nanog mailing list archives

Re: pay.gov and IPv6


From: Matthew Kaufman <matthew () matthew at>
Date: Wed, 16 Nov 2016 20:59:32 +0000

I fixed it (and Netflix) by turning off IPv6 for all my users... but any
chance this is a path MTU issue causing the apparent hang?

Matthew Kaufman
On Wed, Nov 16, 2016 at 12:26 PM Mark Andrews <marka () isc org> wrote:


In message <1479249003.3937.6.camel () ns five-ten-sg com>, Carl Byington writes:

Following up on a two year old thread, one of my clients just hit this
problem. The failure is not that www.pay.gov is not reachable over ipv6
(2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
connection, but the connection then hangs waiting for the TLS handshake.

openssl s_client -connect www.pay.gov:443

openssl s_client -servername www.pay.gov -connect 199.169.192.21:443

Browsers (at least firefox) see that as a very slow site, and it does
not trigger their happy eyeballs fast failover to ipv4.

Happy eyeballs is about making the connection not whether TCP
connections work after the initial packet exchange.

I would send a physical letter to the relevant Inspector General
requesting that they ensure all web sites under their jurisdiction
that are supposed to be reachable from the public net get audited
regularly to ensure that IPv6 connections work from public IP space.

While you are sending the letter can you also ask why pay.gov's DNS
servers are broken.

Checking: 'pay.gov' as at 2016-11-16T20:21:28Z

pay.gov @199.169.194.28 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @2605:3100:fffc:100::7 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @199.169.192.28 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @2605:3100:fffd:100::7 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok

Mark



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
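
The failure mode discussed in this thread (TCP connect succeeds, TLS handshake never completes, so Happy Eyeballs has nothing to fail over from) can be checked per address by timing the two stages separately. The following is an added example, not code from the thread; `probe`, `compare` and `silent_listener` are hypothetical names, and the local listener is a constructed stand-in for a server that accepts connections and then goes quiet.

```python
import socket
import ssl
import time

def probe(address, port, server_name, timeout=5.0):
    """Classify one literal address: 'tcp_failed', 'tls_stalled', 'tls_failed' or 'ok'."""
    start = time.monotonic()
    try:
        # Stage 1: TCP three-way handshake only (the part Happy Eyeballs races).
        sock = socket.create_connection((address, port), timeout=timeout)
    except OSError:
        return "tcp_failed", time.monotonic() - start
    try:
        # Stage 2: TLS handshake with SNI, like `openssl s_client -servername`.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=server_name):
            return "ok", time.monotonic() - start
    except socket.timeout:
        # TCP connected but no ServerHello arrived in time: the reported hang.
        return "tls_stalled", time.monotonic() - start
    except (ssl.SSLError, OSError):
        # Handshake was answered but rejected (certificate, alert, reset).
        return "tls_failed", time.monotonic() - start
    finally:
        sock.close()  # harmless if wrap_socket already took over the descriptor

def compare(server_name, addresses, port=443, timeout=5.0):
    """Probe each literal IPv4/IPv6 address and return {address: stage}."""
    return {a: probe(a, port, server_name, timeout)[0] for a in addresses}

def silent_listener():
    """Constructed stand-in: the kernel completes TCP handshakes, nothing ever replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    srv = silent_listener()
    # example.test is a placeholder SNI name for the local demonstration.
    print(probe("127.0.0.1", srv.getsockname()[1], "example.test", timeout=1.0))
    srv.close()
```

Passing a host's IPv4 and IPv6 literals to `compare` with the same `server_name` shows whether only one address family stalls after connect.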


