Yamaban wrote:
On Mon, 30 May 2016 18:25, Per Jessen wrote:
Per Jessen wrote:
I am having a bit of an issue with a customer and their inbound traffic to us. It's authenticated SMTP on port 587 with TLS. For whatever reason, they're trying to negotiate ECN. The receiving systems are somewhat backlevel/due-for-update, kernel 2.6 with /proc/sys/net/ipv4/tcp_ecn = 0 by default. Newer systems have '2':
0 – disable ECN and neither initiate nor accept it
1 – enable ECN when requested by incoming connections, and also request ECN on outgoing connection attempts
2 – (default) enable ECN when requested by incoming connections, but do not request ECN on outgoing connections
When /proc/sys/net/ipv4/tcp_ecn is 0, incoming connections appear to be simply ignored, even when the sending host switched off ECN after having tried with ECN. The solution seems to be to set /proc/sys/net/ipv4/tcp_ecn = 2.
An alternative would be to use iptables to remove the two ECN bits; I haven't tried this yet.
Any opinions?
Well, if your kernel is fully able to handle ECN, it is a nice-to-have feature, thus "tcp_ecn = 2" is the most helpful in the reality of the now.
If your kernel is NOT able to handle ECN fully, stripping out the ECN-bit is the most wise and efficient way to handle the situation.
Here in your case, if the system works well with "tcp_ecn = 2", it would be your best option; for the other cases, stripping out the ECN bits will be the most helpful.
Thanks Yamaban, most helpful! Do you also happen to know how I determine if the kernel is capable? If that cannot be or is difficult to determine, I presume it is best to just strip the ECN bits? The mechanism seems to be mostly superfluous these days anyway. It is the first time ever in ten years I have had this issue.
PS: Info for the interested: https://en.wikipedia.org/wiki/Explicit_Congestion_Notification
I've been reading that backwards and forwards all day; it's not one of the better Wikipedia articles.
--
Per Jessen, Zürich (18.2°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
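An added example, not part of the original thread: it assumes "the two ECN bits" are the TCP ECE and CWR flags that an ECN-setup SYN carries (RFC 3168), and shows how to recognise such a SYN and clear the flags while keeping the TCP checksum valid. The addresses, ports and all function names are constructed for illustration.

```python
import struct

SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80   # TCP flag bits (ECE/CWR: RFC 3168)
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25])   # documentation addresses

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + segment; 0 means the segment verifies."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_syn(flags: int, src: bytes, dst: bytes) -> bytes:
    """Constructed 20-byte SYN to port 587 (sample data, not a capture)."""
    fields = [40000, 587, 1, 0, (5 << 12) | flags, 29200, 0, 0]
    fields[6] = tcp_checksum(src, dst, struct.pack("!HHIIHHHH", *fields))
    return struct.pack("!HHIIHHHH", *fields)

def is_ecn_setup_syn(segment: bytes) -> bool:
    """An ECN-setup SYN has SYN, ECE and CWR set and ACK clear."""
    return segment[13] & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)

def strip_ecn(segment: bytes) -> bytes:
    """Clear ECE and CWR, patching the checksum incrementally (RFC 1624, eqn. 3)."""
    seg = bytearray(segment)
    old_word, = struct.unpack_from("!H", seg, 12)    # data offset + flags
    old_sum, = struct.unpack_from("!H", seg, 16)
    new_word = old_word & ~(ECE | CWR) & 0xFFFF
    s = (~old_sum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", seg, 12, new_word)
    struct.pack_into("!H", seg, 16, ~s & 0xFFFF)
    return bytes(seg)

def listener_negotiates_ecn(tcp_ecn: int, syn: bytes) -> bool:
    """Per the setting descriptions quoted above: 1 and 2 accept ECN, 0 does not."""
    return tcp_ecn in (1, 2) and is_ecn_setup_syn(syn)

if __name__ == "__main__":
    syn = make_syn(SYN | ECE | CWR, SRC, DST)
    plain = strip_ecn(syn)
    print(is_ecn_setup_syn(syn), is_ecn_setup_syn(plain), tcp_checksum(SRC, DST, plain))
```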