In message <[email protected]>, JORDI PALET MARTINEZ writes:
> I think it is not just a matter of testing behind a 1280 MTU, but about making
> sure that PMTUD is not broken, so it just works in any circumstances.
>
> Regards,
> Jordi

If you don't do MSS fix up a 1280 link in the middle will find PMTUD
issues provided the testing host has a MTU > 1280.

Mark

> -----Original message-----
> From: NANOG <[email protected]> on behalf of Mark Andrews <[email protected]>
> Reply-To: <[email protected]>
> Date: Thursday, 17 November 2016, 9:26
> To: Lee <[email protected]>
> CC: <[email protected]>
> Subject: Re: pay.gov and IPv6
>
>
> In message <[email protected]l.com>, Lee writes:
> > On 11/16/16, Mark Andrews <[email protected]> wrote:
> > >
> > > In message <[email protected]>, Carl Byington writes:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA512
> > >>
> > >> Following up on a two year old thread, one of my clients just hit this
> > >> problem. The failure is not that www.pay.gov is not reachable over ipv6
> > >> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> > >> connection, but the connection then hangs waiting for the TLS handshake.
> > >>
> > >> openssl s_client -connect www.pay.gov:443
> > >>
> > >> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
> > >>
> > >> Browsers (at least firefox) see that as a very slow site, and it does
> > >> not trigger their happy eyeballs fast failover to ipv4.
> > >
> > > Happy eyeballs is about making the connection not whether TCP
> > > connections work after the initial packet exchange.
> > >
> > > I would send a physical letter to the relevant Inspector General
> > > requesting that they ensure all web sites under their jurisdiction
> > > that are supposed to be reachable from the public net get audited
> > > regularly to ensure that IPv6 connections work from public IP space.
> >
> > That will absolutely work.
> >
> > NIST is still monitoring ipv6 .gov sites
> > https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
>
> Which show green which means that the tests they are doing are not
> sufficient. They need to test from behind a 1280 mtu link.
>
> The DNSSEC testing is also insufficient. 9-11commission.gov shows
> green for example but if you use DNS COOKIES (which BIND 9.10.4 and
> BIND 9.11.0 do) then servers barf and return BADVERS and validation
> fails. QWEST you have been informed of this already.
>
> Why the hell should validating resolver have to work around the
> crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
> servers. You get PAID to do DNS because people think you are
> competent to do the job. Evidence shows otherwise.
>
> https://ednscomp.isc.org/compliance/gov-full-report.html show the broken
> servers for .gov. It isn't hard to check.
>
> > so the IG isn't going to do anything there & pay.gov has a contact us page
> > https://pay.gov/public/home/contact
> > that I'd bet works much better than a letter to the IG
>
> You have to be able to get to https://pay.gov/public/home/contact to use
> it. Most people don't have the skill set to force the use of IPv4.
>
> If it is production it should work. It is the I-G's role to ensure this
> happens. Butts need to be kicked.
>
> Mark
>
> > Regards,
> > Lee
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [email protected]
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
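
Added example, not part of the thread or any poster's code: a Python probe for the symptom described above, where the IPv6 TCP handshake succeeds but the TLS handshake hangs. It compares one attempt at the default MSS with one clamped to 1220 bytes (1280 minus the IPv6 and TCP headers); the function names, verdict strings and 10-second timeout are assumptions, and TCP_MAXSEG is assumed to behave as it does on Linux.

```python
import socket
import ssl
import sys

IPV6_MIN_MTU = 1280                      # smallest MTU an IPv6 link may have
CLAMPED_MSS = IPV6_MIN_MTU - 40 - 20     # minus IPv6 and TCP headers

def probe(host, port=443, mss=None, timeout=10.0):
    """One IPv6 TLS attempt: 'ok', 'tls_timeout', 'tls_error' or 'tcp_fail'."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET6,
                                  socket.SOCK_STREAM)[0][4]
    except OSError:
        return "tcp_fail"                # no AAAA record or no resolver
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if mss is not None:
            # Set before connect() so the SYN advertises the smaller MSS.
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_MAXSEG, mss)
        try:
            sock.connect(addr)
        except OSError:
            return "tcp_fail"
        try:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
        except socket.timeout:
            return "tls_timeout"         # connected, then the handshake hung
        except (ssl.SSLError, OSError):
            return "tls_error"
    finally:
        sock.close()

def classify(default_result, clamped_result):
    """Turn the two probe results into a verdict (names are hypothetical)."""
    if "tcp_fail" in (default_result, clamped_result):
        return "unreachable"
    if default_result == "tls_timeout" and clamped_result == "ok":
        return "pmtud_suspect"           # only full-size segments are lost
    if default_result == "ok" and clamped_result == "ok":
        return "inconclusive"            # path may have no link below local MTU
    return "other"

if __name__ == "__main__":
    target = sys.argv[1]                 # hostname supplied by the operator
    print(classify(probe(target), probe(target, mss=CLAMPED_MSS)))
```

A run from a host whose whole path carries 1500-byte packets returns "inconclusive", which is why a passing result says nothing about PMTUD unless a 1280 link sits between the tester and the server.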

