[192755] in North American Network Operators' Group


Re: pay.gov and IPv6

daemon@ATHENA.MIT.EDU (JORDI PALET MARTINEZ)
Fri Nov 18 15:06:00 2016

X-Original-To: nanog@nanog.org
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: nanog@nanog.org
Date: Sat, 19 Nov 2016 05:05:43 +0900
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: <nanog@nanog.org>
In-Reply-To: <1479493373.7178.35.camel@ns.five-ten-sg.com>
Reply-To: jordi.palet@consulintel.es
Errors-To: nanog-bounces@nanog.org

I tested from my home and happy eyeballs is not falling back to IPv4.

So, I tend to suspect that is not ICMPv6 filtering, but something else, such as wrong load balancer or ECMP configuration.

Regards,
Jordi


-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Carl Byington <carl@five-ten-sg.com>
Reply-To: <carl@five-ten-sg.com>
Date: Saturday, 19 November 2016, 3:22
To: <nanog@nanog.org>
Subject: Re: pay.gov and IPv6


    > > I am working with pay.gov.clev@clev.frb.org, trying to explain the
    > problem.

    The intersection of government bureaucracy and technical issues is
    frustrating to say the least. I just sent the message below, but have no
    expectation that it will change anything.

    ==============

    On Fri, 2016-11-18 at 12:39 +0000, CLEV Pay Gov wrote:
    > It would be best to discuss this via phone.  Please contact our help
    > desk at the number below and we could see if there's anything we could
    > do over the phone to help troubleshoot.

    That is hopeless. Verbal technical discussions rarely work unless both
    sides can see the same text. Have you ever tried (while talking on the
    phone) to get someone to type in clev.frb.org without making a bunch of
    mistakes in the spelling??

    Anyway, just for my amusement, I did call 800-624-1373, Option #2, and
    am on the line now, trying to explain this. 10 minutes and counting. Ok,
    there does not seem to be any overall ticket for "pay.gov does not work
    at all". They refuse to open a tech support ticket.

    > If not, we may need to open a ticket for our technical support.

    Please open a ticket, and attach the following text for your tech
    support folks. Alternatively, have them look at the "pay.gov and ipv6"
    thread on nanog:

    http://mailman.nanog.org/pipermail/nanog/2016-November/thread.html

    www.pay.gov has an IPv6 address of 2605:3100:fffd:100::15, but that
    machine or its upstream routers are filtering icmpv6 messages. That web
    site is not accessible from systems with an MTU of 1280 bytes.

    The test case is:

    echo -e 'GET /public/home HTTP/1.0\n' | \
    openssl s_client -servername www.pay.gov -ign_eof -connect \
    '[2605:3100:fffd:100::15]:443'

    Run that (or just use a browser to try https://www.pay.gov) from a
    system with a 1500 byte MTU, and it works. Run it from a system with
    upstream connectivity via a tunnel, so the path MTU is smaller, and it
    fails. Such tunnels are common for IPv6.

    Please stop filtering icmpv6.



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or
confidential. The information is intended to be for the use of the
individual(s) named above. If you are not the intended recipient be aware
that any disclosure, copying, distribution or use of the contents of this
information, including attached files, is prohibited.
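
Added example, not part of the original message and not pay.gov's configuration: a firewall policy that produces the path-MTU black hole described in the quoted report, beside a corrected form. It assumes a Linux nftables firewall forwarding traffic to the web server; the address 2001:db8::15 is a documentation-prefix placeholder.

```nftables
# Constructed ruleset for illustration only.
#
# Weak form: the blanket ICMPv6 drop also discards Packet Too Big
# (ICMPv6 type 2). A client behind a 1280-byte tunnel completes the TCP
# handshake, but the server's full-size segments (sized for a 1500-byte
# MTU) are dropped at the tunnel and the server never learns why, so the
# TLS handshake stalls.
#
#   table ip6 filter {
#       chain forward {
#           type filter hook forward priority 0; policy drop;
#           meta l4proto ipv6-icmp drop
#           ct state established,related accept
#           ip6 daddr 2001:db8::15 tcp dport 443 accept
#       }
#   }

# Corrected form: ICMPv6 error messages are accepted before anything
# else can drop them.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packet Too Big is the message path MTU discovery depends on;
        # RFC 4890 lists it among ICMPv6 traffic that must not be dropped.
        icmpv6 type packet-too-big accept

        # The other ICMPv6 error types, so failures are reported
        # to the sender instead of timing out silently.
        icmpv6 type { destination-unreachable, time-exceeded, parameter-problem } accept

        ct state established,related accept

        # Placeholder address for the HTTPS server behind the firewall.
        ip6 daddr 2001:db8::15 tcp dport 443 accept
    }
}
```

Permitting the message at the firewall is only sufficient if it then reaches the host that sent the oversized packet; behind a load balancer or ECMP, the other cause suggested in this thread, that delivery has to be checked as well.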



