• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Netflix blocking

Started by kc9jud, June 05, 2016, 09:44:32 PM

Previous topic - Next topic

kc9jud

Hello, I was sent here by Netflix "support" since they claim that there must be some problem with HE.net making me look like I'm coming through a proxy. I know this is absurd and that it's their blocking causing it, but can someone from HE back me up so I can go back and complain to them again? Has anything changed in the last week with Tunnelbroker which would have caused a problem with routing to Netflix?

see: https://forums.he.net/index.php?topic=3564.0 and https://forums.he.net/index.php?topic=3566.0

kcochran

Nothing has changed on our side.  The tunnels work as they always have: RFC 6in4.  IP assignment information, including basic user geographical location (city, state, country), is updated periodically throughout the day on the public rWHOIS server, as it has been for many years, and as we're required to do by ARIN for end-user assignments.

troz

Of course, you are using a proxy, of sorts. Netflix has no way to know where any tunnel actually goes. That's what they require to keep the content nazis happy. It doesn't matter where you live, only where you're watching.

HE only reports the (unverified) account holder address via whois. That's not necessarily where the tunnel goes. And those using the service to get around region locks can easily make up an address within the region they wish to appear.

It's unfortunate, but it's not a problem that can be easily solved. (read: not going to be solved) Either your IPv4 endpoint address would have to be published, or each tunnel would have to be permanently attached to an IPv4 address. The former would require a new API which would have to be queried on nearly every connection, given the speed with which a tunnel endpoint can be changed. The later means no more dynamic updates, when your address changes, a new tunnel must be created. (even that assumes IPv4 subnets don't get reassigned, which they do.)


truedesign

One way they could fix it is have their client to retry over ipv4 if they see a connection from an ipv6 addr that they think is a tunnel, rather than just serving an error msg.

They could at least throw us a bone and stop publishing AAAA responses for DNS queries that come from the HE tunnel range...

broquea

small flaw in that idea...Who queries their auth NS directly for lookups from the tunnel? :)

Quote from: truedesign on June 08, 2016, 09:36:46 PM
They could at least throw us a bone and stop publishing AAAA responses for DNS queries that come from the HE tunnel range...

Tornevall

Quote from: truedesign on June 08, 2016, 09:36:46 PM
One way they could fix it is have their client to retry over ipv4 if they see a connection from an ipv6 addr that they think is a tunnel, rather than just serving an error msg.

They could at least throw us a bone and stop publishing AAAA responses for DNS queries that come from the HE tunnel range...

When I got problems yesterday, I added an extra zone for netflix.com in my own master-DNS (yesterday). The zone added was of the type forward and all dns queries to it, goes to another DNS which filters out all AAAA-responses if the query comes from a ipv4-address. So, from yesterday I acatuallt managed to make Netflix work "as normal" again :)

Since this is a little bit of a special solution, I also wrote it down, just in case if this happens again (http://tornevalls.se/blog/2016/06/10/netflix-and-the-blocking-of-tunneled-ipv6-routes/) I refuse to shut down all my tunneling because of only one service ...

Napsterbater

Quote from: broquea on June 08, 2016, 09:42:15 PM
small flaw in that idea...Who queries their auth NS directly for lookups from the tunnel? :)

Quote from: truedesign on June 08, 2016, 09:36:46 PM
They could at least throw us a bone and stop publishing AAAA responses for DNS queries that come from the HE tunnel range...

At least a few :-)... i get your [point though.

frinnst6

I'd be very interested in knowing if HE has detected any changes in bandwidth usage since the netflix ban. Percentages welcomed!

snarked

It seems that YouTube is now blocking HE's IPv6 routes (or at least it was yesterday).  Turning off IPv6 on the device I tried to access YT with then permitted the connection.

I also note that my Yahoo webmail also fails over IPv6.  Do other organizations have something against HE and IPv6?

AquilaTech

I just wanted to share my fix to this problem with Netflix.
I went to my Netflix account properties and clicked on CANCEL.

Problem solved.  I'll sleep better knowing my money is not going to the MPAA.

If more of us resisted this tyranny, then companies like Netflix would be forced to change.
Please consider it.