pay.gov and IPv6
Lee
ler762 at gmail.com
Thu Nov 17 17:48:55 UTC 2016
On 11/16/16, Matthew Kaufman <matthew at matthew.at> wrote:
> The good news is that I reported this particular site as a problem two and
> three years ago, both, and it isn't any worse.
Did you contact Pay.gov Customer Service at:
800-624-1373 (Toll free, Option #2)
or send an email to
pay.gov.clev at clev.frb.org
I just called, but I can't duplicate the problem and they need to work
with someone that is having a problem reaching the site.
Regards,
Lee
>
> Matthew Kaufman
> On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <marka at isc.org> wrote:
>
>>
>> In message <CC8936B2-1396-4375-85AA-A0247FD78012 at consulintel.es>, JORDI PALET MARTINEZ writes:
>> > I think it is not just a matter of testing behind a 1280 MTU, but about making
>> > sure that PMTUD is not broken, so it just works in any circumstances.
>> >
>> > Regards,
>> > Jordi
>>
>> If you don't do MSS fix up a 1280 link in the middle will find PMTUD issues
>> provided the testing host has a MTU > 1280.
>>
>> Mark
>>
>> > -----Original message-----
>> > From: NANOG <nanog-bounces at nanog.org> on behalf of Mark Andrews <marka at isc.org>
>> > Reply to: <marka at isc.org>
>> > Date: Thursday, 17 November 2016, 9:26
>> > To: Lee <ler762 at gmail.com>
>> > CC: <nanog at nanog.org>
>> > Subject: Re: pay.gov and IPv6
>> >
>> >
>> > In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>, Lee writes:
>> > > On 11/16/16, Mark Andrews <marka at isc.org> wrote:
>> > > >
>> > > > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington writes:
>> > > >> -----BEGIN PGP SIGNED MESSAGE-----
>> > > >> Hash: SHA512
>> > > >>
>> > > >> Following up on a two year old thread, one of my clients just hit this
>> > > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
>> > > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
>> > > >> connection, but the connection then hangs waiting for the TLS handshake.
>> > > >>
>> > > >> openssl s_client -connect www.pay.gov:443
>> > > >>
>> > > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
>> > > >>
>> > > >> Browsers (at least firefox) see that as a very slow site, and it does
>> > > >> not trigger their happy eyeballs fast failover to ipv4.
>> > > >
>> > > > Happy eyeballs is about making the connection not whether TCP
>> > > > connections work after the initial packet exchange.
>> > > >
>> > > > I would send a physical letter to the relevant Inspector General
>> > > > requesting that they ensure all web sites under their jurisdiction
>> > > > that are supposed to be reachable from the public net get audited
>> > > > regularly to ensure that IPv6 connections work from public IP space.
>> > >
>> > > That will absolutely work.
>> > >
>> > > NIST is still monitoring ipv6 .gov sites
>> > > https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
>> >
>> > Which show green which means that the tests they are doing are not
>> > sufficient. They need to test from behind a 1280 mtu link.
>> >
>> > The DNSSEC testing is also insufficient. 9-11commission.gov shows
>> > green for example but if you use DNS COOKIES (which BIND 9.10.4 and
>> > BIND 9.11.0 do) then servers barf and return BADVERS and validation
>> > fails. QWEST you have been informed of this already.
>> >
>> > Why the hell should validating resolver have to work around the
>> > crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
>> > servers. You get PAID to do DNS because people think you are
>> > competent to do the job. Evidence shows otherwise.
>> >
>> > https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
>> > servers for .gov. It isn't hard to check.
>> >
>> > > so the IG isn't going to do anything there & pay.gov has a contact us page
>> > > https://pay.gov/public/home/contact
>> > > that I'd bet works much better than a letter to the IG
>> >
>> > You have to be able to get to https://pay.gov/public/home/contact to use
>> > it. Most people don't have the skill set to force the use of IPv4.
>> >
>> > If it is production it should work. It is the I-G's role to ensure this
>> > happens. Butts need to be kicked.
>> >
>> > Mark
>> >
>> > > Regards,
>> > > Lee
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>> >
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>
>
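Added example (not part of any message in this thread): a Python probe that separates the TCP connect from the TLS handshake for one address family, which is the distinction the quoted messages about Happy Eyeballs and PMTUD turn on. The names `probe`, `diagnose` and `silent_listener` and the result strings are hypothetical, and the loopback listener is a constructed stand-in for a path that accepts TCP and then goes silent.

```python
import socket
import ssl

def probe(host, port, family, timeout=5.0):
    """Separate 'TCP connect works' from 'TLS handshake completes' for one address family."""
    try:
        af, kind, proto, _, addr = socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "no_address"
    sock = socket.socket(af, kind, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)              # connection setup: the step Happy Eyeballs is about
    except OSError:
        sock.close()
        return "connect_failed"
    ctx = ssl.create_default_context()
    try:
        # The handshake runs inside wrap_socket; the socket timeout bounds it.
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except socket.timeout:
        return "tls_timeout"            # TCP accepted, then nothing came back
    except (ssl.SSLError, OSError):
        return "tls_error"

def diagnose(v6, v4):
    """Combine the per-family results into a finding (labels are assumptions of this example)."""
    if v6 == "tls_timeout" and v4 == "ok":
        return "v6-stalls-after-connect"   # check PMTUD / MSS handling on the IPv6 path
    if v6 in ("connect_failed", "no_address") and v4 == "ok":
        return "v6-unreachable"            # fails at connect time, before any TLS
    if v6 == "ok" and v4 == "ok":
        return "both-ok"
    return "inconclusive"

def silent_listener():
    """Constructed stand-in for the broken path: the kernel completes the TCP
    handshake for the listening socket, but nothing ever answers the ClientHello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = silent_listener()
    stalled = probe("127.0.0.1", port, socket.AF_INET, timeout=2.0)
    print(stalled, diagnose(stalled, "ok"))
    srv.close()
```

Against a real site, call `probe(host, 443, socket.AF_INET6)` and `probe(host, 443, socket.AF_INET)` from a host whose IPv6 path includes a 1280-byte MTU link, as the thread suggests, and pass both results to `diagnose`.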