pay.gov and IPv6

Matthew Kaufman matthew at matthew.at
Thu Nov 17 02:47:00 UTC 2016


The good news is that I reported this particular site as a problem two and
three years ago, both, and it isn't any worse.

Matthew Kaufman
On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <marka at isc.org> wrote:

>
> In message <CC8936B2-1396-4375-85AA-A0247FD78012 at consulintel.es>, JORDI
> PALET MARTINEZ writes:
> > I think it is not just a matter of testing behind a 1280 MTU, but about
> > making sure that PMTUD is not broken, so it just works in any circumstances.
> >
> > Regards,
> > Jordi
>
> If you don't do MSS fix-up, a 1280 link in the middle will find PMTUD issues,
> provided the testing host has an MTU > 1280.
>
> Mark
>
> > -----Original Message-----
> > From: NANOG <nanog-bounces at nanog.org> on behalf of Mark Andrews <marka at isc.org>
> > Reply to: <marka at isc.org>
> > Date: Thursday, 17 November 2016, 9:26
> > To: Lee <ler762 at gmail.com>
> > CC: <nanog at nanog.org>
> > Subject: Re: pay.gov and IPv6
> >
> >
> >     In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>,
> >     Lee writes:
> >     > On 11/16/16, Mark Andrews <marka at isc.org> wrote:
> >     > >
> >     > > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington
> >     > > writes:
> >     > >> -----BEGIN PGP SIGNED MESSAGE-----
> >     > >> Hash: SHA512
> >     > >>
> >     > >> Following up on a two year old thread, one of my clients just hit this
> >     > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> >     > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> >     > >> connection, but the connection then hangs waiting for the TLS handshake.
> >     > >>
> >     > >> openssl s_client -connect www.pay.gov:443
> >     > >>
> >     > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> >     > >>
> >     > >> Browsers (at least firefox) see that as a very slow site, and it does
> >     > >> not trigger their happy eyeballs fast failover to ipv4.
> >     > >
> >     > > Happy eyeballs is about making the connection not whether TCP
> >     > > connections work after the initial packet exchange.
> >     > >
> >     > > I would send a physical letter to the relevant Inspector General
> >     > > requesting that they ensure all web sites under their jurisdiction
> >     > > that are supposed to be reachable from the public net get audited
> >     > > regularly to ensure that IPv6 connections work from public IP space.
> >     >
> >     > That will absolutely work.
> >     >
> >     > NIST is still monitoring ipv6 .gov sites
> >     >   https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
> >
> >     Which shows green, which means that the tests they are doing are not
> >     sufficient.  They need to test from behind a 1280 MTU link.
> >
> >     The DNSSEC testing is also insufficient.  9-11commission.gov shows
> >     green for example but if you use DNS COOKIES (which BIND 9.10.4 and
> >     BIND 9.11.0 do) then servers barf and return BADVERS and validation
> >     fails.  QWEST you have been informed of this already.
> >
> >     Why the hell should a validating resolver have to work around the
> >     crap you guys are using?  DO YOUR JOBS which is to use RFC COMPLIANT
> >     servers.  You get PAID to do DNS because people think you are
> >     competent to do the job.  Evidence shows otherwise.
> >
> >     https://ednscomp.isc.org/compliance/gov-full-report.html shows the broken
> >     servers for .gov.  It isn't hard to check.
> >
> >     > so the IG isn't going to do anything there & pay.gov has a contact us page
> >     >   https://pay.gov/public/home/contact
> >     > that I'd bet works much better than a letter to the IG
> >
> >     You have to be able to get to https://pay.gov/public/home/contact to use
> >     it.  Most people don't have the skill set to force the use of IPv4.
> >
> >     If it is production it should work.  It is the I-G's role to ensure this
> >     happens.  Butts need to be kicked.
> >
> >     Mark
> >
> >     > Regards,
> >     > Lee
> >     --
> >     Mark Andrews, ISC
> >     1 Seymour St., Dundas Valley, NSW 2117, Australia
> >     PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
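The failure mode argued over in this thread (TCP handshake completes, TLS handshake hangs, MSS fix-up or the tester's own MTU decides whether it shows up) is easier to see as a worked model. The following is an added example, not code from the thread or from any of the posters: a small Python simulation of an IPv6 path with a 1280-byte hop between a client and a TLS server. The header sizes are the real IPv6/TCP ones; the ClientHello and server-flight sizes, the `Host`/`Path` classes and the four scenarios are constructed assumptions for the model, not measurements of pay.gov. It goes slightly beyond the thread by also covering the case of a monitor whose own MTU is 1280, which is Mark's point about why a green check proves little.

```python
# Added example, not from the NANOG thread: a small model of an IPv6 path with a
# 1280-byte MTU hop between a client and a TLS server. It shows why the TCP
# handshake can succeed while the TLS handshake hangs when PMTUD is broken
# (ICMPv6 Packet Too Big filtered), why MSS fix-up at the narrow hop avoids it,
# and why a monitor whose own MTU is 1280 never sees the problem.
from dataclasses import dataclass
from typing import Optional

IPV6_HDR = 40        # fixed IPv6 header
TCP_HDR = 20         # TCP header without options
IPV6_MIN_MTU = 1280  # minimum MTU every IPv6 link must carry

# Constructed flight sizes (assumptions for the model, not measured values).
CLIENT_HELLO = 300    # fits in one small segment
SERVER_FLIGHT = 4000  # ServerHello + certificate chain: several full segments


@dataclass
class Path:
    link_mtu: int = IPV6_MIN_MTU     # smallest MTU on the path
    ptb_delivered: bool = True       # does ICMPv6 Packet Too Big reach the sender?
    mss_clamp: Optional[int] = None  # MSS fix-up applied to SYNs crossing the hop


@dataclass
class Host:
    mtu: int = 1500       # interface MTU
    path_mtu: int = 1500  # PMTUD estimate, starts at the interface MTU

    def advertised_mss(self) -> int:
        """MSS option this host puts in its SYN."""
        return self.mtu - IPV6_HDR - TCP_HDR


def clamp(mss: int, path: Path) -> int:
    """Apply the narrow hop's MSS fix-up (if configured) to an MSS option."""
    return mss if path.mss_clamp is None else min(mss, path.mss_clamp)


def send_flight(sender: Host, nbytes: int, peer_mss: int, path: Path) -> bool:
    """Push nbytes of TCP payload from sender, segmenting by the smaller of the
    peer's MSS and the sender's current path-MTU estimate. Returns True when the
    whole flight is delivered, False when a segment black-holes."""
    sent = 0
    while sent < nbytes:
        seg = min(peer_mss, sender.path_mtu - IPV6_HDR - TCP_HDR, nbytes - sent)
        if seg + IPV6_HDR + TCP_HDR <= path.link_mtu:
            sent += seg                      # fits through the narrow hop
        elif path.ptb_delivered:
            sender.path_mtu = path.link_mtu  # PTB arrives: PMTUD works, re-segment
        else:
            return False                     # PTB filtered: retransmitted forever
    return True


def tls_handshake(client: Host, server: Host, path: Path) -> dict:
    """Model one HTTPS connection attempt; returns which stages completed."""
    # SYN and SYN-ACK are tiny, so the TCP handshake always crosses a 1280 hop.
    # This is also why Happy Eyeballs sticks with IPv6: the connection does open.
    mss_for_server = clamp(client.advertised_mss(), path)  # what the server honours
    mss_for_client = clamp(server.advertised_mss(), path)
    result = {"tcp": True, "mss_server_honours": mss_for_server}
    result["client_hello"] = send_flight(client, CLIENT_HELLO, mss_for_client, path)
    # The server's first flight is the large one; this is where a broken path hangs.
    result["tls"] = result["client_hello"] and send_flight(
        server, SERVER_FLIGHT, mss_for_server, path)
    return result


def scenarios() -> dict:
    """The four cases from the thread, as True (works) / False (TLS hangs)."""
    return {
        # PTB gets back to the server: it re-segments and the handshake completes.
        "pmtud_ok": tls_handshake(Host(), Host(), Path())["tls"],
        # PTB filtered, no MSS fix-up: TCP connects, TLS handshake hangs.
        "ptb_filtered": tls_handshake(Host(), Host(), Path(ptb_delivered=False))["tls"],
        # Same broken path with MSS fix-up (1280 - 40 - 20 = 1220) at the hop.
        "mss_fixup": tls_handshake(
            Host(), Host(), Path(ptb_delivered=False, mss_clamp=1220))["tls"],
        # Same broken path, but the *testing* host has a 1280 MTU: it advertises
        # MSS 1220, the server never sends a 1500-byte packet, the check is green.
        "tester_mtu_1280": tls_handshake(
            Host(mtu=1280, path_mtu=1280), Host(), Path(ptb_delivered=False))["tls"],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16s} {'handshake completes' if ok else 'TLS handshake hangs'}")
```

The model deliberately keeps the TCP handshake unconditional: SYN and SYN-ACK never exceed 1280 bytes, so neither a connect() check nor Happy Eyeballs sees anything wrong. Only the server's certificate flight exposes the filtered PTB, and only when the peer advertised an MSS larger than 1220, which is why a 1280-MTU tester or MSS fix-up at the narrow hop both make the symptom disappear without fixing the ICMPv6 filtering itself.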