Re: hotmail not dealing with ECN

Gregory Maxwell (greg@linuxpower.cx)
Sat, 27 Jan 2001 14:20:32 -0500


On Sat, Jan 27, 2001 at 07:18:09PM +0100, Frank v Waveren wrote:
> On Sat, Jan 27, 2001 at 04:10:48AM +0000, David Wagner wrote:
> > Practice being really, really paranoid. Think: You're designing a
> > firewall; you've got some reserved bits, currently unused; any future code
> > that uses them could behave in completely arbitrary and insecure ways,
> > for all you know. Now recall that anything not known to be safe should
> > be denied (in a good firewall) -- see Cheswick and Bellovin for why.
> > When you take this point of view, it is completely understandable why
> > firewalls designed before ECN was introduced might block it.
>
> Why? Why not just zero them, and get both security and compatibility...

Eeek! NO!!!! NO NO NO NO NO NO NO!
For ECN that would have worked, but that doesn't mean that something
couldn't have been implimented there that wouldn't have worked that way..

I think that older Checkpoint firewalls (perhaps current?) zeroed out SACK
on 'hide nat'ed connections. This causes unreasonable stalls for users on
SACK enabled clients. Not cool.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/