Re: [squid-users] Connection Refused & Explicit Congestion Notification

From: Joel Jaeggli <joelja@dont-contact.us>
Date: Fri, 6 Apr 2001 13:55:43 -0700 (PDT)

Cisco local-director and PIX were big culprits in ECN-related issues, but
that's fixed in modern releases of the software for those platforms. So
it might be useful to examine what sites still have this issue in more
detail (are they using un-upgraded local-directors, or is it boxes from
other vendors for which there isn't a fix?).

joelja

On Fri, 6 Apr 2001 rriehle@iris.it.luc.edu wrote:

> Squid seems unable to access a number of sites including:
> www.intel.com
> www.chicagotribune.com
> www.computerworld.com
> www.techrepublic.com
> www.zdnet.com
> ...and the list goes on.
>
> These sites are most likely using an IDS system that is triggered by
> TCP/IP stacks that implement ECN (Explicit Congestion Notification).
> This is not a problem with Squid, but rather an apparent failure on
> behalf of some IDS vendors to comply with RFCs and properly recognize
> ECN. One workaround is to disable ECN within the TCP/IP stacks of
> machines running Squid. On Linux this is easy.
>
>
> SAMPLE ERROR MESSAGE RETURNED BY SQUID TO A BROWSER
>
> ERROR
>
> The requested URL could not be retrieved
> -----------------------------------------------------------
> While trying to retrieve the URL: http://www.intel.com/
>
> The following error was encountered:
>
> Connection Failed
>
> The system returned:
>
> (111) Connection refused
>
> The remote host or network may be down. Please try the request again.
>
>
> Your cache administrator is cache-admin@luc.edu.
> -----------------------------------------------------------
> Generated Fri, 06 Apr 2001 19:10:10 GMT by squid.it.luc.edu
> (Squid/2.3.STABLE4)
>
>
> DETAILED PROBLEM DESCRIPTION
>
> Date: Mon, 11 Sep 2000 17:16:14 -0500 (CDT)
> From: B. Galliart <bgallia@orion.it.luc.edu>
> Subject: Castor's use of "ECN" shut-off
>
> Last week, as a work-around to problems with the Loyola network, we
> upgraded Castor (one of our mail servers) to Linux kernel version
> 2.4.0-test7. This kernel, by default, includes an implementation of
> ECN (Explicit Congestion Notification), also known as RFC 2481 [1].
> ECN is also promoted by Cisco in their _Internet_Protocol_Journal_ as
> a method of improving TCP performance [2]. However, some IDS and
> firewall systems appear to expect strict adherence to RFC 793 [3],
> which states that the bits used for ECN "must be zero" (since they
> were reserved for future use). Among these products is Cisco's
> own PIX firewall, and while Cisco's IPJ promotes the support of ECN,
> there is nothing in the release notes for PIX IOS 5.1 or IOS 5.2 that
> indicates that Cisco itself is supporting ECN. The maintainers of the
> Linux kernel seem to be aware of the problem and discussion has already
> been underway on the kernel developers' mailing list [6]. In the
> meantime, support of ECN/RFC 2481 will remain turned off on Castor. Also,
> there is no reason at this time to believe that someone compromised the
> administrative access needed to forge their own non-standard TCP header
> from Castor.
>
> Ben Galliart
> bgallia@luc.edu
> Information Technologies
> Loyola University Chicago
>
> References:
> [1] http://www.faqs.org/rfcs/rfc2481.html
> [2] http://www.cisco.com/warp/public/759/ipj_3-2/ipj_3-2_tcp.html
> [3] http://www.faqs.org/rfcs/rfc793.html
> [4] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pixrn512.htm
> [5] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid133580
> [6] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0009.1/index.html
>
>
> WORKAROUND
>
> On a machine with a Linux 2.4 kernel, issue the following command as root:
>
> # echo 0 > /proc/sys/net/ipv4/tcp_ecn
>
>
> Regards,
> Richard Riehle
> rriehle@luc.edu
>

-- 
--------------------------------------------------------------------------
Joel Jaeggli				       joelja@darkwing.uoregon.edu
Academic User Services			     consult@gladstone.uoregon.edu
     PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--------------------------------------------------------------------------
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.
Received on Fri Apr 06 2001 - 14:55:53 MDT
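An added example, not taken from any message in this thread, that decodes the TCP flags word the messages above argue about: the two RFC 793 "reserved" bits that RFC 2481 reassigned as ECE and CWR, so a SYN that negotiates ECN is exactly the segment a box enforcing RFC 793 literally would reject. The header builder only constructs sample input for the classifier, and the meaning of tcp_ecn value 2 is assumed from later kernels than the 2.4 series discussed here.

```python
import struct

# Bit positions in the 16-bit "data offset / reserved / control bits" word of
# the TCP header. RFC 793 defines the low six; RFC 2481 reassigns the two
# lowest of the six "reserved" bits as ECE (0x40) and CWR (0x80).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
RFC793_RESERVED = 0x0FC0  # the six bits RFC 793 says "must be zero"

def build_tcp_header(sport, dport, seq, flags, window=5840):
    """Constructed sample input: a minimal 20-byte TCP header with no options
    and a zero checksum (enough for flag inspection, not a sendable packet)."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags,
                       window, 0, 0)

def classify_segment(segment):
    """Decode the flags word of a raw TCP segment and report how an
    RFC 2481-aware checker and an RFC 793-strict checker would see it."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", segment[:14])
    flags = offset_flags & 0x0FFF
    syn, ack = bool(flags & SYN), bool(flags & ACK)
    ecn_bits = flags & (ECE | CWR)
    return {
        "sport": sport,
        "dport": dport,
        "syn": syn,
        # RFC 2481 6.1.1: an ECN-setup SYN carries both ECE and CWR
        "ecn_setup_syn": syn and not ack and ecn_bits == (ECE | CWR),
        # RFC 2481 6.1.1: an ECN-setup SYN-ACK carries ECE but not CWR
        "ecn_setup_syn_ack": syn and ack and ecn_bits == ECE,
        # what a middlebox enforcing RFC 793 literally would object to
        "rfc793_reserved_nonzero": bool(offset_flags & RFC793_RESERVED),
    }

def describe_tcp_ecn(value):
    """Interpret the text read from /proc/sys/net/ipv4/tcp_ecn. The 2.4
    kernels of the thread knew only 0 and 1; the meaning of 2 is assumed
    from later kernels (respond to ECN requests, never initiate them)."""
    meanings = {"0": "ECN disabled",
                "1": "ECN enabled, requested on outgoing connections",
                "2": "ECN enabled only when the peer requests it"}
    return meanings.get(value.strip(), "unknown value: " + value.strip())
```

Feed `classify_segment` the TCP portion of a captured SYN from the proxy host: if `ecn_setup_syn` is true and the connection is refused, the workaround above (`tcp_ecn` set to 0) is the knob to try.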
