In message <Pine.GSO.4.20.0011051948220.2665-100000@xxxxxxxxxxxxxxxx> you write:
> 4) According to Sally's web page:
>
> AIX 4.3.2.0 - 4.3.3.0, IRIX 6.2 - 6.5, Solaris 2.6 - 2.7,
> or Linux 2.1.122 - 2.2.14 of possible systems (as id-ed by nmap) that
> might be causing this.
> I know that old netfilter/ipchains has these problems. I doubt if it was
> anywhere around Linux 2.1.122 - 2.2.14; maybe someone could clarify.
I know Andi claimed that netfilter's (EXPERIMENTAL) `unclean' match
used to dislike this, but I couldn't see (and checking again, still
can't see) anywhere in the code where that was ever the case.
I can't see anything like this in 2.2; I think someone said we used to
blindly echo the ECN bits, though.
> Summary3: We have to do something about this if ECN is to be deployed.
> So far there is a proposal by Sally Floyd and company which neither Alexey
> nor Davem are thrilled about. I know i am not.
Penalizes first SYN failures (quite common from .au) and doesn't solve
the Cisco-sends-RST problem. We could generalize the Floyd solution
to N transmits (I suggest N >= 2, rather than one, but it's just an
inverse of the ECN sysctl), and use two bits in the route cache: one
to indicate that we've spoken to the host with ECN flags set, and one
to indicate that we've received a RST for an ECN packet.
Bogocode:
#define IPECN_RT_OK  0x01	/* host has answered a packet with ECN flags set */
#define IPECN_RT_RST 0x02	/* host sent a RST in reply to an ECN packet */

/* sysctl_ecn_disable == N: give up on ECN to this route after N transmits
 * without an answer; 0 means never give up. */
if (sysctl_ecn_disable &&
    (trans(rt) > sysctl_ecn_disable || IPECN_RT(rt) == IPECN_RT_RST)) {
	... no ECN ...
} else {
	... ECN ...
}
Horrible? Yes. But it would allow us to ship ECN by default (good),
and still communicate with the world (which is the highest priority).
Rusty.
--
Hacking time.
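The route-cache policy sketched in the bogocode above, written out as a small user-space simulation so the three cases it is meant to handle (a lost first SYN, a host that RSTs ECN SYNs, a host already known to speak ECN) can be stepped through. This is an added example, not the mail's or the kernel's code: the `IPECN_RT_*` names and `sysctl_ecn_disable` come from the mail, while `struct rt`, the `rt_*` event helpers, the scenario functions and the assumption that the `IPECN_RT_OK` bit overrides the transmit count are mine.

```c
#include <stdio.h>

/* Constructed stand-in for the two route-cache bits proposed in the mail. */
#define IPECN_RT_OK  0x01   /* host has answered a packet carrying ECN flags */
#define IPECN_RT_RST 0x02   /* host sent a RST in reply to an ECN packet */

/* Assumed shape of a route cache entry: only what the policy needs. */
struct rt {
    unsigned trans;     /* SYNs sent on this route with no answer yet */
    unsigned ecnflags;  /* IPECN_RT_* bits */
};

/* Mail's sysctl: give up ECN after this many unanswered transmits,
 * 0 means never give up.  N >= 2 as suggested, so one lost SYN is forgiven. */
static unsigned sysctl_ecn_disable = 2;

/* Decide whether the next SYN on this route carries the ECN bits. */
int ecn_for_syn(const struct rt *rt)
{
    if (rt->ecnflags & IPECN_RT_RST)      /* known to RST on ECN: never again */
        return 0;
    if (rt->ecnflags & IPECN_RT_OK)       /* assumption: a known-good host keeps ECN */
        return 1;
    if (sysctl_ecn_disable && rt->trans > sysctl_ecn_disable)
        return 0;                         /* too many unanswered transmits */
    return 1;
}

/* Events that would update the route cache (assumed helpers). */
void rt_syn_sent(struct rt *rt) { rt->trans++; }

void rt_synack_received(struct rt *rt, int syn_had_ecn)
{
    rt->trans = 0;
    if (syn_had_ecn)
        rt->ecnflags |= IPECN_RT_OK;
}

void rt_rst_received(struct rt *rt, int syn_had_ecn)
{
    if (syn_had_ecn)
        rt->ecnflags |= IPECN_RT_RST;
}

/* Scenario 1: every SYN is lost.  How many go out with ECN before we give up?
 * With trans > N as the cutoff that is N + 1 transmits. */
int syns_with_ecn_before_giving_up(void)
{
    struct rt rt = {0, 0};
    int count = 0;
    while (ecn_for_syn(&rt)) {
        rt_syn_sent(&rt);
        count++;
    }
    return count;
}

/* Scenario 2: the Cisco case.  ECN SYN answered by a RST; is the retry ECN-free? */
int ecn_on_syn_after_rst(void)
{
    struct rt rt = {0, 0};
    int ecn = ecn_for_syn(&rt);
    rt_syn_sent(&rt);
    rt_rst_received(&rt, ecn);
    return ecn_for_syn(&rt);
}

/* Scenario 3: host answered an ECN SYN once; later losses must not disable ECN. */
int ecn_kept_for_known_good_host(unsigned later_losses)
{
    struct rt rt = {0, 0};
    int ecn = ecn_for_syn(&rt);
    rt_syn_sent(&rt);
    rt_synack_received(&rt, ecn);
    while (later_losses--)
        rt_syn_sent(&rt);
    return ecn_for_syn(&rt);
}

int main(void)
{
    printf("ECN SYNs before giving up (N=%u): %d\n",
           sysctl_ecn_disable, syns_with_ecn_before_giving_up());
    printf("ECN on retry after RST: %d\n", ecn_on_syn_after_rst());
    printf("ECN kept for known-good host after 10 losses: %d\n",
           ecn_kept_for_known_good_host(10));
    return 0;
}
```

With N = 2 the first two lost SYNs cost nothing, which is the ".au first SYN failure" case the mail wants to stop penalizing, and the RST bit makes the decision independent of the transmit count, which is the part the Floyd proposal as described does not cover.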