
Re: 2.4.x Kernel, ECN And Problem Websites

On Wed, Apr 25, 2001 at 10:16:30PM +1000, Daniel Stone wrote:
> It may be a minor catch-22, but ECN is currently so broken, that only power
> users should be using it, as the rest will just continue flooding the
> netfilter list with "Netfilter breaks all my websites!". [OK, ECN isn't
> broken, the routers are, I know, but same effect. ECN breaks stuff]. So, if
> you're smart enough to know that you want ECN, and smart enough to
> understand the consequences, you should be compiling your own kernel.

Incorrect.  ECN is not broken.  The problem is that there are broken
firewalls and load balancing machines out there that incorrectly
(violating the relevant RFC's) drop packets with the ECN bit set,
when they have no business doing that.  (The RFC's indicate that the
bit should be set to zero by the sender when it was previously
undefined, but that receivers were supposed to ignore that bit.  Be
conservative in what you send, and liberal in what you accept.)

The vendors who have broken hardware out there, such as the Cisco Load
Director, have patches out there which fix the bug; they've had the
bug fixes available for the better part of the year.  The problem is
that end-customers (i.e., sites like E-Trade) are being slow to
install the patch.

As to why install with ECN?  That's because ECN is important in terms
of helping the core internet routers deal with increasing amounts of
load.  ECN stands for "Explicit Congestion Notification", and what it
means is that routers can explicitly tell end-hosts to back off
because of congestion in the internet core, as opposed to simply
dropping packets on the floor.  It improves the overall efficiency of
the network, and in the future may be important in avoiding congestive
collapse of overloaded links.

Aside from being a real Linux kernel developer (sorry, couldn't resist
:-), I also do quite a bit of work with the Internet Engineering Task
Force, the standards body for the Internet where ECN originated, and
my colleagues in this organization, which include Jamal Hadi Salim
(one of the core Linux networking kernel developers who also works
with the IETF), tell me that it's widely regarded that if it weren't
for Linux, a lot of bleeding edge protocols that may ultimately become
very important to the Internet either wouldn't have been widely
adopted, or the adoption rate would have been much, much slower.

So I think it's important that Linux distributions provide an easy way
for sites to use ECN.  Whether or not ECN should be enabled by default
is a more difficult question, and really depends on what you think is
more important.  Do you turn off something that will ultimately be
very beneficial to the entire Internet because there are some broken
sites out there that are willfully refusing to apply a bug fix which
Cisco and other vendors have had available for months, at the cost of
inconveniencing some users until they can figure out how to disable
ECN or lobby those sites to apply the bug fix?  Or do you take the
Microsoftian approach way out, and sacrifice the long-term good of the
Internet in the name of user convenience?

Ultimately, how you choose is a matter of your priorities.  But please
don't call ECN broken.  It's not ECN's fault; it's the fault of those
web sites that refuse to update their software with a bugfix release.

						- Ted
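As an added illustration of the "liberal in what you accept" point above (this is not code from Ted's mail or from any vendor), the example below builds a constructed TCP SYN with and without the ECN-setup flags and runs it through two hypothetical filter policies: the legacy "reserved bits must be zero" rule that the mail blames for the breakage, and a tolerant rule that ignores the bits it does not understand. Flag bit positions follow RFC 793 and RFC 3168; the policy functions are assumptions for illustration only.

```python
import struct

# TCP flag bits in the 16-bit data-offset/flags word (RFC 793; ECE/CWR added by RFC 3168).
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 1, 2, 4, 8, 16, 32
FLAG_ECE, FLAG_CWR = 64, 128  # these two were "reserved" before ECN was defined
ECN_BITS = FLAG_ECE | FLAG_CWR


def build_syn(sport: int, dport: int, ecn_setup: bool = False) -> bytes:
    """Constructed 20-byte TCP header (no options, zeroed checksum) for a new connection.
    An ECN-capable sender sets SYN+ECE+CWR on the initial SYN (RFC 3168 "ECN-setup SYN")."""
    flags = FLAG_SYN | (ECN_BITS if ecn_setup else 0)
    data_offset = 5  # header length in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (data_offset << 12) | flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Extract the low 8 flag bits (FIN..CWR) from bytes 12-13 of a TCP header."""
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return off_flags & 0xFF


def _is_new_connection(flags: int) -> bool:
    # The shared policy both filters are meant to enforce: plain SYN, no ACK, no RST.
    return bool(flags & FLAG_SYN) and not flags & (FLAG_ACK | FLAG_RST)


def legacy_filter_accepts(segment: bytes) -> bool:
    """Hypothetical pre-ECN middlebox rule: any set 'reserved' bit means drop.
    This is the behaviour that made ECN-enabled hosts unable to reach some sites."""
    flags = tcp_flags(segment)
    if flags & ECN_BITS:
        return False
    return _is_new_connection(flags)


def conformant_filter_accepts(segment: bytes) -> bool:
    """Hypothetical tolerant rule: decide only on the flags the policy is about and
    ignore ECE/CWR, so an ECN-setup SYN is treated exactly like a plain SYN."""
    flags = tcp_flags(segment) & ~ECN_BITS
    return _is_new_connection(flags)


def classify(segment: bytes) -> str:
    """Label a SYN as ECN-setup or plain, useful when triaging 'site unreachable' reports."""
    flags = tcp_flags(segment)
    if flags & ECN_BITS == ECN_BITS and flags & FLAG_SYN:
        return "ecn-setup-syn"
    return "plain-syn" if flags & FLAG_SYN else "other"
```

Running the same ECN-setup SYN through both filters shows that only the legacy rule drops it, which is the symptom users reported as "ECN breaks websites".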
