>> There are a lot of really dumb, dumb, dumb firewall authors out there,
>> that's why....
>
>Actually, Sally Floyd's explanation makes a lot more sense.
>
>The dumb authors, I think, are those who built Linux implementations
>that doggedly attempt to negotiate ECN and are unprepared for cases
>where it does not work

Actually, to be clear, what I said is that there are both firewall
authors and TCP implementors who do dumb things. From the last
paragraph of my email:

    One might hope that Linux implementors would make a better decision
    next time around. And that firewall designers would not be so quick
    to block some new functionality just because it is used in the
    latest port-scanning tool. But I wouldn't count on it...

From RFC 3360:

    One lesson appears to be that anyone can effectively "attack" a new
    TCP function simply by using that function in their
    publicly-available port-scanning tool, thus causing middleboxes of
    all kinds to block the use of that function.

- Sally
http://www.icir.org/floyd/