Re: [PATCH -next 0/2] net: allow setting ecn via routing table

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: David Miller <davem@davemloft.net>
Cc: fw@strlen.de, netdev@vger.kernel.org
Subject: Re: [PATCH -next 0/2] net: allow setting ecn via routing table
Date: Thu, 30 Oct 2014 21:52:04 +0100	[thread overview]
Message-ID: <20141030205204.GE10069@breakpoint.cc> (raw)
In-Reply-To: <20141030.155958.156984068627586090.davem@davemloft.net>

David Miller <davem@davemloft.net> wrote:
> From: Florian Westphal <fw@strlen.de>
> Date: Wed, 29 Oct 2014 13:23:07 +0100
> 
> > We could do that, if you prefer.
> > 
> > I tried to come up with a scenario though, where sysctl_tcp_ecn=0, and
> > then we want to enable 'passive' ecn for incoming connections only on
> > a particular route without announcing ecn to the peer. I haven't been
> > able to find any -- I think if you deem 'route to x' safe for ecn it
> > might as well be enabled for both initiator and responder.  The original
> > patch would be sufficient for that.
> > 
> > IOW, is 'ecn from a to b but not b to a' a sensible requirement?
> 
> I think you have to apply the same logic for the sysctl (there's a
> reason to only support ECN passively) as you do for the route feature
> because you can logically look at the sysctl as applying to the
> default route.

Agreed, sysctl is comparable to default route.
And I think 'passive ecn' makes perfect sense for a default route.

But for a specific host/network?

Either I know that path to $x is ecn-safe (i.e. turn it on for both ends)
or I don't, in which case the global 'passive' default ("if peer requests
it they probably know what they're doing") is fine.

> > default at one point (almost no routers set CE bit at this time, perhaps
> > that would change if ecn usage is more widespread).
> 
> Now you're talking.
> 
> So, either passive ECN support makes sense or it does not.  To me, no
> matter what the argument, it doesn't matter what realm (whole system,
> specific routes) you apply that argument to.

The passive mode was added 5 years ago via

commit 255cac91c3c9ce7dca7713b93ab03c75b7902e0e
(tcp: extend ECN sysctl to allow server-side only ECN), and I think the
commit log rationale makes sense.

So, what about changing the default to 1 in net-next?

We could add automatic 'no-ecn' to retransmitted syns to avoid
ecn blackholes (Daniel Borkmann has a patch for this), and, in case
ecn=1 causes too much breakage we can always revert (and re-consider ecn
per route settings as an intermediate step).

What do you think?

Thanks,
Florian

next prev parent reply	other threads:[~2014-10-30 20:52 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-10-25 22:38 [PATCH -next 0/2] net: allow setting ecn via routing table Florian Westphal
2014-10-25 22:38 ` [PATCH -next 1/2] syncookies: remove ecn_ok validation when decoding option timestamp Florian Westphal
2014-10-25 22:38 ` [PATCH -next 2/2] net: allow setting ecn via routing table Florian Westphal
2014-10-28 20:57 ` [PATCH -next 0/2] " David Miller
2014-10-29 12:23   ` Florian Westphal
2014-10-30 19:59     ` David Miller
2014-10-30 20:52       ` Florian Westphal [this message]
2014-10-30 21:07         ` Eric Dumazet
2014-10-30 22:15           ` Florian Westphal
2014-10-30 23:05             ` Eric Dumazet
2014-10-30 23:16               ` Florian Westphal
2014-10-30 23:30                 ` Eric Dumazet
2014-10-31  3:49                   ` David Miller
2014-10-31  9:24               ` Daniel Borkmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141030205204.GE10069@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.