[192722] in North American Network Operators' Group
Re: pay.gov and IPv6
daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Nov 16 15:24:09 2016
X-Original-To: nanog@nanog.org
To: Carl Byington <carl@five-ten-sg.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 15 Nov 2016 14:30:03 -0800."
<1479249003.3937.6.camel@ns.five-ten-sg.com>
Date: Thu, 17 Nov 2016 07:23:57 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <1479249003.3937.6.camel@ns.five-ten-sg.com>, Carl Byington writes
:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Following up on a two year old thread, one of my clients just hit this
> problem. The failure is not that www.pay.gov is not reachable over ipv6
> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
> connection, but the connection then hangs waiting for the TLS handshake.
>
> openssl s_client -connect www.pay.gov:443
>
> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
>
> Browsers (at least firefox) see that as a very slow site, and it does
> not trigger their happy eyeballs fast failover to ipv4.
Happy eyeballs is about making the connection not whether TCP
connections work after the initial packet exchange.
I would send a physical letter to the relevent Inspector General
requesting that they ensure all web sites under their juristiction
that are supposed to be reachable from the public net get audited
regularly to ensure that IPv6 connections work from public IP space.
While you are sending the letter can you also ask why pay.gov's DNS
servers are broken.
Checking: 'pay.gov' as at 2016-11-16T20:21:28Z
pay.gov @199.169.194.28 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @2605:3100:fffc:100::7 (ns1.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @199.169.192.28 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
pay.gov @2605:3100:fffd:100::7 (ns2.twai.gov.): edns=ok edns1=timeout edns@512=noopt ednsopt=ok edns1opt=timeout do=ok ednsflags=ok docookie=ok edns@512tcp=ok optlist=ok
Mark
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iEYEAREKAAYFAlgrjDEACgkQL6j7milTFsG8OwCgh5yRxxZHskjL4HVhzxIEmenA
> LQgAniRMcYf/DIcg+8ve55MxUgrUbmzC
> =MS8j
> -----END PGP SIGNATURE-----
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
