ECN

Tore Anderson tore at fud.no
Thu Nov 14 07:16:51 UTC 2019


* Saku Ytti

> Not true. Hash result should indicate discrete flow, more importantly
> discrete flow should not result in two unique hash numbers. Using
> whole TOS byte breaks this promise and thus breaks ECMP.
> 
> Platforms allow you to configure which bytes are part of hash
> calculation, whole TOS byte should not be used as discrete flow SHOULD
> have unique ECN bits during congestion. Toke has diagnosed the problem
> correctly, solution is to remove TOS from ECMP hash calculation.

Agreed. This also goes for the other bits, so the whole byte must be excluded.

For example, the OpenSSH client will by default change the code point from zero (during authentication) to af21/cs1 (when it enters an interactive/non-interactive session).

I have experienced this break IPv6 SSH sessions to an anycasted SSH server instance that was reached through old Juniper DPC cards with ECMP enabled. Symptom was that authentication went fine, only for the connection to be reset immediately after (unless default IPQoS config was changed). The «solution» was to simply disable ECMP for all IPv6 traffic, since I could not figure out how to make the Juniper exclude the DiffServ byte from the ECMP hash calculation.

Tore
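
The failure mode discussed in this thread, as an added example that is not part of the original messages: a simulation of ECMP next-hop selection with and without the TOS / Traffic Class byte in the hash key, showing how many flows change path when the DSCP or ECN bits change mid-flow. The SHA-256 hash, the four next hops and the documentation-prefix addresses are assumptions standing in for a real platform's hash function and topology.

```python
import hashlib
import ipaddress
import struct

NEXT_HOPS = 4               # assumed number of equal-cost paths

AF21 = 18 << 2              # DSCP af21 sits in the upper six bits of the byte (0x48)
ECT0, CE = 0b10, 0b11       # ECN codepoints sit in the lower two bits


def ecmp_next_hop(flow, tos, include_tos):
    """Pick a next hop from the flow key; optionally mix in the TOS byte."""
    src, dst, proto, sport, dport = flow
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    key += struct.pack("!BHH", proto, sport, dport)
    if include_tos:
        key += bytes([tos])
    # SHA-256 is a stand-in for the platform's hash (an assumption).
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % NEXT_HOPS


def flows_that_move(flows, tos_before, tos_after, include_tos):
    """Count flows whose next hop differs before and after the TOS change."""
    return sum(
        ecmp_next_hop(f, tos_before, include_tos)
        != ecmp_next_hop(f, tos_after, include_tos)
        for f in flows
    )


# Constructed sample: 1000 TCP flows to port 22 on one anycast address.
FLOWS = [
    ("2001:db8::%x" % i, "2001:db8:ffff::22", 6, 40000 + i, 22)
    for i in range(1, 1001)
]

if __name__ == "__main__":
    changes = (("DSCP 0 -> af21", 0, AF21), ("ECT(0) -> CE", ECT0, CE))
    for label, before, after in changes:
        for include in (True, False):
            moved = flows_that_move(FLOWS, before, after, include)
            print(f"{label:15} tos_in_hash={include!s:5} moved={moved}/{len(FLOWS)}")
```

With the byte in the key, a flow that moves can reach a different anycast instance that holds no state for the connection; with the byte excluded, no flow moves.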


