I think it is not just a matter of testing behind a 1280 MTU, but about making
sure that PMTUD is not broken, so it just works in any circumstances.
Regards,
Jordi
-----Mensaje original-----
De: NANOG <nanog-boun...@nanog.org> en nombre de Mark Andrews <ma...@isc.org>
Responder a: <ma...@isc.org>
Fecha: jueves, 17 de noviembre de 2016, 9:26
Para: Lee <ler...@gmail.com>
CC: <nanog@nanog.org>
Asunto: Re: pay.gov and IPv6
In message
<cad8gwsvetsmn1ssfk_adttkheog0e1zfxrld11fpkbpjghm...@mail.gmail.com>
, Lee writes:
> On 11/16/16, Mark Andrews <ma...@isc.org> wrote:
> >
> > In message <1479249003.3937.6.ca...@ns.five-ten-sg.com>, Carl Byington
> > writes
> > :
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA512
> >>
> >> Following up on a two year old thread, one of my clients just hit this
> >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> >> connection, but the connection then hangs waiting for the TLS
handshake.
> >>
> >> openssl s_client -connect www.pay.gov:443
> >>
> >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> >>
> >> Browsers (at least firefox) see that as a very slow site, and it does
> >> not trigger their happy eyeballs fast failover to ipv4.
> >
> > Happy eyeballs is about making the connection not whether TCP
> > connections work after the initial packet exchange.
> >
> > I would send a physical letter to the relevent Inspector General
> > requesting that they ensure all web sites under their juristiction
> > that are supposed to be reachable from the public net get audited
> > regularly to ensure that IPv6 connections work from public IP space.
>
> That will absolutely work.
>
> NIST is still monitoring ipv6 .gov sites
> https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
Which show green which means that the tests they are doing are not
sufficient. They need to test from behind a 1280 mtu link.
The DNSSEC testing is also insufficient. 9-11commission.gov shows
green for example but if you use DNS COOKIES (which BIND 9.10.4 and
BIND 9.11.0 do) then servers barf and return BADVERS and validation
fails. QWEST you have been informed of this already.
Why the hell should validating resolver have to work around the
crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
servers. You get PAID to do DNS because people think you are
compentent to do the job. Evidence shows otherwise.
https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
servers for .gov. It isn't hard to check.
> so the IG isn't going to do anything there & pay.gov has a contact us page
> https://pay.gov/public/home/contact
> that I'd bet works much better than a letter to the IG
You have to be able to get to https://pay.gov/public/home/contact to use
it. Most people don't have the skill set to force the use of IPv4.
If it is production it should work. It is the I-G's role to ensure this
happens. Butts need to kicked.
Mark
> Regards,
> Lee
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
This electronic message contains information which may be privileged or
confidential. The information is intended to be for the use of the
individual(s) named above. If you are not the intended recipient be aware that
any disclosure, copying, distribution or use of the contents of this
information, including attached files, is prohibited.
