Differences between current version and predecessor to the previous major change of ECN.

Newer page: version 4 Last edited on Thursday, August 31, 2006 11:16:51 am by IanMcDonald
Older page: version 3 Last edited on Wednesday, August 30, 2006 3:34:22 pm by CraigBox
@@ -7,11 +7,17 @@
  Note that, on the Internet, there are many broken firewalls which refuse connections from ECN-enabled machines, and it may be a while before these firewalls are fixed. Until then, to access a site behind such a firewall (some of which are major sites, at the time of this writing) you will have to disable this option, either by saying N now or by using the sysctl. 
  
 ---- 
 Apparently most ECN problems are caused by [CiscoPix] routers dropping [IP] packets that have ECN set. 
+  
+Cisco IOS was fixed in version 12.2(8)T according to this page of Sally Floyd's (one of the authors of ECN) - http://www.icir.org/floyd/ecn.html  
+  
+This version of IOS was released around 2002 or 2003 so if a firewall is still running that version it probably is very insecure too and should be upgraded.  
  
 If you encounter this problem, you can disable ECN at run time: 
 <pre> 
 # echo 0 > /proc/sys/net/ipv4/tcp_ecn 
 </pre> 
+  
+It would also be good to tell the site that they are using obsolete, and probably insecure, equipment.  
 ---- 
 CategoryNetworking
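Review bot: The added sentence "if a firewall is still running that version it probably is very insecure too" points at the wrong release. "That version" reads as 12.2(8)T, which the preceding added line names as the release containing the fix, so a device running it would not be the one dropping ECN packets. Suggest "a release older than 12.2(8)T" instead. The unchanged context line attributes the drops to [CiscoPix], while the new text cites a fix in Cisco IOS. The addition should state whether that fix also covers the PIX devices, or say that the page only documents the IOS case. "Released around 2002 or 2003" is vague for a claim the security argument rests on, and a dated reference would make it checkable. The closing added line about telling the site would be more useful if it named what to send them, for example the icir.org page already linked above.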