Following up on a two year old thread, one of my clients just hit this
problem. The failure is not that www.pay.gov is not reachable over ipv6
(2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
connection, but the connection then hangs waiting for the TLS handshake.
Following up on a two year old thread, one of my clients just hit this
problem. The failure is not that www.pay.gov is not reachable over ipv6
(2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
connection, but the connection then hangs waiting for the TLS handshake.
Browsers (at least firefox) see that as a very slow site, and it does
not trigger their happy eyeballs fast failover to ipv4.
Happy eyeballs is about making the connection not whether TCP
connections work after the initial packet exchange.
I would send a physical letter to the relevent Inspector General
requesting that they ensure all web sites under their juristiction
that are supposed to be reachable from the public net get audited
regularly to ensure that IPv6 connections work from public IP space.
While you are sending the letter can you also ask why pay.gov's DNS
servers are broken.
into the local rpz zone. That suppresses the AAAA record, so local
clients are forced into IPv4 for that site. That allows them to use IPv6
for other sites.
I’m not seeing the issue here, but they do have some possible issues the way they’re setting cookies (See details below).
What path are you seeing to them? I’m also not having the issue from the IETF97 network here in Seoul which has IPv6 as well.
puck:~$ traceroute6 www.pay.gov.
traceroute to www.pay.gov. (2605:3100:fffd:100::15), 30 hops max, 80 byte packets
1 ge-0-7-0-22.r05.chcgil09.us.bb.gin.ntt.net (2001:418:3f4::1) 0.751 ms 0.871 ms 0.994 ms
2 verio-gw.cgcil.ipv6.att.net (2001:1890:1fff:307:192:205:32:193) 2.008 ms 1.991 ms 2.837 ms
3 cgcil22crs.ipv6.att.net (2001:1890:ff:ffff:12:122:132:198) 27.333 ms 27.167 ms 27.070 ms
4 sl9mo22crs.ipv6.att.net (2001:1890:ff:ffff:12:122:2:178) 27.602 ms 27.646 ms 27.628 ms
5 sl9mo21crs.ipv6.att.net (2001:1890:ff:ffff:12:122:2:217) 30.055 ms 29.894 ms 29.855 ms
6 dlstx22crs.ipv6.att.net (2001:1890:ff:ffff:12:122:2:1) 28.888 ms 27.016 ms 26.933 ms
7 dlstx84crs.ipv6.att.net (2001:1890:ff:ffff:12:123:18:249) 28.126 ms 26.757 ms 26.645 ms
8 2001:1890:ff:ffff:12:122:124:141 (2001:1890:ff:ffff:12:122:124:141) 26.142 ms 26.269 ms 26.179 ms
9 2001:1890:c00:610b::1138:7d27 (2001:1890:c00:610b::1138:7d27) 27.273 ms 27.255 ms 27.544 ms
10 2001:1890:1c08:cf01::2 (2001:1890:1c08:cf01::2) 27.673 ms !X 27.559 ms !X 27.465 ms !X
curl -v Pay.gov - Home
* Trying 2605:3100:fffd:100::15...
* TCP_NODELAY set
* Connected to www.pay.gov (2605:3100:fffd:100::15) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* ALPN/NPN, server did not agree to a protocol
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* start date: May 28 14:58:43 2015 GMT
* expire date: May 29 06:16:02 2018 GMT
* common name: www.pay.gov
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
GET /public/home HTTP/1.1
Host: www.pay.gov
User-Agent: curl/7.51.0
Accept: */*
>
> :
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Following up on a two year old thread, one of my clients just hit this
>> problem. The failure is not that www.pay.gov is not reachable over ipv6
>> (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443
>> connection, but the connection then hangs waiting for the TLS handshake.
>>
>> openssl s_client -connect www.pay.gov:443
>>
>> openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
>>
>> Browsers (at least firefox) see that as a very slow site, and it does
>> not trigger their happy eyeballs fast failover to ipv4.
>
> Happy eyeballs is about making the connection not whether TCP
> connections work after the initial packet exchange.
>
> I would send a physical letter to the relevent Inspector General
> requesting that they ensure all web sites under their juristiction
> that are supposed to be reachable from the public net get audited
> regularly to ensure that IPv6 connections work from public IP space.
Which show green which means that the tests they are doing are not
sufficient. They need to test from behind a 1280 mtu link.
The DNSSEC testing is also insufficient. 9-11commission.gov shows
green for example but if you use DNS COOKIES (which BIND 9.10.4 and
BIND 9.11.0 do) then servers barf and return BADVERS and validation
fails. QWEST you have been informed of this already.
Why the hell should validating resolver have to work around the
crap you guys are using? DO YOUR JOBS which is to use RFC COMPLIANT
servers. You get PAID to do DNS because people think you are
compentent to do the job. Evidence shows otherwise.
I am working with pay.gov.clev@clev.frb.org, trying to explain the
problem. They seem to think I should provide "application name and ID"
before they can research this. I responded as below. I will let you know
if there is any progress on this. It is 100% reproducible here - and
should be reproducible from anywhere with a slightly smaller than normal
MTU.
We try to get to https://www.pay.gov/public/home - which fails. I
presume that is before there is any application name or ID.
Try to reach that page from a browser on a machine with ipv6
connectivity that goes thru a tunnel with a 1300 byte MTU. It will fail.
That's fine, but until someone is willing to work with them don't
expect it to get fixed.
I am working with pay.gov.clev@clev.frb.org, trying to explain the
problem. They seem to think I should provide "application name and ID"
before they can research this.
They probably want that so they know where to route the ticket. I
pointed them at RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls
and suggested they have someone on the network team use ipv6 to
connect to pay.gov over a 1280 byte MTU link. Hopefully that's enough
to get the ticket routed to the correct group.
I responded as below. I will let you know
if there is any progress on this.
I'd appreciate that.
And thanks for being willing to work with them to fix the problem.
The DNSSEC testing is also insufficient. 9-11commission.gov shows
green for example but if you use DNS COOKIES (which BIND 9.10.4 and
BIND 9.11.0 do) then servers barf and return BADVERS and validation
fails. QWEST you have been informed of this already.
Why the hell should validating resolver have to work around the
crap you guys are using?
The protocol doesn't have proper version negotation, and again and
again, implementers have tried to force backwards-incompatible
implementations on the Internet at large.
> I am working with pay.gov.clev@clev.frb.org, trying to explain the
problem.
The intersection of government bureaucracy and technical issues is
frustrating to say the least. I just sent the message below, but have no
expectation that it will change anything.