[192727] in North American Network Operators' Group
Re: pay.gov and IPv6
daemon@ATHENA.MIT.EDU (JORDI PALET MARTINEZ)
Wed Nov 16 18:48:26 2016
X-Original-To: nanog@nanog.org
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: nanog@nanog.org
Date: Thu, 17 Nov 2016 08:48:10 +0900
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: <nanog@nanog.org>
In-Reply-To: <1479249003.3937.6.camel@ns.five-ten-sg.com>
Reply-To: jordi.palet@consulintel.es
Errors-To: nanog-bounces@nanog.org
It happens too often, unfortunately.
People deploying IPv6 at web sites and other services don’t check
if PMTUD is broken by filtering, ECMP, load balancers, etc.
This is the case here:
tbit from 2001:df0:4:4000::1:115 to 2605:3100:fffd:100::15
server-mss 1440, result: pmtud-fail
app: http, url: https://www.pay.gov/
[ 0.009] TX SYN 64 seq = 0:0
[ 0.165] RX SYN/ACK 64 seq = 0:1
[ 0.166] TX 60 seq = 1:1
[ 0.166] TX 371 seq = 1:1(311)
[ 0.325] RX 1500 seq = 1:312(1440)
[ 0.325] RX 1500 seq = 1441:312(1440)
[ 0.325] TX PTB 1280 mtu = 1280
[ 0.325] RX 1362 seq = 2881:312(1302)
[ 3.325] RX 1500 seq = 1:312(1440)
[ 3.325] TX PTB 1280 mtu = 1280
[ 9.326] RX 1500 seq = 1:312(1440)
[ 9.326] TX PTB 1280 mtu = 1280
[ 21.325] RX 1500 seq = 1:312(1440)
[ 21.325] TX PTB 1280 mtu = 1280
[ 45.325] RX 1500 seq = 1:312(1440)
Regards,
Jordi
-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Carl Byington <carl@five-ten-sg.com>
Reply-To: <carl@five-ten-sg.com>
Date: Wednesday, November 16, 2016, 7:30
To: <nanog@nanog.org>
Subject: pay.gov and IPv6
Following up on a two year old thread, one of my clients just hit this
problem. The failure is not that www.pay.gov is not reachable over ipv6
(2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
connection, but the connection then hangs waiting for the TLS handshake.

openssl s_client -connect www.pay.gov:443

openssl s_client -servername www.pay.gov -connect 199.169.192.21:443

Browsers (at least firefox) see that as a very slow site, and it does
not trigger their happy eyeballs fast failover to ipv4.
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
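Added example, not part of the original message or of tbit: a Python sketch that reads the trace quoted above and flags data packets larger than the MTU announced in the PTB that still arrive more than one handshake RTT after it. The function names and the one-RTT allowance for packets already in flight are assumptions of this example.

```python
import re

# The trace from the message above, with mail encoding removed.
TRACE = """\
[ 0.009] TX SYN 64 seq = 0:0
[ 0.165] RX SYN/ACK 64 seq = 0:1
[ 0.166] TX 60 seq = 1:1
[ 0.166] TX 371 seq = 1:1(311)
[ 0.325] RX 1500 seq = 1:312(1440)
[ 0.325] RX 1500 seq = 1441:312(1440)
[ 0.325] TX PTB 1280 mtu = 1280
[ 0.325] RX 1362 seq = 2881:312(1302)
[ 3.325] RX 1500 seq = 1:312(1440)
[ 3.325] TX PTB 1280 mtu = 1280
[ 9.326] RX 1500 seq = 1:312(1440)
[ 9.326] TX PTB 1280 mtu = 1280
[ 21.325] RX 1500 seq = 1:312(1440)
[ 21.325] TX PTB 1280 mtu = 1280
[ 45.325] RX 1500 seq = 1:312(1440)
"""

# time, direction, optional flag (SYN, SYN/ACK, PTB), packet size, seq or mtu value
LINE = re.compile(r"\[\s*([\d.]+)\]\s+(TX|RX)\s+(?:(SYN/ACK|SYN|PTB)\s+)?(\d+)"
                  r"\s+(?:seq|mtu)\s*=\s*(\S+)")

def parse(trace):
    """Return (time, direction, flag, size, value) tuples for each trace line."""
    rows = (LINE.match(raw.strip()) for raw in trace.splitlines())
    return [(float(m[1]), m[2], m[3] or "", int(m[4]), m[5]) for m in rows if m]

def pmtud_check(trace):
    """Flag oversized packets that keep arriving after a Packet Too Big was sent."""
    events = parse(trace)
    syn = next(t for t, d, f, _, _ in events if d == "TX" and f == "SYN")
    synack = next(t for t, d, f, _, _ in events if d == "RX" and f == "SYN/ACK")
    rtt = synack - syn                      # handshake RTT, used as in-flight allowance
    mtu, ptb_time, ignored = None, None, []
    for t, d, f, size, val in events:
        if d == "TX" and f == "PTB" and mtu is None:
            mtu, ptb_time = int(val), t     # first PTB we sent
        elif d == "RX" and mtu is not None and size > mtu and t > ptb_time + rtt:
            ignored.append((t, size, val))  # sender should have shrunk by now
    times = [t for t, _, _ in ignored]
    return {"rtt": round(rtt, 3), "mtu": mtu, "ignored": ignored,
            # gaps between oversized arrivals; doubling means timeout retransmits
            "backoff": [round(b - a) for a, b in zip(times, times[1:])],
            "pmtud_fail": bool(ignored)}

if __name__ == "__main__":
    print(pmtud_check(TRACE))
```

On this trace the same 1500-byte segment arrives four more times at doubling intervals, which is the pattern of a sender retransmitting on timeout without ever acting on the Packet Too Big.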