[nottingham] ECN and the wonderful world of firewalls

From: Graeme Fowler (graeme@graemef.net)
Date: Sat 05 May 2001 - 20:55:28 BST


Hi folks

I recently upgraded my home machine's kernel to 2.4.3 - yeah, I know,
2.4.4 is out now, but hey.

I've started noticing an alarming number of 'connection refused' messages
in recent days when trying to do stuff like, ooh, browse the web. So I
started digging and found 'only switch on ECN if you really have to,
it isn't honoured yet and is in fact spat out and logged as an attack by
some broken firewalls' messages all over the place.

What's ECN? I asked myself - it's Explicit Congestion Notification. I
quote the Kernel docs:

"TCP Explicit Congestion Notification support
CONFIG_INET_ECN
  Explicit Congestion Notification (ECN) allows routers to notify
  clients about network congestion, resulting in fewer dropped packets
  and increased network performance. This option adds ECN support to the
  Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which
  allows ECN support to be disabled at runtime.

  Note that, on the Internet, there are many broken firewalls which
  refuse connections from ECN-enabled machines, and it may be a while
  before these firewalls are fixed. Until then, to access a site behind
  such a firewall (some of which are major sites, at the time of this
  writing) you will have to disable this option, either by saying N now
  or by using the sysctl.

  If in doubt, say N."

So I do a quick tcpdump when trying to connect to Way Ahead's box office
site:

[root@server /root]# tcpdump -n -l src or dst www.wayahead.com
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
20:36:45.831320 eth0 > 212.135.210.179.40675 > 212.69.230.96.www:
        S [ECN-Echo,CWR] 2508995240:2508995240(0) win 5840
        <mss 1460,sackOK,timestamp 62072681 0,nop,wscale 0> (DF)

20:36:45.867406 eth0 < 212.69.230.96.www > 212.135.210.179.40675:
        R 0:0(0) ack 2508995241 win 5840
        <mss 1460,sackOK,timestamp 62072681 0,nop,wscale 0> (DF)

Uh-oh, that's a TCP RST packet there. And it follows an ECN-enabled
packet, by jingo!

So, I echo "1" to the sysctl listed in the docs above, and guess what? It
works and lets me in. And so does the BBC news, the Guardian, yadda yadda
yadda.

Moral? Switch ECN off, kids. It's bad for your browsing experience!

Graeme

--------------------------------------------------------------------
http://www.lug.org.uk http://www.linuxportal.co.uk
http://www.linuxjob.co.uk http://www.linuxshop.co.uk
--------------------------------------------------------------------
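An added example (mine, not from Graeme's post) that checks captured flows for the pattern his tcpdump shows: an ECN-setup SYN (SYN with both ECE and CWR set, per RFC 3168) answered by a bare RST rather than a SYN/ACK. The flag-field parsing assumes the tcpdump 3.x text format seen above; the 10.0.0.x control flow is constructed.

```python
"""Detect ECN-setup SYNs answered with a RST (the symptom in the tcpdump above).
Added example, not from the original post; sample packets are constructed."""
from collections import namedtuple

# TCP flag bits in header order (RFC 793 plus the two ECN bits from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
LETTER = {"S": SYN, "F": FIN, "R": RST, "P": PSH, "U": URG}  # tcpdump 3.x flag letters

def parse_tcpdump_flags(field: str, acked: bool = False) -> int:
    """Turn a tcpdump 3.x flags field such as 'S [ECN-Echo,CWR]' or 'R' into flag bits.
    '.' means none of S/F/R/P; ACK appears as a separate 'ack N' token, so it is passed in."""
    letters, _, ecn = field.partition(" ")
    flags = ACK if acked else 0
    for ch in letters:
        flags |= LETTER.get(ch, 0)
    if "ECN-Echo" in ecn:
        flags |= ECE
    if "CWR" in ecn:
        flags |= CWR
    return flags

def is_ecn_setup_syn(flags: int) -> bool:
    """RFC 3168 s.6.1.1: SYN set, ACK clear, and both ECE and CWR set."""
    return flags & (SYN | ACK) == SYN and flags & (ECE | CWR) == (ECE | CWR)

Packet = namedtuple("Packet", "src dst flags")  # src/dst as tcpdump prints them

def find_ecn_blackholes(packets):
    """Return (client, server) pairs whose ECN-setup SYN drew a RST instead of a SYN/ACK.
    A SYN/ACK with ECE clear is a peer declining ECN, which is legitimate and not reported."""
    pending = set()  # (client, server) flows still waiting for the first reply
    hits = []
    for p in packets:
        if is_ecn_setup_syn(p.flags):
            pending.add((p.src, p.dst))
        elif (p.dst, p.src) in pending:
            pending.discard((p.dst, p.src))
            if p.flags & RST:
                hits.append((p.dst, p.src))
    return hits

# Constructed sample: the exchange from the post, then a control flow whose server accepts ECN.
SAMPLE = [
    Packet("212.135.210.179.40675", "212.69.230.96.www", parse_tcpdump_flags("S [ECN-Echo,CWR]")),
    Packet("212.69.230.96.www", "212.135.210.179.40675", parse_tcpdump_flags("R", acked=True)),
    Packet("10.0.0.5.50000", "10.0.0.9.www", parse_tcpdump_flags("S [ECN-Echo,CWR]")),
    Packet("10.0.0.9.www", "10.0.0.5.50000", parse_tcpdump_flags("S [ECN-Echo]", acked=True)),
]
```

Running `find_ecn_blackholes(SAMPLE)` reports only the Way Ahead flow; the control flow's SYN/ACK carrying ECE is a normal ECN acceptance and is left alone.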



This archive was generated by hypermail 2.1.3 : Thu 22 Nov 2001 - 13:11:54 GMT