2.6-test10 and ECN

Kit Knox kit at rootshell.com
Thu Dec 4 18:22:40 UTC 2003


On Wed, 2003-11-26 at 01:29, Arjan van de Ven wrote:
> On Tue, Nov 25, 2003 at 08:12:46PM -0800, Nathan G. Grennan wrote:
> > I have found 2.6-test10.1.95, at least, has ECN turned on. This was
> > breaking many websites for me. Many firewalls are known to have issues
> > with ECN. One example is at least some PIX firewalls. Sadly it seems the
> > more corporate the site, the more likely it is to break.
> 
> the sysadmins of those sites need to upgrade their firmware to be compliant
> with internet standards (and iirc the broken firmware is also superseded by
> a series of security upgrades which all have this bug fixed as well)

The sad state of firewall vendors is shown by the fact that you can't
even connect to any of Wells Fargo's online banking with ECN enabled.

I know that in the past a timeout ECN failover has been considered, but
the performance hit would be too large.  Are there any thoughts about a
rule based system for making ECN exceptions on outgoing connections?

Alternatively it could also be moved into userspace as a socket option.

-Kit





