through the more colorful parts of the internet should be enlightening.

Garbage. You have to establish the tunnel which requires registering

...

a account. It also requires a machine at the other end. Virtual or physical they don't move around the world in a DDNS update. The addresses associated with a tunnel don't change for the life of that tunnel.

True. 'tho, you can list any nonsense address you want. They do nothing to validate it. (Use my favorite BS address: Independence MT -- pop: zero. It's a dirt road across a mountain in the middle of absolutely nowhere. Google it!)

The tunnel endpoint (your IPv4 address) is known only to HE, and not exposed to ANYONE. That's not going to EVER change. Once your tunnel has been setup, that address ("Client IPv4 Address") is not set in stone. People have dynamic addresses, and HE recognizes this, so there are numerous methods to change the tunnel endpoint address. (tunnel configuration page, update through an http(s) request, etc.) THUS, a tunnel can move; it can be terminated anywhere, at anytime. Not only can one update the endpoint to a different address on the same box, but to a completely different box entirely.

Furthermore, one account can have several tunnels through different servers that present addresses from different regions. Where I appear to be in the world, thus, depends on which tunnel I have enabled. (and in which countries HE has prefixes, which currently appears to be 4)

As I said to Netflix's tech support - if they advocate for people to turn off IPv6 on their end, maybe Netflix should stop supporting it on their end. It's in the air whether it's just an HE tunnel issue or an IPv6 issue at the moment, and if their tech support is telling people to turn off IPv6, maybe they should just instead remove their AAAA records. (or fail back to ipv4 when v6 looks like a tunnel) On Tue, Jun 7, 2016 at 9:22 AM Mark Felder <feld@feld.me> wrote:

...

On Jun 6, 2016, at 22:25, Spencer Ryan <sryan@arbor.net> wrote:

The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.

Perhaps Netflix should automatically block any connection that's not from a known residential ISP or mobile ISP as anything else could be a server someone is proxying through. It's very easy to get these subnets -- the spam filtering folks have these subnets well documented. /s

-- Mark Felder feld@feld.me

On 6/7/16 6:55 AM, Cryptographrix wrote:

As I said to Netflix's tech support - if they advocate for people to turn off IPv6 on their end, maybe Netflix should stop supporting it on their end.

It's in the air whether it's just an HE tunnel issue or an IPv6 issue at the moment, and if their tech support is telling people to turn off IPv6, maybe they should just instead remove their AAAA records.

it clearly works with prefixes delegated from other isps. ... http://i.imgur.com/sJUM7tn.png

(or fail back to ipv4 when v6 looks like a tunnel)

On Tue, Jun 7, 2016 at 9:22 AM Mark Felder <feld@feld.me> wrote:

...

...

On Jun 6, 2016, at 22:25, Spencer Ryan <sryan@arbor.net> wrote:

The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.

Perhaps Netflix should automatically block any connection that's not from a known residential ISP or mobile ISP as anything else could be a server someone is proxying through. It's very easy to get these subnets -- the spam filtering folks have these subnets well documented. /s

-- Mark Felder feld@feld.me

Very true - I was being a bit extremist out of frustration, but I think you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6 support, not actually IPv6 support. And I'm quite frustrated because there's so little actual v6 support, and I *do* actually need it on a daily basis for work. Because there's no actual ISP IPv6 support anywhere else (in parts of the US that *have* multiple ISPs), you can't even make the case to your ISP that it's a legitimate requirement for you because they know you're not really going to get v6 elsewhere. On Tue, Jun 7, 2016 at 10:22 AM Ca By <cb.list6@gmail.com> wrote:

On Tuesday, June 7, 2016, Cryptographrix <cryptographrix@gmail.com> wrote:

...

As I said to Netflix's tech support - if they advocate for people to turn off IPv6 on their end, maybe Netflix should stop supporting it on their end.

It's in the air whether it's just an HE tunnel issue or an IPv6 issue at the moment, and if their tech support is telling people to turn off IPv6, maybe they should just instead remove their AAAA records.

(or fail back to ipv4 when v6 looks like a tunnel)

I think you need to reset your expectations of a free tunnel service.

he.net tunnels are a toy for geeks looking to play with v6. In terms of Netflix subcriber base, it is amazing insignificant number of users.

At the end of the day, anonymous tunnels, just like linux, are not supported by Netflix. And, he.net tunnel users are hurting ipv6 overall just like 6to4 by injecting FUD and other nonesense complexity.... For a toy.

Move on to a real issue instead of beating this dead horse.

CB

...

On Tue, Jun 7, 2016 at 9:22 AM Mark Felder <feld@feld.me> wrote:

...

...

On Jun 6, 2016, at 22:25, Spencer Ryan <sryan@arbor.net> wrote:

The tunnelbroker service acts exactly like a VPN. It allows you, from

any

...

...

arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.

Perhaps Netflix should automatically block any connection that's not from a known residential ISP or mobile ISP as anything else could be a server someone is proxying through. It's very easy to get these subnets -- the spam filtering folks have these subnets well documented. /s

-- Mark Felder feld@feld.me

On 07/06/2016 17:00, Ca By wrote:

fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have meaningful deployments of ipv6. The only thing holding back greater deployment for those networks are legacy CPE that will age out slowly.

It is probably totally off topic as this is NANOG but the issue at end affects other continents too. Where I live good providers are few and expensive. The ones I use and I'm otherwise happy with give me no IPv6 connectivity, that's a shame, it's despicable and I don't lose any opportunity to remind them, but still, I have to use something else if I want to "play" with IPv6. This Netlix thing is just an annoyance, granted, I just wanted to point out that not everyone has a clear way out of this. Ciao, Davide Davini

On 6/8/16 9:13 AM, Owen DeLong wrote:

As of last week, I still wasn’t getting an IPv6 address by default on my iPhone 6S+ on T-Mobile.

turn off mobile hotspot...

Just saying.

Owen

...

On Jun 7, 2016, at 11:00 AM, Ca By <cb.list6@gmail.com> wrote:

On Tuesday, June 7, 2016, Cryptographrix <cryptographrix@gmail.com> wrote:

...

Very true - I was being a bit extremist out of frustration, but I think you're spot on - he.net tunnels and even 6to4 are toys to provide IPv6 support, not actually IPv6 support.

And I'm quite frustrated because there's so little actual v6 support, and I *do* actually need it on a daily basis for work.

Because there's no actual ISP IPv6 support anywhere else (in parts of the US that *have* multiple ISPs), you can't even make the case to your ISP that it's a legitimate requirement for you because they know you're not really going to get v6 elsewhere.

I think we have different definitions of "no actual isp ipv6 support"

Again, a helpful akamai blog https://blogs.akamai.com/2016/06/four-years-since-world-ipv6-launch-entering...

fixed line: Comcast, AT&T, TWC, just to name the largest in the nation have meaningful deployments of ipv6. The only thing holding back greater deployment for those networks are legacy CPE that will age out slowly.

All 4 of the national mobile operator have ipv6 default on for most new phone models.

Yes, many gaps to fill still. But, on "my network" with shy of 70 million users, everything has ipv6 except the iPhone, and that will change RSN. And for users with v6, the majority of their traffic is ipv6 e2e since the whales (google, fb, netflix, increasingly Akamai) are dual stack.

CB

...

On Tue, Jun 7, 2016 at 10:22 AM Ca By <cb.list6@gmail.com <javascript:_e(%7B%7D,'cvml','cb.list6@gmail.com');>> wrote:

...

On Tuesday, June 7, 2016, Cryptographrix <cryptographrix@gmail.com <javascript:_e(%7B%7D,'cvml','cryptographrix@gmail.com');>> wrote:

...

As I said to Netflix's tech support - if they advocate for people to turn off IPv6 on their end, maybe Netflix should stop supporting it on their end.

It's in the air whether it's just an HE tunnel issue or an IPv6 issue at the moment, and if their tech support is telling people to turn off IPv6, maybe they should just instead remove their AAAA records.

(or fail back to ipv4 when v6 looks like a tunnel)

I think you need to reset your expectations of a free tunnel service.

he.net tunnels are a toy for geeks looking to play with v6. In terms of Netflix subcriber base, it is amazing insignificant number of users.

At the end of the day, anonymous tunnels, just like linux, are not supported by Netflix. And, he.net tunnel users are hurting ipv6 overall just like 6to4 by injecting FUD and other nonesense complexity.... For a toy.

Move on to a real issue instead of beating this dead horse.

CB

...

On Tue, Jun 7, 2016 at 9:22 AM Mark Felder <feld@feld.me> wrote:

...

> On Jun 6, 2016, at 22:25, Spencer Ryan <sryan@arbor.net> wrote: > > The tunnelbroker service acts exactly like a VPN. It allows you,

...

> arbitrary location in the world with an IPv4 address, to bring

from any traffic

...

out > via one of HE's 4 POP's, while completely masking your actual location. >

Perhaps Netflix should automatically block any connection that's not from a known residential ISP or mobile ISP as anything else could be a server someone is proxying through. It's very easy to get these subnets -- the spam filtering folks have these subnets well documented. /s

-- Mark Felder feld@feld.me

On Jun 7, 2016, at 10:22 AM, Ca By <cb.list6@gmail.com> wrote:

On Tuesday, June 7, 2016, Cryptographrix <cryptographrix@gmail.com> wrote:

...

As I said to Netflix's tech support - if they advocate for people to turn off IPv6 on their end, maybe Netflix should stop supporting it on their end.

It's in the air whether it's just an HE tunnel issue or an IPv6 issue at the moment, and if their tech support is telling people to turn off IPv6, maybe they should just instead remove their AAAA records.

(or fail back to ipv4 when v6 looks like a tunnel)

I think you need to reset your expectations of a free tunnel service.

he.net tunnels are a toy for geeks looking to play with v6. In terms of Netflix subcriber base, it is amazing insignificant number of users.

If it’s so insignificant, why did Netflix go to the effort to implement blocking based on address ranges associated with those tunnels?

At the end of the day, anonymous tunnels, just like linux, are not supported by Netflix. And, he.net tunnel users are hurting ipv6 overall just like 6to4 by injecting FUD and other nonesense complexity.... For a toy.

I disagree. Calling he.net tunnels a toy is absurd. It’s a link, just like any other link, over which IPv6 can be transmitted. You can argue that it’s a lower quality link than some alternatives, but I have to tell you I’ve gotten much more reliable service at higher bandwidth from that link than from my T-Mobile LTE service, so I’d argue that it is a higher quality service than T-Mobile. It’s not the only link I have for my IPv6 packets, in fact, it is one of three links over which my IPv6 packets are able to travel.

Move on to a real issue instead of beating this dead horse.

So we should start beating on unreliable LTE services instead? ;-) Owen

CB

...

On Tue, Jun 7, 2016 at 9:22 AM Mark Felder <feld@feld.me <javascript:;>> wrote:

...

...

On Jun 6, 2016, at 22:25, Spencer Ryan <sryan@arbor.net <javascript:;>>

wrote:

...

...

The tunnelbroker service acts exactly like a VPN. It allows you, from

any

...

arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.

Perhaps Netflix should automatically block any connection that's not from a known residential ISP or mobile ISP as anything else could be a server someone is proxying through. It's very easy to get these subnets -- the spam filtering folks have these subnets well documented. /s

-- Mark Felder feld@feld.me <javascript:;>

On 08/06/2016 18:23, Laszlo Hanyecz wrote:

Well there is one good thing that might come out of this if you're a tunnel user.. the tunnels can have even more bandwidth now, with all the Netflix traffic moving off them. I have no special visibility into how (over)loaded they are, just speculating.

I used HE tunnels since 2009, I don't recall having any bandwidth problem that wasn't related to my local link. I never used super fast physical links either though. 10 Mbit/s, 20Mbit/s, 50/Mbit/s. I hardly had any issue to be perfectly honest with you, of any kind. Ciao, Davide Davini.

On Wed, Jun 8, 2016, at 10:23, Owen DeLong wrote:

Mark,

That would be bad.

At least in my case.

The trailing /s at the end was the sarcasm tag :-) -- Mark Felder feld@feld.me

On 6/Jun/16 00:48, Damian Menscher wrote:

What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody else will have seen the same bugs.

That's exactly what's happening here -- people are setting up IPv6 tunnel broker connections, then complaining that there are unexpected side effects.

In that case, let's shutdown the entire Internet and be done with it. If any network operator here is running their entire network in a "standard" way as described by Damian, then they are doing something wrong. Mark.

What is non-standard about an HE tunnel? It conforms to the relevant RFCs and is a very common configuration widely deployed to many thousands of locations around the internet.

Nothing whatsoever, but so what?

Most likely, these steps are being taken at the behest of their content providers, but to the best of my knowledge, that is merely speculation so far as I don’t believe Netflix themselves have confirmed this. (It’s not unlikely that they are unable to do so due to those same content providers likely insisting on these requirements being considered proprietary information subject to NDA.)

Of course they are. Movie licenses are invariably country specific. R's, John

In message <Pine.LNX.4.61.1606052240290.6833@soloth.lewis.org>, Jon Lewis write s:

On Sun, 5 Jun 2016, Owen DeLong wrote:

...

What is non-standard about an HE tunnel? It conforms to the relevant RFCs a nd is a very common configuration widely deployed to many thousands of locatio ns around the internet.

Itÿÿs not that Netflix happens to not work with these tunnels, the problem is that they are taking deliberate active steps to specifically block them.

It's not a question of standard vs non-standard. If Netflix is blocking HE IPv6 space (tunnel customers), I suspect they're doing so because this is effectively an IPv6 VPN service that masks the end-user's real IP making invalid any IP-based GEO assumptions Netflix would like to make about customer connections in order to satisfy their content licenses.

What's not "real" about the HE allocated IPv6 address? They are more stable that most IPv4 addresses you get from residential ISP's. I've had the oldest of my addresses for 13 years. The /48 is slightly newer but it is stable across IPv4 renumberings. They don't change on power cycle of the modem / router. My IPv4 address changes periodically with no notice with the ISP not even honouring the DHCP lease requiring me to take corrective measures. Just because they are not in a big geoip friendly IP block doesn't make them not "real". They are stable addresses and if Netflix or any other geoip based service did their homework they could workout where the addresses are located. The only reason they don't work is that Netflix is lazy and would rather annoy their customers rather than deliver a paid for service.

...

Soÿÿ I donÿÿt know how many ÿÿnormal usersÿÿ use HE tunnels vs. ÿÿgeeksÿÿ or how one would go about defining the difference. I can tell you that there are an aw ful lot of people using HE tunnels, and based on what I saw while working at HE , I donÿÿt believe they are all geeks. While I would say that geeks are a large r

You have to be at least somewhat of a geek to even care about IPv6 and know that HE provides free IPv6 tunnels for those who can't get it natively from their own ISP. Ideally, HE's v6 tunnel service should become more or less redundant as more service provider networks dual-stack their customers.

---------------------------------------------------------------------- Jon Lewis, MCP :) | I route | therefore you are _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

On 2016-06-05 21:18, Damian Menscher wrote:

This entire thread confuses me. Are there normal home users who are being blocked from Netflix because their ISP forces them through a HE VPN? Or is this massive thread just about a handful of geeks who think IPv6 is cool and insist they be allowed to use it despite not having it natively? I could certainly understand ISP concerns that they are receiving user complaints because they failed to provide native IPv6 (why not?), but whining that you've managed to create a non-standard network setup doesn't work with some providers seems a bit silly.

Damian

I think this thread is specifically about bashing Netflix for blocking HE, but the root of the problem is in trying to use the apparent source address of a packet to determine where a person might be located. In this case Netflix is deliberately trying to fight VPNs and the users understand what's going on. Usually a blocked user can't even load the website they are blocked from, so they can't even complain, unless they happen to notice that works from some other ISP (at home/work perhaps). In these situations people blame the network/ISP and that's the part that ticks off the admins of those networks. Try explaining to a complaining user that it's the website's fault while it works from their friend's connection. For another example, some CDN hosts offer their customers the ability to block requests based on GeoIP country - this is a terrible idea for obvious reasons but that doesn't stop CDNs from offering it, and of course website owners fall for it and enable it. Then what happens is there are a bunch of users who can't access the site at all. It makes no sense because they are not 'bad guys' and they're not from the wrong country, so what gives? Well it's just collateral damage, they can move to a major city and use a major national ISP that's in the database. Maybe they're on a HE tunnel, maybe they're on a new ISP who just got their netblocks.. in the end they are blacklisted and to those users it just looks like the website operator went out of business. How widespread is this problem? For me, the websites of the local public school system and a major local grocery store block based on GeoIP and I can't access them because my numbers aren't in their db. There are city services sites that I can't access without jumping through hoops with proxies or VPNs. I've personally tried to complain to several of these website operators and even after escalations the best I can get is "did you try clearing your cookies". It's not good. -Laszlo