Hi Marvin,
Thanks for your thoughts! I had to look up the current situation. My idea worked up to 2011, before that date Netflix used two or three cdns with distinguishable DNS names (I found one list of 3 cdn DNS names in a scientific paper, discussing Netflix's caching and cdn architecture), before that (around 2007) they even used anycast (easy to catch with class maps). But this is all obsolete now.
Netflix changed it's cdn architecture in 2011 and is now offering caching servers to IPSs free of charge. According to technical details I have found (link to PDF) it means that ISPs can set aside one small prefix from their own address space (netflix allows even /31s) for Netflix caching and install the completely preconfigured server, called "OCA" in their network.
The OCA learns through a BGP-session from the ISP which prefixes from the ISPs address pool are allowed to connect to this specific OCA. The learned routes are only used to filter access to the streaming content, not for routing (routing is done with a preconfigured 0.0.0.0/0). The OCA connects to the Netflix cloud control plane and sends the list of allowed prefixes.
Clients (Netflix customers) are directed through this cloud control plane to the IP address of the most appropriate OCA.
Which means, today there's is little chance to catch Netflix traffic with high confidence as ISPs can add additional OCAs with new addresses and most likely no distinguishable DNS domain names.
I think it will be difficult for content filters to catch up with the constantly changing list of OCA IP-addresses unless Netflix publishes it on a regular basis.
So much for policing Netflix...
Best regards, MiKa
