It is also common, when people convert their ACLs from IPv4 to IPv6, to forget
to add a rule for PTB in their IPv6 ACLs...

I would also suggest using tracepath(6) for debugging, as it factors in the
port you want to reach and will try to detect the PMTU. You may find where
the packet gets dropped this way.

On Mon, Nov 21, 2016 at 1:09 AM, Vladimir Dubrovin via mailop <
mailop@mailop.org> wrote:

>
> This problem is neither new nor specific to Yahoo or IPv6 and is usually
> referred to as a "blackhole router". ICMPv4 "Fragmentation Needed" (type 3
> code 4) / ICMPv6 "Packet Too Big" (type 2) *are required* for path MTU
> discovery and should never be filtered. The only reason it doesn't strike
> you with different servers is that it's highly recommended for public servers to
> set MaxMTU lower than 1500 (typically 1400 or so, or more exactly TCP MSS
> is usually set to the corresponding value), because there are a lot of users
> with misconfigured routers and firewalls.
>
>
> 18.11.2016 22:58, Carl Byington wrote:
>
> https://login.yahoo.com
>
> If you have IPv6 connectivity thru a tunnel, with a smaller MTU, that
> will fail. With a 1500 byte MTU, it works. The TCP handshake works - it
> then hangs during the TLS handshake which sends full size packets.
>
> echo -e 'GET / HTTP/1.0\n' | \
> openssl s_client -servername login.yahoo.com -ign_eof -connect \
> '[2001:4998:c:e33::50]:443'
>
> Please stop filtering icmpv6 packets going to your servers.
>
>
>
> --
> Vladimir Dubrovin
> @Mail.Ru
>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
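
An added example (not part of the thread and not written by any of its posters): a small Python check that walks an `ip6tables-save` dump and reports what the INPUT chain does with an inbound ICMPv6 Packet Too Big (type 2), the rule the first message says is often forgotten when an IPv4 ACL is converted. The rulesets are constructed samples; the model covers only `-p`, `--icmpv6-type`, conntrack state and `-i lo`, ignores negation and other matchers, and assumes conntrack classifies the PTB as RELATED.

```python
import shlex

PTB_PROTOS = {"ipv6-icmp", "icmpv6", "58", "all"}
PTB_TYPES = {"2", "2/0", "packet-too-big"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed samples in ip6tables-save format (not taken from the thread).
HEAD = "*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n"
TAIL = "-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT\nCOMMIT\n"
CONVERTED_FROM_V4 = HEAD + TAIL                       # PTB rule forgotten
EXPLICIT_PTB = HEAD + "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT\n" + TAIL
VIA_RELATED = HEAD + "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n" + TAIL
ESTABLISHED_ONLY = HEAD + "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT\n" + TAIL


def options(tokens):
    """Map each option flag to the token that follows it."""
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}


def matches_ptb(opt):
    """True if the rule would match an ICMPv6 type 2 packet from the network."""
    if opt.get("-i") == "lo":
        return False                      # PTB arrives on an external interface
    if opt.get("-p", "all") not in PTB_PROTOS:
        return False                      # e.g. a tcp-only rule
    if opt.get("--icmpv6-type", "2") not in PTB_TYPES:
        return False                      # rule is for another ICMPv6 type
    state = opt.get("--ctstate") or opt.get("--state")
    return not state or "RELATED" in state.split(",")


def ptb_verdict(ruleset, chain="INPUT"):
    """First terminal verdict for Packet Too Big, else the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]               # ":INPUT DROP [0:0]" sets the default
        elif tok[:2] == ["-A", chain]:
            opt = options(tok)
            if opt.get("-j") in TERMINAL and matches_ptb(opt):
                return opt["-j"]
    return policy


if __name__ == "__main__":
    for name in ("CONVERTED_FROM_V4", "EXPLICIT_PTB", "VIA_RELATED", "ESTABLISHED_ONLY"):
        print(f"{name:18} Packet Too Big -> {ptb_verdict(globals()[name])}")
```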
