Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
Maybe it's time to use some reverse-psychology and try connecting through a VPN provider? ;-)
Pete
Ps, I hope you succeed in getting an answer from an actual engineer. But if I were a betting man...
On 2/06/2016, at 3:27 pm, Matthew Kaufman <matthew@matthew.at> wrote:
Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
Turns out it has nothing to do with my IPv4 connectivity. Neither of my ISPs has native IPv6 connectivity, so both require tunnels (one of them to HE.net, one to the ISPs own tunnel broker), and both appear to be detected as a non-permitted VPN. As an early IPv6 adopter, I've had IPv6 on all my household devices for years now.
So after having to temporarily turn off IPv6 at my desktop to fix issues with pay.gov (FCC license payments), and issues with various other things, and then remember to turn it back on again... I now have the reason I've been waiting for to turn it off globally for the whole house.
Thanks Netflix for helping move us forward here.
Matthew Kaufman
ps. Would still be helpful if the support techs could tell from the error codes that the denied VPN is an IPv6 tunnel
------ Original Message ------
From: "Matthew Kaufman" <matthew@matthew.at>
To: "NANOG" <nanog@nanog.org>
Sent: 6/1/2016 8:27:00 PM
Subject: Netflix VPN detection - actual engineer needed
Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
There is an epic lesson here. I'm just not sure what it is. :-)
- ferg
On 6/1/2016 8:41 PM, Matthew Kaufman wrote:
Turns out it has nothing to do with my IPv4 connectivity. Neither of my ISPs has native IPv6 connectivity, so both require tunnels (one of them to HE.net, one to the ISPs own tunnel broker), and both appear to be detected as a non-permitted VPN. As an early IPv6 adopter, I've had IPv6 on all my household devices for years now.
So after having to temporarily turn off IPv6 at my desktop to fix issues with pay.gov (FCC license payments), and issues with various other things, and then remember to turn it back on again... I now have the reason I've been waiting for to turn it off globally for the whole house.
Thanks Netflix for helping move us forward here.
Matthew Kaufman
ps. Would still be helpful if the support techs could tell from the error codes that the denied VPN is an IPv6 tunnel
--
Paul Ferguson
ICEBRG.io
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
On 2 Jun 2016, at 10:47, Paul Ferguson wrote:
There is an epic lesson here. I'm just not sure what it is. :-)
That Netflix offering free streaming to everyone over IPv6 (after fixing their VPN detection) would be the most effective way to convince end-users to demand IPv6 service from their ISPs? ;>
-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On 6/1/16 9:23 PM, Roland Dobbins wrote:
On 2 Jun 2016, at 10:47, Paul Ferguson wrote:
There is an epic lesson here. I'm just not sure what it is. :-)
That Netflix offering free streaming to everyone over IPv6 (after fixing their VPN detection) would be the most effective way to convince end-users to demand IPv6 service from their ISPs?
Something (somewhat) similar was tried in 2007. TTBOMK it never got fully implemented.
"The Great IPv6 Experiment"
https://www.nanog.org/mailinglist/mailarchives/old_archive/2007-09/msg00008....
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
On Wed, 01 Jun 2016 23:47:59 -0400, Paul Ferguson <fergdawgster@mykolab.com> wrote:
There is an epic lesson here. I'm just not sure what it is. :-)
- - ferg
On 2016-06-01 11:41 PM, Matthew Kaufman wrote:
Turns out it has nothing to do with my IPv4 connectivity. Neither of my ISPs has native IPv6 connectivity, so both require tunnels (one of them to HE.net, one to the ISPs own tunnel broker), and both appear to be detected as a non-permitted VPN. As an early IPv6 adopter, I've had IPv6 on all my household devices for years now.
So after having to temporarily turn off IPv6 at my desktop to fix issues with pay.gov (FCC license payments), and issues with various other things, and then remember to turn it back on again... I now have the reason I've been waiting for to turn it off globally for the whole house.
Wish I read this thread earlier. Damn. I just went through the whole useless process myself with an ineffectual support rep…
But if the system is telling you that error code, it is a setting on
« the local network, call your ISP, they can assist you on that issue. Oh right. RIGHT. I'm SURE they'll be able to help. »
…and I came to the same conclusion and similar resolution (adding an outbound rule rejecting traffic to 2620:108:700f::/48, causing fallback to IPv4 worked for me).
At least I got the support rep to SAY he opened a ticket.
Wow! It's my chance to be the noisy minority!
M.
--
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine. He adjusts the machine
michael@supermathie.net  | until it behaves properly. With a hammer,
                         | if necessary. - Brian
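What the reports above have in common, as an added example (not code from any poster, and not a description of Netflix's detection): tunneled IPv6 can often be recognised from the source prefix alone, and rejecting one destination prefix makes a dual-stack client fall back to IPv4. The HE.net prefix `2001:470::/32`, the function names and the sample addresses are assumptions made for illustration; only `2620:108:700f::/48` and `198.202.199.254` come from the thread.

```python
import ipaddress

# 2002::/16 (6to4, RFC 3056) and 2001::/32 (Teredo, RFC 4380) are decoded by
# the standard library. The broker prefix below is an assumption: 2001:470::/32
# is taken to be Hurricane Electric's allocation; it is not stated in the thread.
ASSUMED_BROKER_PREFIXES = {
    "HE.net": ipaddress.ip_network("2001:470::/32"),
}

# Destination prefix that the message above reports rejecting outbound.
REJECTED_DESTINATIONS = (ipaddress.ip_network("2620:108:700f::/48"),)


def classify_source(addr):
    """Return (kind, detail) for a source address, judged by its prefix alone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ("ipv4", None)
    if ip.sixtofour is not None:
        # 6to4 embeds the router's public IPv4 address right after 2002::/16.
        return ("6to4", str(ip.sixtofour))
    if ip.teredo is not None:
        # Teredo carries the server address and the bit-inverted client address.
        server, client = ip.teredo
        return ("teredo", f"server={server} client={client}")
    for name, net in ASSUMED_BROKER_PREFIXES.items():
        if ip in net:
            return ("tunnel-broker", name)
    # A prefix match proves a tunnel; the absence of one does not prove native.
    return ("no-tunnel-prefix", None)


def pick_destination(resolved, rejected=REJECTED_DESTINATIONS):
    """Model a dual-stack client: prefer IPv6, skip rejected destinations.

    A REJECT rule makes the connection attempt fail at once, so the client
    moves on to the next address; a silent drop would cost a timeout first.
    Returns the address the client ends up using, or None.
    """
    addrs = [ipaddress.ip_address(a) for a in resolved]
    usable = [a for a in addrs
              if not (a.version == 6 and any(a in net for net in rejected))]
    usable.sort(key=lambda a: a.version, reverse=True)  # stable: IPv6 first
    return str(usable[0]) if usable else None


# Constructed sample source addresses. The 6to4 one embeds 198.202.199.254
# from the first message; the Teredo one uses documentation-style values.
SAMPLE_SOURCES = [
    "2002:c6ca:c7fe::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "2001:470:1f04:abc::2",
    "2001:db8:1::10",
    "198.202.199.254",
]

# Constructed resolver answer: one AAAA inside the rejected /48, one A record.
SAMPLE_RESOLVED = ["2620:108:700f::1", "198.51.100.10"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:40} {classify_source(src)}")
    print("with reject rule   :", pick_destination(SAMPLE_RESOLVED))
    print("without reject rule:", pick_destination(SAMPLE_RESOLVED, rejected=()))
```
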
On Jun 2, 2016, at 6:27 AM, Matthew Kaufman <matthew@matthew.at> wrote:
Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
Matthew, haven’t you told your ISP to stop using the dreaded 198 space? Everyone knows those are magic addresses that belong to NetGear! :-)
-Bill
Have you tried cdnetops@netflix.com ?
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373
On Jun 1, 2016 11:56 PM, "Bill Woodcock" <woody@pch.net> wrote:
> Matthew, haven’t you told your ISP to stop using the dreaded 198 space?
> Everyone knows those are magic addresses that belong to NetGear! :-)
>
> -Bill
Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
--
Sent with Airmail
On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Anyone nice people from Netflix perhaps want to take a crack at this?
On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
--
Sent with Airmail
I would imagine it was done on purpose. The purpose of the Netflix VPN detection was to block users from outside of different regions due to content providers requests. Since HE provides free ipv6 tunnels, it's an easy way to get around the blockage, hence the restriction.
----
Matthew Huff            | 1 Manhattanville Rd
Director of Operations  | Purchase, NY 10577
OTA Management LLC      | Phone: 914-460-4039
aim: matthewbhuff       | Fax: 914-694-5669
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Blair Trosper
Sent: Friday, June 3, 2016 3:11 PM
To: mike.hyde1@gmail.com
Cc: NANOG <nanog@nanog.org>
Subject: Re: Netflix VPN detection - actual engineer needed
Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Anyone nice people from Netflix perhaps want to take a crack at this?
On 2016-06-03 19:37, Matthew Huff wrote:
I would imagine it was done on purpose. The purpose of the Netflix VPN detection was to block users from outside of different regions due to content providers requests. Since HE provides free ipv6 tunnels, it's an easy way to get around the blockage, hence the restriction.
I know this isn't news to anyone on the list but I want to point out that the root of this problem is in trying to attach an Earth location to a network packet. The only good solution we have for this is to ASK the user where they are located.
Netflix has a broken system that is causing a lot of collateral damage because the whole thing is based on the premise that they can determine where the users are by guessing. If you just got your netblock it's probably going to be banned because it's not in their GeoIP database. Maybe if you jump through all the right hoops, in a few months time they will update the database.
Working around it just sends the message that this is an acceptable practice and you will own the problems they caused. This is a widespread problem and not specific to Netflix.
There's also another angle to this in that old IP addresses (that work with Netflix/youtube/whatever) become more valuable and newly registered netblocks (like the ones everyone should be getting for IPv6) are not useful. This might be a good way to keep new ISPs out too, unless they can pay for a well aged IPv4 block so their subscribers can access Netflix and friends.
-Laszlo
It's time for Netflix to offer IPv6 tunnels. That way they can correlate IPv4 and IPv6 addresses. Longest match will result in the correct source address being selected if they do the job correctly.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Actually it's time for Netflix to get out of the network transport business and tell the content providers to get over it or not get carried on Netflix. It used to be that Netflix needed content providers, now I am starting to believe it might be the other way around. Netflix might have to take a page from the satellite guys and start calling them out publicly. i.e. "Netflix will no longer be able to provide you with Warner Bros. content because they are dinosaurs that are worried that someone might be watching in the wrong country. We are pleased to offer you content from producers that are not complete morons...."
As the content producers lose more and more control over the distribution channel they are going to take whatever terms are necessary to get them on Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish. If you are not on any or all of those platforms, you are going to be dead meat. Who would be hurt worse, Netflix or the movie producer that got seen nowhere on their latest film. To me, this is the last gasp of an industry that lost control of its distribution channel years ago and is still trying to impose that control.
Steven Naslund
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Andrews
Sent: Friday, June 03, 2016 4:28 PM
To: Laszlo Hanyecz
Cc: nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed
It's time for Netflix to offer IPv6 tunnels. That way they can correlate IPv4 and IPv6 addresses. Longest match will result in the correct source address being selected if they do the job correctly.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
It might be a few years yet before the new channels have that much power.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Steve Naslund" <SNaslund@medline.com>
To: nanog@nanog.org
Sent: Friday, June 3, 2016 4:51:38 PM
Subject: RE: Netflix VPN detection - actual engineer needed
Actually it's time for Netflix to get out of the network transport business and tell the content providers to get over it or not get carried on Netflix. It used to be that Netflix needed content providers, now I am starting to believe it might be the other way around. Netflix might have to take a page from the satellite guys and start calling them out publicly. i.e. "Netflix will no longer be able to provide you with Warner Bros. content because they are dinosaurs that are worried that someone might be watching in the wrong country. We are pleased to offer you content from producers that are not complete morons...."
As the content producers lose more and more control over the distribution channel they are going to take whatever terms are necessary to get them on Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish. If you are not on any or all of those platforms, you are going to be dead meat. Who would be hurt worse, Netflix or the movie producer that got seen nowhere on their latest film. To me, this is the last gasp of an industry that lost control of its distribution channel years ago and is still trying to impose that control.
Steven Naslund
I kind of doubt it. If any major studio knew that their movie would not be on one of those platforms I think it would be a major problem for them right now. One theater out of thousands is not a problem. iTunes or Netflix has to be what....50% of online distribution today. That's gotta hurt. iTunes already changed the music game and was able to impose their will concerning producer side DRM and other policies. I'm sure Apple and Netflix have at least that much power in the movie space already.
Steven Naslund
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mike Hammett
Sent: Friday, June 03, 2016 5:00 PM
Cc: nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed
It might be a few years yet before the new channels have that much power.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
There's really no point in whining about content providers and regionalization as long as TV channels are still a thing.
I get that the internet totally annihilated borders of all kind (including the book store), but some businesses change slower than others, and content production is still back in the black-and-white TV days because even new content producers don't have that new of a business model.
But nor are ISPs coming up with novel ways for distributors to offer more reliable regionalization services (and most of them were in the content regionalization business long before the Internet came around).
Pick one of those two problems and make a business to solve them.
Until then, Netflix's developers could at least use the "novel" solution of tiering the most accurate forms of location before hitting IP geolocation.
On Fri, Jun 3, 2016 at 5:52 PM Naslund, Steve <SNaslund@medline.com> wrote:
Actually it's time for Netflix to get out of the network transport business and tell the content providers to get over it or not get carried on Netflix. It used to be that Netflix needed content providers, now I am starting to believe it might be the other way around. Netflix might have to take a page from the satellite guys and start calling them out publicly. i.e. "Netflix will no longer be able to provide you with Warner Bros. content because they are dinosaurs that are worried that someone might be watching in the wrong country. We are pleased to offer you content from producers that are not complete morons...."
As the content producers lose more and more control over the distribution channel they are going to take whatever terms are necessary to get them on Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish. If you are not on any or all of those platforms, you are going to be dead meat. Who would be hurt worse, Netflix or the movie producer that got seen nowhere on their latest film. To me, this is the last gasp of an industry that lost control of its distribution channel years ago and is still trying to impose that control.
Steven Naslund
ISPs should not be in the business of helping distributors come up with “novel ways” to help them regionalize. It’s counterproductive to the ISPs main purpose which is to get their customers “the whole Internet”, from anywhere to anywhere no matter where you are.
As far as TV channels, that is an unrelated issue because they have their own distribution network, they can freely choose what cable systems and what satellite systems they want to license to. What you are NOT allowed to do is impose new requirements on our Internet to support your business licensing models and make it our problem. This is no different than someone like Microsoft saying “hey service providers, we don’t want you to carry any network traffic from illegal copies of Outlook” and expecting us to figure it out. I know as service providers we have to be sensitive to our customers but Netflix is also a service provider and should be taking the heat from their own customers. Netflix authored a broken process and now we should be expected to re-engineer the network to eliminate V6 tunnel brokers?!?!?! I don’t think so Netflix.
If I was still an ISP today, I would be sending all of my customers a memo explaining how badly Netflix VPN detection works and why it is so hard for us to help with it and why they should be complaining to Netflix.
Steven Naslund
From: Cryptographrix [mailto:cryptographrix@gmail.com]
Sent: Friday, June 03, 2016 5:06 PM
To: Naslund, Steve; nanog@nanog.org
Subject: Re: Netflix VPN detection - actual engineer needed
There's really no point in whining about content providers and regionalization as long as TV channels are still a thing.
I get that the internet totally annihilated borders of all kind (including the book store), but some businesses change slower than others, and content production is still back in the black-and-white TV days because even new content producers don't have that new of a business model.
But nor are ISPs coming up with novel ways for distributors to offer more reliable regionalization services (and most of them were in the content regionalization business long before the Internet came around).
Pick one of those two problems and make a business to solve them.
Until then, Netflix's developers could at least use the "novel" solution of tiering the most accurate forms of location before hitting IP geolocation.
"What you are NOT allowed to do is impose new requirements on our Internet to support your business licensing models and make it our problem"
They're not imposing *new* regulation on *your* internet to support their business licensing models - they're imposing *existing* (and international) regulations on someone else's business that *existing* distributors provide controls for.
And that many *existing* online distributors provide controls for - hence why they should be using the *most local* method of locating a person - ask for permission to get the location from their *device first* (as is possible nowadays), then try to get the location from any one of other fallback methods (namely, IP geolocation).
On Fri, Jun 3, 2016 at 6:22 PM Naslund, Steve <SNaslund@medline.com> wrote:
ISPs should not be in the business of helping distributors come up with “novel ways” to help them regionalize. It’s counterproductive to the ISPs main purpose which is to get their customers “the whole Internet”, from anywhere to anywhere no matter where you are.
As far as TV channels, that is an unrelated issue because they have their own distribution network, they can freely choose what cable systems and what satellite systems they want to license to. What you are NOT allowed to do is impose new requirements on our Internet to support your business licensing models and make it our problem. This is no different than someone like Microsoft saying “hey service providers, we don’t want you to carry any network traffic from illegal copies of Outlook” and expecting us to figure it out. I know as service providers we have to be sensitive to our customers but Netflix is also a service provider and should be taking the heat from their own customers. Netflix authored a broken process and now we should be expected to re-engineer the network to eliminate V6 tunnel brokers?!?!?! I don’t think so Netflix.
If I was still an ISP today, I would be sending all of my customers a memo explaining how badly Netflix VPN detection works and why it is so hard for us to help with it and why they should be complaining to Netflix.
Steven Naslund
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 5:06 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
There's really no point in whining about content providers and regionalization as long as TV channels are still a thing.
I get that the internet totally annihilated borders of all kind (including the book store), but some businesses change slower than others, and content production is still back in the black-and-white TV days because even new content producers don't have that new of a business model.
But nor are ISPs coming up with novel ways for distributors to offer more reliable regionalization services (and most of them were in the content regionalization business long before the Internet came around).
Pick one of those two problems and make a business to solve them.
Until then, Netflix's developers could at least use the "novel" solution of tiering the most accurate forms of location before hitting IP geolocation.
On Fri, Jun 3, 2016 at 5:52 PM Naslund, Steve <SNaslund@medline.com> wrote: Actually it's time for Netflix to get out of the network transport business and tell the content providers to get over it or not get carried on Netflix. It used to be that Netflix needed content providers, now I am starting to believe it might be the other way around. Netflix might have to take a page from the satellite guys and start calling them out publicly. i.e. "Netflix will no longer be able to provide you with Warner Bros. content because they are dinosaurs that are worried that someone might be watching in the wrong country. We are pleased to offer you content from producers that are not complete morons...."
As the content producers lose more and more control over the distribution channel they are going to take whatever terms are necessary to get them on Netflix, Apple TV, Comcast, Time Warner, DirecTV and Dish. If you are not on any or all of those platforms, you are going to be dead meat. Who would be hurt worse, Netflix or the movie producer that got seen nowhere on their latest film. To me, this is the last gasp of an industry that lost control of its distribution channel years ago and is still trying to impose that control.
Steven Naslund
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mark Andrews Sent: Friday, June 03, 2016 4:28 PM To: Laszlo Hanyecz Cc: nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
It's time for Netflix to offer IPv6 tunnels. That way they can correlate IPv4 and IPv6 addresses. Longest match will result in the correct source address being selected if they do the job correctly.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
The information I'm getting from Netflix support now is explicitly telling me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption. On Fri, Jun 3, 2016 at 7:15 PM Cryptographrix <cryptographrix@gmail.com> wrote:
"What you are NOT allowed to do is impose new requirements on our Internet to support your business licensing models and make it our problem"
They're not imposing new regulation on your internet to support their business licensing models - they're imposing existing (and international) regulations on someone else's business that existing distributors provide controls for.
And that many existing online distributors provide controls for - hence why they should be using the most local method of locating a person - ask for permission to get the location from their device first (as is possible nowadays), then try to get the location from any one of other fallback methods (namely, IP geolocation).
Good for them. For things like Apple TV you need to turn it off at the router of course. Matthew Kaufman (Sent from my iPhone)
On Jun 3, 2016, at 4:25 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
The information I'm getting from Netflix support now is explicitly telling me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.
+1 to this idea. On Fri, Jun 3, 2016 at 5:29 PM Mark Andrews <marka@isc.org> wrote:
It's time for Netflix to offer IPv6 tunnels. That way they can correlate IPv4 and IPv6 addresses. Longest match will result in the correct source address being selected if they do the job correctly.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively. On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Anyone nice people from Netflix perhaps want to take a crack at this?
On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
--
Sent with Airmail
On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand. On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
Seems everyone continues to forget the content providers are not Netflix...They are the Disney, Discovery, NBC, Turner etc... These are the ones that put clauses and restrictions in their licensing and re-broadcast agreements forcing things like Netflix is doing.. Robert Jacobs | Network Director/Architect Direct: 832-615-7742 Main: 832-615-8000 Fax: 713-510-1650 5959 Corporate Dr. Suite 3300; Houston, TX 77036 A Certified Woman-Owned Business 24x7x365 Customer Support: 832-615-8000 | support@pslightwave.com This electronic message contains information from Phonoscope Lightwave which may be privileged and confidential. The information is intended to be for the use of individual(s) or entity named above. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify me by telephone or e-mail immediately. -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Spencer Ryan Sent: Friday, June 3, 2016 2:49 PM To: Cryptographrix <cryptographrix@gmail.com> Cc: North American Network Operators' Group <nanog@nanog.org> Subject: Re: Netflix VPN detection - actual engineer needed I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand. On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
To be honest, I don't care about content providers having control over regional access controls - it's completely technologically backwards, but they're all about time zones so they can do what they want. BUT there are more reliable ways than using an IP to get geographic location in an era where any website can request your GPS location. They have an iOS team that can provide them with *the most authoritatively precise location of my device* for their Apple TV app. My IP should be the last thing they check to determine my location. I can do a million things to tweak that, including things that their proxy detection will never ever find out about. On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs <rjacobs@pslightwave.com> wrote:
Seems everyone continues to forget the content providers are not Netflix...They are the Disney, Discovery, NBC, Turner etc... These are the ones that put clauses and restrictions in their licensing and re-broadcast agreements forcing things like Netflix is doing..
Two problems I see with that. 1. My TV is going to have a hard time figuring out its GPS location inside my living room. 2. It's not hard to make a device lie about a GPS position. Steven Naslund Chicago IL -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:18 PM To: Robert Jacobs; Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed To be honest, I don't care about content providers having control over regional access controls - it's completely technologically backwards, but they're all about time zones so they can do what they want. BUT there are more reliable ways than using an IP to get geographic location in an era where any website can request your GPS location. They have an iOS team that can provide them with *the most authoritatively precise location of my device* for their Apple TV app. My IP should be the last thing they check to determine my location. I can do a million things to tweak that, including things that their proxy detection will never ever find out about. On Fri, Jun 3, 2016 at 3:55 PM Robert Jacobs <rjacobs@pslightwave.com> wrote:
Seems everyone continues to forget the content providers are not Netflix...They are the Disney, Discovery, NBC, Turner etc... These are the ones that put clauses and restrictions in their licensing and re-broadcast agreements forcing things like Netflix is doing..
It's much less hard to make an IP connection lie about its location than it is to make a non-rooted (which is easy to detect) iOS device lie about its AGPS-derived location. In all cases. On Fri, Jun 3, 2016 at 4:28 PM Naslund, Steve <SNaslund@medline.com> wrote:
Two problems I see with that.
1. My TV is going to have a hard time figuring out its GPS location inside my living room. 2. It's not hard to make a device lie about a GPS position.
Steven Naslund Chicago IL
And what about the millions of TVs, DVD players and all the other embedded devices that don't/can't support any kind of location services? On Jun 3, 2016 4:38 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
It's much less hard to make an IP connection lie about its location than it is to make a non-rooted (which is easy to detect) iOS device lie about its AGPS-derived location.
In all cases. On Fri, Jun 3, 2016 at 4:28 PM Naslund, Steve <SNaslund@medline.com> wrote:
Two problems I see with that.
1. My TV is going to have a hard time figuring out its GPS location inside my living room. 2. It's not hard to make a device lie about a GPS position.
Steven Naslund Chicago IL
This is not a zero sum solution. Fallback to IP geolocation if more precise location detection is not available, but if it is, use that. You could even have a "location score" composite index composed of all the different locale and historical session data you've accumulated. (cf things like cloudflare bad-actor detection which uses many heuristics to determine if you are who you say you are and whether to serve content to you) On Fri, Jun 3, 2016 at 4:43 PM, Spencer Ryan <sryan@arbor.net> wrote:
And what about the millions of TVs, DVD players and all the other embedded devices that don't/can't support any kind of location services? On Jun 3, 2016 4:38 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
It's much less hard to make an IP connection lie about its location than it is to make a non-rooted (which is easy to detect) iOS device lie about its AGPS-derived location.
In all cases. On Fri, Jun 3, 2016 at 4:28 PM Naslund, Steve <SNaslund@medline.com> wrote:
Two problems I see with that.
1. My TV is going to have a hard time figuring out its GPS location inside my living room. 2. It's not hard to make a device lie about a GPS position.
Steven Naslund Chicago IL
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
(since we must dual-stack still here in the US)
On Fri, Jun 3, 2016 at 4:09 PM Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. devices with built-in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could, should they be believed? I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix
Sent: Friday, June 03, 2016 3:21 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. devices with built-in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could, should they be believed? I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com
wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
> Netflix needs to figure out a fix for this until ISPs actually
> provide IPv6 natively.
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked
> > by Netflix. Anyone nice people from Netflix perhaps want to
> > take a crack at this?
> >
> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
> >
> > > Had the same problem at my house, but it was caused by the
> > > IPv6 connection to HE. Turned off V6 and the device worked.
> > >
> > > --
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening
> > > due to their new "VPN blocker". My house is on my own IP space,
> > > and the outside of the NAT that the family devices are on is
> > > 198.202.199.254, announced by AS 11994. A simple ping from
> > > Netflix HQ in Los Gatos to my house should show that I'm no
> > > farther away than Santa Cruz, CA as microwaves fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about
> > > this, the only response is to say "call your ISP and have them
> > > turn off the VPN software they've added to your account". And
> > > they absolutely refuse to escalate. Even if you tell them that
> > > you are essentially your own ISP.
> > >
> > > So... where's the Netflix network engineer on the list who all
> > > of us can send these issues to directly?
> > >
> > > Matthew Kaufman
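The fallback suggested in the exchange quoted above (use the v4 address as a historical reference, and fail over to v4 when the v6 address is not trusted) could be implemented as follows. This is an added example, not code from the thread or from any provider: the prefix list, the constructed geo table and the names `decide`, `tunnel_kind` and `last_good_v4` are assumptions, and it goes one step beyond the thread by also handling 6to4 and Teredo addresses, which carry a public IPv4 address inside them.

```python
import ipaddress
from typing import NamedTuple, Optional

# Prefixes whose addresses say nothing reliable about where the client sits.
# 6to4 and Teredo are fixed by RFC 3056 / RFC 4380. Treating Hurricane
# Electric's 2001:470::/32 allocation as "tunnel" is an assumption made for
# this example, not a statement of what any provider actually blocks.
TUNNEL_PREFIXES = (
    ("6to4", ipaddress.ip_network("2002::/16")),
    ("teredo", ipaddress.ip_network("2001::/32")),
    ("tunnel-broker", ipaddress.ip_network("2001:470::/32")),
)

# Constructed geolocation table built from documentation prefixes; it stands
# in for a real geo-IP database.
GEO_TABLE = (
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "JP"),
    (ipaddress.ip_network("2001:db8:100::/48"), "US"),
)


class Decision(NamedTuple):
    action: str            # "allow", "deny" or "retry_over_v4"
    region: Optional[str]  # region the decision (or hint) is based on
    basis: str             # which evidence the decision rests on


def geolocate(ip):
    """Look an address object up in the constructed geo table."""
    for net, region in GEO_TABLE:
        if ip.version == net.version and ip in net:
            return region
    return None


def tunnel_kind(ip):
    """Name the transition mechanism an IPv6 address belongs to, if any."""
    if ip.version != 6:
        return None
    for kind, net in TUNNEL_PREFIXES:
        if ip in net:
            return kind
    return None


def embedded_v4(ip, kind):
    """Return the public IPv4 address carried inside a 6to4/Teredo address."""
    if kind == "6to4":
        return ip.sixtofour
    if kind == "teredo":
        return ip.teredo[1]  # (server, client) -> client's mapped address
    return None              # configured tunnels embed nothing


def decide(client_addr, licensed_regions, last_good_v4=None):
    """Decide on one request; last_good_v4 is the account's historical v4."""
    ip = ipaddress.ip_address(client_addr)
    kind = tunnel_kind(ip)
    basis = "source address"
    if kind is not None:
        v4 = embedded_v4(ip, kind)
        if v4 is None:
            # Nothing in the address locates the client: ask it to come back
            # over IPv4 instead of blocking, and report the historical region
            # only as a hint.
            hint = None
            if last_good_v4:
                hint = geolocate(ipaddress.ip_address(last_good_v4))
            return Decision("retry_over_v4", hint,
                            f"{kind}: no location in address")
        ip, basis = v4, f"IPv4 embedded in {kind} address"
    region = geolocate(ip)
    if region is None:
        return Decision("deny", None, f"{basis}: not in geo table")
    action = "allow" if region in licensed_regions else "deny"
    return Decision(action, region, basis)


if __name__ == "__main__":
    # Constructed sample requests.
    for addr in ("2001:470:1f04:abc::2", "2002:c633:6401::1",
                 "2001:db8:100::5", "203.0.113.9"):
        print(addr, decide(addr, {"US"}, last_good_v4="198.51.100.23"))
```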
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
> Confirmed that Hurricane Electric's TunnelBroker is now blocked
> by Netflix. Anyone nice people from Netflix perhaps want to
> take a crack at this?
>
> On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
>
> > Had the same problem at my house, but it was caused by the
> > IPv6 connection to HE. Turned off V6 and the device worked.
> >
> > --
> > Sent with Airmail
> >
> > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
> >
> > Every device in my house is blocked from Netflix this evening
> > due to their new "VPN blocker". My house is on my own IP space,
> > and the outside of the NAT that the family devices are on is
> > 198.202.199.254, announced by AS 11994. A simple ping from
> > Netflix HQ in Los Gatos to my house should show that I'm no
> > farther away than Santa Cruz, CA as microwaves fly.
> >
> > Unfortunately, when one calls Netflix support to talk about
> > this, the only response is to say "call your ISP and have them
> > turn off the VPN software they've added to your account". And
> > they absolutely refuse to escalate. Even if you tell them that
> > you are essentially your own ISP.
> >
> > So... where's the Netflix network engineer on the list who all
> > of us can send these issues to directly?
> >
> > Matthew Kaufman
As bad as some are in the telecom industry, they don't hold a candle to those in the content industry.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Steve Naslund" <SNaslund@medline.com> To: nanog@nanog.org Sent: Friday, June 3, 2016 3:55:43 PM Subject: RE: Netflix VPN detection - actual engineer needed
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
> Confirmed that Hurricane Electric's TunnelBroker is now blocked
> by Netflix. Anyone nice people from Netflix perhaps want to
> take a crack at this?
>
> On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
>
> > Had the same problem at my house, but it was caused by the
> > IPv6 connection to HE. Turned off V6 and the device worked.
> >
> > --
> > Sent with Airmail
> >
> > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
> >
> > Every device in my house is blocked from Netflix this evening
> > due to their new "VPN blocker". My house is on my own IP space,
> > and the outside of the NAT that the family devices are on is
> > 198.202.199.254, announced by AS 11994. A simple ping from
> > Netflix HQ in Los Gatos to my house should show that I'm no
> > farther away than Santa Cruz, CA as microwaves fly.
> >
> > Unfortunately, when one calls Netflix support to talk about
> > this, the only response is to say "call your ISP and have them
> > turn off the VPN software they've added to your account". And
> > they absolutely refuse to escalate. Even if you tell them that
> > you are essentially your own ISP.
> >
> > So... where's the Netflix network engineer on the list who all
> > of us can send these issues to directly?
> >
> > Matthew Kaufman
True, I thought digital distribution almost killed them. Then they started to understand that Netflix and iTunes are the new normal and got on board (kicking and screaming). Now, they get all torn up over the completely outdated concept of regionalization that should have died along with physical media distribution. Do they honestly believe that they can prevent some guy in Pakistan from seeing a movie they want? Don't they know that in most third world areas you can find PRE-RELEASE DVDs before stuff hits the theaters in the U.S.? You would think that they would welcome someone actually using a legitimate distribution medium rather than the traditional black market method.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mike Hammett Sent: Friday, June 03, 2016 4:17 PM Cc: nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
As bad as some are in the telecom industry, they don't hold a candle to those in the content industry.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Steve Naslund" <SNaslund@medline.com> To: nanog@nanog.org Sent: Friday, June 3, 2016 3:55:43 PM Subject: RE: Netflix VPN detection - actual engineer needed
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
> Confirmed that Hurricane Electric's TunnelBroker is now blocked
> by Netflix. Anyone nice people from Netflix perhaps want to
> take a crack at this?
>
> On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
>
> > Had the same problem at my house, but it was caused by the
> > IPv6 connection to HE. Turned off V6 and the device worked.
> >
> > --
> > Sent with Airmail
> >
> > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
> >
> > Every device in my house is blocked from Netflix this evening
> > due to their new "VPN blocker". My house is on my own IP space,
> > and the outside of the NAT that the family devices are on is
> > 198.202.199.254, announced by AS 11994. A simple ping from
> > Netflix HQ in Los Gatos to my house should show that I'm no
> > farther away than Santa Cruz, CA as microwaves fly.
> >
> > Unfortunately, when one calls Netflix support to talk about
> > this, the only response is to say "call your ISP and have them
> > turn off the VPN software they've added to your account". And
> > they absolutely refuse to escalate. Even if you tell them that
> > you are essentially your own ISP.
> >
> > So... where's the Netflix network engineer on the list who all
> > of us can send these issues to directly?
> >
> > Matthew Kaufman
Do they honestly believe that they can prevent some guy in Pakistan from seeing a movie they want?
The content providers do. And given the choice between "Try and stop vpn users" and "We are pulling all our content" I know which most people would rather.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 5:40 PM, Naslund, Steve <SNaslund@medline.com> wrote:
True, I thought digital distribution almost killed them. Then they started to understand that Netflix and iTunes are the new normal and got on board (kicking and screaming). Now, they get all torn up over the completely outdated concept of regionalization that should have died along with physical media distribution. Do they honestly believe that they can prevent some guy in Pakistan from seeing a movie they want? Don't they know that in most third world areas you can find PRE-RELEASE DVDs before stuff hits the theaters in the U.S.? You would think that they would welcome someone actually using a legitimate distribution medium rather than the traditional black market method.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mike Hammett Sent: Friday, June 03, 2016 4:17 PM Cc: nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
As bad as some are in the telecom industry, they don't hold a candle to those in the content industry.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message -----
From: "Steve Naslund" <SNaslund@medline.com> To: nanog@nanog.org Sent: Friday, June 3, 2016 3:55:43 PM Subject: RE: Netflix VPN detection - actual engineer needed
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
> Netflix needs to figure out a fix for this until ISPs actually
> provide IPv6 natively.
>
> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
>
> > Confirmed that Hurricane Electric's TunnelBroker is now blocked
> > by Netflix. Anyone nice people from Netflix perhaps want to
> > take a crack at this?
> >
> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
> >
> > > Had the same problem at my house, but it was caused by the
> > > IPv6 connection to HE. Turned off V6 and the device worked.
> > >
> > > --
> > > Sent with Airmail
> > >
> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
> > >
> > > Every device in my house is blocked from Netflix this evening
> > > due to their new "VPN blocker". My house is on my own IP space, and
> > > the outside of the NAT that the family devices are on is 198.202.199.254,
> > > announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my
> > > house should show that I'm no farther away than Santa Cruz, CA as
> > > microwaves fly.
> > >
> > > Unfortunately, when one calls Netflix support to talk about
> > > this, the only response is to say "call your ISP and have them turn off
> > > the VPN software they've added to your account". And they absolutely
> > > refuse to escalate. Even if you tell them that you are essentially your
> > > own ISP.
> > >
> > > So... where's the Netflix network engineer on the list who
> > > all of us can send these issues to directly?
> > >
> > > Matthew Kaufman
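The IPv4 fallback proposed in the quoted 4:09 PM message ("fail over to v4 if they do not trust the v6 address"), sketched from the service side as an added example; it is not code from any poster in this thread or from Netflix. The function names, the tunnel-broker prefix (documentation address space) and the account history are hypothetical, constructed values.

```python
import ipaddress

# Constructed placeholder (RFC 3849 documentation space) standing in for an
# operator-maintained list of tunnel-broker prefixes.
TUNNEL_BROKER_PREFIXES = [ipaddress.ip_network("2001:db8:1f00::/40")]

# Constructed account history: IPv4 /24s this account has streamed from
# before, mapped to the region recorded at the time.
HISTORY = {ipaddress.ip_network("192.0.2.0/24"): "US"}


def classify_source(addr):
    """Return (kind, ipv4): ipv4 is the IPv4 address tied to this source, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4", ip
    if ip.ipv4_mapped is not None:       # ::ffff:a.b.c.d
        return "ipv4", ip.ipv4_mapped
    if ip.sixtofour is not None:         # 2002::/16 embeds the endpoint's IPv4
        return "6to4", ip.sixtofour
    if ip.teredo is not None:            # 2001::/32 embeds (server, client) IPv4
        return "teredo", ip.teredo[1]
    if any(ip in net for net in TUNNEL_BROKER_PREFIXES):
        # Configured tunnel: the address says where the broker is,
        # not where the subscriber is, and carries no IPv4 to fall back on.
        return "tunnel-broker", None
    return "native-ipv6", None


def geo_decision(source, history=HISTORY):
    """Decide what to base the region check on, instead of a flat deny.

    Returns one of:
      ("history", region)       IPv4 matches a network the account used before
      ("geolocate", address)    no history; look this address up in a geo database
      ("retry-over-ipv4", kind) untrusted tunnel; send the client to a v4-only name
    """
    kind, v4 = classify_source(source)
    if kind == "native-ipv6":
        return ("geolocate", source)
    if v4 is None:
        return ("retry-over-ipv4", kind)
    for net, region in history.items():
        if v4 in net:
            return ("history", region)
    return ("geolocate", str(v4))


if __name__ == "__main__":
    # Constructed sample sources: broker tunnel, 6to4, Teredo, plain IPv4, native IPv6.
    for src in ("2001:db8:1f0a:12::2", "2002:c000:204::1",
                "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                "198.51.100.7", "2001:db8:aaaa::5"):
        print(src, classify_source(src)[0], geo_decision(src))
```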
Oh I'm not suggesting for a microsecond that any provenance of location can not be hacked, but I totally think that - until the content providers change their business model to not rely on regional controls - they could at least use a more accurate source for that information than my IP(4 or 6) address.
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
In short, I'm pointing the finger at Netflix's developers for coming up with such a lazy control for geolocation.
On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund@medline.com> wrote:
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
That is true. The problem is that traditionally the ISPs have to deal with customers that can’t get to the content they want. Netflix's ridiculous detection schemes do nothing but create tons of work for the service provider which in turn creates stupid work-arounds and network configurations that are ill conceived. Myself, I had to shut off IPv6 at home to get things to work reliably several times for dumb reasons. Kind of hard to preach the v6 message when I had to shut it off myself several times to get my own stuff to work OK. Netflix just decided that creating issues for a subset of their customers was better than having the real fight with the content providers.
My point is that there is no reliable geo-location method for Netflix to use, at least there never has been yet. Good luck ever getting that to work behind the great firewall of China.
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 4:56 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Oh I'm not suggesting for a microsecond that any provenance of location can not be hacked, but I totally think that - until the content providers change their business model to not rely on regional controls - they could at least use a more accurate source for that information than my IP(4 or 6) address.
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
In short, I'm pointing the finger at Netflix's developers for coming up with such a lazy control for geolocation.
"there is no reliable geo-location method for Netflix to use" Any microprocessor that is connected to the Internet is subject to being hacked - let's just turn off all of our computers, since we're talking in absolutes.
From the perspective of the "lawyers and MBA types that negotiate agreements with Netflix and similar services" (to quote Eric), there *are* reliable methods within a specific risk profile, and those include (thanks to Google and Apple, whom most of the content providers *also* have agreements with) AGPS based on Wifi and other industry now-standard methods.
I don't think there _is_ a contractual requirement to attempt to block VPN traffic. I think there's a contractual requirement to provide geographic controls for content, which is a completely different discussion, and is what those same cable and satellite TV providers (many of which _are_ the ISPs for Netflix's customer base) provide.
As has been pointed out, Slingbox is an excellent proxy for over-the-air and cable-tv video, but you don't see content providers pressuring regulation on them because they limit their risk with the station or cable TV provider.
On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund@medline.com> wrote:
That is true. The problem is that traditionally the ISPs have to deal with customers that can’t get to the content they want. Netflix's ridiculous detection schemes do nothing but create tons of work for the service provider which in turn creates stupid work-arounds and network configurations that are ill conceived. Myself, I had to shut off IPv6 at home to get things to work reliably several times for dumb reasons. Kind of hard to preach the v6 message when I had to shut it off myself several times to get my own stuff to work OK. Netflix just decided that creating issues for a subset of their customers was better than having the real fight with the content providers.
My point is that there is no reliable geo-location method for Netflix to use, at least there never has been yet. Good luck ever getting that to work behind the great firewall of China.
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 4:56 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Oh I'm not suggesting for a microsecond that any provenance of location can not be hacked, but I totally think that - until the content providers change their business model to not rely on regional controls - they could at least use a more accurate source for that information than my IP(4 or 6) address.
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
In short, I'm pointing the finger at Netflix's developers for coming up with such a lazy control for geolocation.
On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund@medline.com> wrote:
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net<mailto: sryan@arbor.net><mailto:sryan@arbor.net<mailto:sryan@arbor.net>> *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com>< http://www.arbornetworks.com>
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com<mailto:cryptographrix@gmail.com><mailto: cryptographrix@gmail.com<mailto:cryptographrix@gmail.com>>> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net<mailto: sryan@arbor.net><mailto:sryan@arbor.net<mailto:sryan@arbor.net>>> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net <mailto:sryan@arbor.net><mailto:sryan@arbor.net<mailto:sryan@arbor.net>> *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com>< http://www.arbornetworks.com>
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com<mailto:cryptographrix@gmail.com><mailto: cryptographrix@gmail.com<mailto:cryptographrix@gmail.com>>
wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in the any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net<mailto: sryan@arbor.net><mailto:sryan@arbor.net<mailto:sryan@arbor.net>>> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand. On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com<mailto:cryptographrix@gmail.com><mailto: cryptographrix@gmail.com<mailto:cryptographrix@gmail.com>>> wrote:
> Netflix needs to figure out a fix for this until ISPs actually > provide IPv6 natively. > > > > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper > <blair.trosper@gmail.com<mailto:blair.trosper@gmail.com><mailto: blair.trosper@gmail.com<mailto:blair.trosper@gmail.com>> > > > wrote: > > > Confirmed that Hurricane Electric's TunnelBroker is now blocked > > by Netflix. Anyone nice people from Netflix perhaps want to > > take a > crack at > > this? > > > > > > > > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com<mailto: mike.hyde1@gmail.com><mailto:mike.hyde1@gmail.com<mailto: mike.hyde1@gmail.com>>> wrote: > > > > > Had the same problem at my house, but it was caused by the > > > IPv6 > > connection > > > to HE. Turned of V6 and the device worked. > > > > > > > > > -- > > > > > > Sent with Airmail > > > > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman ( > matthew@matthew.at<mailto:matthew@matthew.at><mailto: matthew@matthew.at<mailto:matthew@matthew.at>>) > > > wrote: > > > > > > Every device in my house is blocked from Netflix this evening > > > due > to > > > their new "VPN blocker". My house is on my own IP space, and > > > the > outside > > > of the NAT that the family devices are on is 198.202.199.254, > announced > > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my > house > > > should show that I'm no farther away than Santa Cruz, CA as > microwaves > > > fly. > > > > > > Unfortunately, when one calls Netflix support to talk about > > > this, > the > > > only response is to say "call your ISP and have them turn off > > > the > VPN > > > software they've added to your account". And they absolutely > refuse to > > > escalate. Even if you tell them that you are essentially your > > > own > ISP. > > > > > > So... where's the Netflix network engineer on the list who > > > all of > us can > > > send these issues to directly? > > > > > > Matthew Kaufman > > > > > >
Fine, tell the lawyers and MBA types that if their reliable methods become unreliable they are not the ISP's problem and that their “risk profile” is the number of customers they lose. I would like to see some sort of statistic that says AGPS is more reliable than IP location. I really doubt it for the following reasons.
1. Device needs to have GPS, WiFi, or both. A lot don’t.
2. SSID needs to be in a database. What is the ratio of SSIDs in the databases vs total SSIDs worldwide. Bet a large percentage are not there.
3. People can change an SSID or WiFi AP at any time. How long exactly until I get my database entry updated.
4. Any indoor area that does not have WiFi coverage cannot be located, period, end of story.
I guarantee you that Apple does not know where my Apple TV units or any of my Sony TVs are because they are on hard Ethernet cables with WiFi disabled so if they told the lawyers that, they lied.
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 5:18 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
"there is no reliable geo-location method for Netflix to use"
Any microprocessor that is connected to the Internet is subject to being hacked - let's just turn off all of our computers, since we're talking in absolutes.
From the perspective of the "lawyers and MBA types that negotiate agreements with Netflix and similar services" (to quote Eric), there are reliable methods within a specific risk profile, and those include (thanks to Google and Apple, whom most of the content providers also have agreements with) AGPS based on Wifi and other industry now-standard methods.
I don't think there _is_ a contractual requirement to attempt to block VPN traffic. I think there's a contractual requirement to provide geographic controls for content, which is a completely different discussion, and is what those same cable and satellite TV providers (many of which _are_ the ISPs for Netflix's customer base) provide.
As has been pointed out, Slingbox is an excellent proxy for over-the-air and cable-tv video, but you don't see content providers pressuring regulation on them because they limit their risk with the station or cable TV provider.
On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund@medline.com> wrote:
That is true. The problem is that traditionally the ISPs have to deal with customers that can’t get to the content they want. Netflix's ridiculous detection schemes do nothing but create tons of work for the service provider which in turn creates stupid work-arounds and network configurations that are ill conceived. Myself, I had to shut off IPv6 at home to get things to work reliably several times for dumb reasons. Kind of hard to preach the v6 message when I had to shut it off myself several times to get my own stuff to work Ok. Netflix just decided that creating issues for a subset of their customers was better than having the real fight with the content providers.
My point is that there is no reliable geo-location method for Netflix to use, at least there never has been yet. Good luck ever getting that to work behind the great firewall of China.
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 4:56 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Oh I'm not suggesting for a microsecond that any provenance of location can not be hacked, but I totally think that - until the content providers change their business model to not rely on regional controls - they could at least use a more accurate source for that information than my IP(4 or 6) address.
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
In short, I'm pointing the finger at Netflix's developers for coming up with such a lazy control for geolocation.
On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund@medline.com> wrote:
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. devices with built-in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could, should they be believed? I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
> Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Any nice people from Netflix perhaps want to take a crack at this?
>
> On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
>
> > Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
> >
> > --
> > Sent with Airmail
> >
> > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at) wrote:
> >
> > Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
> >
> > Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
> >
> > So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
> >
> > Matthew Kaufman
On Fri, Jun 3, 2016, at 17:30, Naslund, Steve wrote:
I guarantee you that Apple does not know where my Apple TV units or any of my Sony TVs are because they are on hard Ethernet cables with WiFi disabled so if they told the lawyers that, they lied.
I would not be surprised if Apple wakes up the wifi occasionally to listen/scan for SSIDs on non-iPhone devices where there's no worry of impacting battery usage. Just because you don't intend to pass traffic on it does not mean the OS doesn't have a valid use for it.
--
Mark Felder
feld@feld.me
But wait, content providers *do that.* *Microsoft too...for illegal copies of Outlook, even...*
How do we know they do that? Because your ISP can be held liable if they are contacted by a content provider and do not follow graduated response guidelines either issued by the nation the ISP resides in or governed by industry agreements and *do not* shut off your service if you are found to be pirating content.
But all of this is moot against the point you mentioned: Netflix authored a broken process. There are at least 3 much more accurate ways to establish regional provenance for any packet - and of course all of them can be hacked - but those same content providers have established in their audit requirements that they're perfectly willing to accept the risks involved.
On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix <cryptographrix@gmail.com> wrote:
" there is no reliable geo-location method for Netflix to use"
Any microprocessor that is connected to the Internet is subject to being hacked - let's just turn off all of our computers, since we're talking in absolutes.
From the perspective of the "lawyers and MBA types that negotiate agreements with Netflix and similar services" (to quote Eric), there *are* reliable methods within a specific risk profile, and those include (thanks to Google and Apple, whom most of the content providers *also* have agreements with) AGPS based on Wifi and other industry now-standard methods.
I don't think there _is_ a contractual requirement to attempt to block VPN traffic. I think there's a contractual requirement to provide geographic controls for content, which is a completely different discussion, and is what those same cable and satellite TV providers (many of which _are_ the ISPs for Netflix's customer base) provide.
As has been pointed out, Slingbox is an excellent proxy for over-the-air and cable-tv video, but you don't see content providers pressuring regulation on them because they limit their risk with the station or cable TV provider.
On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund@medline.com> wrote:
That is true. The problem is that traditionally the ISPs have to deal with customers that can’t get to the content they want. Netflix's ridiculous detection schemes do nothing but create tons of work for the service provider which in turn creates stupid work-arounds and network configurations that are ill conceived. Myself, I had to shut off IPv6 at home to get things to work reliably several times for dumb reasons. Kind of hard to preach the v6 message when I had to shut it off myself several times to get my own stuff to work Ok. Netflix just decided that creating issues for a subset of their customers was better than having the real fight with the content providers.
My point is that there is no reliable geo-location method for Netflix to use, at least there never has been yet. Good luck ever getting that to work behind the great firewall of China.
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 4:56 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Oh I'm not suggesting for a microsecond that any provenance of location can not be hacked, but I totally think that - until the content providers change their business model to not rely on regional controls - they could at least use a more accurate source for that information than my IP(4 or 6) address.
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
In short, I'm pointing the finger at Netflix's developers for coming up with such a lazy control for geolocation.
On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund@medline.com> wrote:
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
1. Device needs to have GPS, WiFi, or both. A lot don’t.
Doesn't need to be mandatory, but it's elective to use and yes - AGPS/Wifi is much more accurate than IP geolocation where available, by a long shot https://gigaom.com/2012/08/17/how-much-better-is-gps-over-wi-fi-positioning-... IP Geolocation is accurate to the city, at best, and is often completely off if you live in a metropolitan area
2. SSID needs to be in a database. What is the ratio of SSIDs in the databases vs total SSIDs worldwide. Bet a large percentage are not there.
This isn't even an issue in the US - what do you think those Google cars collect besides pictures?: https://www.wired.com/2014/04/threatlevel_0401_streetview/
3. People can change an SSID or WiFi AP at any time. How long exactly until I get my database entry updated.
Yes they can change SSIDs, which is why Wifi-based geolocation doesn't profile a location based on individual SSIDs or *just* SSIDs (many also include MAC addresses too - see the aforementioned court case).
4. Any indoor area that does not have WiFi coverage cannot be located, period, end of story.
Wireless-ISPs are now a thing. You can be in the mountains of Colorado and have your location established better with Wifi than your IP geolocation will provide. You'd be surprised how many wireless SSIDs you'll receive in the most remote places. Then again, there are places in metropolitan areas where there is absolutely no wifi. Sure, fall back to IP geolocation there. You're trying to find edge cases - I get it - but in most places your edge cases don't exist. If you have a device with wifi on it and it is connected to the internet even with Ethernet, in the US you have no assurance that it can not use Wifi to determine your location much more precisely than IP geolocation. Period.
On Fri, Jun 3, 2016 at 6:35 PM Cryptographrix <cryptographrix@gmail.com> wrote:
But wait, content providers *do that.*
*Microsoft too...for illegal copies of Outlook, even...*
How do we know they do that?
Because your ISP can be held liable if they are contacted by a content provider and do not follow graduated response guidelines either issued by the nation the ISP resides in or governed by industry agreements and *do not* shut off your service if you are found to be pirating content.
But all of this is moot against the point you mentioned: Netflix authored a broken process.
There are at least 3 much more accurate ways to establish regional provenance for any packet - and of course all of them can be hacked - but those same content providers have established in their audit requirements that they're perfectly willing to accept the risks involved.
On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix <cryptographrix@gmail.com> wrote:
" there is no reliable geo-location method for Netflix to use"
Any microprocessor that is connected to the Internet is subject to being hacked - let's just turn off all of our computers, since we're talking in absolutes.
From the perspective of the "lawyers and MBA types that negotiate agreements with Netflix and similar services" (to quote Eric), there *are* reliable methods within a specific risk profile, and those include (thanks to Google and Apple, whom most of the content providers *also* have agreements with) AGPS based on Wifi and other industry now-standard methods.
I don't think there _is_ a contractual requirement to attempt to block VPN traffic. I think there's a contractual requirement to provide geographic controls for content, which is a completely different discussion, and is what those same cable and satellite TV providers (many of which _are_ the ISPs for Netflix's customer base) provide.
As has been pointed out, Slingbox is an excellent proxy for over-the-air and cable-tv video, but you don't see content providers pressuring regulation on them because they limit their risk with the station or cable TV provider.
On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund@medline.com> wrote:
That is true. The problem is that traditionally the ISPs have to deal with customers that can’t get to the content they want. Netflix's ridiculous detection schemes do nothing but create tons of work for the service provider which in turn creates stupid work-arounds and network configurations that are ill conceived. Myself, I had to shut off IPv6 at home to get things to work reliably several times for dumb reasons. Kind of hard to preach the v6 message when I had to shut it off myself several times to get my own stuff to work Ok. Netflix just decided that creating issues for a subset of their customers was better than having the real fight with the content providers.
My point is that there is no reliable geo-location method for Netflix to use, at least there never has been yet. Good luck ever getting that to work behind the great firewall of China.
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 4:56 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Oh I'm not suggesting for a microsecond that any provenance of location can not be hacked, but I totally think that - until the content providers change their business model to not rely on regional controls - they could at least use a more accurate source for that information than my IP(4 or 6) address.
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
In short, I'm pointing the finger at Netflix's developers for coming up with such a lazy control for geolocation.
On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund@medline.com> wrote:
Wifi location depends on a bunch of problematic things. First, your SSID needs to get collected and put in a database somewhere. That itself is a crap shoot. Next, you can stop google (and some other wifi databases) from collecting the data by putting _nomap at the end of your SSID. Lastly, not everyone has wifi or iOS or GPS or whatever location method you can think of. BTW, my apple TV is on a wired Ethernet, not wifi.
Point is, for whatever location technology you want to use be it IP, GPS, WiFi location, sextant…..they can be inaccurate and they can be faked and there are privacy concerns with all of them. What the content producers need to figure out is that regionalization DOES NOT WORK ANYMORE! The original point was that they could have different release dates in different areas at different prices and availability. They are going to have to get over it because they will lose the technological arms race.
There is no reason you could not beat all of the location systems with a simple proxy. A proxy makes a Netflix connection from an allowed IP, location or whatever and then builds a new video/audio stream out the back end to the client anywhere in the world. Simple to implement and damn near impossible to beat. Ever hear of Slingbox?
Steven Naslund Chicago IL
From: Cryptographrix [mailto:cryptographrix@gmail.com] Sent: Friday, June 03, 2016 3:42 PM To: Naslund, Steve; nanog@nanog.org Subject: Re: Netflix VPN detection - actual engineer needed
Apple TVs get their location indoors using the same method they use for other iOS devices when indoors - wifi ssid/Mac scanning.
Non-iOS devices are often capable of this as well.
(As someone that spends >67% of his time underground and whose Apple TV requests my location from my underground bedroom and is very accurate)
On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund@medline.com> wrote:
Their app could request your device's location. Problem is a lot of devices (like TVs, Apple TVs, most DVD players, i.e. device with built in Netflix) don't know where they are and it cannot easily be added (indoor GPS is still difficult/expensive) and even if they could should they be believed. I think the bigger issue is whether any kind of regional controls are enforceable or effective any more.
Steven Naslund Chicago IL
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Cryptographrix Sent: Friday, June 03, 2016 3:21 PM To: Spencer Ryan Cc: North American Network Operators' Group Subject: Re: Netflix VPN detection - actual engineer needed
Come now, content providers really just care that they have access to regional controls more so than their ability to blanket-deny access (ok, minus the MLB who are just insane).
And part of those regional controls deal with the accuracy of the location information.
If their app can request my device's precise location, it doesn't need to infer my location from my IP any more.
As a matter of fact, it's only detrimental to them for it to do so, because of the lack of accuracy from geo databases and the various reasons that people use VPNs nowadays (i.e. for some devices that you can't even turn VPN connections off for - OR in the case of IPv6, when you can't reach a segment of the Internet without it).
On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan@arbor.net> wrote:
There is a large difference between "the VPN run at your house" and "Arguably the most popular, free, mostly anonymous tunnel broker service"
If it were up to the content providers, they probably would block any IP they saw a VPN server listening on.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
From a network operational perspective we are only seeing the tip of the iceberg. There are vast hordes of lawyers and MBA types employed by the largest content creators (TV channels, movie studios) which negotiate agreements with Netflix and similar services.
Unless you happen to be a sysadmin inside one of these entities with access to the contracts and documents, all of this is totally opaque from a network engineering viewpoint. I do not think the contractual requirement to *attempt* to block VPN traffic will change until a significantly larger percentage of US customers abandon paying for their cable TV & satellite TV monthly packages.
On Fri, Jun 3, 2016 at 2:56 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I just don't think that this is an appropriate venue to discuss the value of their business model as that's something their business needs to work on changing internally, and fighting it (at least for the moment) will only land Netflix in court.
Agreed. I find it silly that as a US citizen on my US-bank-paid-for Netflix account with US physical address information suddenly cannot watch things when travelling I legally could if I were standing in another place.
On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
Are they going to disable connectivity from everywhere they can detect an open VPN port to, also?
If they trust my v4 address, they can use that to establish historical reference. Additionally, they can fail over to v4 if they do not trust the v6 address.
On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Any nice people from Netflix perhaps want to take a crack at this?
On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
> Had the same problem at my house, but it was caused by the IPv6 connection
> to HE. Turned off V6 and the device worked.
>
> --
>
> Sent with Airmail
>
> On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at)
> wrote:
>
> Every device in my house is blocked from Netflix this evening due to
> their new "VPN blocker". My house is on my own IP space, and the outside
> of the NAT that the family devices are on is 198.202.199.254, announced
> by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> should show that I'm no farther away than Santa Cruz, CA as microwaves
> fly.
>
> Unfortunately, when one calls Netflix support to talk about this, the
> only response is to say "call your ISP and have them turn off the VPN
> software they've added to your account". And they absolutely refuse to
> escalate. Even if you tell them that you are essentially your own ISP.
>
> So... where's the Netflix network engineer on the list who all of us can
> send these issues to directly?
>
> Matthew Kaufman
On Fri, 3 Jun 2016, Cryptographrix wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
In my case I have a he.net tunnel from their tunnel servers in Stockholm. This is properly GEOIP:ed to Sweden (I had to get that done by another content provider that seems to use the same GEOIP as Netflix, because after this was done a year ago or something, Netflix stopped thinking I was in the US when I accessed it over IPv6.)
My regular IPv4 address also GEOIPs to same place.
So the fact I am using IPv6 through a tunnel provider seems to be what triggers Netflix to block me. The fact that my IPv4 connectivity is NOT through a tunnel, is something they could check.
I really wish their tunnel connectivity checker was a bit more sophisticated so it would correlate the following:
My billing address is in Sweden. My IPv4 GEOIP says I am in Sweden. My IPv6 GEOIP says I am in Sweden.
Ok, so fine, I am not trying to circumvent anything so just let me watch the bloody content ok to show to people in Sweden.
BLOODY HELL!
-- Mikael Abrahamsson email: swmike@swm.pp.se
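The correlation described in this message (billing country, IPv4 GeoIP and IPv6 GeoIP all agreeing), combined with the IPv4 fallback suggested earlier in the thread, written out as an added example; it is not part of the original posts and not Netflix's logic. The prefixes (documentation ranges), the GeoIP table, the reason codes and all function names are constructed for illustration, and the IPv4 address is assumed to have been vetted separately.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: documentation prefixes standing in for real allocations.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "SE"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "HK"),
    (ipaddress.ip_network("2001:db8:1::/48"), "SE"),     # tunnel PoP geolocated to SE
    (ipaddress.ip_network("2001:db8:2::/48"), "US"),     # tunnel PoP geolocated to US
    (ipaddress.ip_network("2001:db8:ffff::/48"), "SE"),  # native IPv6 from an access ISP
]
# Hypothetical list of prefixes known to belong to a tunnel broker.
TUNNEL_BROKER_PREFIXES = [
    ipaddress.ip_network("2001:db8:1::/48"),
    ipaddress.ip_network("2001:db8:2::/48"),
]


@dataclass(frozen=True)
class Session:
    billing_country: str
    ipv6: Optional[str]
    ipv4: Optional[str]   # last IPv4 address seen for the same account/device


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "fallback_ipv4" or "block"
    reason: str   # specific enough for support staff to name the cause


def country_of(addr: Optional[str]) -> Optional[str]:
    """Longest-prefix match of addr against the GeoIP table."""
    if addr is None:
        return None
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, cc) for net, cc in GEOIP_TABLE
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None


def is_tunnel(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(net.version == ip.version and ip in net
               for net in TUNNEL_BROKER_PREFIXES)


def decide(s: Session, licensed: frozenset) -> Verdict:
    """Decide how to serve a title licensed in the given set of countries."""
    v4_cc, v6_cc = country_of(s.ipv4), country_of(s.ipv6)

    # No IPv6, or native IPv6: ordinary single-address region check.
    if s.ipv6 is None:
        ok = v4_cc in licensed
        return Verdict("allow" if ok else "block",
                       "ipv4_in_region" if ok else "ipv4_region_not_licensed")
    if not is_tunnel(s.ipv6):
        ok = v6_cc in licensed
        return Verdict("allow" if ok else "block",
                       "native_ipv6_in_region" if ok else "ipv6_region_not_licensed")

    # IPv6 arrives through a tunnel broker: do not trust it on its own.
    if v4_cc is None:
        return Verdict("block", "ipv6_tunnel_no_ipv4_reference")
    # Billing, IPv4 and IPv6 locations all agree: nothing is being circumvented.
    if v4_cc == v6_cc == s.billing_country and v4_cc in licensed:
        return Verdict("allow", "billing_ipv4_ipv6_agree")
    # Otherwise fail over to IPv4 and let its location decide.
    if v4_cc in licensed:
        return Verdict("fallback_ipv4", "ipv6_tunnel_untrusted_ipv4_in_region")
    return Verdict("block", "ipv4_region_not_licensed")


if __name__ == "__main__":
    cases = {
        "SE user, SE tunnel": Session("SE", "2001:db8:1::10", "192.0.2.7"),
        "HK user, US tunnel": Session("US", "2001:db8:2::5", "203.0.113.9"),
        "US user, SE tunnel": Session("US", "2001:db8:1::99", "198.51.100.4"),
        "tunnel only":        Session("SE", "2001:db8:1::10", None),
    }
    for name, sess in cases.items():
        licensed = frozenset({sess.billing_country})
        print(f"{name:20} -> {decide(sess, licensed)}")
```

The reason codes keep the IPv6-tunnel case distinguishable from a generic VPN denial.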
On Jun 3, 2016, at 23:48 , Mikael Abrahamsson <swmike@swm.pp.se> wrote:
On Fri, 3 Jun 2016, Cryptographrix wrote:
I have a VPN connection at my house. There's no way for them to know the difference between me using my home network connection from Hong Kong or my home network connection from my house.
In my case I have a he.net tunnel from their tunnel servers in Stockholm. This is properly GEOIP:ed to Sweden (I had to get that done by another content provider that seems to use the same GEOIP as Netflix, because after this was done a year ago or something, Netflix stopped thinking I was in the US when I accessed it over IPv6.)
My regular IPv4 address also GEOIPs to same place.
So the fact I am using IPv6 through a tunnel provider seems to be what triggers Netflix to block me. The fact that my IPv4 connectivity is NOT through a tunnel, is something they could check.
I really wish their tunnel connectivity checker was a bit more sophisticated so it would correlate the following:
My billing address is in Sweden. My IPv4 GEOIP says I am in Sweden. My IPv6 GEOIP says I am in Sweden.
Ok, so fine, I am not trying to circumvent anything so just let me watch the bloody content ok to show to people in Sweden.
BLOODY HELL!
-- Mikael Abrahamsson email: swmike@swm.pp.se
Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
On Sat, 4 Jun 2016, Owen DeLong wrote:
Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
I am now instead mooching off of someone else's PI /48 and set up another tunnel, so not using HE at all anymore. Let's see if that works better. Still waiting to be able to test because when I deconfigured IPv6 on my Apple Airport Extreme and moved my IPv6 to an UBNT ER5, the Airport didn't send zero lifetime RAs so now everything is chaos for a while. Family acceptance factor is helped by Happy Eyeballs I guess though...
-- Mikael Abrahamsson email: swmike@swm.pp.se
On 04/06/2016 20:46, Owen DeLong wrote:
Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
Even though that sounds like an awesome idea it does not seem trivial to me to obtain your own /48. I mean: "You can only request IPv6 assignments and Autonomous System Numbers through a Sponsoring LIR (a RIPE NCC member)" https://www.ripe.net/manage-ips-and-asns/resource-management/number-resource... But you know, my knowledge on the matter is half an hour old, I might be dead wrong. Ciao, Davide Davini.
* Davide Davini <diotonante@gmail.com>
On 04/06/2016 20:46, Owen DeLong wrote:
Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
Even though that sounds like an awesome idea it does not seem trivial to me to obtain your own /48.
Which is a good thing, as every new PI /48 advertised to the DFZ will bloat the routing tables of thousands upon thousands of routers world wide. It might solve the Netflix problem, but what has actually happened is that you've split the original problem into a thousand small bits and thrown one piece into each of your neighbours' gardens.
I'd encourage everyone to try to fix their Netflix problem a more proper way before deciding to litter everyone else's routing tables with another PI prefix.
Blocking access to Netflix via the tunnel seems like an obvious solution to me, for what it's worth.
I wonder if anyone has attempted to estimate approx. how much RIB/FIB space a single DFZ route requires in total across the entire internet...
Tore
In message <20160608070525.06fd5995@echo.ms.redpill-linpro.com>, Tore Anderson writes:
* Davide Davini <diotonante@gmail.com>
On 04/06/2016 20:46, Owen DeLong wrote:
Get your own /48 and advertise to HE Tunnel via BGP. Problem solved.
Even though that sounds like an awesome idea it does not seem trivial to me to obtain your own /48.
Which is a good thing, as every new PI /48 advertised to the DFZ will bloat the routing tables of thousands upon thousands of routers world wide. It might solve the Netflix problem, but what has actually happened is that you've split the original problem into a thousand small bits and thrown one piece into each of your neighbours' gardens.
I'd encourage everyone to try to fix their Netflix problem a more proper way before deciding to litter everyone else's routing tables with another PI prefix.
Blocking access to Netflix via the tunnel seems like an obvious solution to me, for what it's worth.
And which set of prefixes is that? How often do they change? etc. When Netflix turned on IPv6 support HE's tunnels existed. They should be dealing with the existing environment rather than making others work around their shortcomings. Tunnels, as much as some people may not like them, will continue to be a part of the IPv6 landscape for many years to come.
Mark
I wonder if anyone has attempted to estimate approx. how much RIB/FIB space a single DFZ route requires in total across the entire internet...
Tore -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, 8 Jun 2016, Mark Andrews wrote:
And which set of prefixes is that? How often do they change? etc.
Apparently there's only 2620:108:7000::/44 and I doubt it'll change often. An associate actually reported this problem to me today. I ended up just installing a host firewall rule on his Netflix viewer and made the problem go away. Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com
On 2016-06-08 07:27, Mark Andrews wrote:
In message <20160608070525.06fd5995@echo.ms.redpill-linpro.com>, Tore Anderson writes:
* Davide Davini <diotonante@gmail.com>
Blocking access to Netflix via the tunnel seems like an obvious solution to me, for what it's worth.
And which set of prefixes is that? How often do they change? etc.
A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS lookup on netflix.com. I am not running a HE tunnel (I got native IPv6) and I am not blocked from accessing Netflix over IPv6 so can't really try it. I am curious however that none of the vocal HE tunnel users here appears to have tried even simple counter measures such as a simple firewall rule to drop traffic to that one /64 prefix.
It might be that more needs to be blocked, but in that case it will be trivial to find the required prefixes by launching Wireshark and observe the IPv6 traffic generated when accessing netflix.com. Maybe someone could do that and post the results, as it is apparent that many people are in need of a solution.
Regards, Baldur
On Wed, 8 Jun 2016, Baldur Norddahl wrote:
A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS lookup on netflix.com. I am not running a HE tunnel (I got native IPv6) and I am not blocked from accessing Netflix over IPv6 so can't really try it. I am
I sent some email earlier that that does work using a host firewall on an affected client. For some reason my email is in hold state - not sure what's up with that. Antonio Querubin e-mail: tony@lavanauts.org xmpp: antonioquerubin@gmail.com
On Jun 8, 2016, at 8:13 AM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On 2016-06-08 07:27, Mark Andrews wrote:
In message <20160608070525.06fd5995@echo.ms.redpill-linpro.com>, Tore Anderson writes:
* Davide Davini <diotonante@gmail.com>
Blocking access to Netflix via the tunnel seems like an obvious solution to me, for what it's worth.
And which set of prefixes is that? How often do they change? etc.
A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS lookup on netflix.com. I am not running a HE tunnel (I got native IPv6) and I am not blocked from accessing Netflix over IPv6 so can't really try it. I am curious however that none of the vocal HE tunnel users here appears to have tried even simple counter measures such as a simple firewall rule to drop traffic to that one /64 prefix.
It might be that more needs to be blocked, but in that case it will be trivial to find the required prefixes by launching Wireshark and observe the IPv6 traffic generated when accessing netflix.com. Maybe someone could do that and post the results, as it is apparent that many people are in need of a solution.
I don't think that "getting to Netflix over an HE tunnel" is something that people here need a solution to, rather it's "stopping Netflix from discouraging IPv6 usage" or perhaps "encouraging Netflix to stop breaking service to IPv6 users, including their lack of support for IPv4 fallback". The connection to NANOG isn't that NANOG users want to reach Netflix, it's that NANOG users have an interest in the broader health of the IPv6 ecosystem. Given the number of pieces of off-the-shelf packaged software that are designed to allow the end-user, with no technical expertise required, to proxy through an HE tunnel so as to avoid Netflix geolocation[1] I don't blame Netflix for blocking HE tunnels, but I do blame them for doing so badly. Cheers, Steve [1] e.g. https://github.com/ab77/netflix-proxy
On Wednesday, June 8, 2016, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On 2016-06-08 07:27, Mark Andrews wrote:
In message <20160608070525.06fd5995@echo.ms.redpill-linpro.com>, Tore Anderson writes:
* Davide Davini <diotonante@gmail.com>
Blocking access to Netflix via the tunnel seems like an obvious solution to me, for what it's worth.
And which set of prefixes is that? How often do they change? etc.
A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS lookup on netflix.com. I am not running a HE tunnel (I got native IPv6) and I am not blocked from accessing Netflix over IPv6 so can't really try it. I am curious however that none of the vocal HE tunnel users here appears to have tried even simple counter measures such as a simple firewall rule to drop traffic to that one /64 prefix.
That's a start but Netflix has a few more prefixes than that: http://bgp.he.net/AS2906#_prefixes6
On 2016-06-08 17:58, Nicholas Suan wrote:
On Wednesday, June 8, 2016, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
A start would be blocking 2620:108:700f::/64 as discovered by a simple DNS lookup on netflix.com. I am not running a HE tunnel (I got native IPv6) and I am not blocked from accessing Netflix over IPv6 so can't really try it. I am curious however that none of the vocal HE tunnel users here appears to have tried even simple counter measures such as a simple firewall rule to drop traffic to that one /64 prefix.
That's a start but Netflix has a few more prefixes than that: http://bgp.he.net/AS2906#_prefixes6
They do but that is irrelevant. Blocking just that one /64 prefix works because that is where their tunnel detector apparently lives. I think we are at the point where we can say it would be nice if Netflix could just redirect users from IPv6 to IPv4 when a tunnel is suspected. They do deserve flames for being bad guys here when they have such an easy out. But you can also just fix the issue yourself with a simple firewall rule. Regards, Baldur
On Wed, 8 Jun 2016, Tore Anderson wrote:
I wonder if anyone has attempted to estimate approx. how much RIB/FIB space a single DFZ route requires in total across the entire internet...
You mean in money? A lot. The problem is that we have so far no feasible way to make "polluter pay". So people de-aggregate left/right, because there is no marginal cost to them, because that cost is instead shared by everybody. I'd imagine the cost to us all is thousands of USD per DFZ slot, if not more. Per month this might not be huge though...
Let's say we have 100k routers with all DFZ routes (should be correct magnitude, right?), let's say a router that can take full DFZ instead of smaller number of routes differ 10kUSD? (right magnitude on average?). That's a billion dollars in CAPEX then. Divide that by 5 year lifetime of router, that's 200MUSD per year. Divide that by 100k extra routes that are in the DFZ because nobody is paying for it and you get 2kUSD per year per route. I hope I got the math right...
But even 2kUSD per year per route isn't a significant amount of money, I still think quite a lot of these routes would get advertised even if each DFZ-prefix came with a cost. So I also think that is part of the reason we don't have a charging system for DFZ slots, because getting that charging infrastructure to work isn't worth it, the benefit of this complication isn't enough.
--
Mikael Abrahamsson email: swmike@swm.pp.se
I dunno. I could argue that I could -- to extend that idea -- let literally ANYONE tunnel through my Comcast Business connection to appear to be in the Bay Area. How's that fundamentally different than a service like TunnelBroker apart from economies of scale?
More than a few people I know are ready to dump Netflix for this. Fortunately, where I live, Comcast Business has native dual stack...
On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptographrix@gmail.com> wrote:
Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan@arbor.net> wrote:
I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand. On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix@gmail.com> wrote:
Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.trosper@gmail.com> wrote:
Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Any nice people from Netflix perhaps want to take a crack at this?
On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1@gmail.com> wrote:
Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
--
Sent with Airmail
On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matthew@matthew.at ) wrote:
Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
Matthew Kaufman
It's not. But if you start pumping 10s of gigabits to Netflix with thousands of user IDs Netflix will blacklist your /56 as well.
On Jun 3, 2016 5:00 PM, "Blair Trosper" <blair.trosper@gmail.com> wrote:
I dunno. I could argue that I could -- to extend that idea -- let literally ANYONE tunnel through my Comcast Business connection to appear to be in the Bay Area. How's that fundamentally different than a service like TunnelBroker apart from economies of scale?
More than a few people I know are ready to dump Netflix for this. Fortunately, where I live, Comcast Business has native dual stack...
Well, that's the rub of the whole issue with Netflix VPN detection. They don't actually detect the VPN, they detect a bunch of people coming from the same IP address which they assume to be done via a VPN or proxy. Any large networks sitting behind a single NAT are going to get looked at that way. If everyone was using a VPN to their home and jumping through that to get to Netflix it would be nearly impossible to detect reliably (I know you could play games with MTU detection and stuff like that but those will give even more false positives).
The big fight is coming when Netflix is going to have to get real with the content providers and admit that there is no reliable way to regionalize.
Steven Naslund
Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Blair Trosper
Sent: Friday, June 03, 2016 4:00 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed
I dunno. I could argue that I could -- to extend that idea -- let literally ANYONE tunnel through my Comcast Business connection to appear to be in the Bay Area. How's that fundamentally different than a service like TunnelBroker apart from economies of scale?
More than a few people I know are ready to dump Netflix for this. Fortunately, where I live, Comcast Business has native dual stack...
On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
On Fri, Jun 3, 2016 at 3:05 PM, Spencer Ryan <sryan@arbor.net> wrote:
There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
No way, really? Come now. The latencies from New York and from Hong Kong are very different. If your minimum/bottomed-out RTT is less than 100ms away from a Netflix server, which can be measured using TCP protocol-based metrics, then you are not using a VPN. This could be used as a filter to reduce false positives.
Also, if you are using a tunnel service, then it is unlikely your only connectivity is IPv6, therefore, when they suspect an IPv6 VPN, they could use methods of figuring out your IPv4 address.... it could be an option to simply do something along the lines of a background HTTP request along the lines of
    $.ajax({
      type: "GET",
      url: "http://ipv4onlyhostname.netflix.example.com/x.cgi",
      // "blah" stands for values left unspecified in the message
      data: { timestamp: blah, action: 'get_proof_of_IPv4_address', blahblah_sessionid: blah }
    });
Then analyze the IPv4 connection before returning a proof of IP address as a signed token. Within the main page or system, allow the connection. This method proves your device is not merely circumventing region controls through a simple VPN. You at least have access to a computer in the allowed region a few seconds before initiating the connection.
Or you know.... just redirect the IPv6 tunnel-provider connections at Netflix' end to an IPv4-only hostname period, so V6 is not used for these users.
Furthermore, they could make a USB dongle with a GPS receiver on it that will answer a location-based challenge request, that you're expected to hook up to your computer feed from an outside antenna.
I don't let them off the hook too easily.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com -- -JH
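The signed "proof of IPv4 address" token proposed in the message above, sketched from the service side as an added example; it is not part of the original post and not anything Netflix is known to run. The function names, claim fields, 30-second lifetime and shared HMAC key are all assumptions.

```javascript
// Added example (hypothetical names): HMAC-signed proof that a session also
// reached an IPv4-only endpoint, checked later by the main service.
const crypto = require("node:crypto");
const net = require("node:net");

const TOKEN_TTL_MS = 30000; // assumption: the proof must be used within 30 s

// Runs on the IPv4-only hostname; peerAddr is the TCP peer address it observed.
function issueProof(key, sessionId, peerAddr, nowMs) {
  // A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; normalise that.
  const ip = peerAddr.startsWith("::ffff:") ? peerAddr.slice(7) : peerAddr;
  if (!net.isIPv4(ip)) return null; // request did not arrive over IPv4: no proof
  const payload = Buffer.from(JSON.stringify({ sid: sessionId, ip, iat: nowMs }))
    .toString("base64url");
  const mac = crypto.createHmac("sha256", key).update(payload).digest("base64url");
  return `${payload}.${mac}`;
}

// Runs on the main service (reached over the suspect IPv6 path) before it
// decides which region rules to apply.
function verifyProof(key, token, sessionId, nowMs) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [payload, mac] = parts;
  const expected = crypto.createHmac("sha256", key).update(payload).digest();
  const given = Buffer.from(mac, "base64url");
  // Check length first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Only parse the claims once the signature has been verified.
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (claims.sid !== sessionId) return { ok: false, reason: "wrong-session" };
  if (nowMs < claims.iat || nowMs - claims.iat > TOKEN_TTL_MS) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, ipv4: claims.ip }; // caller applies its IPv4 policy to this address
}
```

The token only shows that the same session could reach the IPv4-only host within the lifetime window; what the service then concludes from that IPv4 address is a separate policy decision.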
participants (31)
- Alex Buie
- Antonio Querubin
- Baldur Norddahl
- Bill Woodcock
- Blair Trosper
- Cryptographrix
- Davide Davini
- Eric Kuhnke
- Jay Hennigan
- Jimmy Hess
- Josh Luthman
- Laszlo Hanyecz
- Mark Andrews
- Mark Felder
- Matthew Huff
- Matthew Kaufman
- Michael Brown
- Mikael Abrahamsson
- Mike Hammett
- mike.hyde1@gmail.com
- Naslund, Steve
- Nicholas Suan
- Owen DeLong
- Paul Ferguson
- Pete Mundy
- Ricky Beam
- Robert Jacobs
- Roland Dobbins
- Spencer Ryan
- Steve Atkins
- Tore Anderson