nanog mailing list archives

Re: ECN, DNS and Firewalls


From: Mark Andrews <marka () isc org>
Date: Fri, 28 Dec 2018 15:07:37 +1100



> On 28 Dec 2018, at 2:49 pm, valdis.kletnieks () vt edu wrote:
> 
> On Fri, 28 Dec 2018 13:35:04 +1100, Mark Andrews said:
>> There are major operators that still have STUPID firewall settings
>> in front of DNS servers that drop SYN packets with ECE and CWR set
>> 17 years after ECN was specified.
> 
> Time to name-n-shame?

Not yet.  Let people test and fix their firewalls first.

A test machine should be sending [SEW] and getting back 
[S.E] or [S.] in the TCP flags using tcpdump depending
upon whether the DNS server’s TCP stack supports ECN or not.

e.g.

11:35:50.335713 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50670 > 2001:7fe::53.53: Flags [SEW], seq 3764146938, win 65535, options [mss 1220,nop,wscale 5,nop,nop,TS val 522561237 ecr 0,sackOK,eol], length 0
11:35:50.745472 IP6 2001:7fe::53.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50670: Flags [S.E], seq 1542147586, ack 3764146939, win 14280, options [mss 1440,sackOK,TS val 1392826170 ecr 522561237,nop,wscale 7], length 0

or

11:40:35.360655 IP6 2001:470:a001:3:f1f2:b12d:4b18:d934.50697 > 2001:502:8cc::30.53: Flags [SEW], seq 81498720, win 65535, options [mss 1220,nop,wscale 5,nop,nop,TS val 522845405 ecr 0,sackOK,eol], length 0
11:40:35.589420 IP6 2001:502:8cc::30.53 > 2001:470:a001:3:f1f2:b12d:4b18:d934.50697: Flags [S.], seq 987294478, ack 81498721, win 1220, options [mss 1220], length 0

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
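
The three outcomes Mark describes (a [S.E] SYN-ACK, a plain [S.] SYN-ACK, or nothing coming back because a firewall dropped the ECN-setup SYN) can be read off a capture automatically. The script below is an added example, not code from the thread or from ISC; it parses tcpdump's one-line TCP output, pairs each outgoing [SEW] SYN with the SYN-ACK on the reversed address pair, and reports which case applies. The sample capture is constructed with documentation addresses, not the hosts in the post.

```python
import re

# What we need from a tcpdump TCP line: timestamp, src, dst and the flag letters.
# tcpdump letters: S=SYN, .=ACK, E=ECE, W=CWR, so [SEW] is an ECN-setup SYN.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+?): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line: str):
    """Return {ts, src, dst, flags} for a tcpdump TCP line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_ecn_handshakes(lines):
    """Pair each outgoing [SEW] SYN with its SYN-ACK and classify the outcome.

    Returns {"src > dst": verdict}, where verdict is:
      "ecn"      - SYN-ACK carried ECE ([S.E]): server stack negotiated ECN
      "no-ecn"   - plain SYN-ACK ([S.]): connection works, ECN not negotiated
      "no-reply" - no SYN-ACK at all: candidate for a firewall dropping ECN SYNs
    Retransmitted SYNs from the same socket collapse onto one key.
    """
    pkts = [p for p in map(parse_line, lines) if p]
    results = {}
    for p in pkts:
        f = set(p["flags"])
        if "S" not in f or "." in f or not {"E", "W"} <= f:
            continue  # not an ECN-setup SYN
        key = f'{p["src"]} > {p["dst"]}'
        results.setdefault(key, "no-reply")
        for r in pkts:
            rf = set(r["flags"])
            if r["src"] == p["dst"] and r["dst"] == p["src"] and {"S", "."} <= rf:
                results[key] = "ecn" if "E" in rf else "no-ecn"
                break
    return results

# Constructed sample capture in tcpdump's format (documentation addresses):
# two answered handshakes and one SYN that is retransmitted and never answered.
SAMPLE_CAPTURE = """\
11:35:50.335713 IP6 2001:db8::1.50670 > 2001:db8::53.53: Flags [SEW], seq 1, win 65535, options [mss 1220], length 0
11:35:50.745472 IP6 2001:db8::53.53 > 2001:db8::1.50670: Flags [S.E], seq 2, ack 2, win 14280, options [mss 1440], length 0
11:40:35.360655 IP6 2001:db8::1.50697 > 2001:db8::54.53: Flags [SEW], seq 3, win 65535, options [mss 1220], length 0
11:40:35.589420 IP6 2001:db8::54.53 > 2001:db8::1.50697: Flags [S.], seq 4, ack 4, win 1220, options [mss 1220], length 0
11:45:00.000000 IP6 2001:db8::1.50700 > 2001:db8::55.53: Flags [SEW], seq 5, win 65535, options [mss 1220], length 0
11:45:03.000000 IP6 2001:db8::1.50700 > 2001:db8::55.53: Flags [SEW], seq 5, win 65535, options [mss 1220], length 0
"""

if __name__ == "__main__":
    for target, verdict in classify_ecn_handshakes(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{target}: {verdict}")
```

A "no-reply" verdict on its own only says the ECN-setup SYN went unanswered; repeating the probe with a plain SYN to the same server tells you whether the drop is ECN-specific.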

