Re: [mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection

2016-11-21 Thread Franck Martin via mailop
It is also common when people convert their ACLs from IPv4 to IPv6 to forget
to add a rule for PTB in their IPv6 ACLs...

I would also suggest using tracepath(6) for debugging, as it factors in the
port you want to reach and will try to detect the PMTU. You may find where
the packet gets dropped this way.

On Mon, Nov 21, 2016 at 1:09 AM, Vladimir Dubrovin via mailop <
mailop@mailop.org> wrote:

>
> This problem is neither new nor specific to Yahoo or IPv6 and is usually
> referred to as "blackhole router". ICMPv4 "Fragmentation Needed" (type 3
> code 4) / ICMPv6 "Packet Too Big" (type 2) *are required* for path MTU
> discovery and should never be filtered. The only reason it doesn't strike
> you with different servers is it's highly recommended for public servers to
> set MaxMTU lower than 1500 (typically 1400 or so, or more exactly TCP MSS
> is usually set to the corresponding value), because there are a lot of users
> with misconfigured routers and firewalls.
>
>
> 18.11.2016 22:58, Carl Byington wrote:
>
> https://login.yahoo.com
>
> If you have IPv6 connectivity thru a tunnel, with a smaller MTU, that
> will fail. With a 1500 byte MTU, it works. The TCP handshake works - it
> then hangs during the TLS handshake which sends full size packets.
>
> echo -e 'GET / HTTP/1.0\n' | \
> openssl s_client -servername login.yahoo.com -ign_eof -connect \
> '[2001:4998:c:e33::50]:443'
>
> Please stop filtering icmpv6 packets going to your servers.
>
>
>
> --
> Vladimir Dubrovin
> @Mail.Ru
>
>
>
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
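
The ACL-conversion mistake described in the message above can be checked for mechanically. The following is an added example, not code from anyone in this thread: it walks an `ip6tables-save` style ruleset with first-match semantics and reports what happens to an inbound ICMPv6 Packet Too Big (type 2). The function name `ptb_verdict` and both rulesets are constructed for illustration; the matcher assumes no `!` negations and that every option takes one argument.

```python
import shlex

PTB_TYPES = {"2", "packet-too-big"}          # numeric and symbolic spelling
ICMP6_PROTOS = {None, "ipv6-icmp", "icmpv6", "58"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def ptb_verdict(ruleset, chain="INPUT"):
    """Return (verdict, deciding_rule) for a Packet Too Big arriving on `chain`."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == f":{chain}":            # e.g. ":INPUT DROP [0:0]"
            policy = tok[1]
            continue
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))   # assumption: option/value pairs
        target = opts.pop("-j", None)
        opts.pop("-m", None)                     # module names carry no match
        if target not in TERMINAL:
            continue
        proto = opts.pop("-p", None)
        icmp_type = opts.pop("--icmpv6-type", None)
        states = opts.pop("--ctstate", "")
        if opts:                 # narrowed by port, address, interface: skip,
            continue             # it does not decide for every PTB packet
        if proto not in ICMP6_PROTOS:
            continue
        if icmp_type is not None and icmp_type not in PTB_TYPES:
            continue
        # A PTB for a live connection is classified RELATED by conntrack.
        if states and "RELATED" not in states.split(","):
            continue
        return target, line.strip()
    return policy, f"policy of chain {chain}"

# Constructed ruleset: an IPv4 ACL carried over to IPv6 without a PTB rule.
CONVERTED = """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
COMMIT"""

# Same ruleset with the missing rule added (constructed).
PTB_RULE = "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT"
FIXED = CONVERTED.replace("COMMIT", PTB_RULE + "\nCOMMIT")
```

Run against the converted ruleset, the verdict is the chain's DROP policy, which is the blackhole condition discussed in this thread; with the type 2 rule present the verdict is ACCEPT.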


[mailop] Cisco / SenderBase support filtering

2016-11-21 Thread Michael Orlitzky
> : host vmx.sco.cisco.com[184.94.241.135] refused to
> talk to me: 554-vmx.sco.cisco.com 554 Your access to this mail system has
> been rejected due to the sending MTA's poor reputation. If you believe that
> this failure is in error, please contact the intended recipient via
> alternate means.

No shit, that's why I opened a support ticket.




Re: [mailop] Anyone from Yahoo - icmpv6 filtering breaks login.yahoo.com MTU detection

2016-11-21 Thread Vladimir Dubrovin via mailop

This problem is neither new nor specific to Yahoo or IPv6 and is usually
referred to as "blackhole router". ICMPv4 "Fragmentation Needed" (type 3
code 4) / ICMPv6 "Packet Too Big" (type 2) *are required* for path MTU
discovery and should never be filtered. The only reason it doesn't
strike you with different servers is it's highly recommended for public
servers to set MaxMTU lower than 1500 (typically 1400 or so, or more
exactly TCP MSS is usually set to the corresponding value), because there
are a lot of users with misconfigured routers and firewalls.


18.11.2016 22:58, Carl Byington wrote:
> https://login.yahoo.com
>
> If you have IPv6 connectivity thru a tunnel, with a smaller MTU, that
> will fail. With a 1500 byte MTU, it works. The TCP handshake works - it
> then hangs during the TLS handshake which sends full size packets.
>
> echo -e 'GET / HTTP/1.0\n' | \
> openssl s_client -servername login.yahoo.com -ign_eof -connect \
> '[2001:4998:c:e33::50]:443'
>
> Please stop filtering icmpv6 packets going to your servers.
>
>

-- 
Vladimir Dubrovin
@Mail.Ru
