[e2e] Linux, firewalls and ECN deployment
Jamal Hadi Salim
hadi at znyx.com
Wed May 14 04:16:09 PDT 2003
On Wed, 14 May 2003, Rik Wade wrote:
> On Wed, 14 May 2003, Michael Welzl wrote:
>
> > 1. is this still true? are there any measurements that show this?
>
> I believe that at least one commercial off-the-shelf firewall appliance
> had issues with ECN-enabled traffic. As far as I am aware, this has now
> been fixed with a software update from the vendor(s) in question.
>
> There may still be firewalls out there that would drop ECN traffic, but
> I would have hoped that most admins had updated their software by now! These
> issues were first seen around 2 years ago from what I recall.
>
There are still some sites running legacy stuff although there has
been huge improvements over the last two years.
The Linux community did help substantially in making ECN deployable.
I always have ECN turned on and hardly have to curse for weeks in my web
surfing (from when i would turn it off on every 5th website i visited).
[There are still some of the big sites which are annoying: some links
of developer.intel.com come to mind].
The posting at:
http://www.ussg.iu.edu/hypermail/linux/kernel/0105.1/0145.html
is still valid.
>
> > 2. WHY doesn't my Linux kernel try without ECN after a while
> > if I enable it? This way, it would be incrementally deployable ...
> > users would have an incentive to turn it on, or it could even
> > be turned on by default, which would lead to an incentive to
> > correct these firewall bugs ...
>
> Off the top of my head...
>
The retry idea you suggest is actually in the ECN RFC but was turned down
on Linux for being unclean (you either have to break TCP or accept
ambiguity - look at old end2end archives). Two ways to resolve things on
linux:
1) disable via sysctl or /proc
/proc/sys/net/ipv4/tcp_ecn
2) Use iptables to conditionaly turn it off for certain web sites:
> >From a coding perspective this may pose issues along the lines of:
>
> - do I try ENC for every outgoing connection? If so, this may incur a delay
> in establishing each and every TCP connection to a remote host. It may also
> generate unwanted alarms on a local (or remote) firewall. Generally,
> speaking this approach would generate bad karma.
>
> - do I maintain a table of all the subnets I've addressed and keep track of
> whether ECN worked (or not) for each of them. Each outgoing TCP connection
> therefore requires lookup into this table and for a busy server, the memory
> and housekeeping requirements here are just astronomical.
The later. But these days you wont need it that much. And if you do he
cost of stripping of ECN bits is negligible on standard desktop class PCs.
Maybe its time someone run a few tests again. I am not sure if Sally is
listening to this conversation.
cheers,
jamal
More information about the end2end-interest
mailing list