On Tue, 6 Jul 2004 11:47:41 -0700 Stephen Hemminger <shemminger@osdl.org> wrote: > The problem is that when > we propose window scaling, we expect that the other side receives the same initial > SYN request that we sent. If there is corrupting firewalls that strip it then > the window we send is not correctly scaled; so the other side thinks there is not > enough space to send. Inaccurate analysis Stephen. If the window option is edited out from the SYN by the firewall, it is impossible for the receiving system to respond with any window scaling option in the SYN+ACK packet. If a window scale option is not present in the SYN, it means that it does not support window scaling at all. What must be really happening, therefore, is that the firewall is patching the scale factor in the option, not deleting it outright. And then it isn't properly rescaling the window field in the TCP headers for the rest of the connection's lifetime. That would explain all of this. We can confirm this by getting a trace at both ends of a sick connection, and seeing if a non-zero window scale option gets patched to some other value by the time it reaches the receiving system. Then we will be aware of two bugs: 1) Cisco IOS, when NAT'ing, can mis-adjust SACK block options such that the sequence numbers are corrupt. 2) Some firewalls patch non-zero window scale options to be zero ones yet do not properly adjust the window field in TCP headers for the rest of the connection. - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html