pay.gov and IPv6

Lee ler762 at gmail.com
Thu Nov 17 20:32:53 UTC 2016


On 11/17/16, Matthew Kaufman <matthew at matthew.at> wrote:
> I sent email there and to another contact I had at the time.

and the response was?

> And I'm not going to break my users by turning IPv6 back on, so someone
> else will need to work with them.

That's fine, but until someone is willing to work with them don't
expect it to get fixed.

Regards,
Lee


>
> Matthew Kaufman
>
> On Thu, Nov 17, 2016 at 9:48 AM Lee <ler762 at gmail.com> wrote:
>
>> On 11/16/16, Matthew Kaufman <matthew at matthew.at> wrote:
>> > The good news is that I reported this particular site as a problem two and
>> > three years ago, both, and it isn't any worse.
>>
>> did you contact Pay.gov Customer Service at:
>> 800-624-1373 (Toll free, Option #2)
>> or send an email to
>> pay.gov.clev at clev.frb.org
>>
>> I just called, but I can't duplicate the problem and they need to work
>> with someone that is having a problem reaching the site.
>>
>> Regards,
>> Lee
>>
>>
>> >
>> > Matthew Kaufman
>> > On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <marka at isc.org> wrote:
>> >
>> >>
>> >> In message <CC8936B2-1396-4375-85AA-A0247FD78012 at consulintel.es>,
>> >> JORDI PALET MARTINEZ writes:
>> >> > I think it is not just a matter of testing behind a 1280 MTU, but about
>> >> > making sure that PMTUD is not broken, so it just works in any circumstances.
>> >> >
>> >> > Regards,
>> >> > Jordi
>> >>
>> >> If you don't do MSS fix up a 1280 link in the middle will find PMTUD issues
>> >> provided the testing host has a MTU > 1280.
>> >>
>> >> Mark
>> >>
>> >> > -----Original message-----
>> >> > From: NANOG <nanog-bounces at nanog.org> on behalf of Mark Andrews <marka at isc.org>
>> >> > Reply-To: <marka at isc.org>
>> >> > Date: Thursday, 17 November 2016, 9:26
>> >> > To: Lee <ler762 at gmail.com>
>> >> > CC: <nanog at nanog.org>
>> >> > Subject: Re: pay.gov and IPv6
>> >> >
>> >> >
>> >> >     In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>,
>> >> >     Lee writes:
>> >> >     > On 11/16/16, Mark Andrews <marka at isc.org> wrote:
>> >> >     > >
>> >> >     > > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>,
>> >> >     > > Carl Byington writes:
>> >> >     > >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> >     > >> Hash: SHA512
>> >> >     > >>
>> >> >     > >> Following up on a two year old thread, one of my clients just hit this
>> >> >     > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
>> >> >     > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
>> >> >     > >> connection, but the connection then hangs waiting for the TLS handshake.
>> >> >     > >>
>> >> >     > >> openssl s_client -connect www.pay.gov:443
>> >> >     > >>
>> >> >     > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
>> >> >     > >>
>> >> >     > >> Browsers (at least firefox) see that as a very slow site, and it does
>> >> >     > >> not trigger their happy eyeballs fast failover to ipv4.
>> >> >     > >
>> >> >     > > Happy eyeballs is about making the connection not whether TCP
>> >> >     > > connections work after the initial packet exchange.
>> >> >     > >
>> >> >     > > I would send a physical letter to the relevant Inspector General
>> >> >     > > requesting that they ensure all web sites under their jurisdiction
>> >> >     > > that are supposed to be reachable from the public net get audited
>> >> >     > > regularly to ensure that IPv6 connections work from public IP space.
>> >> >     >
>> >> >     > That will absolutely work.
>> >> >     >
>> >> >     > NIST is still monitoring ipv6 .gov sites
>> >> >     >   https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
>> >> >
>> >> >     Which show green which means that the tests they are doing are not
>> >> >     sufficient.  They need to test from behind a 1280 mtu link.
>> >> >
>> >> >     The DNSSEC testing is also insufficient.  9-11commission.gov shows
>> >> >     green for example but if you use DNS COOKIES (which BIND 9.10.4 and
>> >> >     BIND 9.11.0 do) then servers barf and return BADVERS and validation
>> >> >     fails.  QWEST you have been informed of this already.
>> >> >
>> >> >     Why the hell should validating resolver have to work around the
>> >> >     crap you guys are using?  DO YOUR JOBS which is to use RFC COMPLIANT
>> >> >     servers.  You get PAID to do DNS because people think you are
>> >> >     competent to do the job.  Evidence shows otherwise.
>> >> >
>> >> >     https://ednscomp.isc.org/compliance/gov-full-report.html shows the broken
>> >> >     servers for .gov.  It isn't hard to check.
>> >> >
>> >> >     > so the IG isn't going to do anything there & pay.gov has a contact us page
>> >> >     >   https://pay.gov/public/home/contact
>> >> >     > that I'd bet works much better than a letter to the IG
>> >> >
>> >> >     You have to be able to get to https://pay.gov/public/home/contact to use
>> >> >     it.  Most people don't have the skill set to force the use of IPv4.
>> >> >
>> >> >     If it is production it should work.  It is the I-G's role to ensure this
>> >> >     happens.  Butts need to be kicked.
>> >> >
>> >> >     Mark
>> >> >
>> >> >     > Regards,
>> >> >     > Lee
>> >> >     --
>> >> >     Mark Andrews, ISC
>> >> >     1 Seymour St., Dundas Valley, NSW 2117, Australia
>> >> >     PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>> >> >
>> >> --
>> >> Mark Andrews, ISC
>> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> >> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>> >>
>> >
>>
>
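
The failure quoted in this thread (TCP handshake accepted, then a hang waiting for the TLS handshake) passes any monitor that only checks that a connection opens, so a check has to go through the handshake per address family and report the stage reached. This is an added example, not code from any poster or from the monitors mentioned; `probe` and `stalling_listener` are hypothetical names, and the local listener is a constructed stand-in for a path that drops the large handshake packets.

```python
import socket
import ssl

def probe(host, port, family, timeout=5.0, verify=True):
    """Classify how far an HTTPS connection gets over one address family.
    Returns (stage, detail); stage is one of dns_failed, tcp_failed,
    tls_timeout, tls_failed or ok."""
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return ("dns_failed", str(exc))
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)            # small packets only: SYN, SYN-ACK, ACK
    except OSError as exc:
        sock.close()
        return ("tcp_failed", str(exc))
    ctx = ssl.create_default_context()
    if not verify:                    # used only with the local stand-in below
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # The handshake carries the first large packets (certificate chain),
        # which is where a broken-PMTUD path stops delivering data.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except socket.timeout:
        return ("tls_timeout", "TCP connected, TLS handshake stalled")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", str(exc))

def stalling_listener():
    """Constructed stand-in: the kernel completes TCP handshakes on this
    socket, but nothing ever reads the ClientHello or replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

if __name__ == "__main__":
    srv = stalling_listener()
    port = srv.getsockname()[1]
    print(probe("127.0.0.1", port, socket.AF_INET, timeout=1.0, verify=False))
    srv.close()
```

Against a real dual-stack site the same call is made once with `socket.AF_INET6` and once with `socket.AF_INET`; an `ok` on IPv4 next to a `tls_timeout` on IPv6 is the pattern reported above.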


