[e2e] Linux, firewalls and ECN deployment

Rik Wade rik at rikwade.com
Wed May 14 01:47:05 PDT 2003


On Wed, 14 May 2003, Michael Welzl wrote:

> 1. is this still true? are there any measurements that show this?

I believe that at least one commercial off-the-shelf firewall appliance
had issues with ECN-enabled traffic. As far as I am aware, this has now
been fixed with a software update from the vendor(s) in question.

There may still be firewalls out there that would drop ECN traffic, but
I would have hoped that most admins had updated their software by now! These
issues were first seen around 2 years ago from what I recall.


> 2. WHY doesn't my Linux kernel try without ECN after a while
> if I enable it? This way, it would be incrementally deployable ...
> users would have an incentive to turn it on, or it could even
> be turned on by default, which would lead to an incentive to
> correct these firewall bugs ...

Off the top of my head...

From a coding perspective this may pose issues along the lines of:

- do I try ECN for every outgoing connection? If so, this may incur a delay
in establishing each and every TCP connection to a remote host. It may also
generate unwanted alarms on a local (or remote) firewall. Generally
speaking, this approach would generate bad karma.

- do I maintain a table of all the subnets I've addressed and keep track of
whether ECN worked (or not) for each of them? Each outgoing TCP connection
therefore requires a lookup into this table, and for a busy server the memory
and housekeeping requirements here are just astronomical.
--
rik
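The second option Rik sketches, a per-subnet memory of where ECN SYNs went unanswered, can be kept small enough to be practical if it is keyed on prefixes and bounded by an LRU cap. The following is an added example, not code from the original thread or from the Linux kernel: a constructed simulation in which `simulated_handshake`, `ECN_DROPPING_PREFIXES` and `DOWN_HOSTS` stand in for the real SYN exchange and for the middleboxes under discussion. Only an ECN SYN that fails while a plain SYN to the same host succeeds is blamed on ECN, so an unreachable host does not poison the cache. (Later Linux kernels added a similar fallback behind the `net.ipv4.tcp_ecn_fallback` sysctl.)

```python
import ipaddress
from collections import OrderedDict


class EcnFallbackCache:
    """Bounded, per-prefix memory of destinations whose ECN SYNs went unanswered.

    Keyed on a /24 rather than a single host so one observed failure covers the
    neighbouring addresses behind the same middlebox, and capped with LRU
    eviction so a busy server cannot grow the table without limit.
    """

    def __init__(self, max_entries=4096, prefix_len=24):
        self.max_entries = max_entries
        self.prefix_len = prefix_len
        self._blackholed = OrderedDict()  # prefix -> number of observed failures

    def _prefix(self, host):
        return ipaddress.ip_network(f"{host}/{self.prefix_len}", strict=False)

    def should_try_ecn(self, host):
        return self._prefix(host) not in self._blackholed

    def record_failure(self, host):
        key = self._prefix(host)
        self._blackholed[key] = self._blackholed.get(key, 0) + 1
        self._blackholed.move_to_end(key)
        if len(self._blackholed) > self.max_entries:
            self._blackholed.popitem(last=False)  # evict least recently used prefix

    def record_success(self, host):
        # A successful ECN handshake clears any earlier suspicion of the prefix.
        self._blackholed.pop(self._prefix(host), None)


def open_connection(cache, host, handshake):
    """Try ECN first unless the prefix is known bad; fall back to a plain SYN.

    `handshake(host, ecn)` is a hypothetical stand-in for the kernel's SYN
    exchange: True when a SYN-ACK came back, False on timeout. A failed ECN SYN
    is blamed on ECN only when the plain retry to the same host succeeds; if
    both fail the host is simply unreachable and nothing is cached.
    """
    tried_ecn = cache.should_try_ecn(host)
    if tried_ecn and handshake(host, True):
        cache.record_success(host)
        return "ecn"
    if handshake(host, False):
        if tried_ecn:
            cache.record_failure(host)
        return "plain"
    return "unreachable"


# Constructed simulation (documentation address ranges): one /24 sits behind a
# middlebox that drops ECN SYNs, one host is down, the rest negotiate ECN.
ECN_DROPPING_PREFIXES = {ipaddress.ip_network("192.0.2.0/24")}
DOWN_HOSTS = {"203.0.113.9"}
ATTEMPTS = []  # log of (host, ecn) handshakes so the ECN retries can be counted


def simulated_handshake(host, ecn):
    ATTEMPTS.append((host, ecn))
    if host in DOWN_HOSTS:
        return False
    if ecn and any(ipaddress.ip_address(host) in p for p in ECN_DROPPING_PREFIXES):
        return False
    return True


def run_demo():
    """Connect to four constructed hosts; return results and the ECN SYN count."""
    ATTEMPTS.clear()
    cache = EcnFallbackCache()
    hosts = ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.9")
    results = [open_connection(cache, h, simulated_handshake) for h in hosts]
    ecn_attempts = sum(1 for _, ecn in ATTEMPTS if ecn)
    return results, ecn_attempts


if __name__ == "__main__":
    print(run_demo())
```

The second host in the blackholed /24 never sends an ECN SYN at all, which is what removes the per-connection delay Rik mentions for repeat destinations; the first contact with each prefix still costs one lost SYN and one retransmission timeout, and that first ECN SYN is still what a strict firewall would log, so the cache reduces rather than eliminates the alarm concern.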