[192726] in North American Network Operators' Group
Re: pay.gov and IPv6
daemon@ATHENA.MIT.EDU (Lee)
Wed Nov 16 17:00:13 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <20161116202357.4096B5A4FCB4@rock.dv.isc.org>
From: Lee <ler762@gmail.com>
Date: Wed, 16 Nov 2016 17:00:08 -0500
To: Mark Andrews <marka@isc.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On 11/16/16, Mark Andrews <marka@isc.org> wrote:
>
> In message <1479249003.3937.6.camel@ns.five-ten-sg.com>, Carl Byington
> writes
> :
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Following up on a two year old thread, one of my clients just hit this
>> problem. The failure is not that www.pay.gov is not reachable over ipv6
>> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
>> connection, but the connection then hangs waiting for the TLS handshake.
>>
>> openssl s_client -connect www.pay.gov:443
>>
>> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
>>
>> Browsers (at least firefox) see that as a very slow site, and it does
>> not trigger their happy eyeballs fast failover to ipv4.
>
> Happy eyeballs is about making the connection not whether TCP
> connections work after the initial packet exchange.
>
> I would send a physical letter to the relevant Inspector General
> requesting that they ensure all web sites under their jurisdiction
> that are supposed to be reachable from the public net get audited
> regularly to ensure that IPv6 connections work from public IP space.

That will absolutely work.

NIST is still monitoring ipv6 .gov sites
https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov
so the IG isn't going to do anything there & pay.gov has a contact us page
https://pay.gov/public/home/contact
that I'd bet works much better than a letter to the IG

Regards,
Lee
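
The failure discussed in this thread (the TCP handshake completes over IPv6, then the TLS handshake hangs) passes a plain connect check, so an availability audit has to time the two stages separately for each address family. The following is an added example, not code from the thread; `probe` and `demo_stalled_listener` are hypothetical names, and the demo runs against a constructed local listener rather than any real site.

```python
import socket
import ssl

def probe(host, port=443, family=socket.AF_INET6, timeout=5.0, sni=None):
    """Probe every address of `host` in one address family.

    Returns a list of (ip, stage, detail); stage is one of resolve_failed,
    tcp_failed, tls_timeout, tls_failed, ok.
    """
    try:
        addrs = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [(None, "resolve_failed", str(exc))]
    ctx = ssl.create_default_context()
    results = []
    for fam, stype, proto, _, sockaddr in addrs:
        ip = sockaddr[0]
        sock = socket.socket(fam, stype, proto)
        sock.settimeout(timeout)  # applies to the connect and to each handshake read
        try:
            sock.connect(sockaddr)  # stage 1: TCP three-way handshake
        except OSError as exc:
            results.append((ip, "tcp_failed", str(exc)))
            sock.close()
            continue
        try:
            # Stage 2: TLS handshake. A server that accepts the connection but
            # never answers the ClientHello ends up in the timeout branch.
            with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
                results.append((ip, "ok", tls.version()))
        except socket.timeout:
            results.append((ip, "tls_timeout", f"no TLS reply within {timeout}s"))
        except (ssl.SSLError, OSError) as exc:
            results.append((ip, "tls_failed", str(exc)))
        finally:
            sock.close()
    return results

def demo_stalled_listener(timeout=1.0):
    """Constructed case: a local listener that completes TCP but never speaks TLS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # kernel completes the handshake; nothing ever reads or replies
    try:
        return probe("127.0.0.1", srv.getsockname()[1], socket.AF_INET, timeout)
    finally:
        srv.close()
```

Running `probe` once with `socket.AF_INET` and once with `socket.AF_INET6` for the same name shows whether a stall is specific to one address family.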