From antoine.jacot-descombes@unine.ch Tue Dec 15 17:10:56 2015
From: JACOT-DESCOMBES Antoine
To: swinog@lists.swinog.ch
Subject: [swinog] www.post.ch IPv6 MTU issue
Date: Tue, 15 Dec 2015 16:10:25 +0000

Hello Swinog members,

There is apparently an MTU issue with SwissPost website when MTU of the link
is <1500 bytes. It is like if webserver answers every time with 1500 bytes
packets and doesn't make PMTUD.

The client connexion is over 6in4 with 1480 bytes MTU. No issues with other
IPv6 enabled sites.

Can another person with <1500MTU connexion confirm the same behaviour, and
maybe anyone from Swiss Post IT take a look at this probable ICMP filtering
issue.

Below are the tests done:

jacota@cactus:~$ curl -6 http://www.post.ch/
301 Moved Permanently

Moved Permanently

The document has moved here.

==> small packet <1480bytes ==> OK

jacota@cactus:~$ curl -6 https://www.post.ch/
no answer
==> SSL negotiation with full packets ==> FAIL

jacota@cactus:~$ telnet -6 www.post.ch 443
Trying 2a00:17c8:0:103::20a...
Connected to www.post.ch.
Escape character is '^]'.
==> TCP connectivity with port 443 ==>OK

Best regards,
Antoine Jacot-Descombes

From jeroen@massar.ch Tue Dec 15 17:27:18 2015
From: Jeroen Massar
To: swinog@lists.swinog.ch
Subject: Re: [swinog] www.post.ch IPv6 MTU issue
Date: Tue, 15 Dec 2015 17:26:49 +0100
Message-ID: <56703F49.3000203@massar.ch>

On 2015-12-15 17:10, JACOT-DESCOMBES Antoine wrote:
> Hello Swinog members,
>
> There is apparently an MTU issue with SwissPost website when MTU of the link
> is <1500 bytes. It is like if webserver answers every time with 1500 bytes
> packets and doesn't make PMTUD.

Your browser/OS should properly do Happy Eyeballs and make this invisible btw.

"Server:Microsoft-IIS/8.5" wow, that is fun to see, IIS doing IPv6.

Request URL:https://www.post.ch/assets/portal/vendor/jquery-1.11.0.min.js
Request Method:GET
Status Code:200 OK
Remote Address:[2a00:17c8:0:103::20a]:443
Content-Length:42757

Seems to work quite fine from a non-1500 MTU link.

> The client connexion is over 6in4 with 1480 bytes MTU. No issues with other
> IPv6 enabled sites.
>
> Can another person with <1500MTU connexion confirm the same behaviour, and
> maybe anyone from Swiss Post IT take a look at this probable ICMP filtering
> issue.

You don't need to check from a non-1500 link to see that something is really
b0rked in their network. A mere tracepath6 will show you this:

[...]
10:  gw-sunrise.init7.net     9.188ms asymm  9
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  2001:1700:3300::1       64.543ms asymm 11
16:  2001:1700:3300:2::2     23.897ms asymm 10
17:  no reply
18:  no reply
19:  no reply
[..]

Not going anywhere.

As traceroutes don't work, it is extremely likely that somebody is silly
enough to filter ICMPv6 and cause issues that way, but it could be anything
else too. One would think that after 20 years of IPv6's existence people
would learn.

Note though there are various load balancers who do not properly handle
ICMPv6. Cloudflare solved it in a very reasonable way:

https://blog.cloudflare.com/path-mtu-discovery-in-practice/

Google's load balancers apparently just force the MSS to something magic
that 'might just work'. Hence, never do a test for this against their
network, they are breaking all kinds of things to just handle a few more bits
(which in itself is good engineering work actually, just ignoring ICMPv6 on
the other hand... is not).

Greets,
Jeroen
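
Added example, not part of the original thread: a toy Python model of the failure both messages describe, showing why a small HTTP redirect gets through while a full-size TLS flight stalls when ICMPv6 Packet Too Big is filtered, and how a forced MSS hides the problem. The hop layout, payload sizes and the 1220-byte clamp are assumptions made for this illustration; only the 1480-byte 6in4 MTU comes from the thread.

```python
# Toy model of IPv6 Path MTU Discovery (illustration only, not a packet tool).
IPV6_TCP_OVERHEAD = 60  # 40-byte IPv6 header + 20-byte TCP header, no options

# Assumed server -> client path: server LAN, 6in4 tunnel (from the thread), client LAN.
PATH = [1500, 1480, 1500]


def deliver(payload_len, link_mtus, ptb_filtered, mss_clamp=None):
    """Model the largest segment of a server response crossing the path.

    ptb_filtered: True when ICMPv6 Packet Too Big never reaches the server.
    mss_clamp:    optional MSS forced on the connection (the workaround
                  mentioned in the reply above).
    Returns (delivered, packet_sizes_tried_by_server).
    """
    mss = link_mtus[0] - IPV6_TCP_OVERHEAD  # server only knows its own link
    if mss_clamp is not None:
        mss = min(mss, mss_clamp)
    tried = []
    for _ in range(len(link_mtus) + 1):  # at most one PTB per link
        size = min(payload_len, mss) + IPV6_TCP_OVERHEAD
        tried.append(size)
        # IPv6 routers never fragment: the first link that is too small drops
        # the packet and answers with Packet Too Big carrying its MTU.
        bottleneck = next((m for m in link_mtus if size > m), None)
        if bottleneck is None:
            return True, tried
        if ptb_filtered:
            # Server never learns the smaller MTU and retransmits the same
            # size until the connection times out: a PMTUD black hole.
            return False, tried
        mss = bottleneck - IPV6_TCP_OVERHEAD
    return False, tried


def scenarios():
    """Constructed payload sizes: ~300 B redirect, ~4000 B TLS certificate flight."""
    return {
        "redirect, PTB filtered": deliver(300, PATH, True),
        "tls, PTB filtered": deliver(4000, PATH, True),
        "tls, PTB delivered": deliver(4000, PATH, False),
        "tls, PTB filtered, MSS 1220": deliver(4000, PATH, True, mss_clamp=1220),
    }


if __name__ == "__main__":
    for name, (ok, sizes) in scenarios().items():
        print(f"{name:30} delivered={ok} sizes={sizes}")
```

The second scenario reproduces the reported symptom: the TCP handshake and small replies succeed, but the first 1500-byte packet is dropped at the tunnel and the sender is never told.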