On Mon, 30 May 2016 18:25, Per Jessen wrote:
I am having a bit of an issue with a customer and their inbound traffic to us. It's authenticated SMTP on port 587 with TLS. For whatever reason, they're trying to negotiate ECN. The receiving systems are somewhat backlevel/due-for-update, kernel 2.6 with /proc/sys/net/ipv4/tcp_ecn = 0 by default. Newer systems have '2':
0 – disable ECN and neither initiate nor accept it
1 – enable ECN when requested by incoming connections, and also request ECN on outgoing connection attempts
2 – (default) enable ECN when requested by incoming connections, but do not request ECN on outgoing connections
When /proc/sys/net/ipv4/tcp_ecn is 0, incoming connections appear to be simply ignored, even when the sending host switched off ECN after having tried with ECN. The solution seems to be to set /proc/sys/net/ipv4/tcp_ecn = 2.
An alternative would be to use iptables to remove the two ECN bits; I haven't tried this yet.
Any opinions?
Well, if your kernel is fully able to handle ECN, it is a nice-to-have feature, thus "tcp_ecn = 2" is the most helpful in the reality of the now. If your kernel is NOT able to handle ECN fully, stripping out the ECN bits is the most wise and efficient way to handle the situation. Here in your case, if the system works well with "tcp_ecn = 2", it would be your best option; for the other cases, stripping out the ECN bits will be the most helpful.

- Yamaban.

PS: Info for the interested: https://en.wikipedia.org/wiki/Explicit_Congestion_Notification
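To make the negotiation the thread is talking about concrete, here is an added Python example (not code from either poster). It builds a TCP SYN carrying the two ECN-setup flags (ECE and CWR, as RFC 3168 defines them), classifies handshake segments by their ECN role, models what a receiver does with such a SYN for the three tcp_ecn values listed above (modelling the documented semantics, not the connection drop Per observed with 0), and shows the packet-level effect of clearing the two TCP ECN bits the way the iptables alternative would. The ports and sequence number are constructed sample values, and checksums are left at zero since no IP header is built.

```python
import struct

# TCP flag bits, all living in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Pack a 20-byte TCP header with no options; checksum and urgent pointer stay 0."""
    data_offset = 5 << 4  # header length in 32-bit words, in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """Return the flags byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def ecn_setup_kind(flags):
    """Classify a segment's role in ECN negotiation (RFC 3168, section 6.1.1).

    A client asks for ECN with SYN+ECE+CWR; a server accepts with SYN+ACK+ECE (CWR clear).
    """
    if flags & SYN and not flags & ACK:
        return "ecn-setup-syn" if flags & ECE and flags & CWR else "plain-syn"
    if flags & SYN and flags & ACK:
        return "ecn-setup-synack" if flags & ECE and not flags & CWR else "plain-synack"
    return "not-a-handshake-segment"


def server_synack_flags(tcp_ecn, syn_flags):
    """SYN-ACK flags a receiver sends for the tcp_ecn values quoted in the thread (0, 1, 2)."""
    if tcp_ecn not in (0, 1, 2):
        raise ValueError("tcp_ecn must be 0, 1 or 2")
    client_wants_ecn = ecn_setup_kind(syn_flags) == "ecn-setup-syn"
    if tcp_ecn == 0 or not client_wants_ecn:
        return SYN | ACK  # 0 never accepts ECN; 1 and 2 accept only when the client asked
    return SYN | ACK | ECE  # accept ECN: ECE set, CWR clear


def client_syn_flags(tcp_ecn):
    """SYN flags an initiator sends for the same values: only 1 requests ECN outbound."""
    return SYN | ECE | CWR if tcp_ecn == 1 else SYN


def strip_ecn(header):
    """Clear ECE and CWR in a TCP header: the effect of removing the two ECN bits in the path.

    This is what the iptables ECN target's --ecn-tcp-remove option does to matching packets
    (assumption: that option name, from the iptables-extensions documentation).
    """
    h = bytearray(header)
    h[13] &= ~(ECE | CWR) & 0xFF
    return bytes(h)


# Constructed sample: the customer's submission-port SYN requesting ECN.
SAMPLE_SYN = build_tcp_header(sport=51234, dport=587, flags=SYN | ECE | CWR, seq=0x1234ABCD)

if __name__ == "__main__":
    flags = tcp_flags(SAMPLE_SYN)
    print("incoming SYN:", ecn_setup_kind(flags))
    for mode in (0, 1, 2):
        print(f"tcp_ecn={mode}: SYN-ACK flags 0x{server_synack_flags(mode, flags):02x}")
    print("after stripping ECE/CWR:", ecn_setup_kind(tcp_flags(strip_ecn(SAMPLE_SYN))))
```

Running it on the sample shows the SYN classified as an ECN-setup SYN, a plain SYN-ACK for tcp_ecn=0, an ECE-carrying SYN-ACK for 1 and 2, and a plain SYN after the strip. On a live system the same outcome as `strip_ecn` would come from a mangle-table rule such as `iptables -t mangle -A PREROUTING -p tcp --dport 587 --syn -j ECN --ecn-tcp-remove`, which is the untested alternative Per mentions; reading `/proc/sys/net/ipv4/tcp_ecn` first tells you which of the three branches in `server_synack_flags` the kernel is actually in.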