Description
Hello,
Clients with IPv6 flow labels enabled, i.e. non-zero values in the flow label header field, have problems connecting to e.g. files.pythonhosted.org and www.python.org.
Steps for reproduction:
- e.g. Latest Windows 10 with "netsh int ipv6 set global flowlabel=enabled"
- wget.exe (Version 1.20) from https://eternallybored.org/misc/wget/
- On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
```
DEBUG output created by Wget 1.20 on mingw32.
Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:45:23-- https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x00000000029e8630 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 10054
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
```
- On CLI do "netsh int ipv6 set global flowlabel=disabled"
- On CLI do "wget -6 -d https://files.pythonhosted.org"
Output:
```
DEBUG output created by Wget 1.20 on mingw32.
Reading HSTS entries from c:\Users\user1\Downloads/.wget-hsts
URI encoding = 'CP1252'
converted 'https://files.pythonhosted.org' (CP1252) -> 'https://files.pythonhosted.org' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (CP1252)
--2019-01-29 12:52:01-- https://files.pythonhosted.org/
Resolving files.pythonhosted.org (files.pythonhosted.org)... seconds 0,00, 2a04:4e42:1b::319
Caching files.pythonhosted.org => 2a04:4e42:1b::319
Connecting to files.pythonhosted.org (files.pythonhosted.org)|2a04:4e42:1b::319|:443... seconds 0,00, connected.
Created socket 3.
Releasing 0x0000000000b78570 (new refcount 1).
Initiating SSL handshake.
seconds 900,00, Winsock error: 0
Handshake successful; connected socket 3 to SSL handle 0x0000000000b7cb60
certificate:
subject: CN=r.ssl.fastly.net,O=Fastly\, Inc,L=San Francisco,ST=California,C=US
issuer: CN=GlobalSign CloudSSL CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE
X509 certificate successfully verified and matches host files.pythonhosted.org
---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.20 (mingw32)
Accept: /
Accept-Encoding: identity
Host: files.pythonhosted.org
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response... seconds 900,00, Winsock error: 0
seconds 900,00, Winsock error: 0
---response begin---
HTTP/1.1 200 OK
Content-Type: text/html
Server: nginx/1.13.9
Content-Length: 1822
Accept-Ranges: bytes
Date: Tue, 29 Jan 2019 11:52:01 GMT
Age: 0
Connection: keep-alive
X-Served-By: cache-iad2150-IAD, cache-hhn1551-HHN
X-Cache: HIT, MISS
X-Cache-Hits: 1, 0
X-Timer: S1548762722.675927,VS0,VE88
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-Robots-Header: noindex
---response end---
200 OK
Registered socket 3 for persistent reuse.
Parsed Strict-Transport-Security max-age = 31536000, includeSubDomains = true
Updated HSTS host: files.pythonhosted.org:443 (max-age: 31536000, includeSubdomains: true)
Length: 1822 (1,8K) [text/html]
Saving to: 'index.html.7'
index.html.7 0%[ ] 0 --.-KB/s seconds 900,00, Winsock error: 0
index.html.7 100%[========================================================================================================================================>] 1,78K --.-KB/s in 0,002s
```
So, is using IPv6 flow labels for load balancing traffic evil nowadays, as network vendors are not able to use it correctly?
=> https://www.youtube.com/watch?v=b0CRjOpnT7w
=> https://blog.apnic.net/2018/01/11/ipv6-flow-label-misuse-hashing/
Therefore I would like to suggest completely disabling IPv6 flow label support on the servers hosting e.g. files.pythonhosted.org, as this only causes headaches.
Regards
Michael
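As an added illustration of the load-balancing concern raised in the report (this is not code from the report, from wget or from the hosting project): build a constructed IPv6 header, extract the 20-bit flow label, and compare a classic 5-tuple hash with an RFC 6437 style 3-tuple hash that includes the label. The client address, the ports and the assumption that the label changes within one connection are constructed for the example; the report does not say what the load balancer on this particular path actually hashes.

```python
import ipaddress
import struct
import zlib

SERVER = "2a04:4e42:1b::319"   # address wget resolved in the report
CLIENT = "2001:db8::1"         # constructed client address (documentation prefix)

def build_ipv6_header(src, dst, flow_label, next_header=6, payload_len=20,
                      hop_limit=64, traffic_class=0):
    """Return a constructed 40-byte IPv6 fixed header (not a real capture)."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_ipv6_header(hdr):
    """Extract the fields a load balancer might hash on; the flow label is 20 bits."""
    first_word, _, next_header, _ = struct.unpack("!IHBB", hdr[:8])
    return {
        "version": first_word >> 28,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "src": str(ipaddress.IPv6Address(hdr[8:24])),
        "dst": str(ipaddress.IPv6Address(hdr[24:40])),
        "next_header": next_header,
    }

def bucket_5tuple(hdr, sport, dport, n_buckets):
    """Classic hash over src, dst, protocol, source port and destination port."""
    p = parse_ipv6_header(hdr)
    key = f"{p['src']}|{p['dst']}|{p['next_header']}|{sport}|{dport}".encode()
    return zlib.crc32(key) % n_buckets

def bucket_3tuple(hdr, n_buckets):
    """RFC 6437 style hash over src, dst and the flow label only."""
    p = parse_ipv6_header(hdr)
    key = f"{p['src']}|{p['dst']}|{p['flow_label']}".encode()
    return zlib.crc32(key) % n_buckets

def demo(n_buckets):
    """Same 5-tuple, but the second packet carries a different flow label (the
    assumed failure mode: a label that is not stable for the whole connection)."""
    a = build_ipv6_header(CLIENT, SERVER, flow_label=0x12345)
    b = build_ipv6_header(CLIENT, SERVER, flow_label=0x54321)
    five = bucket_5tuple(a, 51000, 443, n_buckets) == bucket_5tuple(b, 51000, 443, n_buckets)
    three = bucket_3tuple(a, n_buckets) == bucket_3tuple(b, n_buckets)  # may differ -> other backend
    return {"five_tuple_stable": five, "three_tuple_stable": three}

if __name__ == "__main__":
    print(demo(8))
```

With a label of 0 on every packet (the `flowlabel=disabled` case from the report) both hashes stay constant for the connection, which is why disabling the label hides the problem.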