WHOIS with IPv6
Carmen Sandiego on Thursday, 20 March 2014 06:58:44
Hello,
I have one VM (eth0 interface with subnet::1) - let's call it IPv6-SixXS-Tunnel-Gateway VM - that runs the aiccu service and has a firewall configured similar to the one here: https://www.sixxs.net/wiki/IPv6_Firewalling#A_more_sophisticated_script_for_IPv6_stateful_firewall
and several VMs that use this one VM as gateway;
when doing this:
whois sophiedogg.com
on this IPv6-SixXS-Tunnel-Gateway VM it works fine,
but when doing the same on any other VM with IPv4/IPv6 dual-stack connectivity, this command hangs after '[Querying whois.verisign-grs.com]'; on BSD this shows a few more lines and hangs, too;
no packet has been blocked by the firewall
on the IPv6-SixXS-Tunnel-Gateway VM (checked with dmesg);
doing this on any VM with IPv4-only (no IPv6) connectivity, it also works fine and shows the complete result ...;
when running wireshark with a filter "tcp.port == 43" while this command runs
on this IPv6-SixXS-Tunnel-Gateway VM, I can see a communication that begins with IPv6 and after a few packets goes on with IPv4 ...
when telling the whois command the IPv4 address of the whois server (whois.verisign-grs.com, IPv4 = 199.7.54.74, IPv6 = 2001:501:8a29:1060::74), like this:
whois -h 199.7.54.74 sophiedogg.com
this works, and shows the partial result of this server; no redirect is made;
whois -h 2001:501:8a29:1060::74 sophiedogg.com
works only on this IPv6-SixXS-Tunnel-Gateway VM
I'm behind a NAT firewall/router; and with this it is logical that every host (all are VMs) has direct IPv4 connectivity through the router box (a Cisco), but the VMs that are configured with dual-stack can only use this IPv6-SixXS-Tunnel-Gateway VM as gateway for IPv6; this means they have two totally different gateways: the router box for IPv4 and the IPv6-SixXS-Tunnel-Gateway VM for IPv6;
Can someone explain to me what is going wrong ...
Thanks;
Greetings from Austria,
Walter H.
WHOIS with IPv6
Shadow Hawkins on Thursday, 10 April 2014 10:32:30
I also had this problem:
https://www.sixxs.net/forum/?msg=general-9469190
Found no resolution so far.
WHOIS with IPv6
Jeroen Massar on Thursday, 10 April 2014 11:08:23
> https://www.sixxs.net/wiki/IPv6_Firewalling#A_more_sophisticated_script_for_IPv6_stateful_firewall
Are you sure that that firewall properly handles PathMTU discovery?
> when running wireshark with a filter "tcp.port == 43" while this command runs
You should at minimum also look at ICMP.
Likely you (or the PoP[1]) will send an "ICMPv6 Packet Too Big" to the other side (the whois server); if that one does not properly handle it, your connection will get stuck.
A 'tracepath6' to the whois server in question will be very helpful, as then you can at least see if the path should be okay. (any hop not responding to ICMP is likely an ICMP blackhole...)
[1] you can sometimes catch the PoP sending this packet too big back to the other side in the Live Tunnel Status; either you will see the last one or that the count increased a few.
WHOIS with IPv6
Carmen Sandiego on Friday, 09 May 2014 20:15:10
How can I see that the firewall properly handles PathMTU discovery?
(but when disabling the firewall at all
service ip6tables stop
on the Gateway-VM, nothing changes)
I see
[TCP Previous segment lost] or [TCP Out-of-Order] on the Info column
with the source IPv6 address of the whois server and the dest IPv6 address of any of my VMs connected through the Gateway-VM
what do these say to me?
by the way, there exists just one webserver I have trouble getting any connection to;
for both problems
- this whois server
- the webserver (my webhoster's webmail: https://webmail.world4you.com)
I did an unorthodox solution: I just made new zones in my DNS that only have A records and no AAAA records, and everything works fine ...
WHOIS with IPv6
Jeroen Massar on Saturday, 10 May 2014 00:55:45
> How can I see that the firewall properly handles PathMTU discovery?
Check if a tracepath6 succeeds for all the hops. If that works, then PathMTU discovery should work too.
> (but when disabling the firewall at all service ip6tables stop on the Gateway-VM, nothing changes)
Depends if that actually unloads the rules and/or sets the default policies correctly.
> [TCP Previous segment lost] or [TCP Out-of-Order] on the Info column with the source IPv6 address of the whois server and the dest IPv6 address of any of my VMs connected through the Gateway-VM what do these say to me?
That packets are being dropped somewhere and that some are arriving out of order.
> I did an unorthodox solution: I just made new zones in my DNS that only have A records and no AAAA records, and everything works fine ...
IPv6 != IPv4, completely different network.
WHOIS with IPv6
Carmen Sandiego on Thursday, 15 May 2014 18:00:19
> Check if a tracepath6 succeeds for all the hops. If that works, then PathMTU discovery should work too.
doing this on my Proxy-VM
this results in this
tracepath6 2a00:1a68:1:101::a80:1b01
1?: [LOCALHOST] pmtu 1500
1: gatevm 0.267ms
1: gatevm 0.137ms
2: gatevm 0.111ms pmtu 1280
2: gw-2005.mbx-01.si.sixxs.net 116.876ms
2: gw-2005.mbx-01.si.sixxs.net 27.035ms
3: simbx01.sixxs.net 66.758ms asymm 2
4: mx-mb1-te-1-2-0-v4.amis.net 45.282ms asymm 3
5: mx-mb1-te-1-3-1.amis.net 71.042ms asymm 4
6: mx-vi1-te-0-0-1.amis.net 115.082ms asymm 5
7: 2001:7f8:30:0:2:1:2:1013 100.959ms asymm 6
8: 2a02:940::1:13 86.627ms asymm 7
9: 2a00:1a68:ff:1::c02 193.211ms asymm 8
10: 2a00:1a68:ff:5::f02 68.952ms asymm 9
11: no reply
12: no reply
13: no reply
...
the same on the IPv6-Gateway-VM
could this be the reason why I see my Gateway-VM 3 times?
> I did an unorthodox solution: I just made new zones in my DNS that only have A records and no AAAA records, and everything works fine ...
> IPv6 != IPv4, completely different network.
I know, but this is at the moment the only workaround, otherwise I'm disconnected from my webhoster's webmail ...
would it be possible for you to try
https://webmail.world4you.com/
and maybe detect the problem?
WHOIS with IPv6
Carmen Sandiego on Thursday, 15 May 2014 18:07:54
the tracepath6 to this whois-Server from my Proxy-VM
tracepath6 2001:501:8a29:1060::74
1?: [LOCALHOST] pmtu 1500
1: gatevm 0.223ms
1: gatevm 0.105ms
2: gatevm 0.110ms pmtu 1280
2: gw-2005.mbx-01.si.sixxs.net 15.970ms
2: gw-2005.mbx-01.si.sixxs.net 16.100ms
3: simbx01.sixxs.net 16.836ms asymm 2
4: mx-mb1-te-1-2-0-v4.amis.net 18.906ms asymm 3
5: mx-mb1-te-1-3-1.amis.net 32.651ms asymm 4
6: mx-vi1-te-0-0-1.amis.net 20.650ms asymm 5
7: 30gigabitethernet4-3.core1.fra1.he.net 89.499ms asymm 6
8: 100ge3-1.core1.ams1.he.net 44.529ms asymm 7
9: 100ge9-1.core1.lon2.he.net 53.801ms asymm 8
10: 2001:7f8:4::272a:2 47.519ms asymm 9
11: 2001:cb0:c113:1:8::1 176.186ms asymm 12
12: 2001:cb0:c113:1:6::2 175.854ms
13: 2001:cb0:c111:1:28::1 283.584ms asymm 12
14: 2001:cb0:104:1:11::2 281.745ms asymm 13
15: 2001:cb0:104:2:a::2 284.571ms asymm 14
16: 2001:501:8a29:13ff::2 286.821ms !A
Resume: pmtu 1280
and without looking up host names
tracepath6 -n 2001:501:8a29:1060::74
1?: [LOCALHOST] pmtu 1500
1: 2001:15c0:65ff:87d4::1 0.200ms
1: 2001:15c0:65ff:87d4::1 0.087ms
2: 2001:15c0:65ff:87d4::1 0.076ms pmtu 1280
2: 2001:15c0:65ff:7d4::1 16.245ms
2: 2001:15c0:65ff:7d4::1 18.131ms
3: 2001:15c0:ffff:7::2 25.742ms asymm 2
4: 2001:15c0:ffff:7::1 17.610ms asymm 3
5: 2001:15c0:ffff:d::c 23.583ms asymm 4
6: 2001:15c0:ffff:d::3 56.921ms asymm 5
7: 2001:7f8::1b1b:0:1 35.002ms asymm 6
8: 2001:470:0:2d4::1 46.317ms asymm 7
9: 2001:470:0:2d0::1 49.543ms asymm 8
10: 2001:7f8:4::272a:2 44.811ms asymm 9
11: 2001:cb0:c113:1:8::1 176.087ms asymm 12
12: 2001:cb0:c113:1:6::2 175.857ms
13: 2001:cb0:c111:1:28::1 281.478ms asymm 12
14: 2001:cb0:104:1:11::2 281.415ms asymm 13
15: 2001:cb0:104:2:a::2 283.553ms asymm 14
16: 2001:501:8a29:13ff::2 287.737ms !A
Resume: pmtu 1280
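As an added example (not code from the thread or from SixXS), a small Python script that reads tracepath6 output like the traces posted above and pulls out the three things Jeroen's earlier reply says to look for: where the path MTU drops (1500 to 1280 at the tunnel), which hops never answer (a possible ICMP blackhole), and whether the trace completed with a Resume line. The two sample traces are constructed, modelled on the output in this thread.

```python
import re
# Constructed samples, modelled on the tracepath6 output posted in this thread.
# Trace A goes silent at hops 11 and 12 and never prints a Resume line.
TRACE_A = """\
 1?: [LOCALHOST]                  pmtu 1500
 1:  gatevm                       0.267ms
 2:  gatevm                       0.111ms pmtu 1280
 2:  gw-2005.mbx-01.si.sixxs.net  116.876ms
11:  no reply
12:  no reply
"""
# Trace B reaches a final hop and reports the resulting path MTU.
TRACE_B = """\
 1?: [LOCALHOST]                  pmtu 1500
 2:  gatevm                       0.110ms pmtu 1280
16:  2001:501:8a29:13ff::2        286.821ms !A
     Resume: pmtu 1280
"""
HOP_RE = re.compile(r"^\s*(\d+)\??:\s+(.*)$")       # " 2:  gatevm 0.111ms pmtu 1280"
PMTU_RE = re.compile(r"pmtu (\d+)")
RESUME_RE = re.compile(r"^\s*Resume: pmtu (\d+)")

def analyse(output):
    """Summarise a tracepath6 run: PMTU changes, silent hops, final pmtu, Resume."""
    pmtu_changes, silent, current, resume = [], [], None, None
    for line in output.splitlines():
        m = RESUME_RE.match(line)
        if m:
            resume = int(m.group(1))      # trace completed; tracepath6 printed its summary
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        if rest.startswith("no reply"):
            silent.append(hop)            # hop answered nothing: candidate ICMP blackhole
            continue
        p = PMTU_RE.search(rest)
        if p:
            new = int(p.group(1))
            if current is not None and new != current:
                pmtu_changes.append((hop, current, new))   # e.g. (2, 1500, 1280)
            current = new
    return {"pmtu_changes": pmtu_changes, "silent_hops": silent, "final_pmtu": current, "resume": resume}

def blackhole_suspected(summary):
    """True when the trace went silent and never completed (no Resume line)."""
    return bool(summary["silent_hops"]) and summary["resume"] is None
```

Feed it real output with `analyse(subprocess.check_output(["tracepath6", host], text=True))`; a result with silent hops and no Resume points at the same ICMP filtering Jeroen describes, while a clean Resume with pmtu 1280 says the path itself is fine.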
WHOIS with IPv6
Carmen Sandiego on Friday, 23 May 2014 21:58:06
Something has changed;
whois -h 2001:501:8a29:1060::74 sophiedogg.com
doesn't hang any more, but results in an empty output;
very strange;