pay.gov and IPv6

Matthew Kaufman matthew at matthew.at
Thu Nov 17 18:30:37 UTC 2016


I sent email there and to another contact I had at the time.

And I'm not going to break my users by turning IPv6 back on, so someone
else will need to work with them.

Matthew Kaufman

On Thu, Nov 17, 2016 at 9:48 AM Lee <ler762 at gmail.com> wrote:

> On 11/16/16, Matthew Kaufman <matthew at matthew.at> wrote:
> > The good news is that I reported this particular site as a problem two and
> > three years ago, both, and it isn't any worse.
>
> did you contact Pay.gov Customer Service at:
> 800-624-1373 (Toll free, Option #2)
> or send an email to
> pay.gov.clev at clev.frb.org
>
> I just called, but I can't duplicate the problem and they need to work
> with someone that is having a problem reaching the site.
>
> Regards,
> Lee
>
>
> >
> > Matthew Kaufman
> > On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <marka at isc.org> wrote:
> >
> >>
> >> In message <CC8936B2-1396-4375-85AA-A0247FD78012 at consulintel.es>, JORDI PALET MARTINEZ writes:
> >> > I think it is not just a matter of testing behind a 1280 MTU, but about
> >> > making sure that PMTUD is not broken, so it just works in any circumstances.
> >> >
> >> > Regards,
> >> > Jordi
> >>
> >> If you don't do MSS fix up a 1280 link in the middle will find PMTUD issues
> >> provided the testing host has a MTU > 1280.
> >>
> >> Mark
> >>
> >> > -----Original message-----
> >> > From: NANOG <nanog-bounces at nanog.org> on behalf of Mark Andrews <marka at isc.org>
> >> > Reply-To: <marka at isc.org>
> >> > Date: Thursday, 17 November 2016, 9:26
> >> > To: Lee <ler762 at gmail.com>
> >> > CC: <nanog at nanog.org>
> >> > Subject: Re: pay.gov and IPv6
> >> >
> >> >
> >> >     In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw at mail.gmail.com>, Lee writes:
> >> >     > On 11/16/16, Mark Andrews <marka at isc.org> wrote:
> >> >     > >
> >> >     > > In message <1479249003.3937.6.camel at ns.five-ten-sg.com>, Carl Byington writes:
> >> >     > >> -----BEGIN PGP SIGNED MESSAGE-----
> >> >     > >> Hash: SHA512
> >> >     > >>
> >> >     > >> Following up on a two year old thread, one of my clients just hit this
> >> >     > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> >> >     > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> >> >     > >> connection, but the connection then hangs waiting for the TLS handshake.
> >> >     > >>
> >> >     > >> openssl s_client -connect www.pay.gov:443
> >> >     > >>
> >> >     > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> >> >     > >>
> >> >     > >> Browsers (at least firefox) see that as a very slow site, and it does
> >> >     > >> not trigger their happy eyeballs fast failover to ipv4.
> >> >     > >
> >> >     > > Happy eyeballs is about making the connection not whether TCP
> >> >     > > connections work after the initial packet exchange.
> >> >     > >
> >> >     > > I would send a physical letter to the relevant Inspector General
> >> >     > > requesting that they ensure all web sites under their jurisdiction
> >> >     > > that are supposed to be reachable from the public net get audited
> >> >     > > regularly to ensure that IPv6 connections work from public IP space.
> >> >     >
> >> >     > That will absolutely work.
> >> >     >
> >> >     > NIST is still monitoring ipv6 .gov sites
> >> >     >   https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
> >> >
> >> >     Which show green which means that the tests they are doing are not
> >> >     sufficient.  They need to test from behind a 1280 mtu link.
> >> >
> >> >     The DNSSEC testing is also insufficient.  9-11commission.gov shows
> >> >     green for example but if you use DNS COOKIES (which BIND 9.10.4 and
> >> >     BIND 9.11.0 do) then servers barf and return BADVERS and validation
> >> >     fails.  QWEST you have been informed of this already.
> >> >
> >> >     Why the hell should validating resolver have to work around the
> >> >     crap you guys are using?  DO YOUR JOBS which is to use RFC COMPLIANT
> >> >     servers.  You get PAID to do DNS because people think you are
> >> >     competent to do the job.  Evidence shows otherwise.
> >> >
> >> >     https://ednscomp.isc.org/compliance/gov-full-report.html shows the broken
> >> >     servers for .gov.  It isn't hard to check.
> >> >
> >> >     > so the IG isn't going to do anything there & pay.gov has a contact us page
> >> >     >   https://pay.gov/public/home/contact
> >> >     > that I'd bet works much better than a letter to the IG
> >> >
> >> >     You have to be able to get to https://pay.gov/public/home/contact to use
> >> >     it.  Most people don't have the skill set to force the use of IPv4.
> >> >
> >> >     If it is production it should work.  It is the I-G's role to ensure this
> >> >     happens.  Butts need to be kicked.
> >> >
> >> >     Mark
> >> >
> >> >     > Regards,
> >> >     > Lee
> >> >     --
> >> >     Mark Andrews, ISC
> >> >     1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> >     PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >> >
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >>
> >
>
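
Added example (not part of the original thread): a small Python probe that reports at which stage a connection fails, so the symptom quoted above (TCP connects over IPv6, then the TLS handshake hangs) can be told apart from an unreachable address. The names probe and silent_listener are hypothetical, and the local listener is a constructed stand-in for the failing server.

```python
import socket
import ssl

def probe(host, port=443, family=socket.AF_INET6, timeout=5.0, sni=None):
    """Report which stage fails: address lookup, TCP connect or TLS handshake."""
    try:
        fam, kind, proto, _, addr = socket.getaddrinfo(
            host, port, family, socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return ("no_address", str(exc))
    sock = socket.socket(fam, kind, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        return ("tcp_connect_failed", str(exc))
    # TCP is up, which is the only thing Happy Eyeballs races on. The TLS
    # handshake is where the server's first large segments have to arrive.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return ("ok", tls.version())
    except socket.timeout:
        return ("tls_handshake_timeout",
                "TCP connected, no TLS reply within %.1fs" % timeout)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_error", str(exc))
    finally:
        sock.close()  # harmless if wrap_socket already took over the socket

def silent_listener():
    """Constructed stand-in: the kernel completes the TCP handshake from the
    listen backlog, but nothing ever answers the ClientHello."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    srv = silent_listener()
    print(probe("127.0.0.1", srv.getsockname()[1], socket.AF_INET, timeout=1.0))
    srv.close()
    # Against a dual-stack site, run probe(host, family=socket.AF_INET6) and
    # probe(host, family=socket.AF_INET) and compare the two stages.
```

A tls_handshake_timeout over IPv6 alongside ok over IPv4 matches the symptom described in the thread; it is consistent with a PMTUD problem but does not by itself prove one.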


