
On Thu, 28 Feb 2008 08:41:27 -0500 Joe Abley <jabley@ca.afilias.info> wrote:
> On 27-Feb-2008, at 15:09, Mark Smith wrote:
>> Don't worry if the ISOC website times out, their firewall isn't TCP ECN compatible.
> Isn't it the case in the real world that the Internet isn't TCP ECN compatible?
In my experience no. The Linux kernel defaults to ECN enabled (although I think distros switch it off), and I've been running my PC ECN enabled for at least the last 5 to 7 years. The number of websites that I've had trouble with in that time was such a low number (3), that I remember what they are. The other two, other than the ISOC website, have been fixed within the last 3 years.

That's not really an excuse anyway. The ECN bit originally was reserved, so things that don't understand it should be ignoring it, not making sure it's set to zero. I understand that's the fundamentals of the robustness principle. If people claim doing that is insecure, how are there so many firewalls out there that don't have / aren't causing this problem?
> I thought people had relegated that to the "nice idea but, in practice, waste of time" bucket years ago.
Not exactly sure of its exact status, however every now and then I come across things relating to it, e.g. I think I recently came across proposed ECN additions to MPLS, so it still seems relevant.

Regards,
Mark.

--
"Sheep are slow and tasty, and therefore must remain constantly alert."
- Bruce Schneier, "Beyond Fear"
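
The behaviour discussed in this thread, as an added example that is not part of the original messages: an ECN-setup SYN (RFC 3168) sets the two formerly reserved TCP flag bits, and a filter that insists they be zero silently drops it, which the client sees as a timeout. The two filter functions, the packet values and the port numbers are hypothetical and constructed for illustration.

```python
import struct

# TCP flag bits (byte 13 of the header). ECE and CWR were reserved
# bits before RFC 3168 assigned them to ECN.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (checksum left at zero)."""
    offset_reserved = 5 << 4  # data offset = 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_reserved, flags, window, 0, 0)

def tcp_flags(header):
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def is_ecn_setup_syn(header):
    """RFC 3168: an ECN-setup SYN has SYN, ECE and CWR set, ACK clear."""
    f = tcp_flags(header)
    return (f & (SYN | ACK | ECE | CWR)) == (SYN | ECE | CWR)

def legacy_filter(header):
    """Hypothetical pre-ECN rule: drop anything with 'reserved' bits set."""
    return "drop" if tcp_flags(header) & (ECE | CWR) else "accept"

def tolerant_filter(header):
    """Hypothetical rule that ignores the ECN bits when judging flags."""
    f = tcp_flags(header) & ~(ECE | CWR)
    # Still reject nonsensical combinations such as SYN+FIN or SYN+RST.
    if f & SYN and f & (FIN | RST):
        return "drop"
    return "accept"

# Constructed sample packets (ports and values are made up).
PLAIN_SYN = build_tcp_header(40000, 80, SYN)
ECN_SYN = build_tcp_header(40000, 80, SYN | ECE | CWR)
SYN_FIN = build_tcp_header(40000, 80, SYN | FIN | ECE | CWR)

def verdicts():
    """Return (legacy, tolerant) verdicts for each sample packet."""
    samples = [("plain_syn", PLAIN_SYN), ("ecn_syn", ECN_SYN),
               ("syn_fin", SYN_FIN)]
    return {n: (legacy_filter(p), tolerant_filter(p)) for n, p in samples}

if __name__ == "__main__":
    for name, (legacy, tolerant) in verdicts().items():
        print(f"{name:10s} legacy={legacy:6s} tolerant={tolerant}")
```
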