Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 14 Feb 2001 16:09:47 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 14 Feb 2001 16:09:38 -0500 Received: from router-100M.swansea.linux.org.uk ([194.168.151.17]:1554 "EHLO the-village.bc.nu") by vger.kernel.org with ESMTP id ; Wed, 14 Feb 2001 16:09:27 -0500 Subject: Re: ECN for servers ? To: jgarzik@mandrakesoft.mandrakesoft.com (Jeff Garzik) Date: Wed, 14 Feb 2001 21:09:39 +0000 (GMT) Cc: hpa@zytor.com (H. Peter Anvin), linux-kernel@vger.kernel.org In-Reply-To: from "Jeff Garzik" at Feb 14, 2001 02:53:50 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: From: Alan Cox Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org > > Con: people behind broken firewalls can't connect. > > Since you can use ICMP to tunnel data, a lot of security ppl are > reluctant to stop filtering ICMP :/ ICMP isnt the problem. Some of the load balancers and proxy setups didnt allow ECN frames through. ICMP blocking just breaks path mtu discovery and accessing the site via IPsec, via mobile ip and a few other things. And you can tunnel data over ack sequence spaces, IP over http is trivial. There are reasons proper proxy setups have passwords outgoing and do not let any control data/header info across untouched - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/