ECN Problems
Problems with non-ECN-compatible equipment in the network:
There are several (broken) deployed TCP implementations and routers that
don't respond to SYN packets that use the ECN-related flags for
negotiating ECN-capability.
- The ECN Hall of Shame, with recent results.
- Dax Kelson, 8% of the Internet unreachable!, Sept. 10, 2000. Email to
  the linux-kernel mailing list showing that 8.3% of websites tested
  were unreachable from an ECN-capable client.
- See the TBIT test results for a list of web servers not accessible to
  ECN-capable clients. In the December 2000 tests, 2,151 of 24,030 web
  servers were not accessible to ECN-capable clients. The TBIT results
  also include the March 2002 results, with 203 addresses for which an
  ECN-setup SYN packet is followed by a RST, and 420 addresses for which
  ECN-setup SYN packets appear to be dropped.
- RFC 3168 incorporates a procedure as a work-around for this broken,
  non-ECN-compatible equipment (as in earlier email). This is
  illustrated in Examples of TCP Initialization with ECN. This was
  discussed in the end2end-interest mailing list under the subject
  heading "Negotiating ECN-Capability in a TCP connection".
- See Why Can't My 2.4 Kernel See Some Web Sites?, Scott Courtney,
  April 17, 2001, Enterprise Linux Today, and the follow-up discussion.
- See the ECN-under-Linux Unofficial Vendor Support Page for a
  discussion of the problems with non-ECN-compatible equipment, a list
  of fixes from vendors, and a list of vendors with broken equipment
  that have not yet published fixes.
- Inappropriate TCP Resets Considered Harmful, S. Floyd, RFC 3360,
  August 2002.
- ECN has been enabled on the main Linux kernel hub, so sites behind
  broken firewalls could have problems accessing this site.
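
The two failure modes counted in the TBIT results above (an ECN-setup SYN answered by a RST, or apparently dropped) and the RFC 3168 work-around of retrying with the ECN flags cleared can be written out as follows. This is an added example, not code from TBIT or from any kernel; the enum and function names are hypothetical, the sample replies are constructed, and the flag rules follow RFC 3168.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (RFC 793, RFC 3168). */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40
#define TH_CWR 0x80

/* Result of one ECN-setup SYN probe; these names are hypothetical. */
enum ecn_result {
    ECN_NEGOTIATED,     /* ECN-setup SYN-ACK: SYN+ACK, ECE set, CWR clear */
    ECN_NOT_NEGOTIATED, /* any other SYN-ACK: reachable, ECN not agreed   */
    ECN_SYN_RESET,      /* RST came back (TBIT's "followed by a RST")     */
    ECN_SYN_DROPPED,    /* no reply at all (TBIT's "appear to be dropped")*/
    ECN_UNEXPECTED      /* reply is neither a RST nor a SYN-ACK           */
};

/* got_reply == 0 models the SYN retransmission timer expiring. */
enum ecn_result classify_reply(int got_reply, uint8_t flags)
{
    if (!got_reply) return ECN_SYN_DROPPED;
    if (flags & TH_RST) return ECN_SYN_RESET;
    if ((flags & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK)) return ECN_UNEXPECTED;
    return (flags & (TH_ECE | TH_CWR)) == TH_ECE ? ECN_NEGOTIATED
                                                 : ECN_NOT_NEGOTIATED;
}

/* Flags for the follow-up SYN (ECE and CWR cleared), or 0 for no retry. */
uint8_t retry_syn_flags(enum ecn_result r)
{
    return (r == ECN_SYN_RESET || r == ECN_SYN_DROPPED) ? TH_SYN : 0;
}

int main(void)
{
    /* Constructed replies to an ECN-setup SYN (SYN|ECE|CWR = 0xC2). */
    struct { int got; uint8_t flags; } s[] = {
        {1, TH_SYN | TH_ACK | TH_ECE}, {1, TH_SYN | TH_ACK},
        {1, TH_RST | TH_ACK}, {0, 0}, {1, TH_SYN | TH_ACK | TH_ECE | TH_CWR},
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        enum ecn_result r = classify_reply(s[i].got, s[i].flags);
        printf("reply %zu: result=%d retry=0x%02x\n", i, (int)r,
               (unsigned)retry_syn_flags(r));
    }
    return 0;
}
```

A SYN-ACK that comes back with both ECE and CWR set is classified as not negotiated, since only ECE set with CWR clear counts as an ECN-setup SYN-ACK.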
A 2001 FreeBSD Security Advisory reported that the IP packet filtering
facility ipfw incorrectly treats all TCP packets with the ECE flag set as
being part of an established TCP connection. The impact is that with
older versions of FreeBSD, remote attackers could take advantage of
this to circumvent the firewall.
Last modified: November 2002.