pay.gov and IPv6
Mark Andrews
marka at isc.org
Thu Nov 17 02:26:47 UTC 2016
In message <CC8936B2-1396-4375-85AA-A0247FD78012 at consulintel.es>, JORDI PALET MARTINEZ writes:
> I think it is not just a matter of testing behind a 1280 MTU, but about
> making sure that PMTUD is not broken, so it just works in any circumstances.
>
> Regards,
> Jordi
If you don't do MSS fix up, a 1280 link in the middle will find PMTUD issues
provided the testing host has an MTU > 1280.
Mark
> -----Original Message-----
> From: NANOG <nanog-bounces at nanog.org> on behalf of Mark Andrews <marka at isc.org>
> Reply-To: <marka at isc.org>
> Date: Thursday, 17 November 2016, 9:26
> To: Lee <ler762 at gmail.com>
> CC: <nanog at nanog.org>
> Subject: Re: pay.gov and IPv6
>
>
> In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>, Lee writes:
> > On 11/16/16, Mark Andrews <marka at isc.org> wrote:
> > >
> > > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington writes:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA512
> > >>
> > >> Following up on a two year old thread, one of my clients just hit this
> > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> > >> connection, but the connection then hangs waiting for the TLS handshake.
> > >>
> > >> openssl s_client -connect www.pay.gov:443
> > >>
> > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> > >>
> > >> Browsers (at least firefox) see that as a very slow site, and it does
> > >> not trigger their happy eyeballs fast failover to ipv4.
> > >
> > > Happy eyeballs is about making the connection not whether TCP
> > > connections work after the initial packet exchange.
> > >
> > > I would send a physical letter to the relevant Inspector General
> > > requesting that they ensure all web sites under their jurisdiction
> > > that are supposed to be reachable from the public net get audited
> > > regularly to ensure that IPv6 connections work from public IP space.
> >
> > That will absolutely work.
> >
> > NIST is still monitoring ipv6 .gov sites
> > https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
>
> Which show green which means that the tests they are doing are not
> sufficient. They need to test from behind a 1280 mtu link.
>
> The DNSSEC testing is also insufficient. 9-11commission.gov shows
> green for example but if you use DNS COOKIES (which BIND 9.10.4 and
> BIND 9.11.0 do) then servers barf and return BADVERS and validation
> fails. QWEST you have been informed of this already.
>
> Why the hell should a validating resolver have to work around the
> crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
> servers. You get PAID to do DNS because people think you are
> competent to do the job. Evidence shows otherwise.
>
> https://ednscomp.isc.org/compliance/gov-full-report.html shows the broken
> servers for .gov. It isn't hard to check.
>
> > so the IG isn't going to do anything there & pay.gov has a contact us page
> > https://pay.gov/public/home/contact
> > that I'd bet works much better than a letter to the IG
>
> You have to be able to get to https://pay.gov/public/home/contact to use
> it. Most people don't have the skill set to force the use of IPv4.
>
> If it is production it should work. It is the I-G's role to ensure this
> happens. Butts need to be kicked.
>
> Mark
>
> > Regards,
> > Lee
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
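
Added example, not part of the original message or written by anyone in the thread: a small Python probe that reports the TCP connect and the TLS handshake separately for each address, which is the distinction the thread turns on (the connection is accepted, the TLS handshake then hangs, and Happy Eyeballs only reacts to the connect step). The names probe, probe_host and MSS_AT_1280 are hypothetical; to exercise PMTUD it has to run from a host whose MTU is above 1280 over a path that contains a 1280 link with no MSS fix-up.

```python
import socket
import ssl

# 1280-byte IPv6 minimum MTU minus 40-byte IPv6 header and 20-byte TCP header.
MSS_AT_1280 = 1280 - 40 - 20


def probe(addr, server_name, port=443, timeout=5.0):
    """Probe one literal address; report TCP and TLS progress separately.

    state is one of: connect_failed, handshake_stalled, handshake_error, ok.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    result = {"addr": addr, "state": "connect_failed", "mss": None}
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
    except OSError:
        sock.close()
        return result  # the only failure Happy Eyeballs falls back on
    # MSS in effect on this connection. Above MSS_AT_1280 over IPv6, full-size
    # segments do not fit a 1280 link, so the transfer depends on PMTUD.
    result["mss"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG)
    try:
        ctx = ssl.create_default_context()
        ctx.wrap_socket(sock, server_hostname=server_name).close()
        result["state"] = "ok"
    except socket.timeout:
        # TCP handshake completed, no TLS reply within the timeout:
        # the symptom reported in the thread.
        result["state"] = "handshake_stalled"
    except OSError:  # includes ssl.SSLError, resets, certificate failures
        result["state"] = "handshake_error"
    finally:
        sock.close()
    return result


def probe_host(name, port=443, timeout=5.0):
    """Probe every A and AAAA address of name (needs live DNS and network)."""
    infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    return [probe(a, name, port, timeout) for a in addrs]
```

A monitor built on this should alert on handshake_stalled for an IPv6 address even when the IPv4 address of the same name returns ok.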