On 11/16/16, Mark Andrews <marka@isc.org> wrote:
In message <1479249003.3937.6.camel@ns.five-ten-sg.com>, Carl Byington writes :
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Following up on a two year old thread, one of my clients just hit this problem. The failure is not that www.pay.gov is not reachable over ipv6 (2605:3100:fffd:100::15). They accept (TCP handshake) the port 443 connection, but the connection then hangs waiting for the TLS handshake.
openssl s_client -connect www.pay.gov:443
openssl s_client -servername www.pay.gov -connect 199.169.192.21:443
Browsers (at least firefox) see that as a very slow site, and it does not trigger their happy eyeballs fast failover to ipv4.
Happy eyeballs is about making the connection not whether TCP connections work after the initial packet exchange.
I would send a physical letter to the relevent Inspector General requesting that they ensure all web sites under their juristiction that are supposed to be reachable from the public net get audited regularly to ensure that IPv6 connections work from public IP space.
That will absolutely work. NIST is still monitoring ipv6 .gov sites https://usgv6-deploymon.antd.nist.gov/cgi-bin/generate-gov so the IG isn't going to do anything there & pay.gov has a contact us page https://pay.gov/public/home/contact that I'd bet works much better than a letter to the IG Regards, Lee