[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Netflix VPN detection - actual engineer needed



> On Jun 3, 2016, at 18:32 , Raymond Beaudoin <raymond.beaudoin at icarustech.com> wrote:
> 
> Fair point, Spencer! Only Netflix engineers could tell us how they're
> determining networks to be blocked, but I'm paranoid they're dynamically
> updating based  AS PATH. I figured HE's ASN may have made the naughty list.
> Admittedly, that would be pretty drastic. Time to do some testing. :>

I tend to doubt it:

route-views6.routeviews.org> sh bgp 2620:0:930::/48
BGP routing table entry for 2620:0:930::/48
Paths: (31 available, best #26, table Default-IP-Routing-Table)
  Not advertised to any peer
  3257 8121 1734, (aggregated by 1734 192.124.40.251)
    2001:668:0:4::2 from 2001:668:0:4::2 (213.200.87.91)
      Origin IGP, metric 770, localpref 100, valid, external
      Community: 3257:4560 3257:5010
      Last update: Fri Jun  3 09:07:40 2016

  47872 6939 1734, (aggregated by 1734 192.124.40.251)
    2a01:73e0::1 from 2a01:73e0::1 (185.44.116.227)
    (fe80::223:9c03:9b50:ffc0)
      Origin IGP, localpref 100, valid, external
      Community: 47872:1200
      Last update: Fri Jun  3 05:48:08 2016

  3741 6939 1734, (aggregated by 1734 192.124.40.251)
    2c0f:fc00::2 from 2c0f:fc00::2 (168.209.255.56)
      Origin IGP, localpref 100, valid, external
      Last update: Thu Jun  2 23:12:06 2016

  31019 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:67c:22dc:def1::1 from 2001:67c:22dc:def1::1 (91.228.151.1)
      Origin incomplete, localpref 100, valid, external
      Last update: Sat Jun  4 18:31:19 2016

  3277 3267 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:b08:2:280::4:100 from 2001:b08:2:280::4:100 (194.85.4.4)
      Origin IGP, localpref 100, valid, external
      Community: 3277:3267
      Last update: Wed Jun  1 12:54:09 2016

  7660 4635 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:200:901::5 from 2001:200:901::5 (203.181.248.168)
      Origin IGP, localpref 100, valid, external
      Community: 0:12989 0:13335 0:15169 0:20940 0:22822 4635:800 7660:4 7660:6
      Last update: Tue May 31 03:14:20 2016

  7018 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:1890:111d:1::63 from 2001:1890:111d:1::63 (12.0.1.63)
    (fe80::5254:ff:fe61:b8e6)
      Origin IGP, localpref 100, valid, external
      Community: 7018:5000 7018:37232
      Last update: Tue May 31 02:36:49 2016

  209 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:428::205:171:203:138 from 2001:428::205:171:203:138 (205.171.203.138)
      Origin IGP, metric 8000051, localpref 100, valid, external
      Community: 209:888
      Last update: Tue May 31 02:36:49 2016

  20912 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:40d0::126 from 2001:40d0::126 (212.66.96.126)
      Origin IGP, localpref 100, valid, external
      Community: 20912:65016
      Last update: Tue May 31 02:37:02 2016

  13030 6939 1734, (aggregated by 1734 192.124.40.251)
    2001:1620:1::203 from 2001:1620:1::203 (213.144.128.203)
      Origin IGP, metric 1, localpref 100, valid, external
      Community: 13030:61 13030:1604 13030:51107
      Last update: Tue May 31 02:36:50 2016

  30071 8121 1734, (aggregated by 1734 192.124.40.251)
    2001:4830::e from 2001:4830::e (66.55.128.18)
      Origin IGP, metric 42, localpref 100, valid, external
      Community: 30071:57062
      Last update: Tue May 31 02:39:32 2016

  57463 6939 1734, (aggregated by 1734 192.124.40.251)
    2a00:1728::1f:4 from 2a00:1728::1f:4 (192.168.7.118)
      Origin IGP, localpref 100, valid, external
      Community: 64700:6939
      Last update: Tue May 31 02:37:03 2016

My NF is still working over IPv6.

Owen

> 
> On Fri, Jun 3, 2016 at 8:27 PM, Spencer Ryan <sryan at arbor.net> wrote:
> 
>> Well if you have PI space just use HE's BGP tunnel offerings.
>> 
>> 
>> *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
>> *Arbor Networks*
>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
>> www.arbornetworks.com
>> 
>> On Fri, Jun 3, 2016 at 9:24 PM, Raymond Beaudoin <
>> raymond.beaudoin at icarustech.com> wrote:
>> 
>>> As an alternative, there are multiple cloud service offerings that will
>>> advertise your IPv6 allocations on your behalf direct to a server in their
>>> data centers. It seems pretty tongue-in-cheek, and satisfying, to turn
>>> up a *<insert
>>> favorite virtual router instance> *and then route through it. The Internet
>>> 
>>> is such an amazing place.
>>> 
>>> On Fri, Jun 3, 2016 at 8:15 PM, Cryptographrix <cryptographrix at gmail.com>
>>> wrote:
>>> 
>>>> Yeah I RAWRed to them pretty hard whilst being as understanding to the
>>> CS
>>>> rep that it wasn't their fault.
>>>> 
>>>> They thought I was weird as anything.
>>>> 
>>>> If there are any Verizon FiOS network engineers on the thread, a fellow
>>>> Verizon employee would thank you kindly for an off-thread email
>>> regarding
>>>> BGP advertisement (I'll buy the IPv6 block and the drink-of-choice, you
>>>> configure my account to listen for route advertisement).
>>>> 
>>>> Strange that it has to come to this to get "legit" IPv6 service.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On Fri, Jun 3, 2016 at 9:08 PM Raymond Beaudoin <
>>>> raymond.beaudoin at icarustech.com> wrote:
>>>> 
>>>>> I wasn't originally affected on my he.net tunnel, but this evening it
>>>>> started blocking. The recommended ACLs are a functional temporary
>>>>> workaround, but I've also opened a request with Netflix.
>>>>> 
>>>>> On Fri, Jun 3, 2016 at 7:54 PM, Mark T. Ganzer <ganzer at spawar.navy.mil
>>>> 
>>>>> wrote:
>>>>> 
>>>>>> So far I am not seeing a Netflix block on my he.net tunnel yet. I
>>>>> connect
>>>>>> to the Los Angeles node, so maybe not all of HE's address space is
>>> being
>>>>>> blocked.
>>>>>> 
>>>>>> Not going to be disabling IPv6 here either. + HAD native IPv6 from
>>> Time
>>>>>> Warner, but they decided to in their wisdom to disable IPv6 service
>>> for
>>>>>> anyone that has an Arris SB6183 due to an Arris firmware bug.  And
>>> they
>>>>> are
>>>>>> taking their sweet time pushing out the fixed firmware update that
>>>>> Comcast
>>>>>> and Cox seemed to be able to push to their customers last fall.
>>>>>> 
>>>>>> -Mark Ganzer
>>>>>> 
>>>>>> 
>>>>>> On 6/3/2016 4:49 PM, Cryptographrix wrote:
>>>>>> 
>>>>>>> Depends - how many US users have native IPv6 through their ISPs?
>>>>>>> 
>>>>>>> If I remember correctly (I can't find the source at the moment),
>>> HE.net
>>>>>>> represents something like 70% of IPv6 traffic in the US.
>>>>>>> 
>>>>>>> And yeah, not doing that - actually in the middle of an IPv6
>>> project at
>>>>>>> work at the moment that's a bit important to me.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
>>>>> baldur.norddahl at gmail.com
>>>>>>>> 
>>>>>>> wrote:
>>>>>>> 
>>>>>>> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
>>>>> cryptographrix at gmail.com>:
>>>>>>>> 
>>>>>>>>> The information I'm getting from Netflix support now is explicitly
>>>>>>>>> 
>>>>>>>> telling
>>>>>>>> 
>>>>>>>>> me to turn off IPv6 - someone might want to stop them before they
>>>>>>>>> completely kill US IPv6 adoption.
>>>>>>>>> 
>>>>>>>> Not allowing he.net tunnels is not killing ipv6. You just need
>>> need
>>>>>>>> native
>>>>>>>> ipv6.
>>>>>>>> 
>>>>>>>> On the other hand it would be nice if Netflix would try the other
>>>>>>>> protocol
>>>>>>>> before blocking.
>>>>>>>> 
>>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>>