pay.gov and IPv6

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Wed Nov 16 23:48:10 UTC 2016


It happens too often, unfortunately.

People deploying IPv6 at web sites and other services don’t check if PMTUD is broken by filtering, ECMP, load balancers, etc.

This is the case here:

tbit from 2001:df0:4:4000::1:115 to 2605:3100:fffd:100::15
server-mss 1440, result: pmtud-fail
app: http, url: https://www.pay.gov/
[  0.009] TX SYN             64  seq = 0:0            
[  0.165] RX SYN/ACK         64  seq = 0:1            
[  0.166] TX                 60  seq = 1:1            
[  0.166] TX                371  seq = 1:1(311)        
[  0.325] RX               1500  seq = 1:312(1440)    
[  0.325] RX               1500  seq = 1441:312(1440)  
[  0.325] TX PTB           1280  mtu = 1280
[  0.325] RX               1362  seq = 2881:312(1302)  
[  3.325] RX               1500  seq = 1:312(1440)    
[  3.325] TX PTB           1280  mtu = 1280
[  9.326] RX               1500  seq = 1:312(1440)    
[  9.326] TX PTB           1280  mtu = 1280
[ 21.325] RX               1500  seq = 1:312(1440)    
[ 21.325] TX PTB           1280  mtu = 1280
[ 45.325] RX               1500  seq = 1:312(1440)    



Regards,
Jordi


-----Original Message-----
From: NANOG <nanog-bounces at nanog.org> on behalf of Carl Byington <carl at five-ten-sg.com>
Reply-To: <carl at five-ten-sg.com>
Date: Wednesday, 16 November 2016, 7:30
To: <nanog at nanog.org>
Subject: pay.gov and IPv6

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    
    Following up on a two year old thread, one of my clients just hit this
    problem. The failure is not that www.pay.gov is not reachable over ipv6
    (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
    connection, but the connection then hangs waiting for the TLS handshake.
    
    openssl s_client -connect www.pay.gov:443
    
    openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
    
    Browsers (at least firefox) see that as a very slow site, and it does
    not trigger their happy eyeballs fast failover to ipv4.
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.14 (GNU/Linux)
    
    iEYEAREKAAYFAlgrjDEACgkQL6j7milTFsG8OwCgh5yRxxZHskjL4HVhzxIEmenA
    LQgAniRMcYf/DIcg+8ve55MxUgrUbmzC
    =MS8j
    -----END PGP SIGNATURE-----
    
    
    
    



More information about the NANOG mailing list
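
Added example, not part of the original message and not tbit's own code: a Python check over the data and PTB lines of the trace above, listing every segment the server re-sent at a size above the MTU already reported to it. The function names and the rule that a repeated seq after a PTB counts as a retransmission are assumptions of this example.

```python
import re

# tbit trace lines copied from the message above (data packets and PTBs only).
TRACE = """\
[  0.325] RX               1500  seq = 1:312(1440)
[  0.325] RX               1500  seq = 1441:312(1440)
[  0.325] TX PTB           1280  mtu = 1280
[  0.325] RX               1362  seq = 2881:312(1302)
[  3.325] RX               1500  seq = 1:312(1440)
[  3.325] TX PTB           1280  mtu = 1280
[  9.326] RX               1500  seq = 1:312(1440)
[  9.326] TX PTB           1280  mtu = 1280
[ 21.325] RX               1500  seq = 1:312(1440)
[ 21.325] TX PTB           1280  mtu = 1280
[ 45.325] RX               1500  seq = 1:312(1440)
"""

LINE = re.compile(
    r"\[\s*(?P<t>[\d.]+)\]\s+(?P<dir>TX|RX)\s+(?:(?P<flag>[A-Z/]+)\s+)?"
    r"(?P<size>\d+)\s+(?:seq = (?P<seq>\d+):\d+|mtu = (?P<mtu>\d+))"
)

def oversized_retransmits(trace):
    """Return (time, seq, size) for each segment the server re-sent above the
    MTU already reported to it in a Packet Too Big (PTB) message."""
    seen, mtu, hits = set(), None, []
    for m in map(LINE.search, trace.splitlines()):
        if m is None:
            continue
        if m["dir"] == "TX" and m["flag"] == "PTB":
            mtu = int(m["mtu"])
        elif m["dir"] == "RX" and m["seq"] is not None:
            seq, size = int(m["seq"]), int(m["size"])
            # A repeat of an already-seen seq after a PTB is a retransmission;
            # packets merely in flight when the PTB left are not counted.
            if mtu is not None and seq in seen and size > mtu:
                hits.append((float(m["t"]), seq, size))
            seen.add(seq)
    return hits

def ignores_ptb(trace):
    """True when at least one retransmission stayed above the reported MTU."""
    return bool(oversized_retransmits(trace))

if __name__ == "__main__":
    for t, seq, size in oversized_retransmits(TRACE):
        print(f"{t:7.3f}s  seq {seq} re-sent at {size} bytes")
    print("PTB ignored:", ignores_ptb(TRACE))
```

Run against a server's own trace, an empty result means the retransmissions shrank to fit the reported MTU.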