nanog mailing list archives

Re: pay.gov and IPv6


From: JORDI PALET MARTINEZ <jordi.palet () consulintel es>
Date: Thu, 17 Nov 2016 08:48:10 +0900

It happens too often, unfortunately.

People deploying IPv6 at web sites and other services don’t check if PMTUD is broken by filtering, ECMP, load balancers, etc.

This is the case here:

tbit from 2001:df0:4:4000::1:115 to 2605:3100:fffd:100::15
server-mss 1440, result: pmtud-fail
app: http, url: https://www.pay.gov/
[  0.009] TX SYN             64  seq = 0:0            
[  0.165] RX SYN/ACK         64  seq = 0:1            
[  0.166] TX                 60  seq = 1:1            
[  0.166] TX                371  seq = 1:1(311)        
[  0.325] RX               1500  seq = 1:312(1440)    
[  0.325] RX               1500  seq = 1441:312(1440)  
[  0.325] TX PTB           1280  mtu = 1280
[  0.325] RX               1362  seq = 2881:312(1302)  
[  3.325] RX               1500  seq = 1:312(1440)    
[  3.325] TX PTB           1280  mtu = 1280
[  9.326] RX               1500  seq = 1:312(1440)    
[  9.326] TX PTB           1280  mtu = 1280
[ 21.325] RX               1500  seq = 1:312(1440)    
[ 21.325] TX PTB           1280  mtu = 1280
[ 45.325] RX               1500  seq = 1:312(1440)    



Regards,
Jordi


-----Original Message-----
From: NANOG <nanog-bounces () nanog org> on behalf of Carl Byington <carl () five-ten-sg com>
Reply-To: <carl () five-ten-sg com>
Date: Wednesday, 16 November 2016, 7:30
To: <nanog () nanog org>
Subject: pay.gov and IPv6

    
    Following up on a two year old thread, one of my clients just hit this
    problem. The failure is not that www.pay.gov is not reachable over ipv6
    (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
    connection, but the connection then hangs waiting for the TLS handshake.
    
    openssl s_client -connect www.pay.gov:443
    
    openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
    
    Browsers (at least firefox) see that as a very slow site, and it does
    not trigger their happy eyeballs fast failover to ipv4.
    
    



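As an added illustration (not part of the original thread, and not tbit's own logic), the Python sketch below reads the packet lines of the trace in the reply above and flags the pattern that marks the PMTUD black hole: after a Packet Too Big (PTB) for MTU 1280 has been sent, the server keeps retransmitting the same sequence number in a packet larger than that MTU. The names `analyse` and `backoff` are made up for this example.

```python
import re

# Packet lines copied from the tbit trace quoted in the message above.
TRACE = """\
[  0.009] TX SYN             64  seq = 0:0
[  0.165] RX SYN/ACK         64  seq = 0:1
[  0.166] TX                 60  seq = 1:1
[  0.166] TX                371  seq = 1:1(311)
[  0.325] RX               1500  seq = 1:312(1440)
[  0.325] RX               1500  seq = 1441:312(1440)
[  0.325] TX PTB           1280  mtu = 1280
[  0.325] RX               1362  seq = 2881:312(1302)
[  3.325] RX               1500  seq = 1:312(1440)
[  3.325] TX PTB           1280  mtu = 1280
[  9.326] RX               1500  seq = 1:312(1440)
[  9.326] TX PTB           1280  mtu = 1280
[ 21.325] RX               1500  seq = 1:312(1440)
[ 21.325] TX PTB           1280  mtu = 1280
[ 45.325] RX               1500  seq = 1:312(1440)
"""
# [time] direction, optional flag, packet size, then "seq = N..." or "mtu = N"
LINE = re.compile(r"\[\s*(?P<t>[\d.]+)\]\s+(?P<dir>TX|RX)\s+(?:(?P<flag>[A-Z/]+)\s+)?"
                  r"(?P<size>\d+)\s+(?:seq|mtu) = (?P<val>\d+)")

def analyse(trace):
    """Return (verdict, times of retransmissions still larger than the PTB MTU)."""
    mtu = None      # MTU from the most recent Packet Too Big we sent
    seen = set()    # sequence numbers of data segments already received
    stuck = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        t, size, val = float(m["t"]), int(m["size"]), int(m["val"])
        if m["dir"] == "TX" and m["flag"] == "PTB":
            mtu = val
        elif m["dir"] == "RX" and m["flag"] is None:
            # A segment already in flight when the PTB left carries a new
            # sequence number; only a retransmission shows the PTB had no effect.
            if mtu is not None and val in seen and size > mtu:
                stuck.append(t)
            seen.add(val)
    return ("pmtud-fail" if stuck else "ok"), stuck

def backoff(times):
    """Whole-second gaps between successive oversized retransmissions."""
    return [round(b - a) for a, b in zip(times, times[1:])]
```

On this trace the gaps double each time, which is the sender's retransmission timer backing off while the segment size stays at 1500 bytes.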



