Firewall Wizards mailing list archives

RE: IPF and ECN


From: "Hammerle, Tye F." <Tye.F.Hammerle () snapon com>
Date: Tue, 19 Sep 2000 18:34:47 -0500

I recently had a couple of mail servers using ECN trigger an alert with
snort while they were trying to send mail to us. Upon investigation I found
one was from Loyola. The admin there, Ben Galliart, did some research and
came up with the info in the message below.

I am running a PIX (5.1) which does not recognize a connection attempt with
ECN set, it denies it with a 'no connection' message. These two mail servers
were unable to deliver mail to us due to this. 

BTW, snort classified it as a 'Queso Fingerprint Attempt'.

So far you are the only post I've seen that has noticed this. What version
of IPF are you running? Platform?

Tye



From: B. Galliart [bgallia () orion it luc edu]
Sent: Monday, September 11, 2000 5:16 PM
To: Hammerle, Tye F.
Cc: Phil Wood; bmontes () luc edu; Richard Riehle
Subject: Castor's use of "ECN" shut-off

This is the results of my research into the unusual behavior of Castor:

Last week, as a work-around to problems with the Loyola network, we
upgraded Castor (one of our mail servers) to Linux kernel version
2.4.0-test7.  This kernel, by default, includes an implementation of ECN
(Explicit Congestion Notification), also known as RFC 2481 [1].  ECN is
also promoted by Cisco in their _Internet_Protocol_Journal_ as a method of
improving TCP performance [2].  However, some IDS and firewall systems
appear to expect strict adherence to RFC 793 [3], which states that the bits
used for ECN "must be zero" (since they were reserved for future
use).  Among these products is Cisco's own PIX firewall, and while
Cisco's IPJ promotes the support of ECN, there is nothing in the release notes
for PIX IOS 5.1 or IOS 5.2 that indicates that Cisco itself is supporting
ECN.  The maintainers of the Linux kernel seem to be aware of the problem
and discussion has already been underway on the kernel developer's mailing
list [6].  In the meantime, support of ECN/RFC 2481 will remain turned
off on Castor.  Also, there is no reason at this time to believe that
someone compromised the administrative access needed to forge their own
non-standard TCP header from Castor.

Ben Galliart
Information Technologies
Loyola University Chicago

References:
[1] http://www.faqs.org/rfcs/rfc2481.html
[2] http://www.cisco.com/warp/public/759/ipj_3-2/ipj_3-2_tcp.html
[3] http://www.faqs.org/rfcs/rfc793.html
[4] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pixrn512.htm
[5] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid133580
[6] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0009.1/index.html
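An added example, not part of any message in this thread: a small TCP-header check showing how a filter or IDS rule can tell an RFC 2481 ECN-setup SYN (both of the RFC 793 reserved bits set alongside SYN, which is the pattern the PIX dropped and snort labelled a Queso fingerprint) apart from a genuinely anomalous use of the reserved bits, instead of rejecting every non-zero value. The header builder and the sample segments are constructed for the demonstration and are assumptions, not code from any of the products named above.

```python
import struct

# Flag bits in byte 13 of the TCP header. RFC 793 left the top two reserved
# ("must be zero"); RFC 2481 assigned them as CWR (0x80) and ECE (0x40).
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def parse_tcp_flags(segment: bytes):
    """Return (data_offset_words, reserved_nibble, flags_byte) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_res, flags = struct.unpack("!BB", segment[12:14])
    return off_res >> 4, off_res & 0x0F, flags


def classify_ecn(segment: bytes) -> str:
    """Label a segment the way an ECN-aware filter should: only the bit
    patterns RFC 2481 never produces are treated as anomalous."""
    _, reserved, flags = parse_tcp_flags(segment)
    ecn_bits = flags & (CWR | ECE)
    syn, ack = bool(flags & SYN), bool(flags & ACK)
    if reserved:
        # The four bits left of CWR are still reserved and must be zero.
        return "anomalous: RFC 793 reserved nibble set (not ECN)"
    if ecn_bits == 0:
        return "plain (no ECN bits)"
    if syn and not ack and ecn_bits == CWR | ECE:
        # Exactly the SYN that an ECN-capable Linux 2.4 sender emits.
        return "ECN-setup SYN (RFC 2481): legitimate, not a fingerprint probe"
    if syn and ack and ecn_bits == ECE:
        return "ECN-setup SYN-ACK (RFC 2481)"
    if not syn:
        # ECE/CWR on data segments is normal congestion signalling.
        return "ECN signalling on established flow (ECE/CWR)"
    return "anomalous: ECN bits inconsistent with SYN handshake"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header for testing (checksum left zero)."""
    off_res = 5 << 4  # data offset of 5 words, reserved nibble zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, off_res, flags, window, 0, 0)


if __name__ == "__main__":
    for label, f in [("mail SYN from ECN host", SYN | CWR | ECE), ("plain SYN", SYN),
                     ("odd SYN", SYN | ECE)]:
        print(f"{label}: {classify_ecn(build_tcp_header(25, 25, f))}")
```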




-----Original Message-----
From: Patrick Oonk [mailto:patrick () pine nl]
Sent: Tuesday, September 19, 2000 6:50 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] IPF and ECN


Hi,

My IPF firewall is barfing about packets containing
ECN information (Explicit Congestion Notification,
http://www.aciri.org/floyd/ecn.html). 
The strange thing is, that it does not log WHY, just
that it blocked the packet. I have been reading the
ipf docs and I see no way to pass packets containing that 
extra information. I think that IPF just expects the
position in the packet to be zero and blocks it.

I have also looked into newer versions of IPF, and found
no info about the processing of ECN info.
        
Any clues?

-- 
 Patrick Oonk -  PO1-6BONE -  patrick () pine nl -  www.pine.nl/~patrick
 Pine Internet - PAT31337-RIPE - PGPkeyID BE7497F1 - XOIP+31208723350 
 Tel: +31-70-3111010  -   Fax: +31-70-3111011   -  http://security.nl
 PGP   fingerprint   97 27 CB 46 25 39 66 77  F8 BF C3 93 4A EC 21 D6
 Excuse of the day: piezo-electric interference

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
