Re: IPv6 day non-participants
On Thu, 9 Jun 2011 12:21:12 -0700, George B. geor...@gmail.com said: GB There is a reason for that. First of all, we (my employer) took this GB as a brief test to simply see how much IPv6 traffic there really was, GB and who and what would actually attempt to reach us by IPv6. The idea GB here being to attempt to identify IPv6 native networks. Yep. I agree, there are many reasons why you wouldn't want to participate in a full set of tests. I never said otherwise! In fact, many (very much most) sites didn't participate at all in IPv6 day, so certainly the ones that did get some kudos for playing at all. GB The test did, however, expose a bug in a piece of vendor gear that was GB catastrophic to the business service. And that's really the point: get up to speed, test things before hand as best you can, and then test everything you can. The whole point of the day was to expose problems (and successes)! You've exposed one and I'm sure are looking for fixes for it! My only real point is that you still probably don't know what problems exist with the DNS services if you didn't turn IPv6 support for DNS too. I do understand your hesitation, however, as it sounds like you were pretty sure there would be an issue. -- Wes Hardaker My Pictures: http://capturedonearth.com/ My Thoughts: http://pontifications.hardakers.net/
Re: IPv6 day non-participants
On Wed, 8 Jun 2011 10:59:41 -0500, James Harr james.h...@gmail.com said: JH I noticed that one of our vendors wasn't actually participating when JH they very publicly put on their home page that they would. So I JH queried the IPv6 day participation list to see who didn't have 's JH for their listed website. It turned out to be around 9.5% IMHO, it's worse than that. Most sites only added a record for their website, and frequently didn't for their DNS server. So they weren't *really* doing a complete IPv6 test, IMHO. I actually ended up documenting my full results of testing for a number of things (including DNSSEC, just because I could) at: http://pontifications.hardakers.net/computers/celebrating-world-ipv6-day-by-testing-the-candidates/ -- Wes Hardaker My Pictures: http://capturedonearth.com/ My Thoughts: http://pontifications.hardakers.net/
Re: IPv6 day non-participants
Someone has told me that Microsoft switched off IPv6 for the day. Is that true? To what extent? j -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -- -
RE: IPv6 day non-participants
They are probably referring to this: http://support.microsoft.com/kb/2533454/ The following Fix it solution will resolve the issue by configuring your computer to prefer IPv4, instead of IPv6. By default, Windows prefers IPv6 over IPv4. This Fix it solution is temporary, to resolve issues on World IPv6 Day for affected Internet users. On June 10, 2011 at 12:00AM, your computer will be configured to prefer IPv6 again after your next reboot. --h -Original Message- From: Joly MacFie [mailto:j...@punkcast.com] Sent: Thursday, June 09, 2011 3:03 PM To: Wes Hardaker Cc: nanog Subject: Re: IPv6 day non-participants Someone has told me that Microsoft switched off IPv6 for the day. Is that true? To what extent? j -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -- -
Re: IPv6 day non-participants
IMHO, it's worse than that. Most sites only added a record for their website, and frequently didn't for their DNS server. So they weren't *really* doing a complete IPv6 test, IMHO. There is a reason for that. First of all, we (my employer) took this as a brief test to simply see how much IPv6 traffic there really was, and who and what would actually attempt to reach us by IPv6. The idea here being to attempt to identify IPv6 native networks. We had to do this in a way that did not break our existing IPv4 services. We run some services that we do not consider breakable and our user profile is much different than a web site is. We might have millions of clients on a network that are, for the most part, identically configured. So for example, if one users device believes it has IPv6 but doesn't *really* have IPv6 (as a link local IP so it believes it has IPv6 or has IPv6 inside its network but not clean to the Internet), then there are probably tens of thousands of identically configured devices in that customer's network. So we don't face the some small fraction of one percent are broken problem, we face a if one is broken, then a significant portion of and possibly all of that customer's devices are broken. If we put IPv6 DNS records in place that caused 100,000 clients to break, we would have some serious explaining to do. In this case, a very safe approach was to place an IPv6 address for our web site in DNS. None of our business traffic goes to our website. In the course of IPv6 day for the roughly 18 hours it was operating, we might have had 200 hits on IPv6 compared to thousands of transactions per second on our business protocols. The test did, however, expose a bug in a piece of vendor gear that was catastrophic to the business service. The entire piece of gear blew up that handles the business traffic in addition to the web traffic. It rebooted itself but apparently did not boot cleanly. This was bad enough but it was rather quickly placed back into service (manual kick) and happened at the slowest traffic time of the day and few/no clients would have noticed. Had we also experienced customer complaints of slow/poor/no service during the time of the test, it would have been pretty bad. So enabling IPv6 DNS had the potential to cause global problems and not limited to a single data center, it could have had global impact to the domain. Placing a single IPv6 DNS glue record and DNS server in service would have also potentially resulted in local DNS servers from around the globe that might prefer IPv6 attempting to reach that one DNS server. In other words, it would have created a potential single point of failure and possibly degraded performance. So the IPv6 DNS infrastructure is being rolled out in a planned, methodical fashion. Dropping an record for the web site was an easy thing to do that was considered very low risk (as we assumed all of our other gear could simply pass IPv6 packets without exploding) and offered some participation with the community. George (speaking for himself)
Re: IPv6 day non-participants
On Jun 9, 2011, at 3:03 PM, Joly MacFie wrote: Someone has told me that Microsoft switched off IPv6 for the day. Is that true? To what extent? I think this depends on the division. their search (bing) folks turned it off. % host www.bing.com. www.bing.com is an alias for search.ms.com.edgesuite.net. search.ms.com.edgesuite.net is an alias for a134.b.akamai.net. a134.b.akamai.net has address 96.17.150.114 a134.b.akamai.net has address 96.17.150.112 a134.b.akamai.net has address 96.17.150.105 their gaming folks (xbox) left it on. % host www.xbox.com. www.xbox.com is an alias for www.gtm.xbox.com. www.gtm.xbox.com is an alias for msxbwsd.vo.llnwd.net. msxbwsd.vo.llnwd.net has address 208.111.170.165 msxbwsd.vo.llnwd.net has address 68.142.73.109 msxbwsd.vo.llnwd.net has IPv6 address 2607:f4e8:200:12:225:90ff:fe2a:9f9a msxbwsd.vo.llnwd.net has IPv6 address 2607:f4e8:200:11:230:48ff:fed2:5022 (another view on the world) 2011-06-08.out:www.bing.com.|216.156.249.136,216.156.249.152|2600:1406::5043:4aa7,2600:1406::5043:4a8e|OK|OK|OKOK 2011-06-09.out:www.bing.com.|63.236.253.34,63.236.253.75,63.236.253.82,63.236.253.81,63.236.253.32,63.236.253.41,63.236.253.48,63.236.253.25||OK|Name or service not known| 2011-06-08.out:www.xbox.com.|128.242.186.238,128.242.186.198|2001:418:2401:3::c6ad:1531,2001:418:2401:3::c6ad:1548|OK|OK|OKOK 2011-06-09.out:www.xbox.com.|128.242.186.198,128.242.186.238|2a02:26f0:c:1::5c7a:32ba,2a02:26f0:c:1::5c7a:32b2|OK|OK|OKOK
IPv6 day non-participants
I noticed that one of our vendors wasn't actually participating when they very publicly put on their home page that they would. So I queried the IPv6 day participation list to see who didn't have 's for their listed website. It turned out to be around 9.5% Before you read the list, here's me shedding responsibility with a list of caveats: - The crappy perl script I am using might be broken. IE - it doesn't think about foo.com vs www.foo.com, HTTP redirection, or any of that. - The organizations in this list may have withdrawn because they found out something was terribly broken. - DNS caching may be skewing the results if the TTLs are long. SNIP www.xiphiastec.com Xiphiastec www.pir.orgPublic Interest Registry www.exactabacus.comExact Abacus www.comcast.netComcast www.shazzlemail.comShazzle, LLC www.bangzoom.com Bangzoom Software Inc www.mihostcgi.com mihostcgi www.unclesamnames.com American Domain Names opendns.comOpenDNS www.mutali.rw Mutali townnews.com TownNews www.infoblox.com Infoblox www.ripplecom.net Ripple Communications www.agame.com Spil Games www.alexville.com Alexville Games www.hkirc.hk Hong Kong Internet Registration Corporation www.hkdnr.hk Hong Kong Domain Name Registration www.buffalo.feb.govUnited States Office of Personnel Management www.cyberport.hk Hong Kong Cyberport Management Ltd www.catnix.com CATNIX sucomo.com Sucomo OHG www.mybrighthouse.com BrightHouse Networks www.it-in.ru it-in ivancorp.net Ivanhoe-IT www.forestdaleinc.org Forestdale Inc www.towerstream.comTowerstream www.intuix.com Intuix LLC suse.org Novell Inc. www.IronNails.com IronNails Consultancy www.orbitdiensten.com Orbit-Diensten madonnaradio.com Voila www.gov.bc.ca Government of British Columbia www.zte.com.cn ZTE Corporation www.tamagawa.jpTamagawa Academy University -- ^[:wq^M
Re: IPv6 day non-participants
ISOC has a red/green dashboard of individual (non)participants: http://www.worldipv6day.org/participant-websites/index.html Cheers, ~Chris On Wed, Jun 8, 2011 at 09:59, James Harr james.h...@gmail.com wrote: I noticed that one of our vendors wasn't actually participating when they very publicly put on their home page that they would. So I queried the IPv6 day participation list to see who didn't have 's for their listed website. It turned out to be around 9.5% Before you read the list, here's me shedding responsibility with a list of caveats: - The crappy perl script I am using might be broken. IE - it doesn't think about foo.com vs www.foo.com, HTTP redirection, or any of that. - The organizations in this list may have withdrawn because they found out something was terribly broken. - DNS caching may be skewing the results if the TTLs are long. SNIP www.xiphiastec.com Xiphiastec www.pir.org Public Interest Registry www.exactabacus.com Exact Abacus www.comcast.net Comcast www.shazzlemail.com Shazzle, LLC www.bangzoom.com Bangzoom Software Inc www.mihostcgi.com mihostcgi www.unclesamnames.com American Domain Names opendns.com OpenDNS www.mutali.rw Mutali townnews.com TownNews www.infoblox.com Infoblox www.ripplecom.net Ripple Communications www.agame.com Spil Games www.alexville.com Alexville Games www.hkirc.hk Hong Kong Internet Registration Corporation www.hkdnr.hk Hong Kong Domain Name Registration www.buffalo.feb.gov United States Office of Personnel Management www.cyberport.hk Hong Kong Cyberport Management Ltd www.catnix.com CATNIX sucomo.com Sucomo OHG www.mybrighthouse.com BrightHouse Networks www.it-in.ru it-in ivancorp.net Ivanhoe-IT www.forestdaleinc.org Forestdale Inc www.towerstream.com Towerstream www.intuix.com Intuix LLC suse.org Novell Inc. www.IronNails.com IronNails Consultancy www.orbitdiensten.com Orbit-Diensten madonnaradio.com Voila www.gov.bc.ca Government of British Columbia www.zte.com.cn ZTE Corporation www.tamagawa.jp Tamagawa Academy University -- ^[:wq^M -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.theIPv6experts.net www.coisoc.org
RE: IPv6 day non-participants
The list of TownNews domains participating can be found here: http://www.townnews365.com/ipv6/ -mjf -Original Message- From: James Harr [mailto:james.h...@gmail.com] Sent: Wednesday, June 08, 2011 12:00 PM To: nanog Subject: IPv6 day non-participants I noticed that one of our vendors wasn't actually participating when they very publicly put on their home page that they would. So I queried the IPv6 day participation list to see who didn't have 's for their listed website. It turned out to be around 9.5% Before you read the list, here's me shedding responsibility with a list of caveats: - The crappy perl script I am using might be broken. IE - it doesn't think about foo.com vs www.foo.com, HTTP redirection, or any of that. - The organizations in this list may have withdrawn because they found out something was terribly broken. - DNS caching may be skewing the results if the TTLs are long. SNIP
RE: IPv6 day non-participants
The list of TownNews domains participating can be found here: http://www.townnews365.com/ipv6/ ahwatukee.com alpineavalanche.com anchoragepress.com aransaspassprogress.com argus-press.com auburnpub.com azdailysun.com banderabulletin.com beatricedailysun.com belgrade-news.com bigbeargrizzly.net billingsgazette.com bismarcktribune.com bloxcms-ny1.com bloxcms.com boernestar.com bonnercountydailybee.com bonnersferryherald.com bozemandailychronicle.com breezejmu.org cameronherald.com camplejeuneglobe.com carrollcountytimes.com casperjournal.com cdapress.com cdapressextra.com chetekalert.com chieftain.com chippewa.com citizen.com coastreportonline.com codyenterprise.com colletontoday.com coloradocountycitizen.com columbiabasinherald.com columbustelegram.com coronadonewsca.com cumberlink.com dailyjournalonline.com dailyleader.com dailyrecordnews.com dailytoreador.com democratherald.com doaneline.com douglas-budget.com eastvalleytribune.com elgincourier.com elkodaily.com enterprise-journal.com explorernews.com farmandranchguide.com flatheadnewsgroup.com florala.net fltimes.com forest-blade.com fortcampbellcourier.com fortstocktonpioneer.com fremonttribune.com fromthevine.info ftleetraveller.com gazettetimes.com gettysburgtimes.com glendalestar.com globegazette.com goac.com gonzalesinquirer.com gvnews.com hanfordsentinel.com helenair.com herald-review.com heraldextra.com hillcountrynews.com hmbreview.com houstonherald.com huskerextra.com huskerfootball.com iberianet.com idahopress.com illelections.com imperialbeachnewsca.com indianapolisrecorder.com insidetucsonbusiness.com iowastatedaily.com jg-tc.com journalnet.com journalreview.com journalstar.com journaltimes.com katytimes.com keepmecurrent.com kokomoperspective.com lacrossetribune.com lakeexpo.com leaderadvertiser.com leadertelegram.com lebanon-express.com leecmstraining.com leetemplates.com livingstonparishnews.com lodinews.com lompocrecord.com lonepeaklookout.com loyolaphoenix.com madisonvillemeteor.com magiccitymagazine.com magicvalley.com magnoliareporter.com marlindemocrat.com maysville-online.com messenger-index.com midwestproducer.com minnesotafarmguide.com mississippilink.com missoulian.com mountain-news.com mtstandard.com murrayledger.com muscatinejournal.com mycaldwellcounty.com mycarrollcountynews.com mynwmo.com napavalleyregister.com navasotaexaminer.com nctimes.com newjerseyhills.com news-expressky.com news-graphic.com norfolknavyflagship.com nwitimes.com nwmissourinews.com ourcoloradonews.com outdoornews.com ozarkcountytimes.com pantagraph.com peoriatimes.com portlavacawave.com poststar.com pressofatlanticcity.com priestrivertimes.com qctimes.com rapidcityjournal.com ravallirepublic.com riverfloodwatch.com rrdailyherald.com rrobserver.com salamancapress.com santamariatimes.com savvyshopperdeals.com scene262.com sealynews.com seasidesignal.com shoshonenewspress.com siouxcityjournal.com statehornet.com syvnews.com taylordailypress.net tdn.com terrelltribune.com tetonvalleynews.net the-standard.org thechiefleader.com thecountrytoday.com theeaglepost.us thegardenisland.com thehuttonews.com theorion.com theprairiestar.com therandolphleader.com theroyalregister.com thesouthern.com thetandd.com thevindicator.com thewesternnews.com thewetumpkaherald.com theworldlink.com tipofyourfingers.com townnews-cms.com townnews365.com trib.com tristate-media.com tristateneighbor.com utownnews.com uvaldeleadernews.com voiceoftheironrange.com vp-mi.com wcfcourier.com wereadnatrona.com westyellowstonenews.com winonadailynews.com yourwestvalley.com -mjf -Original Message- From: James Harr [mailto:james.h...@gmail.com] Sent: Wednesday, June 08, 2011 12:00 PM To: nanog Subject: IPv6 day non-participants I noticed that one of our vendors wasn't actually participating when they very publicly put on their home page that they would. So I queried the IPv6 day participation list to see who didn't have 's for their listed website. It turned out to be around 9.5% Before you read the list, here's me shedding responsibility with a list of caveats: - The crappy perl script I am using might be broken. IE - it doesn't think about foo.com vs www.foo.com, HTTP redirection, or any of that. - The organizations in this list may have withdrawn because they found out something was terribly broken. - DNS caching may be skewing the results if the TTLs are long. SNIP
Re: IPv6 day non-participants
Was participating until we hit a rather nasty load balancer bug that took out the entire unit if clients with a short MTU connected and it needed to fragment packets (Citrix Netscaler running latest code). No fix is available for it yet, so we had to shut it down. Ran for about 9 hours before the magic client that blew it up connected. So if you are using a Netscaler with SLB-PT (IPv6 VIP balancing to IPv4 servers), the entire LB is subject to stop working until they get this fixed.
Re: IPv6 day non-participants
I notice that that page currently lists as http://www.bbc.co.uk/ as unreachable via IPv4 ! ? j On Wed, Jun 8, 2011 at 12:16 PM, Chris Grundemann cgrundem...@gmail.comwrote: ISOC has a red/green dashboard of individual (non)participants: http://www.worldipv6day.org/participant-websites/index.html Cheers, ~Chris -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -- -
Re: IPv6 day non-participants
The ISOC dashboard that Chris mentions is indeed accurate and up to date from our perspective. Comcast is definitely an active participant with our website http://xfinity.comcast.net, which is live with a published and is IPv6 reachable. Thanks -- Chris Griffiths Comcast Cable Communications, Inc. On 6/8/11 12:16 PM, Chris Grundemann cgrundem...@gmail.com wrote: ISOC has a red/green dashboard of individual (non)participants: http://www.worldipv6day.org/participant-websites/index.html Cheers, ~Chris On Wed, Jun 8, 2011 at 09:59, James Harr james.h...@gmail.com wrote: I noticed that one of our vendors wasn't actually participating when they very publicly put on their home page that they would. So I queried the IPv6 day participation list to see who didn't have 's for their listed website. It turned out to be around 9.5% Before you read the list, here's me shedding responsibility with a list of caveats: - The crappy perl script I am using might be broken. IE - it doesn't think about foo.com vs www.foo.com, HTTP redirection, or any of that. - The organizations in this list may have withdrawn because they found out something was terribly broken. - DNS caching may be skewing the results if the TTLs are long. SNIP www.xiphiastec.com Xiphiastec www.pir.orgPublic Interest Registry www.exactabacus.comExact Abacus www.comcast.netComcast www.shazzlemail.comShazzle, LLC www.bangzoom.com Bangzoom Software Inc www.mihostcgi.com mihostcgi www.unclesamnames.com American Domain Names opendns.comOpenDNS www.mutali.rw Mutali townnews.com TownNews www.infoblox.com Infoblox www.ripplecom.net Ripple Communications www.agame.com Spil Games www.alexville.com Alexville Games www.hkirc.hk Hong Kong Internet Registration Corporation www.hkdnr.hk Hong Kong Domain Name Registration www.buffalo.feb.govUnited States Office of Personnel Management www.cyberport.hk Hong Kong Cyberport Management Ltd www.catnix.com CATNIX sucomo.com Sucomo OHG www.mybrighthouse.com BrightHouse Networks www.it-in.ru it-in ivancorp.net Ivanhoe-IT www.forestdaleinc.org Forestdale Inc www.towerstream.comTowerstream www.intuix.com Intuix LLC suse.org Novell Inc. www.IronNails.com IronNails Consultancy www.orbitdiensten.com Orbit-Diensten madonnaradio.com Voila www.gov.bc.ca Government of British Columbia www.zte.com.cn ZTE Corporation www.tamagawa.jpTamagawa Academy University -- ^[:wq^M -- @ChrisGrundemann weblog.chrisgrundemann.com www.burningwiththebush.com www.theIPv6experts.net www.coisoc.org
Re: IPv6 day non-participants
On Jun 8, 2011, at 12:49 PM, George B. wrote: Was participating until we hit a rather nasty load balancer bug that took out the entire unit if clients with a short MTU connected and it needed to fragment packets (Citrix Netscaler running latest code). No fix is available for it yet, so we had to shut it down. Ran for about 9 hours before the magic client that blew it up connected. So if you are using a Netscaler with SLB-PT (IPv6 VIP balancing to IPv4 servers), the entire LB is subject to stop working until they get this fixed. And this is EXACTLY why we needed World IPv6 Day. Thank you for participating. -- TTFN, patrick
Re: IPv6 day non-participants
On 6/8/2011 6:18 PM, Patrick W. Gilmore wrote: On Jun 8, 2011, at 12:49 PM, George B. wrote: Was participating until we hit a rather nasty load balancer bug that took out the entire unit if clients with a short MTU connected and it needed to fragment packets (Citrix Netscaler running latest code). No fix is available for it yet, so we had to shut it down. Ran for about 9 hours before the magic client that blew it up connected. So if you are using a Netscaler with SLB-PT (IPv6 VIP balancing to IPv4 servers), the entire LB is subject to stop working until they get this fixed. And this is EXACTLY why we needed World IPv6 Day. It is also probably why doing it again next month is too aggressive, and why we probably should have started doing them earlier. I wonder how many bug reports got filed today? -Dave
Re: IPv6 day non-participants
So if you are using a Netscaler with SLB-PT (IPv6 VIP balancing to IPv4 servers), the entire LB is subject to stop working until they get this fixed. And this is EXACTLY why we needed World IPv6 Day. Agreed, right on the money !! Traffic stats may not say a lot yet due to tunnels and lack of native IPv6 connectivity but finding this type of bugs is a major reason to do live tests, even if the test fails. Next one ? a month seems to be too soon, I guess there is a lot of useful data to crunch and analyze and fixes to do, but sure we need more live IPv6 activity. I think it would be cool if for the next one, some major broadband access providers take IPv6 down to the end customer, and not just commercial customers. I know that CPE could be an issue but we need to reach that layer. It does not help that the test says that my machine and browser are ready when in the middle I've a brick that won't work.. Cheers Jorge
Re: IPv6 day non-participants
On Wed, Jun 8, 2011 at 4:31 PM, Jorge Amodio jmamo...@gmail.com wrote: So if you are using a Netscaler with SLB-PT (IPv6 VIP balancing to IPv4 servers), the entire LB is subject to stop working until they get this fixed. And this is EXACTLY why we needed World IPv6 Day. Agreed, right on the money !! Traffic stats may not say a lot yet due to tunnels and lack of native IPv6 connectivity but finding this type of bugs is a major reason to do live tests, even if the test fails. Well, we are still attempting to recreate the problem. It isn't something as simple as someone coming in over a tunnel with a small MTU with a larger advertised MSS. There is some magic that must happen to actually put the unit in this state. We ran for 9 hours before and 9 hours after the hiccup without any problems. So it is going to take a while before we are ready to test this again live. The sooner I can recreate the problem, the better, though.
Re: IPv6 day non-participants
I dont think ISOC dashboard is updating any more. Google is no longer advertising but dashboard still shows green and TTLs were short on those records. \\ ; DiG 9.6.0-APPLE-P2 www.google.com in ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 15535 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.google.com.IN ;; ANSWER SECTION: www.google.com.588628INCNAMEwww.l.google.com. ;; Query time: 191 msec ;; SERVER: 2620:0:ccc::2#53(2620:0:ccc::2) ;; WHEN: Wed Jun 8 18:08:38 2011 ;; MSG SIZE rcvd: 52 On Wed, Jun 8, 2011 at 5:16 PM, George B. geor...@gmail.com wrote: On Wed, Jun 8, 2011 at 4:31 PM, Jorge Amodio jmamo...@gmail.com wrote: So if you are using a Netscaler with SLB-PT (IPv6 VIP balancing to IPv4 servers), the entire LB is subject to stop working until they get this fixed. And this is EXACTLY why we needed World IPv6 Day. Agreed, right on the money !! Traffic stats may not say a lot yet due to tunnels and lack of native IPv6 connectivity but finding this type of bugs is a major reason to do live tests, even if the test fails. Well, we are still attempting to recreate the problem. It isn't something as simple as someone coming in over a tunnel with a small MTU with a larger advertised MSS. There is some magic that must happen to actually put the unit in this state. We ran for 9 hours before and 9 hours after the hiccup without any problems. So it is going to take a while before we are ready to test this again live. The sooner I can recreate the problem, the better, though.