Message-ID: <54535535.3040900@redhat.com>
Date: Fri, 31 Oct 2014 10:24:05 +0100
From: Daniel Borkmann <dborkman@...hat.com>
To: Eric Dumazet <eric.dumazet@...il.com>
CC: Florian Westphal <fw@...len.de>, David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH -next 0/2] net: allow setting ecn via routing table

On 10/31/2014 12:05 AM, Eric Dumazet wrote:
> On Thu, 2014-10-30 at 23:15 +0100, Florian Westphal wrote:
>
>> Do you think a fallback to non-ecn for retransmitted syns would help?
>> If not, do you think having ecn tunable available via route is helpful?
>
> Unfortunately some firewalls are buggy and accept a single SYN per flow.
>
> You would need to blacklist ecn at first sign of a possible ecn problem,
> for all following connection attempts.
>
> Note that ECN problems are not only contained in SYN packets being
> eventually dropped. You might have a success to establish a flow, and
> later get CE marks for all packets and cwnd converges to 1.

Wow, that is buggy!

Btw, fwiw, there was a recent study [1] (paper not public yet) which
scanned Alexa's publicly available top million websites list from a
vantage point in the US, Europe and Asia: half of the Alexa list will now
happily use ECN (tcp_ecn=2, most likely blamed on commit 255cac91c3c9 ;)),
and a break in connectivity on-path was found in about 1 in 10,000 cases.
Timeouts rather than receiving back RSTs were much more common in the
negotiation phase (and mostly seen in the Alexa middle band, ranks around
50k-150k): of 12 thousand hosts on which there _may_ be ECN-linked
connection failures, only 79 failed with RST while _not_ failing with RST
when ECN is not requested. It's unclear though how much equipment actually
marks the CE, and, as you mention above, marks it correctly ...

> This is really a lot of work to get all sorted out.

Yep, you are right.
[1] http://ecn.ethz.ch/
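The thread above turns on two things: how a SYN/SYN-ACK pair signals ECN (the ECE and CWR flag bits of RFC 3168), and whether a host should retransmit a SYN without ECN and remember destinations where the ECN-requesting SYN got no answer or a RST. The following Python is an added example, not code from the netdev thread or from the Linux kernel. It decodes the ECN flags from raw 20-byte TCP headers, classifies a handshake as negotiated/declined/timeout/rst, and drives a toy per-destination fallback policy against a constructed "path" that silently drops ECN-requesting SYNs. The `EcnFallbackPolicy` class, `simulated_connect()` and `ecn_hostile_responder()` are assumptions made for the example; all packet bytes are constructed inline.

```python
"""
Added example (not from the netdev thread, not kernel code): decode ECN flags
from raw TCP headers, classify an ECN handshake, and apply a toy per-destination
fallback policy of the kind discussed in the thread. All bytes are constructed.
"""
import struct
from typing import Optional

# TCP flag bits in header byte 13. RFC 3168 defines ECE (0x40) and CWR (0x80).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def tcp_flags(tcp_header: bytes) -> int:
    """Return the 8 flag bits of a raw TCP header (byte 13 of the header)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """Build a minimal 20-byte TCP header (no options, checksum left as 0)."""
    data_offset = 5 << 4  # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def classify_ecn_negotiation(syn: bytes, reply: Optional[bytes]) -> str:
    """
    Classify an ECN handshake per RFC 3168 section 6.1.1:
      client requests ECN with SYN + ECE + CWR,
      server agrees with SYN + ACK + ECE (CWR clear).
    Returns 'not-requested', 'negotiated', 'declined', 'rst' or 'timeout'.
    """
    sf = tcp_flags(syn)
    if not (sf & SYN):
        raise ValueError("first segment is not a SYN")
    requested = (sf & (ECE | CWR)) == (ECE | CWR)
    if reply is None:
        return "timeout"          # SYN was silently dropped on the path
    rf = tcp_flags(reply)
    if rf & RST:
        return "rst"              # peer or middlebox actively refused
    if not requested:
        return "not-requested"
    if (rf & (SYN | ACK | ECE)) == (SYN | ACK | ECE) and not (rf & CWR):
        return "negotiated"
    return "declined"             # plain SYN-ACK: peer does not do ECN


class EcnFallbackPolicy:
    """Toy model (assumption): remember destinations whose ECN SYN failed."""

    def __init__(self) -> None:
        self.no_ecn = set()

    def request_ecn(self, dst: str) -> bool:
        return dst not in self.no_ecn

    def record(self, dst: str, outcome: str) -> None:
        # A timeout or RST on an ECN-requesting SYN is treated as possible ECN
        # breakage on the path; later attempts to dst go out without ECN.
        if outcome in ("timeout", "rst"):
            self.no_ecn.add(dst)


def ecn_hostile_responder(syn: bytes) -> Optional[bytes]:
    """Constructed stand-in for a path that drops ECN-requesting SYNs only."""
    if (tcp_flags(syn) & (ECE | CWR)) == (ECE | CWR):
        return None
    return build_tcp_header(80, 40000, SYN | ACK)


def simulated_connect(policy: EcnFallbackPolicy, dst: str, responder,
                      max_attempts: int = 2) -> list:
    """
    Send SYNs to dst until one is answered, asking for ECN only when the policy
    allows it, and feed each outcome back into the policy. A timeout or RST on
    the ECN SYN therefore makes the retransmit go out without ECN.
    Returns the per-attempt outcomes.
    """
    outcomes = []
    for _ in range(max_attempts):
        flags = SYN | ((ECE | CWR) if policy.request_ecn(dst) else 0)
        syn = build_tcp_header(40000, 80, flags)
        outcome = classify_ecn_negotiation(syn, responder(syn))
        policy.record(dst, outcome)
        outcomes.append(outcome)
        if outcome not in ("timeout", "rst"):
            break
    return outcomes


if __name__ == "__main__":
    policy = EcnFallbackPolicy()
    print(simulated_connect(policy, "198.51.100.7", ecn_hostile_responder))
    print("ECN for 198.51.100.7 now:", policy.request_ecn("198.51.100.7"))
```

The classifier only looks at the handshake; as Eric points out in the thread, a path can also negotiate ECN fine and then mark every packet CE, which no SYN-time check can catch, so a real implementation would additionally watch the established connection.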