"there is no reliable geo-location method for Netflix to use" Any microprocessor that is connected to the Internet is subject to being hacked - let's just turn off all of our computers, since we're talking in absolutes.

From the perspective of the "lawyers and MBA types that negotiate agreements with Netflix and similar services" (to quote Eric), there *are* reliable methods within a specific risk profile, and those include (thanks to Google and Apple, whom most of the content providers *also* have agreements with) AGPS based on Wifi and other industry now-standard methods.

I don't think there _is_ a contractual requirement to attempt to block VPN traffic. I think there's a contractual requirement to provide geographic controls for content, which is a completely different discussion, and is what those same cable and satellite TV providers (many of which _are_ the ISPs for Netflix's customer base) provide.

As has been pointed out, Slingbox is an excellent proxy for over-the-air and cable-tv video, but you don't see content providers pressuring regulation on them because they limit their risk with the station or cable TV provider.

On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <snasl...@medline.com> wrote:

> That is true. The problem is that traditionally the ISPs have to deal
> with customers that can’t get to the content they want. Netflix's ridiculous
> detection schemes do nothing but create tons of work for the service
> provider which in turn creates stupid work-arounds and network
> configurations that are ill conceived. Myself, I had to shut off IPv6 at
> home to get things to work reliably several times for dumb reasons. Kind
> of hard to preach the v6 message when I had to shut it off myself several
> times to get my own stuff to work Ok. Netflix just decided that creating
> issues for a subset of their customers was better than having the real
> fight with the content providers.
>
> My point is that there is no reliable geo-location method for Netflix to
> use, at least there never has been yet. Good luck ever getting that to
> work behind the great firewall of China.
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com]
> Sent: Friday, June 03, 2016 4:56 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Oh I'm not suggesting for a microsecond that any provenance of location
> can not be hacked, but I totally think that - until the content providers
> change their business model to not rely on regional controls - they could
> at least use a more accurate source for that information than my IP(4 or 6)
> address.
>
> I just don't think that this is an appropriate venue to discuss the value
> of their business model as that's something their business needs to work on
> changing internally, and fighting it (at least for the moment) will only
> land Netflix in court.
>
> In short, I'm pointing the finger at Netflix's developers for coming up
> with such a lazy control for geolocation.
>
> On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <snasl...@medline.com> wrote:
> Wifi location depends on a bunch of problematic things. First, your SSID
> needs to get collected and put in a database somewhere. That itself is a
> crap shoot. Next, you can stop Google (and some other wifi databases) from
> collecting the data by putting _nomap at the end of your SSID. Lastly, not
> everyone has wifi or iOS or GPS or whatever location method you can think
> of. BTW, my Apple TV is on a wired Ethernet, not wifi.
>
> Point is, for whatever location technology you want to use be it IP, GPS,
> WiFi location, sextant…..they can be inaccurate and they can be faked and
> there are privacy concerns with all of them. What the content producers
> need to figure out is that regionalization DOES NOT WORK ANYMORE! The
> original point was that they could have different release dates in
> different areas at different prices and availability. They are going to
> have to get over it because they will lose the technological arms race.
>
> There is no reason you could not beat all of the location systems with a
> simple proxy. A proxy makes a Netflix connection from an allowed IP,
> location or whatever and then builds a new video/audio stream out the back
> end to the client anywhere in the world. Simple to implement and damn near
> impossible to beat. Ever hear of Slingbox?
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptograph...@gmail.com]
> Sent: Friday, June 03, 2016 3:42 PM
> To: Naslund, Steve; nanog@nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Apple TVs get their location indoors using the same method they use for
> other iOS devices when indoors - wifi SSID/MAC scanning.
>
> Non-iOS devices are often capable of this as well.
>
> (As someone that spends >67% of his time underground and whose Apple TV
> requests my location from my underground bedroom and is very accurate)
>
> On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <snasl...@medline.com> wrote:
> Their app could request your device's location. Problem is a lot of
> devices (like TVs, Apple TVs, most DVD players, i.e. devices with built-in
> Netflix) don't know where they are and it cannot easily be added (indoor
> GPS is still difficult/expensive) and even if they could should they be
> believed. I think the bigger issue is whether any kind of regional
> controls are enforceable or effective any more.
>
> Steven Naslund
> Chicago IL
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Cryptographrix
> Sent: Friday, June 03, 2016 3:21 PM
> To: Spencer Ryan
> Cc: North American Network Operators' Group
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Come now, content providers really just care that they have access to
> regional controls more so than their ability to blanket-deny access (ok,
> minus the MLB who are just insane).
>
> And part of those regional controls deal with the accuracy of the location
> information.
>
> If their app can request my device's precise location, it doesn't need to
> infer my location from my IP any more.
>
> As a matter of fact, it's only detrimental to them for it to do so,
> because of the lack of accuracy from geo databases and the various reasons
> that people use VPNs nowadays (i.e. for some devices that you can't even
> turn VPN connections off for - OR in the case of IPv6, when you can't reach
> a segment of the Internet without it).
>
> On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sr...@arbor.net> wrote:
>
> > There is a large difference between "the VPN run at your house" and
> > "Arguably the most popular, free, mostly anonymous tunnel broker service"
> >
> > If it were up to the content providers, they probably would block any
> > IP they saw a VPN server listening on.
> >
> > *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> > *Arbor Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix <cryptograph...@gmail.com> wrote:
> >
> >> I have a VPN connection at my house. There's no way for them to know
> >> the difference between me using my home network connection from Hong
> >> Kong or my home network connection from my house.
> >>
> >> Are they going to disable connectivity from everywhere they can
> >> detect an open VPN port to, also?
> >>
> >> If they trust my v4 address, they can use that to establish
> >> historical reference. Additionally, they can fail over to v4 if they
> >> do not trust the v6 address.
> >>
> >> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sr...@arbor.net> wrote:
> >>
> >>> There is no way for Netflix to know the difference between you being
> >>> in NY and using the tunnel, and you living in Hong Kong and using the
> >>> tunnel.
> >>>
> >>> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >>> *Arbor Networks*
> >>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >>> www.arbornetworks.com
> >>>
> >>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptograph...@gmail.com> wrote:
> >>>
> >>>> Same, but until there's a real IPv6 presence in the US, it's really
> >>>> annoying that they haven't come up with some fix for this.
> >>>>
> >>>> I have no plans to turn off IPv6 at home - I actually have many
> >>>> uses for it, and as much as I dislike the controversy around it,
> >>>> think that adoption needs to be prioritized, not penalized.
> >>>>
> >>>> Additionally, I think that discussing content provider control over
> >>>> regional decisions isn't productive to the conversation, as they
> >>>> didn't build the banhammer (wouldn't you want to control your own
> >>>> content if you had made content specific to regional laws etc?).
> >>>>
> >>>> I.e. - not all shows need to have regional restrictions between New
> >>>> York (where I live) and California (where my IPv6 /64 says I live).
> >>>>
> >>>> I'm able to watch House in any state in the U.S.? Great -
> >>>> ignore my intra-US proxy connection.
> >>>>
> >>>> My Netflix account randomly tries to connect from Tokyo because I
> >>>> forgot to shut off my work VPN? Fine....let me know and I'll turn
> >>>> *that* off.
> >>>>
> >>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sr...@arbor.net> wrote:
> >>>>
> >>>>> I don't blame them for blocking an (effectively) anonymous tunnel
> >>>>> broker. I'm sure their content providers are forcing their hand.
> >>>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptograph...@gmail.com> wrote:
> >>>>>
> >>>>>> Netflix needs to figure out a fix for this until ISPs actually
> >>>>>> provide IPv6 natively.
> >>>>>>
> >>>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.tros...@gmail.com> wrote:
> >>>>>>
> >>>>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked
> >>>>>> > by Netflix. Any nice people from Netflix perhaps want to
> >>>>>> > take a crack at this?
> >>>>>> >
> >>>>>> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hy...@gmail.com> wrote:
> >>>>>> >
> >>>>>> > > Had the same problem at my house, but it was caused by the
> >>>>>> > > IPv6 connection to HE. Turned off V6 and the device worked.
> >>>>>> > >
> >>>>>> > > --
> >>>>>> > >
> >>>>>> > > Sent with Airmail
> >>>>>> > >
> >>>>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at) wrote:
> >>>>>> > >
> >>>>>> > > Every device in my house is blocked from Netflix this evening
> >>>>>> > > due to their new "VPN blocker". My house is on my own IP space,
> >>>>>> > > and the outside of the NAT that the family devices are on is
> >>>>>> > > 198.202.199.254, announced by AS 11994. A simple ping from
> >>>>>> > > Netflix HQ in Los Gatos to my house should show that I'm no
> >>>>>> > > farther away than Santa Cruz, CA as microwaves fly.
> >>>>>> > >
> >>>>>> > > Unfortunately, when one calls Netflix support to talk about
> >>>>>> > > this, the only response is to say "call your ISP and have them
> >>>>>> > > turn off the VPN software they've added to your account". And
> >>>>>> > > they absolutely refuse to escalate. Even if you tell them that
> >>>>>> > > you are essentially your own ISP.
> >>>>>> > >
> >>>>>> > > So... where's the Netflix network engineer on the list who
> >>>>>> > > all of us can send these issues to directly?
> >>>>>> > >
> >>>>>> > > Matthew Kaufman