[NANOG] Re: ISPs in Spain are blocking CDN IP ranges to tackle soccer piracy

["Constantine A. Murenin via NANOG" <nanog () lists nanog org>]

This is a good point about the benefits of IPv6.

But it's missing the fact that the all-or-nothing architecture is
somehow the preferred scenario by the likes of Cloudflare.

Before the widespread adoption of HTTPS, you could easily block any
website either through DNS, or by examining the "Host" and the "GET"
headers of each HTTP request, the extra advantage being that it was
even possible to block just the individual web-pages within a single
web-site (ad-blocking on a network level was trivial and
super-effective, too), without affecting the rest of the website
(think specific articles on Wikipedia that may be illegal in some
countries, without needing to block the rest of Wikipedia).

Then we got HTTPS, and blocking individual web-pages was no longer
possible.  (So now the entire websites had to be blocked in some
countries, since page-level blocks were no longer possible.)  But
because of SNI and also DNS, and before the CDNs, it was still
possible to block just the individual websites in full, not the entire
IP addresses or subnets.

But that still wasn't good enough for the privacy zealots, so they
plugged the SNI leaks with the Encrypted SNI and the Encrypted Client
Hello (ECH), and also DNS with DNS-over-HTTPS, conveniently breaking
many network-level ad-blockers in the process, and moving control over
the ad-blocking away from the network administrators.  (But we can
still block ads in the web-browser, right?  Well, guess what, they've
now nearly "fixed" that issue, too, so, now that's not an option,
either!)

So, basically, yes, IPv6 can come to the rescue here, but it's
actually not a problem that Cloudflare would be interested in solving,
since they'd rather take the all-or-nothing approach because
"privacy".

C.

On Mon, 14 Apr 2025 at 15:02, Mark Andrews via NANOG
<nanog () lists nanog org> wrote:
> Theoretically IPv6 should provide enough addresses that a CDN doesn’t need to share an address between customers .  
> Give each machine a /64 or longer and assign the customer a unique addresses within that prefix.  Use the ability of 
> modern kernels to bind to a range of addresses/interface and check the name to address mapping before returning 
> content in addition to checking that it is configured for the name.  You can share resources without sharing 
> addresses.
> --
> Mark Andrews
>
> > On 15 Apr 2025, at 03:00, Bryan Holloway via NANOG <nanog () lists nanog org> wrote:
> >
> > While we're at it, who needs L3. A flat L2 should suffice.
> >
> >
> > > On 4/14/25 18:00, Constantine A. Murenin via NANOG wrote:
> > > Here's an idea, why don't we centralise the entire internet behind a
> > > single network to "solve" the issue of connectivity and availability?
> > > Oh, wait!  Nevermind!  /s
> > > C.
> > > > On Mon, 14 Apr 2025 at 10:20, Raúl Martínez via NANOG
> > > > <nanog () lists nanog org> wrote:
> > > > Hello, Nanog,
> > > > This is an ongoing issue that might affect your spanish users if you use
> > > > services like Cloudflare, Vercel, BunnyCDN or GitHub pages.
> > > > A couple of weeks ago, the most important ISPs in Spain started
> > > > intercepting or nullrouting IP addresses from this CDN providers.
> > > > The reason is that a couple of local court orders allowed LA LIGA (sports
> > > > association responsible for administering the two professional football
> > > > leagues in Spain) to provide ISPs with a list of IP addresses that host
> > > > soccer piracy sites to be taken down in a short period of time, even when
> > > > the football match is taken place.
> > > > The issue is that most of this piracy sites use Cloudflare and others to
> > > > protect themselves, so ISPs are nullrouting or intercepting IP ranges that
> > > > serve thousands of websites, including all Cloudflare Free customers (but
> > > > not limited to). For example, they blocked one IP address that served
> > > > ChatGPT.
> > > > These blockages are applied when the soccer matches are played and they are
> > > > turned off hours later.
> > > > Cloudflare has already taken legal action against this, but the issue is
> > > > still ongoing.
> > > > You can find more information about this issue on TorrentFreak (LaLiga
> > > > Blocks Cloudflare Again, New Pirate IPTV Providers & Anything in The Way),
> > > > BandaanchaEU (bandaancha bloqueos del fútbol).
> > > > *Regards,*
> > > > *Raúl Martínez*
> > > > _______________________________________________
> > > > NANOG mailing list
> > > > https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PCJ6SCDU43ZLK4U2FMKWBOE7SIRVPUYZ/
> > > _______________________________________________
> > > NANOG mailing list
> > > https://lists.nanog.org/archives/list/nanog () lists nanog org/message/TPJCY6RFNFK32XWJQI6TH2P4CKXMJP2F/
> >
> > _______________________________________________
> > NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog 
> > org/message/CQITXJSPX4XRXNCWBGJOHJDB3UEBTS6C/
>
> _______________________________________________
> NANOG mailing list
> https://lists.nanog.org/archives/list/nanog () lists nanog org/message/WBQIME26VFD2KH55HNP3GOFVDTMIG7IO/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/B624I2J5MUSJZ7XC3EJ7XLDT2N355ZNA/