On Fri, 2016-11-18 at 16:52 -0500, valdis.kletni...@vt.edu wrote:
> And you identified that the problem was at Yahoo, and not one or more
> of the hops between the far end of your tunnel and Yahoo, how,
> exactly?

Taking the top 1000 sites from Alexa, for those domain names $n where www.$n has at least one aaaa record $ip, and where "nmap -6 -Pn -p 443 $ip" shows that something seems to be running https there, we try

    echo -e 'GET / HTTP/1.0\n' | \
        openssl s_client -servername www.$n -ign_eof -connect "[$ip]:443"

In general, even if the TLS certificate is small enough to fit into about 1500 bytes, the home page is almost always larger than that. So something in that request would result in the server trying to send a large packet, getting an icmpv6 "too big", and resending with a smaller MSS.

Of the 220 sites identified above, 218 of them manage to see the icmpv6 packet and respond by resending with a packet that makes it thru the tunnel. I suspect that packets from at least one of those 218 sites go thru many of the same systems as the packets from login.yahoo.com.

https://www.mega.nz and https://www.1fichier.com seem to have the same icmpv6 filtering issue.
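The survey described in the message above, written out as a script; this is an added example, not part of the original post or the poster's own tooling. It assumes GNU coreutils `timeout`, `dig` and `openssl` are installed; the function names, the `SURVEY_LIST` variable and the 15-second limit are made up for this sketch, and the nmap pre-check is folded into the "failed" verdict.

```shell
#!/bin/sh
# Added example: automates the per-site test from the message above.
# Assumed tools: timeout (GNU coreutils), dig, openssl.
# Hypothetical names: PROBE_TIMEOUT, SURVEY_LIST, and all three functions.
PROBE_TIMEOUT=15   # seconds before a silent connection counts as stalled

# classify_probe RC OUTPUT_FILE -> prints one verdict:
#   ok       an HTTP status line came back through the tunnel
#   stalled  TCP connected, but no HTTP status line before timeout (rc 124);
#            consistent with the icmpv6 "too big" never reaching the server
#   failed   no connection, or any other error
classify_probe() (
    rc=$1 out=$2
    if grep -q 'HTTP/1\.[01] [0-9][0-9][0-9]' "$out"; then
        echo ok
    elif [ "$rc" -eq 124 ] && grep -q '^CONNECTED(' "$out"; then
        echo stalled
    else
        echo failed
    fi
)

# probe_site NAME IPV6_ADDR -> prints "www.NAME ADDR VERDICT"
probe_site() (
    n=$1 ip=$2
    out=$(mktemp) || exit 1
    printf 'GET / HTTP/1.0\r\n\r\n' |
        timeout "$PROBE_TIMEOUT" openssl s_client -servername "www.$n" \
            -ign_eof -connect "[$ip]:443" >"$out" 2>&1
    rc=$?                      # exit status of timeout/openssl
    echo "www.$n $ip $(classify_probe "$rc" "$out")"
    rm -f "$out"
)

# survey FILE: one domain per line; tests every AAAA address of www.<domain>
survey() {
    while read -r n; do
        # grep ':' keeps IPv6 addresses and drops CNAME targets
        for ip in $(dig +short AAAA "www.$n" | grep ':'); do
            probe_site "$n" "$ip"
        done
    done <"$1"
}

# Runs only when a domain list is supplied: SURVEY_LIST=domains.txt sh survey.sh
if [ -n "${SURVEY_LIST:-}" ]; then survey "$SURVEY_LIST"; fi
```

A "stalled" verdict only says the large server packets never arrived; confirming where the icmpv6 message is dropped still takes a capture at the tunnel endpoint.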