On Tue, 6 Jul 2004 20:40:34 +0100 Jamie Lokier <jamie@shareable.org> wrote: > If a firewall strips the window scaling option in both directions, > then window scaling is disabled (RFC 1323 section 2.2). > > Are you saying there are broken firewalls which strip TCP options in > one direction only? It is this specific case: 1) SYN packet contains window scale option of ZERO. This says two things, that the system will use a window scale of ZERO and that it SUPPORTS send and receive window scaling. If the firewall were to delete this, we'd be OK, but it does not. It leaves the option with zero in there. 2) SYN+ACK goes back out with non-zero window scale option. Note that because of #1, it is impossible for the system which sent the SYN packet to "refuse" the window scale option sent in the SYN+ACK. Here is where we have problems. If the firewall patches the scale to zero, which is what some of these things are doing, it is then the firewall's responsibility to scale the window to make it appear to be zero-scaled. And this is not being done by these broken firewalls. BTW, this is why it is so important to get tcpdump traces at both ends of the connection to analyze problems like this. If you look at only one side with dumps, you might not get the side that is getting packets edited by a firewall or other device. These machines are so broken that I absolutely refuse to change how we behave to work around them. If they want window scaling to be effectively disabled, they should patch out the window scale option in the "SYN" packet, this prevents the SYN+ACK sending system from advertising any window scaling support. What these broken devices are doing is effectively making window scaling unusable on the internet, and I refuse to swallow such crap. - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
