RE: Netflix VPN detection - actual engineer needed

["Naslund, Steve" <SNaslund () medline com>]

Well, that's the rub of the whole issue with Netflix VPN detection.  They don't actually detect the VPN, they detect a 
bunch of people coming from the same IP address which they assume to be done via a VPN or proxy.  Any large networks 
sitting behind a single NAT are going to get looked at that way.  If everyone was using a VPN to their home and jumping 
through that to get to Netflix it would be nearly impossible to detect reliably (I know you could play games with MTU 
detection and stuff like that but those will give even more false positives).  The big fight is coming when Netflix is 
going to have to get real with the content providers and admit that there is no reliable way to regionalize.


Steven Naslund
Chicago IL





-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Blair Trosper
Sent: Friday, June 03, 2016 4:00 PM
To: Spencer Ryan
Cc: North American Network Operators' Group
Subject: Re: Netflix VPN detection - actual engineer needed

I dunno.  I could argue that I could -- to extend that idea -- let literally ANYONE tunnel through my Comcast Business 
connection to appear to be in the Bay Area.  How's that fundamentally different than a service like TunnelBroker apart 
from economies of scale?

More than a few people I know are ready to dump Netflix for this.
Fortunately, where I live, Comcast Business has native dual stack...

On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan <sryan () arbor net> wrote:

> There is no way for Netflix to know the difference between you being 
> in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sryan () arbor net *Arbor 
> Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix 
> <cryptographrix () gmail com>
> wrote:
>
> > Same, but until there's a real IPv6 presence in the US, it's really 
> > annoying that they haven't come up with some fix for this.
> >
> > I have no plans to turn off IPv6 at home - I actually have many uses 
> > for it, and as much as I dislike the controversy around it, think 
> > that adoption needs to be prioritized, not penalized.
> >
> > Additionally, I think that discussing content provider control over 
> > regional decisions isn't productive to the conversation, as they 
> > didn't build the banhammer (wouldn't you want to control your own 
> > content if you had made content specific to regional laws etc?).
> >
> > I.e. - not all shows need to have regional restrictions between New 
> > York (where I live) and California (where my IPv6 /64 says I live).
> >
> > I'm able to watch House in the any state in the U.S.? Great - ignore 
> > my intra-US proxy connection.
> >
> > My Netflix account randomly tries to connect from Tokyo because I 
> > forgot to shut off my work VPN? Fine....let me know and I'll turn *that* off.
> >
> >
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan () arbor net> wrote:
> >
> > > I don't blame them for blocking a (effectively) anonymous tunnel broker.
> > > I'm sure their content providers are forcing their hand.
> > > On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptographrix () gmail com>
> > > wrote:
> > >
> > > > Netflix needs to figure out a fix for this until ISPs actually 
> > > > provide
> > > > IPv6
> > > > natively.
> > > >
> > > >
> > > >
> > > > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper 
> > > > <blair.trosper () gmail com>
> > > > wrote:
> > > >
> > > > > Confirmed that Hurricane Electric's TunnelBroker is now blocked 
> > > > > by Netflix.  Anyone nice people from Netflix perhaps want to take 
> > > > > a
> > > > crack at
> > > > > this?
> > > > >
> > > > >
> > > > >
> > > > > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1 () gmail com> wrote:
> > > > >
> > > > > > Had the same problem at my house, but it was caused by the IPv6
> > > > > connection
> > > > > > to HE.  Turned of V6 and the device worked.
> > > > > >
> > > > > >
> > > > > > --
> > > > > >
> > > > > > Sent with Airmail
> > > > > >
> > > > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman 
> > > > > > (matthew () matthew at
> > > > )
> > > > > > wrote:
> > > > > >
> > > > > > Every device in my house is blocked from Netflix this evening 
> > > > > > due to their new "VPN blocker". My house is on my own IP space, 
> > > > > > and the
> > > > outside
> > > > > > of the NAT that the family devices are on is 198.202.199.254,
> > > > announced
> > > > > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my 
> > > > > > house should show that I'm no farther away than Santa Cruz, CA 
> > > > > > as
> > > > microwaves
> > > > > > fly.
> > > > > >
> > > > > > Unfortunately, when one calls Netflix support to talk about 
> > > > > > this,
> > > > the
> > > > > > only response is to say "call your ISP and have them turn off 
> > > > > > the
> > > > VPN
> > > > > > software they've added to your account". And they absolutely 
> > > > > > refuse
> > > > to
> > > > > > escalate. Even if you tell them that you are essentially your 
> > > > > > own
> > > > ISP.
> > > > > > So... where's the Netflix network engineer on the list who all 
> > > > > > of
> > > > us can
> > > > > > send these issues to directly?
> > > > > >
> > > > > > Matthew Kaufman