pay.gov and IPv6
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Thu Nov 17 02:10:16 UTC 2016
I think it is not just a matter of testing behind a 1280 MTU, but about making sure that PMTUD is not broken, so it just works in any circumstances.
De: NANOG <nanog-bounces at nanog.org> en nombre de Mark Andrews <marka at isc.org>
Responder a: <marka at isc.org>
Fecha: jueves, 17 de noviembre de 2016, 9:26
Para: Lee <ler762 at gmail.com>
CC: <nanog at nanog.org>
Asunto: Re: pay.gov and IPv6
In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>
, Lee writes:
> On 11/16/16, Mark Andrews <marka at isc.org> wrote:
> > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington
> > writes
> > :
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >> Following up on a two year old thread, one of my clients just hit this
> >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> >> connection, but the connection then hangs waiting for the TLS handshake.
> >> openssl s_client -connect www.pay.gov:443
> >> openssl s_client -servername www.pay.gov -connect 126.96.36.199:443
> >> Browsers (at least firefox) see that as a very slow site, and it does
> >> not trigger their happy eyeballs fast failover to ipv4.
> > Happy eyeballs is about making the connection not whether TCP
> > connections work after the initial packet exchange.
> > I would send a physical letter to the relevent Inspector General
> > requesting that they ensure all web sites under their juristiction
> > that are supposed to be reachable from the public net get audited
> > regularly to ensure that IPv6 connections work from public IP space.
> That will absolutely work.
> NIST is still monitoring ipv6 .gov sites
Which show green which means that the tests they are doing are not
sufficient. They need to test from behind a 1280 mtu link.
The DNSSEC testing is also insufficient. 9-11commission.gov shows
green for example but if you use DNS COOKIES (which BIND 9.10.4 and
BIND 9.11.0 do) then servers barf and return BADVERS and validation
fails. QWEST you have been informed of this already.
Why the hell should validating resolver have to work around the
crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
servers. You get PAID to do DNS because people think you are
compentent to do the job. Evidence shows otherwise.
https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
servers for .gov. It isn't hard to check.
> so the IG isn't going to do anything there & pay.gov has a contact us page
> that I'd bet works much better than a letter to the IG
You have to be able to get to https://pay.gov/public/home/contact to use
it. Most people don't have the skill set to force the use of IPv4.
If it is production it should work. It is the I-G's role to ensure this
happens. Butts need to kicked.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
IPv4 is over
Are you ready for the new Internet ?
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
More information about the NANOG