[ntp:questions] What to do about broken IPv6 sites

Allen Kistler ackistler at oohay.moc
Sun Jun 21 21:00:54 UTC 2009


Steve Kostecke wrote:
> On 2009-06-19, Rick Jones <rick.jones2 at hp.com> wrote:
> 
>> Allen Kistler <ackistler at oohay.moc> wrote:
>>
>>> For example, http://www.ntp.org.
>>> NTP.org has a perfectly good IPv4 site, but the IPv6 site doesn't
>>> answer to SYNs.
> 
> ???

tcpdump says:

14:33:53.083303 IP6 2002:638e:214e:1:20b:cdff:fe8b:1495.57122 > 
2001:4f8:0:2::23.http: S 3716484184:3716484184(0) win 5760 <mss 
1440,sackOK,timestamp 91455773 0,nop,wscale 5>

14:33:56.082896 IP6 2002:638e:214e:1:20b:cdff:fe8b:1495.57122 > 
2001:4f8:0:2::23.http: S 3716484184:3716484184(0) win 5760 <mss 
1440,sackOK,timestamp 91458773 0,nop,wscale 5>

14:34:02.082937 IP6 2002:638e:214e:1:20b:cdff:fe8b:1495.57122 > 
2001:4f8:0:2::23.http: S 3716484184:3716484184(0) win 5760 <mss 
1440,sackOK,timestamp 91464773 0,nop,wscale 5>

etc.

Other IPv6 sites work fine.  The turtle dances.
http://sixy.ch/ is a source of handy test sites.

FWIW, *.ntp.org has _never_ worked for me on IPv6.  "Never" in this case 
means since about October 2008.  I've just finally gotten annoyed enough 
to start looking for things to do about the general problem of 
unreachable sites (not so much ntp, in particular).

>>> Since RFC-compliant behavior is to try the IPv6 address first, I
>>> have to timeout on every page element before switching to IPv4.
> 
> I have an IPv6 tunnel through Hurricane Electric and have _no_ problems
> with IPv6 to *.ntp.org

Interesting.  traceroute (tcp, udp, and icmp) says:

  1  2002:638e:214e:1::1 (2002:638e:214e:1::1)
  2  2002:c058:6301:: (2002:c058:6301::)
  3  v41.core1.nyc1.he.net (2001:470:0:51::1)
  4  10gigabitethernet1-1.core1.nyc4.he.net (2001:470:0:37::1)
  5  10gigabitethernet3-1.core1.sjc2.he.net (2001:470:0:33::1)
  6  10gigabitethernet3-2.core1.pao1.he.net (2001:470:0:32::2)
  7  * * *
  8  * * *
  9  * * *
etc.

The drops are meaningless, of course, since something just after pao1 
(Palo Alto?) could be stupidly configured never to allow icmp.  Or that 
could be the thing that's losing packets.  But HE is definitely in the path.

So should the guy who's actually paying HE ask HE what's up?




More information about the questions mailing list