Netflix and Hurricane Electric's IPv6 service

For a few years now, I've used Hurricane Electric to get a native IPv6 tunnel to the internet. I've also been using Netflix streaming since it was first introduced. Life was good.

Netflix, at the behest of its content suppliers, has started to crack down on folks using VPNs or proxies, because they're often used to work around artificial geographical restrictions.

A day or two ago, that blocked proxy list grew to include Hurricane Electric's IPv6 service, which I make heavy use of. Despite a US billing address, being physically located in the US, and using a US tunnel endpoint, Netflix treats me as an eeeevil bad person.

Their only advice is "disable your proxy", which is not an option as I have IPv6-attached servers that need to remain online.

Netflix's applications don't provide a way to utilize IPv4 only, which basically means I had to figure out a way to force Netflix traffic to travel over IPv4. Ideally, I'd block the IPv6 AAAA DNS lookups, but there's no simple way to do that.

However, one can just null-route the entire Netflix IPv6 address range:

    ip -6 route add blackhole 2406:da00:ff00::/96 # AWS
    ip -6 route add blackhole 2607:FB10::/32
    ip -6 route add blackhole 2620:0:ef0::/48
    ip -6 route add blackhole 2a00:86c0::/32

This will, after a little delay, cause Netflix to fall back to using IPv4, and all is well.
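The null-routing step above as a re-runnable script; this is an added example, not part of the original post. The function names, the `--apply`/`--remove` arguments and the optional route type are this example's own choices: `unreachable` and `prohibit` are standard `ip route` types that answer with an ICMPv6 error instead of dropping silently, which typically lets clients behind the router fall back to IPv4 sooner.

```shell
#!/bin/sh
# Added example: install or remove the null routes listed in the post.
# Prefixes are copied from the post; everything else is illustrative.
PREFIXES="2406:da00:ff00::/96
2607:FB10::/32
2620:0:ef0::/48
2a00:86c0::/32"

# route_cmds ACTION [TYPE]: print one ip(8) command per prefix.
#   ACTION  replace (install; safe to run repeatedly) or del (remove)
#   TYPE    blackhole (silent drop, as in the post), unreachable or prohibit
route_cmds() {
    action=$1
    rtype=${2:-blackhole}
    case $action in
        replace|del) ;;
        *) echo "bad action: $action" >&2; return 2 ;;
    esac
    case $rtype in
        blackhole|unreachable|prohibit) ;;
        *) echo "bad route type: $rtype" >&2; return 2 ;;
    esac
    for prefix in $PREFIXES; do
        echo "ip -6 route $action $rtype $prefix"
    done
}

# apply_routes ACTION [TYPE]: run the generated commands (needs root).
apply_routes() {
    cmds=$(route_cmds "$@") || return
    echo "$cmds" | while read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
}

# With no argument this only prints the commands; nothing is changed.
case ${1:-} in
    --apply)  apply_routes replace "${2:-blackhole}" ;;
    --remove) apply_routes del "${2:-blackhole}" ;;
    *)        route_cmds replace "${2:-blackhole}" ;;
esac
```

Routes added with `ip` do not survive a reboot, so run the script with `--apply` from whatever brings the tunnel interface up.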

Ironically, being able to avoid this sort of BS is one of the reasons why Netflix was such a compelling service, but the balance is tilting back towards piracy providing a better overall user experience. Part of me hopes that the stats show a nice correlation between making legal services less useful and piracy rates going back up.

Addendum: About a year ago, my ISP (Comcast Business) rolled out native IPv6 service which by all accounts works quite well. Unfortunately, they don't offer a static IPv6 allocation, which renders the whole thing useless for my needs.

UPDATE 2016/07/31 -- Added in additional IP ranges
