On Sun, 7 Aug 2005 John Andersen wrote:
> On Sunday 07 August 2005 06:38 am, David J N Begley wrote:
> > Dumb question time. Does anyone know the rationale behind SuSEfirewall2's disabling of ECN (Explicit Congestion Notification, IETF RFC 3168)?
>
> ECN's implementation is spotty at best. http://urchin.earth.li/ecn/
>
> And the hall of shame of non-conforming sites: http://urchin.earth.li/cgi-bin/ecn.pl
Yes, this is an issue of compatibility - that's why the DISABLE_ECN variable exists in /etc/sysconfig/sysctl (and defaults to "yes"); however, SuSEfirewall2 disables ECN regardless of the DISABLE_ECN variable - hence my question (my limited testing so far on our internal network hasn't had any problems with ECN crossing Linux, Solaris, various Cisco equipment and two vendors' firewall equipment).

I am aware of some potential weaknesses, documented in a number of places including here:

"ECN is fine - but will it be used?"
http://republika.pl/maom_onet/papers/ecn/378-444.pdf

As the author writes, "while one should realize possible threats, they are not a reason to reject ECN and all the advantages it gives". There are also attempts to strengthen ECN including IETF RFC 3540, "Robust Explicit Congestion Notification (ECN) Signaling [sic] with Nonces".

So to expand on my original question, is there some specific security concern surrounding ECN that has led to SuSEfirewall2 turning the feature off in all instances rather than honouring the DISABLE_ECN variable?

Thanks..
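A consistency check for the situation David describes, added here as an example and not part of the thread: it reads DISABLE_ECN from a sysconfig-style file and compares it with the kernel's effective net.ipv4.tcp_ecn value, so an override by SuSEfirewall2 (or anything else) shows up. Both file paths are parameters; on a SUSE system they would be /etc/sysconfig/sysctl and /proc/sys/net/ipv4/tcp_ecn, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the kernel's effective
# tcp_ecn value matches what DISABLE_ECN in a sysconfig-style file asks for.
# Both file paths are parameters so the functions can be run against
# constructed files; on a SUSE box they would be /etc/sysconfig/sysctl and
# /proc/sys/net/ipv4/tcp_ecn (Linux: 0 = ECN off, non-zero = ECN on).

# Print "yes" or "no" for DISABLE_ECN; an absent or unparsable variable is
# treated as "yes", the default quoted in the thread.
read_disable_ecn() {
    val=$(sed -n 's/^DISABLE_ECN="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    case "$val" in
        [Nn][Oo]) echo no ;;
        *)        echo yes ;;
    esac
}

# Exit 0 when configuration and kernel agree, 1 when something (for example a
# firewall script) has overridden the configured setting.
check_ecn_consistency() {
    want=$(read_disable_ecn "$1")
    eff=$(tr -dc '0-9' < "$2")
    [ -n "$eff" ] || eff=0          # unreadable sysctl: treat as ECN off
    if [ "$want" = yes ] && [ "$eff" -ne 0 ]; then
        echo "overridden: DISABLE_ECN=yes but tcp_ecn=$eff"
        return 1
    elif [ "$want" = no ] && [ "$eff" -eq 0 ]; then
        echo "overridden: DISABLE_ECN=no but tcp_ecn=0"
        return 1
    fi
    echo "consistent: DISABLE_ECN=$want tcp_ecn=$eff"
}

# Usage on a live system (needs the real files):
# check_ecn_consistency /etc/sysconfig/sysctl /proc/sys/net/ipv4/tcp_ecn
```

A non-zero exit from check_ecn_consistency is the signal worth alerting on: the administrator asked for one ECN state and the running kernel has another.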