| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070729153049.GA13309@linuxace.com> Date: Sun, 29 Jul 2007 08:30:49 -0700 From: Phil Oester <kernel@...uxace.com> To: "Darryl L. Miles" <darryl-mailinglists@...bauds.net> Cc: linux-kernel@...r.kernel.org Subject: Re: TCP SACK issue, hung connection, tcpdump included On Sun, Jul 29, 2007 at 06:59:26AM +0100, Darryl L. Miles wrote: > The problems start around time index 09:21:39.860302 when the CLIENT issues > a TCP packet with SACK option set (seemingly for a data segment which has > already been seen) from that point on the connection hangs. I'd say most likely scenario is the SERVER is behind a Cisco Pix firewall, which has known bugs in handling packets with sack option. By default the Cisco has sequence number randomization enabled, but it's a half-assed implementation which doesn't bother adjusting the sequence numbers inside sack options. This has been reported to Cisco, and they don't seem to care. As a workaround, you can do this: echo 0 > /proc/sys/net/ipv4/tcp_sack and it will probably fix it up. It'd be really nice, however, to have a per-route option for sack, similar to how we can clamp window scaling per route. Something like the below ip r a <host> <gw> <nosack> Phil - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists