On Tue, 06 Jul 2004 13:00:07 -0700
Nivedita Singhvi <niv@xxxxxxxxxx> wrote:
> Stephen Hemminger wrote:
> > Recent TCP changes exposed the problem that there ar lots of really broken
> > firewalls
> > that strip or alter TCP options.
>
> We should not be accepting of this situation, surely. I mean, the firewalls
> have to get fixed. Multiple things are breaking here, due to this. What
> are the other options they are messing with, and and any idea why?
I totally agree with Nivedita, and that's why I'm not going to
apply Stephen's patch.
> If the firewall is actually stripping the TCP window scaling option,
> then that tells the other end that we can't *receive* scaled windows
> either, since the option indicates both, we are sending and capable
> of receiving. i.e. The other end will not send us scaled windows.
> There is no way we can fix this on the rcv end.
>
That's correct. If the SYN contains a window scale option, this tells
the SYN+ACK sending side that both receive and send side window scaling
is supported. I think what's really happening is that the firewall is
patching the non-zero window scale option in the SYN+ACK packet to be
zero, yet not adjusting the window field of packets in the rest of the
TCP stream.
> Does this need to be the default behaviour? Just how prevalent is
> this??
Frankly, I've personally seen none of this. I sit on a DSL line with
no firewalling at my end and I can access all sites just fine. This
seems to indicate that most of the breakage is local to the user's
point of access to the net, rather than a firewall at google.com
or kernel.org or similar.
|