ECN, DNS and Firewalls

Mark Andrews marka at isc.org
Fri Dec 28 04:07:37 UTC 2018



> On 28 Dec 2018, at 2:49 pm, valdis.kletnieks at vt.edu wrote:
> 
> On Fri, 28 Dec 2018 13:35:04 +1100, Mark Andrews said:
>> There are major operators that still have STUPID firewall settings
>> in front of DNS servers that drop SYN packets with ECE and CWR set
>> 17 years after ECN was specified.
> 
> Time to name-n-shame?

Not yet.  Let people test and fix their firewalls first.

A test machine should be sending [SEW] and getting back 
[S.E] or [S.] in the TCP flags using tcpdump depending
upon whether the DNS server’s TCP stack supports ECN or not.

e.g.

11:35:50.335713 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50670 > 2001:7fe::53.53: Flags [SEW], seq 3764146938, win 65535, options [mss 1220,nop,wscale 5,nop,nop,TS val 522561237 ecr 0,sackOK,eol], length 0
11:35:50.745472 IP6 2001:7fe::53.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50670: Flags [S.E], seq 1542147586, ack 3764146939, win 14280, options [mss 1440,sackOK,TS val 1392826170 ecr 522561237,nop,wscale 7], length 0

or

11:40:35.360655 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50697 > 2001:502:8cc::30.53: Flags [SEW], seq 81498720, win 65535, options [mss 1220,nop,wscale 5,nop,nop,TS val 522845405 ecr 0,sackOK,eol], length 0
11:40:35.589420 IP6 2001:502:8cc::30.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50697: Flags [S.], seq 987294478, ack 81498721, win 1220, options [mss 1220], length 0

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
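An added example (not part of Mark's post) that turns the check he describes into code: it reads tcpdump lines, finds each [SEW] probe and classifies the server by the SYN-ACK it sends back, flagging servers that never answer the ECN SYN. The sample lines are the two exchanges from the post, shortened after the flags, plus a constructed probe to a documentation-prefix address that gets no reply.

```python
import re
from typing import Dict, List, Optional

# Pulls source, destination and TCP flags out of a tcpdump line ("IP" or "IP6").
LINE_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'src', 'dst', 'flags'} for a TCP tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_ecn_handshakes(lines: List[str]) -> Dict[str, str]:
    """Map each probed server endpoint (addr.port) to an ECN verdict.

    A probe is a SYN with ECE+CWR set ([SEW]). The reply decides the verdict:
      [S.E] -> the server's TCP stack negotiated ECN
      [S.]  -> the server answered without ECN (no ECN support, but nothing dropped)
      none  -> no SYN-ACK seen; something in front of the server may drop ECN SYNs
    """
    verdicts: Dict[str, str] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flags = rec["flags"]
        if flags == "SEW":
            # Record the probe; overwritten once a SYN-ACK from that server shows up.
            verdicts.setdefault(rec["dst"], "no SYN-ACK seen: ECN SYN possibly dropped")
        elif flags.startswith("S.") and rec["src"] in verdicts:
            verdicts[rec["src"]] = "ECN negotiated" if "E" in flags else "no ECN, handshake OK"
    return verdicts


# Constructed sample: the two exchanges from the post (trimmed after the flags) plus a
# probe to 2001:db8::53 (documentation prefix, a placeholder) that is never answered.
SAMPLE = [
    "11:35:50.335713 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50670 > 2001:7fe::53.53: Flags [SEW], length 0",
    "11:35:50.745472 IP6 2001:7fe::53.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50670: Flags [S.E], length 0",
    "11:40:35.360655 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50697 > 2001:502:8cc::30.53: Flags [SEW], length 0",
    "11:40:35.589420 IP6 2001:502:8cc::30.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50697: Flags [S.], length 0",
    "11:45:01.000000 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50701 > 2001:db8::53.53: Flags [SEW], length 0",
]

if __name__ == "__main__":
    for server, verdict in classify_ecn_handshakes(SAMPLE).items():
        print(f"{server}: {verdict}")
```

Feed it real output from `tcpdump -n 'tcp port 53'` taken while sending [SEW] probes; servers that only ever show a [SEW] line and never a reply are the ones whose firewall needs a look.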



