nanog mailing list archives
Re: pay.gov and IPv6
From: Matthew Kaufman <matthew () matthew at>
Date: Thu, 17 Nov 2016 18:30:37 +0000
I sent email there and to another contact I had at the time. And I'm not going to break my users by turning IPv6 back on, so someone else will need to work with them.

Matthew Kaufman

On Thu, Nov 17, 2016 at 9:48 AM Lee <ler762 () gmail com> wrote:

> On 11/16/16, Matthew Kaufman <matthew () matthew at> wrote:
> > The good news is that I reported this particular site as a problem two and
> > three years ago, both, and it isn't any worse.
>
> did you contact Pay.gov Customer Service at:
> 800-624-1373 (Toll free, Option #2)
> or send an email to pay.gov.clev () clev frb org
>
> I just called, but I can't duplicate the problem and they need to work
> with someone that is having a problem reaching the site.
>
> Regards,
> Lee
>
> > Matthew Kaufman
> >
> > On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <marka () isc org> wrote:
> >
> > > In message <CC8936B2-1396-4375-85AA-A0247FD78012 () consulintel es>,
> > > JORDI PALET MARTINEZ writes:
> > > > I think it is not just a matter of testing behind a 1280 MTU, but about
> > > > making sure that PMTUD is not broken, so it just works in any
> > > > circumstances.
> > > >
> > > > Regards,
> > > > Jordi
> > >
> > > If you don't do MSS fix up a 1280 link in the middle will find PMTUD
> > > issues provided the testing host has a MTU > 1280.
> > >
> > > Mark
> > >
> > > > -----Original message-----
> > > > From: NANOG <nanog-bounces () nanog org> on behalf of Mark Andrews <marka () isc org>
> > > > Reply-To: <marka () isc org>
> > > > Date: Thursday, 17 November 2016, 9:26
> > > > To: Lee <ler762 () gmail com>
> > > > CC: <nanog () nanog org>
> > > > Subject: Re: pay.gov and IPv6
> > > >
> > > > In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw () mail gmail.com>,
> > > > Lee writes:
> > > > > On 11/16/16, Mark Andrews <marka () isc org> wrote:
> > > > > >
> > > > > > In message <1479249003.3937.6.camel () ns five-ten-sg com>, Carl Byington
> > > > > > writes:
> > > > > >> -----BEGIN PGP SIGNED MESSAGE-----
> > > > > >> Hash: SHA512
> > > > > >>
> > > > > >> Following up on a two year old thread, one of my clients just hit this
> > > > > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> > > > > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> > > > > >> connection, but the connection then hangs waiting for the TLS handshake.
> > > > > >>
> > > > > >> openssl s_client -connect www.pay.gov:443
> > > > > >>
> > > > > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> > > > > >>
> > > > > >> Browsers (at least firefox) see that as a very slow site, and it does
> > > > > >> not trigger their happy eyeballs fast failover to ipv4.
> > > > > >
> > > > > > Happy eyeballs is about making the connection not whether TCP
> > > > > > connections work after the initial packet exchange.
> > > > > >
> > > > > > I would send a physical letter to the relevant Inspector General
> > > > > > requesting that they ensure all web sites under their jurisdiction
> > > > > > that are supposed to be reachable from the public net get audited
> > > > > > regularly to ensure that IPv6 connections work from public IP space.
> > > > >
> > > > > That will absolutely work.
> > > > >
> > > > > NIST is still monitoring ipv6 .gov sites
> > > > > https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
> > > >
> > > > Which show green which means that the tests they are doing are not
> > > > sufficient. They need to test from behind a 1280 mtu link.
> > > >
> > > > The DNSSEC testing is also insufficient. 9-11commission.gov shows
> > > > green for example but if you use DNS COOKIES (which BIND 9.10.4 and
> > > > BIND 9.11.0 do) then servers barf and return BADVERS and validation
> > > > fails.
> > > >
> > > > QWEST you have been informed of this already. Why the hell should
> > > > validating resolver have to work around the crap you guys are using?
> > > > DO YOUR JOBS which is to use RFC COMPLIANT servers. You get PAID
> > > > to do DNS because people think you are competent to do the job.
> > > > Evidence shows otherwise.
> > > >
> > > > https://ednscomp.isc.org/compliance/gov-full-report.html show the
> > > > broken servers for .gov. It isn't hard to check.
> > > >
> > > > > so the IG isn't going to do anything there & pay.gov has a contact us page
> > > > > https://pay.gov/public/home/contact
> > > > > that I'd bet works much better than a letter to the IG
> > > >
> > > > You have to be able to get to https://pay.gov/public/home/contact to use
> > > > it. Most people don't have the skill set to force the use of IPv4.
> > > > If it is production it should work. It is the I-G's role to ensure
> > > > this happens. Butts need to be kicked.
> > > >
> > > > Mark
> > > >
> > > > > Regards,
> > > > > Lee
> > > >
> > > > --
> > > > Mark Andrews, ISC
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > PHONE: +61 2 9871 4742 INTERNET: marka () isc org
> > > >
> > > > **********************************************
> > > > IPv4 is over
> > > > Are you ready for the new Internet ?
> > > > http://www.consulintel.es
> > > > The IPv6 Company
> > > >
> > > > This electronic message contains information which may be privileged or
> > > > confidential. The information is intended to be for the use of the
> > > > individual(s) named above. If you are not the intended recipient be aware
> > > > that any disclosure, copying, distribution or use of the contents of this
> > > > information, including attached files, is prohibited.
> > >
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742 INTERNET: marka () isc org
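
The symptom reported in the quoted thread (the TCP handshake completes, then the TLS handshake hangs, on IPv6 only) can be checked per address family with separate connect and handshake steps. The following is an added example, not code from any poster in the thread; `probe`, `compare` and `stalled_listener` are hypothetical names, and the stalled listener is a constructed loopback stand-in for a server whose replies never arrive. A `tls_stalled` result on IPv6 alongside `ok` on IPv4 is consistent with broken PMTUD but does not prove it.

```python
import socket
import ssl

def probe(host, port=443, family=socket.AF_INET6, timeout=5.0):
    """Classify one connection attempt for a single address family."""
    try:
        info = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "no_address"
    sock = socket.socket(info[0], info[1], info[2])
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(info[4])      # SYN / SYN-ACK are small packets
        except OSError:
            return "tcp_failed"
        ctx = ssl.create_default_context()
        try:
            # Handshake as its own step so a stall here is not mistaken
            # for a failed connect().
            sock = ctx.wrap_socket(sock, server_hostname=host,
                                   do_handshake_on_connect=False)
            sock.do_handshake()        # server's reply carries the first large packets
        except socket.timeout:
            return "tls_stalled"       # the symptom described in the thread
        except (ssl.SSLError, OSError):
            return "tls_error"
        return "ok"
    finally:
        sock.close()

def compare(host, port=443, timeout=5.0):
    """Probe the same name over IPv6 and IPv4 so the results can be contrasted."""
    return {"ipv6": probe(host, port, socket.AF_INET6, timeout),
            "ipv4": probe(host, port, socket.AF_INET, timeout)}

def stalled_listener():
    """Constructed stand-in: the kernel completes TCP handshakes, nothing ever answers."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    srv = stalled_listener()
    print(probe("127.0.0.1", srv.getsockname()[1], socket.AF_INET, timeout=1.0))
    srv.close()
```

Run `compare()` from a host whose own MTU is above 1280 and, as the thread points out, from behind a 1280 MTU link, since a monitor on a clean path reports `ok` for a site that stalls for some users.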