[plug] 2.4 Kernel and TCP

James Bromberger james at rcpt.to
Thu Sep 27 15:11:37 WST 2001


On Thu, Sep 27, 2001 at 02:18:04PM +0800, AWoodley at IINet.net.au wrote:
> Cheers guys, you blokes must be gods! You don't realise how happy that 
> much trouble you've solved!


Moreover, it is a problem with some Cisco PIX firewalls, employed 
by many larger web sites to protect the server from any non-port 80 
(or 443) traffic. 

The ECN fields were marked as "reserved" in the IP headers. Linux is one of 
the first OSes to actually implement this. Cisco has now fixed their 
PIX image; these firewalls need to be updated. Instead of ignoring these 
reserved bits, Cisco was actually examining them, and dropping them 
if they were not set to zero.

http://www.aciri.org/floyd/ecn.html
http://uwsg.iu.edu/hypermail/linux/kernel/0101.3/0977.html


Or so I understand the problem. There may be other equipment as well which 
is not handling it correctly, but that is where the problem is that I found 
(look at the PLUG archives from about 4 - 6 months ago).


There is a poll at the moment on Debianplanet.org (or debianhelp.org, 
not sure) of what people think should be done with the 'default' state of 
ECN in the upcoming Woody release.


Test cases: Bankwest Online Banking. Whitepages. (Unless they have 
upgraded since then)


Hope this helps.


  James

> 
> Adrian
> 
> > AWoodley at IINet.net.au wrote:
> > 
> > > Hey yeah, that worked really well! What did it do? I assume it will need
> > > to be done after every boot?
> > 
> > 
> > Well, if you are running a RedHat (or derived) system, put it in 
> > /etc/sysctl.conf.
> > 
> >  
> > > Adrian
> > > 
> > > 
> > >>try "echo 0 > /proc/sys/net/ipv4/tcp_ecn"  does that help ???
> > >>
> > >>Yours Tony.
> > >>
> > >>/*
> > >> * "The significant problems we face cannot be solved at the
> > >> * same level of thinking we were at when we created them."
> > >> * --Albert Einstein
> > >> */
> > >>
> > >>
> > >>
> > >>
> > > 
> > 
> > 
> > -- 
> > Richard Sharpe, rsharpe at ns.aus.com, LPIC-1
> > www.samba.org, www.ethereal.com, SAMS Teach Yourself Samba
> > in 24 Hours, Special Edition, Using Samba
> > 
> > 
> > 

-- 
 James Bromberger <james_AT_rcpt.to> www.james.rcpt.to

 Remainder moved to http://www.james.rcpt.to/james/sig.html
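
Added example, not part of the original thread: a Python sketch of which header bits an ECN-enabled SYN carries (ECE and CWR in the TCP flags byte, per RFC 3168) and why a filter that insists on zeroed reserved bits discards it. The packets are constructed samples; `build_syn`, `ecn_fields` and `strict_reserved_check_drops` are hypothetical names, and the drop rule models the behaviour described in the message above, not any vendor's code.

```python
import struct

# TCP flag bits (byte 13 of the TCP header). CWR and ECE belonged to the
# "reserved" field before ECN (RFC 3168) assigned them a meaning.
TCP_CWR, TCP_ECE, TCP_SYN = 0x80, 0x40, 0x02
IP_ECN_MASK = 0x03  # two low-order bits of the IPv4 TOS byte


def build_syn(ecn: bool) -> bytes:
    """Constructed sample: minimal IPv4+TCP SYN (checksums left at zero)."""
    flags = TCP_SYN | ((TCP_ECE | TCP_CWR) if ecn else 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 40, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, flags,
                      5840, 0, 0)
    return ip + tcp


def ecn_fields(packet: bytes) -> dict:
    """Extract the ECN-related bits from a raw IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 14:
        raise ValueError("no TCP header present")
    flags = packet[ihl + 13]
    return {
        "ip_ecn": packet[1] & IP_ECN_MASK,
        "tcp_ece": bool(flags & TCP_ECE),
        "tcp_cwr": bool(flags & TCP_CWR),
        "syn": bool(flags & TCP_SYN),
    }


def strict_reserved_check_drops(packet: bytes) -> bool:
    """Assumed model of the filter described in the post: drop the packet
    when any formerly reserved bit is non-zero."""
    f = ecn_fields(packet)
    return bool(f["ip_ecn"] or f["tcp_ece"] or f["tcp_cwr"])


if __name__ == "__main__":
    for label, pkt in (("tcp_ecn=0", build_syn(False)),
                       ("tcp_ecn=1", build_syn(True))):
        print(label, ecn_fields(pkt),
              "dropped:", strict_reserved_check_drops(pkt))
```
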