nanog mailing list archives

Re: pay.gov and IPv6


From: Matthew Kaufman <matthew () matthew at>
Date: Thu, 17 Nov 2016 18:30:37 +0000

I sent email there and to another contact I had at the time.

And I'm not going to break my users by turning IPv6 back on, so someone
else will need to work with them.

Matthew Kaufman

On Thu, Nov 17, 2016 at 9:48 AM Lee <ler762 () gmail com> wrote:

On 11/16/16, Matthew Kaufman <matthew () matthew at> wrote:
The good news is that I reported this particular site as a problem two and
three years ago, both, and it isn't any worse.

did you contact Pay.gov Customer Service at:
800-624-1373 (Toll free, Option #2)
or send an email to
pay.gov.clev () clev frb org

I just called, but I can't duplicate the problem and they need to work
with someone that is having a problem reaching the site.

Regards,
Lee



Matthew Kaufman
On Wed, Nov 16, 2016 at 6:29 PM Mark Andrews <marka () isc org> wrote:


In message <CC8936B2-1396-4375-85AA-A0247FD78012 () consulintel es>,
JORDI PALET MARTINEZ writes:
I think it is not just a matter of testing behind a 1280 MTU, but about
making sure that PMTUD is not broken, so it just works in any circumstances.

Regards,
Jordi

If you don't do MSS fix up a 1280 link in the middle will find PMTUD issues
provided the testing host has a MTU > 1280.

Mark

-----Original Message-----
From: NANOG <nanog-bounces () nanog org> on behalf of Mark Andrews <marka () isc org>
Reply-To: <marka () isc org>
Date: Thursday, 17 November 2016, 9:26
To: Lee <ler762 () gmail com>
CC: <nanog () nanog org>
Subject: Re: pay.gov and IPv6


    In message <CAD8GWsvetSmn1ssFk_AdTtKheog0e1ZfXRLd11FpkbPJGHM6hw () mail gmail.com>,
    Lee writes:
    > On 11/16/16, Mark Andrews <marka () isc org> wrote:
    > >
    > > In message <1479249003.3937.6.camel () ns five-ten-sg com>, Carl Byington
    > > writes:
    > >> -----BEGIN PGP SIGNED MESSAGE-----
    > >> Hash: SHA512
    > >>
    > >> Following up on a two year old thread, one of my clients just hit this
    > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
    > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
    > >> connection, but the connection then hangs waiting for the TLS handshake.
    > >>
    > >> openssl s_client -connect www.pay.gov:443
    > >>
    > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
    > >>
    > >> Browsers (at least firefox) see that as a very slow site, and it does
    > >> not trigger their happy eyeballs fast failover to ipv4.
    > >
    > > Happy eyeballs is about making the connection not whether TCP
    > > connections work after the initial packet exchange.
    > >
    > > I would send a physical letter to the relevant Inspector General
    > > requesting that they ensure all web sites under their jurisdiction
    > > that are supposed to be reachable from the public net get audited
    > > regularly to ensure that IPv6 connections work from public IP space.
    >
    > That will absolutely work.
    >
    > NIST is still monitoring ipv6 .gov sites
    >   https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov

    Which show green which means that the tests they are doing are not
    sufficient.  They need to test from behind a 1280 mtu link.

    The DNSSEC testing is also insufficient.  9-11commission.gov shows
    green for example but if you use DNS COOKIES (which BIND 9.10.4 and
    BIND 9.11.0 do) then servers barf and return BADVERS and validation
    fails.  QWEST you have been informed of this already.

    Why the hell should validating resolver have to work around the
    crap you guys are using?  DO YOUR JOBS which is to use RFC COMPLIANT
    servers.  You get PAID to do DNS because people think you are
    competent to do the job.  Evidence shows otherwise.

    https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
    servers for .gov.  It isn't hard to check.

    > so the IG isn't going to do anything there & pay.gov has a contact us page
    >   https://pay.gov/public/home/contact
    > that I'd bet works much better than a letter to the IG

    You have to be able to get to https://pay.gov/public/home/contact to use
    it.  Most people don't have the skill set to force the use of IPv4.

    If it is production it should work.  It is the I-G's role to ensure this
    happens.  Butts need to be kicked.

    Mark

    > Regards,
    > Lee
    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742
 INTERNET: marka () isc org








--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
 INTERNET: marka () isc org
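
The symptom reported in the quoted messages (TCP connects over IPv6, then the TLS handshake hangs) can be told apart from plain unreachability by timing the two stages separately per address family. The following is an added example, not code from any poster in this thread; the function names, result labels and timeout values are assumptions chosen for illustration. An `ipv6: tls_hang` result next to `ipv4: ok` matches the report above.

```python
import socket
import ssl
import sys


def probe(host, addr, family, port=443, timeout=5.0):
    """Classify one address as 'tcp_fail', 'tls_hang', 'tls_error' or 'ok'."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))          # three-way handshake only
    except OSError:
        sock.close()
        return "tcp_fail"
    ctx = ssl.create_default_context()
    # Reachability probe only: no application data is sent, so certificate
    # validation is switched off to keep the result about the transport.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except socket.timeout:                  # server flight never arrived
        return "tls_hang"
    except OSError:                         # includes ssl.SSLError, resets
        return "tls_error"
    finally:
        sock.close()


def compare_families(host, port=443, timeout=5.0):
    """Probe the first IPv6 and first IPv4 address of host separately."""
    results = {}
    for family, label in ((socket.AF_INET6, "ipv6"), (socket.AF_INET, "ipv4")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            results[label] = "no_address"
            continue
        results[label] = probe(host, infos[0][4][0], family, port, timeout)
    return results


if __name__ == "__main__":
    # Host name is taken from the command line; nothing is hard-coded.
    print(compare_families(sys.argv[1]))
```
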




