Re: pay.gov and IPv6

[JORDI PALET MARTINEZ <jordi.palet () consulintel es>]

Somebody pointed to me that even happy eyeballs will not fall back to IPv4 when PMTUD is blocked …

This is a big issue, many folks are deploying IPv6 web sites, and not double-checking this. Actually, this is VERY BIG 
issue with all the 1&1 sites. I tried to contact them many times for more than a year, and they seem to not care, so 
clearly not a recommended hosting provider, as they don’t care about the quality of service that their customers have. 
I will change my mind if someone from 1&1 is finally responding, in case they are in this list … For example, you will 
not get this working if you have a lower MTU than 1.500, which is quite normal, not just for tunnels, but also because 
the PPP/others encapsulation in many access links:

http://diskmakerx.com/

Furthermore, I mention this filtering problem in the article about the IPv6 survey results, for those that don’t follow 
RIPE LABS site:

https://labs.ripe.net/Members/jordipaletm/results-of-the-ipv6-deployment-survey

Regards,
Jordi


-----Mensaje original-----
De: NANOG <nanog-bounces () nanog org> en nombre de JORDI PALET MARTINEZ <jordi.palet () consulintel es>
Responder a: <jordi.palet () consulintel es>
Fecha: viernes, 18 de noviembre de 2016, 21:05
Para: <nanog () nanog org>
Asunto: Re: pay.gov and IPv6

    I tested from my home and happy eyeballs is not falling back to IPv4.
    
    So, I tend to suspect that is not ICMPv6 filtering, but something else, such as wrong load balancer or ECMP 
configuration.
    
    Regards,
    Jordi
    
    
    -----Mensaje original-----
    De: NANOG <nanog-bounces () nanog org> en nombre de Carl Byington <carl () five-ten-sg com>
    Responder a: <carl () five-ten-sg com>
    Fecha: sábado, 19 de noviembre de 2016, 3:22
    Para: <nanog () nanog org>
    Asunto: Re: pay.gov and IPv6
    
        
        > > I am working with pay.gov.clev () clev frb org, trying to explain the
        > problem.
        
        The intersection of government bureaucracy and technical issues is
        frustrating to say the least. I just sent the message below, but have no
        expectation that it will change anything. 
        
        ==============
        
        On Fri, 2016-11-18 at 12:39 +0000, CLEV Pay Gov wrote:
        > It would be best to discuss this via phone.  Please contact our help
        > desk at the number below and we could see if there's anything we could
        > do over the phone to help troubleshoot.
        
        That is hopeless. Verbal technical discussions rarely work unless both
        sides can see the same text. Have you ever tried (while talking on the
        phone) to get someone to type in clev.frb.org without making a bunch of
        mistakes in the spelling??
        
        Anyway, just for my amusement, I did call 800-624-1373, Option #2, and
        am on the line now, trying to explain this. 10 minutes and counting. Ok,
        there does not seem to be any overall ticket for "pay.gov does not work
        at all". They refuse to open a tech support ticket.
        
        
        > If not, we may need to open a ticket for our technical support.
        
        Please open a ticket, and attach the following text for your tech
        support folks. Alternatively, have them look at the "pay.gov and ipv6"
        thread on nanog:
        
        http://mailman.nanog.org/pipermail/nanog/2016-November/thread.html
        
        
        
        www.pay.gov has an IPv6 address of 2605:3100:fffd:100::15, but that
        machine or its upstream routers are filtering icmpv6 messages. That web
        site is not accessible from systems with an MTU of 1280 bytes.
        
        The test case is:
        
        echo -e 'GET /public/home HTTP/1.0\n' | \
        openssl s_client -servername www.pay.gov -ign_eof -connect \
        '[2605:3100:fffd:100::15]:443'
        
        Run that (or just use a browser to try https://www.pay.gov) from a
        system with a 1500 byte MTU, and it works. Run it from a system with
        upstream connectivity via a tunnel, so the path MTU is smaller, and it
        fails. Such tunnels are common for IPv6.
        
        Please stop filtering icmpv6.
        
        
        
        
        
        
    
    
    
    **********************************************
    IPv4 is over
    Are you ready for the new Internet ?
    http://www.consulintel.es
    The IPv6 Company
    
    This electronic message contains information which may be privileged or confidential. The information is intended 
to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, 
copying, distribution or use of the contents of this information, including attached files, is prohibited.
    
    
    
    
    
    **********************************************
    IPv4 is over
    Are you ready for the new Internet ?
    http://www.consulintel.es
    The IPv6 Company
    
    This electronic message contains information which may be privileged or confidential. The information is intended 
to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, 
copying, distribution or use of the contents of this information, including attached files, is prohibited.
    
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be 
for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, 
copying, distribution or use of the contents of this information, including attached files, is prohibited.