Hello!
Following a discussion about ECN and firewalls some days ago:
We have the same problem here with several Cisco PIX Firewalls not
handling ECN correctly. After a little research we think we know what is
going wrong: The firewall checks the TCP-Header against rfc793. There it
is stated for the Reserved Bits:
<quote>
Reserved: 6 bits
Reserved for future use. Must be zero.
</quote>
The point is: 'must be zero' is redefined by rfc2481 (ECN). (The
firewall-people at cisco do not seem to be fully aware of that yet.) The
firewall sees a header violating rfc793 and considers it a bogous TCP
packet. So it sends a RST instead of letting the connection pass. The
problem is that this is not caused by misadministration of the firewall.
It seems to be built into the Software.
We already sent this issue to cisco (along with our sniffer logs) and are
now waiting for a reply. :-) (Hopefully they will find a solution before
kernels enabling ECN start do be widely distributed - in Mandrake 7.2beta
it is already tha case.)
LL&P Ulrich
-- ,-, .-.,----,--------------------------------------------------------------- | | / / |,---' Ulrich Kiermayr Inst. for Theoret. Physics, Univ. of Vienna | |/ /| ||_ eMail: kie@thp.univie.ac.at PGP Key ID: 0xA8D764D8 | ( | | _: ICQ: 17858333 Web: http://www.thp.univie.ac.at/~kie | |\ \| || @Home: Dampierrestr. 4/5, A-1140 Vienna; +43(699)19671909 | | \ \ |`---, @Work: Boltzmanngasse 5, A-1090 Vienna; +43(1)4277/51555 `-' `-''----'---------------------------------------------------------------They are relatively good but absolutely terrible. -- Alan Kay, commenting on Apollos
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:10 EST