[192766] in North American Network Operators' Group
Re: pay.gov and IPv6
daemon@ATHENA.MIT.EDU (JORDI PALET MARTINEZ)
Sun Nov 20 04:51:28 2016
X-Original-To: nanog@nanog.org
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: nanog@nanog.org
Date: Sun, 20 Nov 2016 10:51:16 +0100
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: <nanog@nanog.org>
In-Reply-To: <97BDEF32-892B-48AE-8AA2-C663CF1CD9E0@consulintel.es>
Reply-To: jordi.palet@consulintel.es
Errors-To: nanog-bounces@nanog.org
Somebody pointed to me that even happy eyeballs will not fall back to IPv4 =
when PMTUD is blocked =E2=80=A6
This is a big issue, many folks are deploying IPv6 web sites, and not doubl=
e-checking this. Actually, this is VERY BIG issue with all the 1&1 sites. I=
tried to contact them many times for more than a year, and they seem to no=
t care, so clearly not a recommended hosting provider, as they don=E2=80=99=
t care about the quality of service that their customers have. I will chang=
e my mind if someone from 1&1 is finally responding, in case they are in th=
is list =E2=80=A6 For example, you will not get this working if you have a =
lower MTU than 1.500, which is quite normal, not just for tunnels, but also=
because the PPP/others encapsulation in many access links:
http://diskmakerx.com/
Furthermore, I mention this filtering problem in the article about the IPv6=
survey results, for those that don=E2=80=99t follow RIPE LABS site:
https://labs.ripe.net/Members/jordipaletm/results-of-the-ipv6-deployment-su=
rvey
Regards,
Jordi
-----Mensaje original-----
De: NANOG <nanog-bounces@nanog.org> en nombre de JORDI PALET MARTINEZ <jord=
i.palet@consulintel.es>
Responder a: <jordi.palet@consulintel.es>
Fecha: viernes, 18 de noviembre de 2016, 21:05
Para: <nanog@nanog.org>
Asunto: Re: pay.gov and IPv6
I tested from my home and happy eyeballs is not falling back to IPv4.
=20
So, I tend to suspect that is not ICMPv6 filtering, but something else,=
such as wrong load balancer or ECMP configuration.
=20
Regards,
Jordi
=20
=20
-----Mensaje original-----
De: NANOG <nanog-bounces@nanog.org> en nombre de Carl Byington <carl@fi=
ve-ten-sg.com>
Responder a: <carl@five-ten-sg.com>
Fecha: s=C3=A1bado, 19 de noviembre de 2016, 3:22
Para: <nanog@nanog.org>
Asunto: Re: pay.gov and IPv6
=20
=20
> > I am working with pay.gov.clev@clev.frb.org, trying to explain =
the
> problem.
=20
The intersection of government bureaucracy and technical issues is
frustrating to say the least. I just sent the message below, but ha=
ve no
expectation that it will change anything.=20
=20
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=20
On Fri, 2016-11-18 at 12:39 +0000, CLEV Pay Gov wrote:
> It would be best to discuss this via phone. Please contact our h=
elp
> desk at the number below and we could see if there's anything we =
could
> do over the phone to help troubleshoot.
=20
That is hopeless. Verbal technical discussions rarely work unless b=
oth
sides can see the same text. Have you ever tried (while talking on =
the
phone) to get someone to type in clev.frb.org without making a bunc=
h of
mistakes in the spelling??
=20
Anyway, just for my amusement, I did call 800-624-1373, Option #2, =
and
am on the line now, trying to explain this. 10 minutes and counting=
. Ok,
there does not seem to be any overall ticket for "pay.gov does not =
work
at all". They refuse to open a tech support ticket.
=20
=20
> If not, we may need to open a ticket for our technical support.
=20
Please open a ticket, and attach the following text for your tech
support folks. Alternatively, have them look at the "pay.gov and ip=
v6"
thread on nanog:
=20
http://mailman.nanog.org/pipermail/nanog/2016-November/thread.html
=20
=20
=20
www.pay.gov has an IPv6 address of 2605:3100:fffd:100::15, but that
machine or its upstream routers are filtering icmpv6 messages. That=
web
site is not accessible from systems with an MTU of 1280 bytes.
=20
The test case is:
=20
echo -e 'GET /public/home HTTP/1.0\n' | \
openssl s_client -servername www.pay.gov -ign_eof -connect \
'[2605:3100:fffd:100::15]:443'
=20
Run that (or just use a browser to try https://www.pay.gov) from a
system with a 1500 byte MTU, and it works. Run it from a system wit=
h
upstream connectivity via a tunnel, so the path MTU is smaller, and=
it
fails. Such tunnels are common for IPv6.
=20
Please stop filtering icmpv6.
=20
=20
=20
=20
=20
=20
=20
=20
=20
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
=20
This electronic message contains information which may be privileged or=
confidential. The information is intended to be for the use of the individ=
ual(s) named above. If you are not the intended recipient be aware that any=
disclosure, copying, distribution or use of the contents of this informati=
on, including attached files, is prohibited.
=20
=20
=20
=20
=20
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
=20
This electronic message contains information which may be privileged or=
confidential. The information is intended to be for the use of the individ=
ual(s) named above. If you are not the intended recipient be aware that any=
disclosure, copying, distribution or use of the contents of this informati=
on, including attached files, is prohibited.
=20
=20
=20
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
This electronic message contains information which may be privileged or con=
fidential. The information is intended to be for the use of the individual(=
s) named above. If you are not the intended recipient be aware that any dis=
closure, copying, distribution or use of the contents of this information, =
including attached files, is prohibited.
