LTLnetworker | IT hálózatok, biztonság, Cisco

               IT networks, security, Cisco

Youtube video flaw with an IPv6/IPv4 dual-stack client

Posted by ltlnetworker on February 3, 2014


I wrote four years ago:

I am very happy with my HE IPv6 tunnel. Szívesen lennék natív IPv6 felhasználó is, de az UPC nem ad információt, hogy milyen IPv6 tervei vannak. )-:

UPC Hungary has shown no progress since then so I still have to use the Hurricane Electric tunnel. There are some changes though. Google, Youtube, Facebook, Cisco and other big portals have switched to IPv6/IPv4 dual stack (at least the public facing services) so the amount of my IPv6 traffic has increased. On the other hand, I am unable to watch some Youtube videos due to a Youtube bug.

Some videos cannot be played, I get the error message
An error occurred, please try again later.

y01

If I remove the 6in4 tunnel interface from Windows the video is served normally.

The cause can be identified with packet capture. This is the relevant HTTP flow among the several HTTPS threads (of those I could not decode the payload):

y02

The HTTP header content gives the possible explanation. The GET request contains my IP address which happens to be IPv6. The server is not ready to handle it and replies with 403 Forbidden. (Colon character, the IPv6 address separator is coded as %3A)

GET /videoplayback?algorithm=throttle-factor&burst=40&clen=325650529&cpn=f_B-PHDnsJWimK8e&dur=9811.033&expire=1391285969&factor=1.25&fexp=935643%2C907720%2C906949%2C945000%2C927856%2C929305%2C930901%2C911928%2C936910%2C936913&fr=yes&gcr=de&gir=yes&id=8e9e6c79e1d002f8&ip=2001%3A470%3A1f0a%3Axxxx%3A%3A2&ipbits=0&itag=134&keepalive=yes&key=yt5&lmt=1390793773252930&ms=au&mt=1391261894&mv=m&range=0-1126399&ratebypass=yes&signature=4493BF18BDFB5BCA2B8E405F0A8B2D7FEE5B923A.7461BD2A9303C71943F65CCEDEEF9F79E204E6F4&source=youtube&sparams=algorithm%2Cburst%2Cclen%2Cdur%2Cfactor%2Cgcr%2Cgir%2Cid%2Cip%2Cipbits%2Citag%2Clmt%2Csource%2Cupn%2Cexpire&sver=3&upn=gGsgjAHDgSA HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,7,700,224
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: r6---sn-2apm-f5f6.googlevideo.com
DNT: 1
Connection: Keep-Alive

HTTP/1.1 403 Forbidden
Last-Modified: Wed, 02 May 2007 10:26:10 GMT
Content-Type: text/plain
Connection: close
X-Content-Type-Options: nosniff
Date: Sat, 01 Feb 2014 13:39:45 GMT
Server: gvs 1.0

The r6---sn-2apm-f5f6.googlevideo.com video server is apparently IPv4-only, it has no AAAA record.

C:\>nslookup r6---sn-2apm-f5f6.googlevideo.com
...
Name:    r6.sn-2apm-f5f6.googlevideo.com
Address:  46.28.246.17
Aliases:  r6---sn-2apm-f5f6.googlevideo.com

What is the cause of the error? We can guess if we compare the HTTP messages to those of a working IPv6 stream as not all the videos fail on IPv6. This video server reacts differently: it redirects the client to an IPv6-capable server:

y05

Request and reply on IPv4:

GET /videoplayback?algorithm=throttle-factor&burst=40&clen=159556413&cpn=mSQM1Ep6jssC3tKp&dur=5224.000&expire=1391377361&factor=1.25&fexp=935643%2C907720%2C906949%2C945000%2C927856%2C929305%2C936910%2C936913&fr=yes&gir=yes&id=f253eb1786a8b4f1&ip=2001%3A470%3A1f0a%3Axxxx%3A%3A2&ipbits=0&itag=133&keepalive=yes&key=yt5&lmt=1386308727209579&ms=au&mt=1391354723&mv=m&range=0-557055&ratebypass=yes&signature=64E30F975EEAA8AE72550DF267CFE5C80D2B2DB2.B1DC09B817AB7CD13E8090B53946169040B19576&source=youtube&sparams=algorithm%2Cburst%2Cclen%2Cdur%2Cfactor%2Cgir%2Cid%2Cip%2Cipbits%2Citag%2Clmt%2Csource%2Cupn%2Cexpire&sver=3&upn=dI5RokaMTI0 HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,7,700,224
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: r4---sn-2apm-f5fs.googlevideo.com
DNT: 1
Connection: Keep-Alive

HTTP/1.1 302 Found
Last-Modified: Wed, 02 May 2007 10:26:10 GMT
Date: Sun, 02 Feb 2014 15:26:20 GMT
Expires: Sun, 02 Feb 2014 15:26:20 GMT
Cache-Control: private, max-age=900
Location: http://r13---sn-c0q7lnes.googlevideo.com/videoplayback?algorithm=throttle-factor&burst=40&clen=159556413&cpn=mSQM1Ep6jssC3tKp&dur=5224.000&expire=1391377361&factor=1.25&fexp=935643%2C907720%2C906949%2C945000%2C927856%2C929305%2C936910%2C936913&fr=yes&gir=yes&id=f253eb1786a8b4f1&ip=2001%3A470%3A1f0a%3Axxxx%3A%3A2&ipbits=0&itag=133&keepalive=yes&key=yt5&lmt=1386308727209579&range=0-557055&ratebypass=yes&signature=64E30F975EEAA8AE72550DF267CFE5C80D2B2DB2.B1DC09B817AB7CD13E8090B53946169040B19576&source=youtube&sparams=algorithm%2Cburst%2Cclen%2Cdur%2Cfactor%2Cgir%2Cid%2Cip%2Cipbits%2Citag%2Clmt%2Csource%2Cupn%2Cexpire&sver=3&upn=dI5RokaMTI0&redirect_counter=1&cms_redirect=yes&ms=nxu&mt=1391354725&mv=m
Connection: close
X-Content-Type-Options: nosniff
Content-Type: text/html
Server: gvs 1.0

Request and reply on IPv6:

GET /videoplayback?algorithm=throttle-factor&burst=40&clen=82969771&cpn=mSQM1Ep6jssC3tKp&dur=5224.094&expire=1391377361&factor=1.25&fexp=935643%2C907720%2C906949%2C945000%2C927856%2C929305%2C936910%2C936913&fr=yes&gir=yes&id=f253eb1786a8b4f1&ip=2001%3A470%3A1f0a%3Axxxx%3A%3A2&ipbits=0&itag=140&keepalive=yes&key=yt5&lmt=1386308727174352&range=0-245759&ratebypass=yes&signature=6B4D3958E8D69E98054364F6FB4646EB8D6F4A94.DE0884733A94DFB875376B04D0D9BB998A95E920&source=youtube&sparams=algorithm%2Cburst%2Cclen%2Cdur%2Cfactor%2Cgir%2Cid%2Cip%2Cipbits%2Citag%2Clmt%2Csource%2Cupn%2Cexpire&sver=3&upn=dI5RokaMTI0&redirect_counter=1&cms_redirect=yes&ms=nxu&mt=1391354725&mv=m HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,7,700,224
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: r13---sn-c0q7lnes.googlevideo.com
DNT: 1
Connection: Keep-Alive

HTTP/1.1 200 OK
Last-Modified: Fri, 06 Dec 2013 05:45:27 GMT
Date: Sun, 02 Feb 2014 15:26:21 GMT
Expires: Sun, 02 Feb 2014 15:26:21 GMT
Cache-Control: private, max-age=22280
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 245760
Connection: keep-alive
Alternate-Protocol: 80:quic
X-Content-Type-Options: nosniff
Server: gvs 1.0

> r4---sn-2apm-f5fs.googlevideo.com
...
Name:    r4.sn-2apm-f5fs.googlevideo.com
Address:  208.117.224.15
Aliases:  r4---sn-2apm-f5fs.googlevideo.com

> r13---sn-c0q7lnes.googlevideo.com
...
Name:    r13.sn-c0q7lnes.googlevideo.com
Addresses:  2a00:1450:400d:8::12
          173.194.1.18
Aliases:  r13---sn-c0q7lnes.googlevideo.com

Testing with IPv4-only host when the video stream is OK. The client address in the request is obviously IPv4.

C:\>netsh interface ipv6 delete interface IP6Tunnel

y04

GET /videoplayback?algorithm=throttle-factor&burst=40&clen=325650529&cpn=TagHT7VbvmS9mqSK&dur=9811.033&expire=1391289569&factor=1.25&fexp=935643%2C907720%2C906949%2C945000%2C927856%2C929305%2C930901%2C911928%2C936910%2C936913&fr=yes&gcr=hu&gir=yes&id=8e9e6c79e1d002f8&ip=89.13x.xxx.94&ipbits=0&itag=134&keepalive=yes&key=yt5&lmt=1390793773252930&ms=au&mt=1391263481&mv=m&range=0-1126399&ratebypass=yes&signature=3BDA45F600D1828FDCAE86093D8FE8BD6DF8B2DB.5ABBF98701AF1F1C0C7BAFFB80DE69414FE93246&source=youtube&sparams=algorithm%2Cburst%2Cclen%2Cdur%2Cfactor%2Cgcr%2Cgir%2Cid%2Cip%2Cipbits%2Citag%2Clmt%2Csource%2Cupn%2Cexpire&sver=3&upn=UwxynjPfHTI HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,7,700,224
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: r5---sn-c0q7ln7k.googlevideo.com
DNT: 1
Connection: Keep-Alive

HTTP/1.1 200 OK
Last-Modified: Mon, 27 Jan 2014 03:36:13 GMT
Date: Sat, 01 Feb 2014 14:05:52 GMT
Expires: Sat, 01 Feb 2014 14:05:52 GMT
Cache-Control: private, max-age=25717
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 1126400
Connection: keep-alive
Alternate-Protocol: 80:quic
X-Content-Type-Options: nosniff
Server: gvs 1.0

Of course this is a temporary problem until all services will be available via IPv6. ;-)

Unfortunately I don’t know about a channel where this flaw could be reported to Youtube.

Software version:
Internet Explorer 11.0.9600.16476 update 11.0.2

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: