pay.gov and IPv6

JORDI PALET MARTINEZ jordi.palet at consulintel.es
Thu Nov 17 02:10:16 UTC 2016


I think it is not just a matter of testing behind a 1280 MTU, but about making sure that PMTUD is not broken, so it just works in any circumstances.

Regards,
Jordi


-----Mensaje original-----
De: NANOG <nanog-bounces at nanog.org> en nombre de Mark Andrews <marka at isc.org>
Responder a: <marka at isc.org>
Fecha: jueves, 17 de noviembre de 2016, 9:26
Para: Lee <ler762 at gmail.com>
CC: <nanog at nanog.org>
Asunto: Re: pay.gov and IPv6

    
    In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>
    , Lee writes:
    > On 11/16/16, Mark Andrews <marka at isc.org> wrote:
    > >
    > > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington
    > > writes
    > > :
    > >> -----BEGIN PGP SIGNED MESSAGE-----
    > >> Hash: SHA512
    > >>
    > >> Following up on a two year old thread, one of my clients just hit this
    > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
    > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
    > >> connection, but the connection then hangs waiting for the TLS handshake.
    > >>
    > >> openssl s_client -connect www.pay.gov:443
    > >>
    > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
    > >>
    > >> Browsers (at least firefox) see that as a very slow site, and it does
    > >> not trigger their happy eyeballs fast failover to ipv4.
    > >
    > > Happy eyeballs is about making the connection not whether TCP
    > > connections work after the initial packet exchange.
    > >
    > > I would send a physical letter to the relevent Inspector General
    > > requesting that they ensure all web sites under their juristiction
    > > that are supposed to be reachable from the public net get audited
    > > regularly to ensure that IPv6 connections work from public IP space.
    > 
    > That will absolutely work.
    > 
    > NIST is still monitoring ipv6 .gov sites
    >   https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
    
    Which show green which means that the tests they are doing are not
    sufficient.  They need to test from behind a 1280 mtu link.
    
    The DNSSEC testing is also insufficient.  9-11commission.gov shows
    green for example but if you use DNS COOKIES (which BIND 9.10.4 and
    BIND 9.11.0 do) then servers barf and return BADVERS and validation
    fails.  QWEST you have been informed of this already.
    
    Why the hell should validating resolver have to work around the
    crap you guys are using?  DO YOUR JOBS which is to use RFC COMPLIANT
    servers.  You get PAID to do DNS because people think you are
    compentent to do the job.  Evidence shows otherwise.
    
    https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
    servers for .gov.  It isn't hard to check.
    
    > so the IG isn't going to do anything there & pay.gov has a contact us page
    >   https://pay.gov/public/home/contact
    > that I'd bet works much better than a letter to the IG
    
    You have to be able to get to https://pay.gov/public/home/contact to use
    it.  Most people don't have the skill set to force the use of IPv4.
    
    If it is production it should work.  It is the I-G's role to ensure this
    happens.  Butts need to kicked.
    
    Mark
     
    > Regards,
    > Lee
    -- 
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.






More information about the NANOG mailing list