[LEDE-DEV] [PATCH] firewall3: Enable TCP_ECN by default.

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Thu Oct 5 07:26:02 PDT 2017

On 03/10/17 18:22, David Lang wrote:
> On Tue, 3 Oct 2017, Kevin Darbyshire-Bryant wrote:
>> It's tempting to set it to 1 (like I have for the past year+) and be 
>> damned :-)
> So what is the failure mode and how will people who experience failures 
> know what they need to change?
> David Lang

I'd anticipate increased initial connection latency rather than complete 
failure, suggested by this extract from wiki:

Beginning with version 4.1 of the Linux kernel, released in June 2015, 
the tcp_ecn_fallback mechanism, as specified in RFC 3168 section, is enabled by default when ECN is enabled (the value of 1). The 
fallback mechanism attempts ECN connectivity in the initial setup of 
outgoing connections, with a graceful fallback for transmissions without 
ECN capability, mitigating issues with ECN-intolerant hosts or firewalls.


They'd need to add/change if absolutely necessary:


config defaults
	option tcp_ecn '2'  <--- from '1'

rfc extract:  Middlebox Issues

    ECN introduces the use of the ECN-Echo and CWR flags in the TCP
    header (as shown in Figure 3) for initialization.  There exist some
    faulty firewalls, load balancers, and intrusion detection systems in
    the Internet that either drop an ECN-setup SYN packet or respond with
    a RST, in the belief that such a packet (with these bits set) is a
    signature for a port-scanning tool that could be used in a denial-
    of-service attack.  Some of the offending equipment has been
    identified, and a web page [FIXES] contains a list of non-compliant
    products and the fixes posted by the vendors, where these are
    available.  The TBIT web page [TBIT] lists some of the web servers
    affected by this faulty equipment.  We mention this in this document
    as a warning to the community of this problem.

    To provide robust connectivity even in the presence of such faulty
    equipment, a host that receives a RST in response to the transmission
    of an ECN-setup SYN packet MAY resend a SYN with CWR and ECE cleared.
    This could result in a TCP connection being established without using

    A host that receives no reply to an ECN-setup SYN within the normal
    SYN retransmission timeout interval MAY resend the SYN and any
    subsequent SYN retransmissions with CWR and ECE cleared.  To overcome
    normal packet loss that results in the original SYN being lost, the
    originating host may retransmit one or more ECN-setup SYN packets
    before giving up and retransmitting the SYN with the CWR and ECE bits

    We note that in this case, the following example scenario is

    (1) Host A: Sends an ECN-setup SYN.
    (2) Host B: Sends an ECN-setup SYN/ACK, packet is dropped or delayed.
    (3) Host A: Sends a non-ECN-setup SYN.
    (4) Host B: Sends a non-ECN-setup SYN/ACK.

    We note that in this case, following the procedures above, neither
    Host A nor Host B may set the ECT bit on data packets.  Further, an
    important consequence of the rules for ECN setup and usage in Section
    6.1.1 is that a host is forbidden from using the reception of ECT
    data packets as an implicit signal that the other host is ECN-

More information about the Lede-dev mailing list