[192725] in North American Network Operators' Group
Re: pay.gov and IPv6
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Nov 16 16:56:42 2016
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <1479249003.3937.6.camel@ns.five-ten-sg.com>
Date: Wed, 16 Nov 2016 16:56:09 -0500
To: Carl Byington <carl@five-ten-sg.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
> On Nov 15, 2016, at 5:30 PM, Carl Byington <carl@five-ten-sg.com> wrote:
>
> openssl s_client -connect www.pay.gov:443
I’m not seeing the issue here, but they do have some possible issues the way they’re setting cookies (See details below).
What path are you seeing to them? I’m also not having the issue from the IETF97 network here in Seoul which has IPv6 as well.
puck:~$ traceroute6 www.pay.gov.
traceroute to www.pay.gov. (2605:3100:fffd:100::15), 30 hops max, 80 byte packets
1 ge-0-7-0-22.r05.chcgil09.us.bb.gin.ntt.net (2001:418:3f4::1) 0.751 ms 0.871 ms 0.994 ms
2 verio-gw.cgcil.ipv6.att.net (2001:1890:1fff:307:192:205:32:193) 2.008 ms 1.991 ms 2.837 ms
3 cgcil22crs.ipv6.att.net (2001:1890:ff:ffff:12:122:132:198) 27.333 ms 27.167 ms 27.070 ms
4 sl9mo22crs.ipv6.att.net (2001:1890:ff:ffff:12:122:2:178) 27.602 ms 27.646 ms 27.628 ms
5 sl9mo21crs.ipv6.att.net (2001:1890:ff:ffff:12:122:2:217) 30.055 ms 29.894 ms 29.855 ms
6 dlstx22crs.ipv6.att.net (2001:1890:ff:ffff:12:122:2:1) 28.888 ms 27.016 ms 26.933 ms
7 dlstx84crs.ipv6.att.net (2001:1890:ff:ffff:12:123:18:249) 28.126 ms 26.757 ms 26.645 ms
8 2001:1890:ff:ffff:12:122:124:141 (2001:1890:ff:ffff:12:122:124:141) 26.142 ms 26.269 ms 26.179 ms
9 2001:1890:c00:610b::1138:7d27 (2001:1890:c00:610b::1138:7d27) 27.273 ms 27.255 ms 27.544 ms
10 2001:1890:1c08:cf01::2 (2001:1890:1c08:cf01::2) 27.673 ms !X 27.559 ms !X 27.465 ms !X
curl -v https://www.pay.gov/public/home
* Trying 2605:3100:fffd:100::15...
* TCP_NODELAY set
* Connected to www.pay.gov (2605:3100:fffd:100::15) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* ALPN/NPN, server did not agree to a protocol
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.pay.gov,O=United States Department of Treasury,L=Washington,ST=District of Columbia,C=US
* start date: May 28 14:58:43 2015 GMT
* expire date: May 29 06:16:02 2018 GMT
* common name: www.pay.gov
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> GET /public/home HTTP/1.1
> Host: www.pay.gov
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 16 Nov 2016 21:52:08 GMT
< Content-type: text/html; charset=ISO-8859-1
< Strict-transport-security: max-age=31536001; includeSubDomains
< Cache-Control: no-cache
< Cache-Control: no-store
< Pragma: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Set-Cookie: JSESSIONID=949QYsVLKQqBB42HTy91pJnGfnfJthLfQTv02CvDnt7rNQnpSvb1!1259175335!-1040755441!1479333128223; path=/public; secure; HttpOnly
< Set-Cookie: JSESSIONID=949QYsVLKQqBB42HTy91pJnGfnfJthLfQTv02CvDnt7rNQnpSvb1!1259175335!-1040755441; path=/public; HttpOnly
< Set-Cookie: ClientId=14793331282345260; path=/public; HttpOnly; secure
< Set-Cookie: ClientId=1479333128244363; path=/public; HttpOnly; secure
< X-FRAME-OPTIONS: DENY
< Content-Language: en-US
< X-Powered-By: Servlet/2.5 JSP/2.1
< Transfer-encoding: chunked
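
Added example, not part of the original message: the curl output above sets JSESSIONID and ClientId twice each in one response (the second JSESSIONID without secure) and sends two Strict-Transport-Security headers with different values. The Python sketch below flags those patterns in `curl -v` style header lines; the function names are hypothetical and the sample input is constructed, with placeholder cookie values.

```python
from collections import defaultdict

# Constructed sample in the shape of the curl -v output above; values are placeholders.
SAMPLE = """\
< HTTP/1.1 200 OK
< Strict-transport-security: max-age=31536001; includeSubDomains
< Strict-Transport-Security: max-age=31536000
< Set-Cookie: JSESSIONID=PLACEHOLDER!1!2!3; path=/public; secure; HttpOnly
< Set-Cookie: JSESSIONID=PLACEHOLDER!1!2; path=/public; HttpOnly
< Set-Cookie: ClientId=1111; path=/public; HttpOnly; secure
< Set-Cookie: ClientId=2222; path=/public; HttpOnly; secure
"""

def parse_headers(text):
    """Yield (lowercased name, value) from curl -v style '< Name: value' lines."""
    for line in text.splitlines():
        if line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            yield name.strip().lower(), value.strip()

def parse_cookie(value):
    """Return (cookie name, Path attribute or None, set of lowercased attribute names)."""
    first, *attrs = [p.strip() for p in value.split(";")]
    path, names = None, set()
    for attr in filter(None, attrs):
        key, _, val = attr.partition("=")
        names.add(key.strip().lower())
        if key.strip().lower() == "path":
            path = val.strip()
    return first.split("=", 1)[0], path, names

def audit(text):
    """List duplicate or inconsistent Set-Cookie and HSTS headers in one response."""
    cookies, hsts, findings = defaultdict(list), [], []
    for name, value in parse_headers(text):
        if name == "set-cookie":
            cname, path, attrs = parse_cookie(value)
            cookies[(cname, path)].append(attrs)
        elif name == "strict-transport-security":
            hsts.append(value)
    for (cname, path), seen in cookies.items():
        if len(seen) > 1:  # a later Set-Cookie with the same name and path replaces the earlier one
            findings.append(f"{cname} path={path}: set {len(seen)} times")
        for flag in ("secure", "httponly"):
            if any(flag not in attrs for attrs in seen):
                findings.append(f"{cname} path={path}: {flag} missing on at least one Set-Cookie")
    if len(set(hsts)) > 1:
        findings.append(f"{len(hsts)} Strict-Transport-Security headers with different values")
    return findings
```

Calling `audit()` on captured response headers returns one line per finding; an empty list means none of these patterns were present.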