Re: Netflix VPN detection - actual engineer needed

[Owen DeLong <owen () delong com>]

> On Jun 3, 2016, at 18:32 , Raymond Beaudoin <raymond.beaudoin () icarustech com> wrote:
>
> Fair point, Spencer! Only Netflix engineers could tell us how they're
> determining networks to be blocked, but I'm paranoid they're dynamically
> updating based  AS PATH. I figured HE's ASN may have made the naughty list.
> Admittedly, that would be pretty drastic. Time to do some testing. :>

I tend to doubt it:

route-views6.routeviews.org> sh bgp 2620:0:930::/48
BGP routing table entry for 2620:0:930::/48
Paths: (31 available, best #26, table Default-IP-Routing-Table)
  Not advertised to any peer
  3257 8121 1734, (aggregated by 1734 192.124.40.251)
    2001:668:0:4::2 from 2001:668:0:4::2 (213.200.87.91)
      Origin IGP, metric 770, localpref 100, valid, external
      Community: 3257:4560 3257:5010
      Last update: Fri Jun  3 09:07:40 2016

  47872 6939 1734, (aggregated by 1734 192.124.40.251)
    2a01:73e0::1 from 2a01:73e0::1 (185.44.116.227)
    (fe80::223:9c03:9b50:ffc0)
      Origin IGP, localpref 100, valid, external
      Community: 47872:1200
      Last update: Fri Jun  3 05:48:08 2016

  3741 6939 1734, (aggregated by 1734 192.124.40.251)
    2c0f:fc00::2 from 2c0f:fc00::2 (168.209.255.56)
      Origin IGP, localpref 100, valid, external
      Last update: Thu Jun  2 23:12:06 2016

  31019 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:67c:22dc:def1::1 from 2001:67c:22dc:def1::1 (91.228.151.1)
      Origin incomplete, localpref 100, valid, external
      Last update: Sat Jun  4 18:31:19 2016

  3277 3267 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:b08:2:280::4:100 from 2001:b08:2:280::4:100 (194.85.4.4)
      Origin IGP, localpref 100, valid, external
      Community: 3277:3267
      Last update: Wed Jun  1 12:54:09 2016

  7660 4635 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:200:901::5 from 2001:200:901::5 (203.181.248.168)
      Origin IGP, localpref 100, valid, external
      Community: 0:12989 0:13335 0:15169 0:20940 0:22822 4635:800 7660:4 7660:6
      Last update: Tue May 31 03:14:20 2016

  7018 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:1890:111d:1::63 from 2001:1890:111d:1::63 (12.0.1.63)
    (fe80::5254:ff:fe61:b8e6)
      Origin IGP, localpref 100, valid, external
      Community: 7018:5000 7018:37232
      Last update: Tue May 31 02:36:49 2016

  209 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:428::205:171:203:138 from 2001:428::205:171:203:138 (205.171.203.138)
      Origin IGP, metric 8000051, localpref 100, valid, external
      Community: 209:888
      Last update: Tue May 31 02:36:49 2016

  20912 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:40d0::126 from 2001:40d0::126 (212.66.96.126)
      Origin IGP, localpref 100, valid, external
      Community: 20912:65016
      Last update: Tue May 31 02:37:02 2016

  13030 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:1620:1::203 from 2001:1620:1::203 (213.144.128.203)
      Origin IGP, metric 1, localpref 100, valid, external
      Community: 13030:61 13030:1604 13030:51107
      Last update: Tue May 31 02:36:50 2016

  30071 8121 1734, (aggregated by 1734 192.124.40.251)
    2001:4830::e from 2001:4830::e (66.55.128.18)
      Origin IGP, metric 42, localpref 100, valid, external
      Community: 30071:57062
      Last update: Tue May 31 02:39:32 2016

  57463 6939 1734, (aggregated by 1734 192.124.40.251)
    2a00:1728::1f:4 from 2a00:1728::1f:4 (192.168.7.118)
      Origin IGP, localpref 100, valid, external
      Community: 64700:6939
      Last update: Tue May 31 02:37:03 2016

My NF is still working over IPv6.

Owen

> On Fri, Jun 3, 2016 at 8:27 PM, Spencer Ryan <sryan () arbor net> wrote:
>
> > Well if you have PI space just use HE's BGP tunnel offerings.
> >
> >
> > *Spencer Ryan* | Senior Systems Administrator | sryan () arbor net
> > *Arbor Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
> > raymond.beaudoin () icarustech com> wrote:
> >
> > > As an alternative, there are multiple cloud service offerings that will
> > > advertise your IPv6 allocations on your behalf direct to a server in their
> > > data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
> > > up a *<insert
> > > favorite virtual router instance> *and then route through it. The Internet
> > >
> > > is such an amazing place.
> > >
> > > On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix () gmail com>
> > > wrote:
> > >
> > > > Yeah I RAWRed to them pretty hard whilst being as understanding to the
> > > CS
> > > > rep that it wasn't their fault.
> > > >
> > > > They thought I was weird as anything.
> > > >
> > > > If there are any Verizon FiOS network engineers on the thread, a fellow
> > > > Verizon employee would thank you kindly for an off-thread email
> > > regarding
> > > > BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
> > > > configure my account to listen for route advertisement).
> > > >
> > > > Strange that it has to come to this to get "legit" IPv6 service.
> > > >
> > > >
> > > >
> > > >
> > > > On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
> > > > raymond.beaudoin () icarustech com> wrote:
> > > >
> > > > > I wasn't originally affected on my he.net tunnel, but this evening it
> > > > > started blocking. The recommended ACLs are a functional temporary
> > > > > workaround, but I've also opened a request with Netflix.
> > > > >
> > > > > On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer () spawar navy mil
> > > >
> > > > > wrote:
> > > > >
> > > > > > So far I am not seeing a Netflix block on my he.net tunnel yet. I
> > > > > connect
> > > > > > to the Los Angeles node, so maybe not all of HE's address space is
> > > being
> > > > > > blocked.
> > > > > >
> > > > > > Not going to be disabling IPv6 here either. + HAD native IPv6 from
> > > Time
> > > > > > Warner, but they decided to in their wisdom to disable IPv6 service
> > > for
> > > > > > anyone that has an Arris SB6183 due to an Arris firmware bug.  And
> > > they
> > > > > are
> > > > > > taking their sweet time pushing out the fixed firmware update that
> > > > > Comcast
> > > > > > and Cox seemed to be able to push to their customers last fall.
> > > > > >
> > > > > > -Mark Ganzer
> > > > > >
> > > > > >
> > > > > > On 6/3/2016 4:49 PM, Cryptographrix wrote:
> > > > > >
> > > > > > > Depends - how many US users have native IPv6 through their ISPs?
> > > > > > >
> > > > > > > If I remember correctly (I can't find the source at the moment),
> > > HE.net
> > > > > > > represents something like 70% of IPv6 traffic in the US.
> > > > > > >
> > > > > > > And yeah, not doing that - actually in the middle of an IPv6
> > > project at
> > > > > > > work at the moment that's a bit important to me.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> > > > > baldur.norddahl () gmail com
> > > > > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> > > > > cryptographrix () gmail com>:
> > > > > > > > > The information I'm getting from Netflix support now is explicitly
> > > > > > > > telling
> > > > > > > >
> > > > > > > > > me to turn off IPv6 - someone might want to stop them before they
> > > > > > > > > completely kill US IPv6 adoption.
> > > > > > > > Not allowing he.net tunnels is not killing ipv6. You just need
> > > need
> > > > > > > > native
> > > > > > > > ipv6.
> > > > > > > >
> > > > > > > > On the other hand it would be nice if Netflix would try the other
> > > > > > > > protocol
> > > > > > > > before blocking.