2001-02-14 17:02:09

by Petru Paler

Subject: ECN for servers ?

Hello,

What is the impact of enabling ECN on the server side ? I mean, will
any clients (with broken firewalls) be affected if a SMTP/HTTP server
has ECN enabled ?

On the other hand, is there any advantage with ECN enabled on the server
side ?

--
Petru Paler, mailto:[email protected]
http://www.ppetru.net - ICQ: 41817235


2001-02-14 20:42:06

by H. Peter Anvin

Subject: Re: ECN for servers ?

Followup to: <[email protected]>
By author: Petru Paler <[email protected]>
In newsgroup: linux.dev.kernel
>
> Hello,
>
> What is the impact of enabling ECN on the server side ? I mean, will
> any clients (with broken firewalls) be affected if a SMTP/HTTP server
> has ECN enabled ?
>
> On the other hand, is there any advantage with ECN enabled on the server
> side ?
>

Pro: better behaviour in presence of network congestion.

Con: people behind broken firewalls can't connect.

-hpa
--
<[email protected]> at work, <[email protected]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt

2001-02-14 20:54:16

by Jeff Garzik

Subject: Re: ECN for servers ?

On 14 Feb 2001, H. Peter Anvin wrote:
> By author: Petru Paler <[email protected]>
> > What is the impact of enabling ECN on the server side ? I mean, will
> > any clients (with broken firewalls) be affected if a SMTP/HTTP server
> > has ECN enabled ?

> Pro: better behaviour in presence of network congestion.
>
> Con: people behind broken firewalls can't connect.

Since you can use ICMP to tunnel data, a lot of security ppl are
reluctant to stop filtering ICMP :/

Jeff




2001-02-14 21:01:27

by H. Peter Anvin

Subject: Re: ECN for servers ?

Jeff Garzik wrote:
>
> On 14 Feb 2001, H. Peter Anvin wrote:
> > By author: Petru Paler <[email protected]>
> > > What is the impact of enabling ECN on the server side ? I mean, will
> > > any clients (with broken firewalls) be affected if a SMTP/HTTP server
> > > has ECN enabled ?
>
> > Pro: better behaviour in presence of network congestion.
> >
> > Con: people behind broken firewalls can't connect.
>
> Since you can use ICMP to tunnel data, a lot of security ppl are
> reluctant to stop filtering ICMP :/
>

You can use DNS to tunnel data, too. As far as ICMP is concerned,
perhaps they should consider sterilizing approaches instead.

-hp

--
<[email protected]> at work, <[email protected]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt

2001-02-14 21:09:47

by Alan

Subject: Re: ECN for servers ?

> > Con: people behind broken firewalls can't connect.
>
> Since you can use ICMP to tunnel data, a lot of security ppl are
> reluctant to stop filtering ICMP :/

ICMP isn't the problem. Some of the load balancers and proxy setups didn't
allow ECN frames through. ICMP blocking just breaks path MTU discovery and
accessing the site via IPsec, via mobile IP and a few other things.

And you can tunnel data over ack sequence spaces, IP over HTTP is trivial.
There are reasons proper proxy setups have passwords outgoing and do not let
any control data/header info across untouched.

2001-02-14 22:13:00

by Graham Murray

Subject: Re: ECN for servers ?

"H. Peter Anvin" <[email protected]> writes:

> Con: people behind broken firewalls can't connect.

Are you sure that is correct? "Servers" normally listen for incoming
connections from clients rather than establish them[1]. So, if the
server implements ECN then it will respond appropriately to incoming
SYN packets irrespective of whether the ECN bits are set. People, who
use ECN, who are behind a broken firewall will have problems
connecting irrespective of whether or not the server implements ECN.


[1] Passive FTP being an exception.

2001-02-14 23:22:18

by James Stevenson

Subject: Re: ECN for servers ?

Hi

No, they should not be affected.
The place that starts the connection, e.g. sends the first SYN,
has to ask to use ECN; if it is not requested it will
never be used in that connection.


In local.linux-kernel-list, you wrote:
>Hello,
>
>What is the impact of enabling ECN on the server side ? I mean, will
>any clients (with broken firewalls) be affected if a SMTP/HTTP server
>has ECN enabled ?
>
>On the other hand, is there any advantage with ECN enabled on the server
>side ?
>
>--
>Petru Paler, mailto:[email protected]
>http://www.ppetru.net - ICQ: 41817235
>


--
---------------------------------------------
Check Out: http://stev.org
E-Mail: [email protected]
8:10pm up 13 days, 3:55, 2 users, load average: 0.08, 0.28, 0.14
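
The negotiation rule described in the last two replies, as an added example that is not part of the original thread or of the kernel source: the server only echoes ECN when the client's SYN asked for it, so a client that never sets the ECN bits sees an ordinary handshake. The function names are hypothetical and the flag encoding assumed is the one in RFC 3168 (ECN-setup SYN = SYN+ECE+CWR, ECN-setup SYN-ACK = SYN+ACK+ECE).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits in byte 13 of the TCP header; ECE/CWR as assumed from RFC 3168. */
enum { TCP_SYN = 0x02, TCP_ACK = 0x10, TCP_ECE = 0x40, TCP_CWR = 0x80 };
enum ecn_result { ECN_MALFORMED = -1, ECN_OFF = 0, ECN_ON = 1 };

/* Flag byte of a raw TCP header, or -1 if shorter than the 20-byte minimum. */
static int tcp_flags(const uint8_t *hdr, size_t len)
{
    return (hdr && len >= 20) ? hdr[13] : -1;
}

/* Server side (hypothetical helper): choose SYN-ACK flags for a received SYN.
 * The server never offers ECN on its own; it sets ECE only when the SYN was
 * an ECN-setup SYN (SYN+ECE+CWR, no ACK) and ECN is enabled locally. */
static int server_synack_flags(int syn_flags, int server_ecn_enabled)
{
    int mask = TCP_SYN | TCP_ACK | TCP_ECE | TCP_CWR;
    int ecn_setup_syn = (syn_flags & mask) == (TCP_SYN | TCP_ECE | TCP_CWR);
    return TCP_SYN | TCP_ACK | ((ecn_setup_syn && server_ecn_enabled) ? TCP_ECE : 0);
}

/* Classify a captured handshake from the raw SYN and SYN-ACK TCP headers. */
static enum ecn_result ecn_negotiated(const uint8_t *syn, size_t syn_len,
                                      const uint8_t *synack, size_t sa_len)
{
    int s = tcp_flags(syn, syn_len), a = tcp_flags(synack, sa_len);
    if (s < 0 || a < 0 || !(s & TCP_SYN) || (s & TCP_ACK) ||
        (a & (TCP_SYN | TCP_ACK)) != (TCP_SYN | TCP_ACK))
        return ECN_MALFORMED;
    int asked = (s & (TCP_ECE | TCP_CWR)) == (TCP_ECE | TCP_CWR);
    int agreed = (a & (TCP_ECE | TCP_CWR)) == TCP_ECE;  /* ECE set, CWR clear */
    return (asked && agreed) ? ECN_ON : ECN_OFF;
}

int main(void)
{
    /* Constructed 20-byte headers; only the flag byte matters here. */
    uint8_t syn[20] = {0}, synack[20] = {0};
    syn[13] = TCP_SYN | TCP_ECE | TCP_CWR;            /* client asks for ECN */
    synack[13] = (uint8_t)server_synack_flags(syn[13], 1);
    printf("ECN client, ECN server: %d\n", ecn_negotiated(syn, 20, synack, 20));
    syn[13] = TCP_SYN;                                /* client does not ask */
    synack[13] = (uint8_t)server_synack_flags(syn[13], 1);
    printf("plain client, ECN server: %d\n", ecn_negotiated(syn, 20, synack, 20));
    return 0;
}
```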