Re: FC2 test1 network issue

On Mon, Feb 16, 2004 at 12:22:26AM -0300, Pedro Fernandes Macedo wrote:
> They said that their firewall blocked everything when ECN was enabled 
> and they wouldn't ever think about disabling it, because of security 
> concerns...

Good job they hired you

> Is this really a security issue or just some sysadmin that needs to read 
> a bit more about ECN? From what I've read about ECN, it is supposed to 
> help...

ECN is an internet standard for congestion handling improvements. See
RFC3168. It's basically using two previously reserved bit flags to
indicate congestion versus lost packets and gives good performance
improvements in uncongested but lossy networks.

A few years ago there were several commercial firewall products that 
incorrectly checked the reserved bits were zero and blocked the packets
that had ECN on them. Most got fixed, and indeed most of the ones that
block ECN by default nowadays are very old installations that have never
been properly configured.
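
The reserved-bit check described in the message above, as an added example that is not part of the original post: it contrasts a pre-ECN filter rule with one that follows the RFC 3168 TCP header layout. The function names and the sample headers are constructed for illustration and do not come from any firewall product.

```python
import struct

# TCP flag bits in header byte 13 (RFC 793, extended by RFC 3168)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80  # reserved in RFC 793, assigned to ECN by RFC 3168

def build_tcp_header(sport, dport, flags, reserved=0):
    """Build a 20-byte TCP header (constructed sample; checksum left at 0)."""
    offset_reserved = (5 << 4) | (reserved & 0x0F)  # data offset = 5 words
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                       offset_reserved, flags, 65535, 0, 0)

def parse_flags(header):
    """Return (still-reserved nibble of byte 12, flag byte 13)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[12] & 0x0F, header[13]

def legacy_filter_accepts(header):
    """Pre-ECN rule: all six RFC 793 reserved bits must be zero."""
    reserved, flags = parse_flags(header)
    return reserved == 0 and (flags & (ECE | CWR)) == 0

def ecn_aware_filter_accepts(header):
    """RFC 3168 layout: only the four remaining reserved bits must be zero."""
    reserved, _ = parse_flags(header)
    return reserved == 0

def describe(header):
    """Name the flags relevant to connection setup and ECN negotiation."""
    _, flags = parse_flags(header)
    table = (("SYN", SYN), ("ACK", ACK), ("ECE", ECE), ("CWR", CWR))
    return "+".join(name for name, bit in table if flags & bit) or "none"

# Constructed sample headers (ports and flag combinations chosen for the demo)
SAMPLES = {
    "plain SYN": build_tcp_header(40000, 80, SYN),
    "ECN-setup SYN": build_tcp_header(40000, 80, SYN | ECE | CWR),
    "SYN with a still-reserved bit": build_tcp_header(40000, 80, SYN, reserved=0x4),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:30} flags={describe(hdr):12} "
              f"legacy={legacy_filter_accepts(hdr)} "
              f"ecn_aware={ecn_aware_filter_accepts(hdr)}")
```

The ECN-setup SYN is the only sample the two rules disagree on, which is why a host with ECN enabled could not open connections through such a firewall while everything else kept working.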


