[e2e] ECN conversation on /.

Jim Gettys jg at pa.dec.com
Sun Apr 29 12:16:29 PDT 2001


> Sender: end2end-interest-admin at postel.org
> From: Jon Crowcroft <J.Crowcroft at cs.ucl.ac.uk>
> Date: Sun, 29 Apr 2001 10:45:15 +0100
> To: smd at ebone.net (Sean Doran)
> Cc: end2end-interest at postel.org
> Subject: Re: [e2e] ECN conversation on /.
> -----
> this seems to be a sort of rehash of old news - sally floyd and others
> at aciri were doing ECN experiments and found some sites' firewalls
> blocked tcp (or was it the ip code point - can't recall) - it sounded
> like it was more worthwhile pursuing telling people that the firewalls
> were misconfigured (actually a reasonable 'error' since anything you
> don't know, in a firewalled site is a potential attack, so it's more a
> case of bringing people up to date than imparting clue)
> 
> the linux today report didn't really explain that and seemed to imply
> that if you enabled ecn in your linux box, you would fail to talk to
> end system sites that didn't talk ecn which is plain wrong as far as i
> know - ecn is backward compatible, but nats and firewalls are not
> forward compatible:-)
> In message <20010429064909.9FCA7937 at sean.ebone.net>, Sean Doran typed:
> 

Claim out of Compaq's firewall folks is that there are also bugs in Ciscos
that can cause this trouble; I had a report of someone that he couldn't
get mail to me.  Attached is follow up in case it may help out others with
this problem....

--
Jim Gettys
Technology and Corporate Development
Compaq Computer Corporation
jg at pa.dec.com


> From: "Robinson, Paul (IM Hou)" <Paul.Robinson at Compaq.Com>
> Date: Fri, 6 Apr 2001 15:39:44 -0500
> Subject: RE: Incoming mail isn't happening properly... (firewall's handling
>         of ECN broken).
> -----
> Actually it's not a port, it's a field identified as a Congestion
> Experienced (CE) bit in a packet header that acts as an indication of
> congestion, instead of relying solely on packet drops.  This additional
> field setting isn't recognized by the PIX code as a valid frame so it
> discards it. In talking with Sam Davis, Cisco has a fix for this in another
> rev of the current code loaded on the PIX.   We will have to test/review the
> code in preparation to resolve this issue.
> 
>  -----Original Message-----
> From: 	Donnelly, Troy 
> Sent:	Friday, April 06, 2001 10:47 AM
> To:	Hackney, Greg; Fleck, Michael; White, Bill; Robinson, Paul (IM Hou);
> Davis, Samuel
> Cc:	Carey, Kevin (CRL); Gettys, Jim; Fetterly, Dennis; Briese, Charles
> (Chuck); Baumle, Larry
> Subject:	RE: Incoming mail isn't happening properly... (firewall's
> handling of ECN broken).
> 
> It sounds like the Linux Explicit Congestion Notification uses a port that
> we do not allow through the firewalls?  Does anyone know what that port is?
> If it is something other than one of the standard acceptable protocols allowed
> through it will need security review/approval before it can be allowed.
> 
> -Troy
> 
> -----Original Message-----
> From: Hackney, Greg
> Sent: Thursday, April 05, 2001 11:59 AM
> To: Fleck, Michael; Donnelly, Troy; White, Bill; Robinson, Paul (IM
> Hou); Davis, Samuel
> Cc: Carey, Kevin (CRL); Gettys, Jim; Fetterly, Dennis; Briese, Charles
> (Chuck)
> Subject: RE: Incoming mail isn't happening properly... (firewall's
> handling of ECN broken).
> 
> 
> Comments anyone?
> 
> 
> -----Original Message-----
> From: Fetterly, Dennis
> Sent: Thursday, April 05, 2001 11:46 AM
> To: Hackney, Greg
> Cc: Carey, Kevin (CRL); Gettys, Jim
> Subject: Fw: Incoming mail isn't happening properly... (firewall's
> handling of ECN broken).
> 
> 
> Greg,
> 
> Compaq's firewall blocks connections from computers running Linux when they
> have Explicit Congestion Notification enabled.  I'm not sure who I
> should send this to within Compaq so that it can be resolved.  Could you
> please direct it to the appropriate individual?
> 
> Thanks,
> -Dennis
> 
> --
> Dennis Fetterly
> Systems Research Center
> Compaq Computer Corporation
> +1 650.853.2285
> dennis.fetterly at compaq.com
> 
> ----- Original Message -----
> From: "Jim Gettys" <jg at pa.dec.com>
> To: <fetterly at pa.dec.com>
> Cc: <kevin.carey at compaq.com>
> Sent: Tuesday, March 20, 2001 9:22 AM
> Subject: Incoming mail isn't happening properly... (firewall's handling of
> ECN broken).
> 
> 
> > The firewall complex, however it is now, isn't handling ECN properly.
> >
> > See: http://www.tux.org/lkml/#s14-2 for details.
> >
> > This causes mail to pa.dec.com (and certainly compaq.com) to back up
> > on various machines, and possibly go into the bitbucket.
> > - Jim
> >
> > --
> > Jim Gettys
> > Technology and Corporate Development
> > Compaq Computer Corporation
> > jg at pa.dec.com
> >
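
The header bits discussed in the thread above, as an added example that is not part of the original messages: it shows where ECN lives in the IPv4 and TCP headers (RFC 3168) and why a validity check written before those bits were assigned drops an ECN-setup SYN. The `legacy_filter` and `ecn_aware_filter` functions are hypothetical models for illustration, not the PIX logic, and the packets are constructed samples using documentation addresses.

```python
import struct

# TCP flag bits. ECE and CWR were "reserved, must be zero" before RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
# IP ECN field: the low two bits of the former TOS byte.
ECN_NAMES = {0b00: "Not-ECT", 0b01: "ECT(1)", 0b10: "ECT(0)", 0b11: "CE"}

def build_packet(tcp_flags, ip_ecn=0):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, ip_ecn & 0x3, 40, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 25]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1000, 0, 5 << 4,
                      tcp_flags, 65535, 0, 0)
    return ip + tcp

def parse(pkt):
    """Return (IP ECN codepoint, TCP flags byte) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4        # IPv4 header length in bytes
    return pkt[1] & 0x03, pkt[ihl + 13]

def legacy_filter(pkt):
    """Hypothetical pre-ECN check: formerly reserved bits must all be zero."""
    ip_ecn, flags = parse(pkt)
    return "drop" if (flags & (ECE | CWR)) or ip_ecn else "pass"

def ecn_aware_filter(pkt):
    """Hypothetical updated check: ECN bits are legal, nonsense flag sets are not."""
    _, flags = parse(pkt)
    if flags & SYN and flags & (FIN | RST):
        return "drop"
    return "pass"

if __name__ == "__main__":
    samples = {
        "plain SYN": build_packet(SYN),
        "ECN-setup SYN (SYN+ECE+CWR)": build_packet(SYN | ECE | CWR),
        "data segment marked CE": build_packet(ACK, 0b11),
        "SYN+FIN (invalid)": build_packet(SYN | FIN),
    }
    for name, pkt in samples.items():
        ecn, flags = parse(pkt)
        print(f"{name:30} ip_ecn={ECN_NAMES[ecn]:8} flags=0x{flags:02x} "
              f"legacy={legacy_filter(pkt)} ecn_aware={ecn_aware_filter(pkt)}")
```

The ECN-setup SYN carries Not-ECT in the IP header, so in this model it is the two TCP flag bits, not the IP codepoint, that trip the older check.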


