Problems with non-ECN-compatible equipment in the network:
There are several (broken) deployed TCP implementations and routers
that don't respond
to SYN packets that use the ECN-related flags for negotiating
The ECN Hall of
Shame, with recent results.
8% of the Internet unreachable!,
Sept. 10, 2000. Email to the linux-kernel mailing list showing that
8.3% of websites tested were unreachable from an ECN-capable client.
results for a list of web servers not accessible to ECN-capable
clients. In the December 2000 tests, 2,151 of 24,030 web servers were
not accessible to ECN-capable clients. The TBIT results also show
March 2002 results including
203 addresses for which an ECN-setup SYN
is followed by a RST, and 420 addresses
for which ECN-setup SYN packets appear to be dropped.
RFC 3168 incorporates a procedure as a work-around for this broken,
(as in earlier email).
This is illustrated in
Examples of TCP Initialization with ECN.
This was discussed in the
end2end-interest mailing list under the subject heading
"Negotiating ECN-Capability in a TCP connection".
Why Can't My 2.4 Kernel See Some Web Sites?, Scott Courtney,
April 17, 2001, Enterprise Linux Today, and the
ECN-under-Linux Unofficial Vendor Support Page
for a discussion of the problems with non-ECN-compatible equipment,
a list of fixes from vendors, and a list of vendors with broken equipment
that have not yet published fixes.
Inappropriate TCP Resets Considered Harmful,
RFC 3360, August 2002.
ECN has been
enabled on the main Linux kernel hub,
so sites behind broken firewalls could have
problems accessing this site.
A 2001 FreeBSD Security Advisory reported that the IP packet filtering
facility ipfw incorrectly treats all TCP packets with the ECE flag set as
being part of an established TCP connection. The impact is that, with
older versions of FreeBSD, remote attackers could take advantage of
this to circumvent the firewall.
Last modified: November 2002.