>Minerva, the ISP of ISOC has been alerted and are working on the problem >but cannot locate exactly where is the problem, if you have any >information on where ECN packets are discarded please provide this >information to support@minerva.net add [HelpDeskTicket=12181] at the end >of the subject. > >I think you may have more tools htan me to locate the faulty >router/firewall/host? > >Thanks for helping locate the problem. The "ECN-under-Linux Unofficial Vendor Support Page" web page at "http://gtf.org/garzik/ecn/"; lists the known vendor equipment that has problems, with pointers to the bug-fixes provided by those vendors. There is also an internet-draft about this problem, "Inappropriate TCP Resets Considered Harmful", at "http://www.ietf.org/internet-drafts/draft-floyd-tcp-reset-04.txt";. This was approved to become a BCP on June 11. - Sally http://www.icir.org/floyd/ >From draft-floyd-tcp-reset-04.txt, for background history: Unfortunately, misconceived security concerns are one of the reasons for the problems described in this document in the first place. An August, 2000, article on "Intrusion Detection Level Analysis of Nmap and Queso" described the port-scanning tool Queso as sending SYN packets with the last two Reserved bits in the TCP header set, and said the following: "[QUESO] is easy to identify, if you see [these two Reserved bits and the SYN bit] set in the 13th byte of the TCP header, you know that someone has malicious intentions for your network." As is documented on the TBIT Web Page, the middleboxes that block SYNs using the two ECN-related Reserved flags in the TCP header do not block SYNs using other Reserved flags in the TCP header. One lesson appears to be that anyone can effectively ``attack'' a new TCP function simply by using that function in their publicly- available port-scanning tool, thus causing middleboxes of all kinds to block the use of that function.
