"CE" - Where's the snot?

"CE" - Where's the snot?

[David Cary Hart]

I"m a struggling neophyte. 

I'm seeing quite a few of these in the (input filter) logs lately. Is.
our server causing the print or is it the sender - and why? Should I be
doing something about this? 

BTW, I am using the TARPIT chain on all TCP drops which probably adds to
the issue

Thanks. I notice that you folks are not only knowledgeable but,
generally, pretty patient.

Re: "CE" - Where's the snot?

[Antony Stone]

On Saturday 24 July 2004 4:15 pm, David Cary Hart wrote:

> I"m a struggling neophyte.
>
> I'm seeing quite a few of these in the (input filter) logs lately.

Excuse me, but *what* are you seeing?

I can see the subject of this posting, but it means nothing to me.

Please explain the problem so we can understand what it is.

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: "CE" - Where's the snot?

[David Cary Hart]

On Sat, 2004-07-24 at 11:44, Antony Stone wrote:

> Excuse me, but *what* are you seeing?
> 
> I can see the subject of this posting, but it means nothing to me.
> 
> Please explain the problem so we can understand what it is.
> 
Jul 24 16:21:01 mail kernel: - Firewall:  IN=eth0 OUT=
MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00  SRC=68.236.163.19 D
ST=192.168.0.31 LEN=41 TOS=00 PREC=0x00 TTL=126 ID=59477 CE DF PROTO=TCP
SPT=4694 DPT=135 SEQ=4252944646 ACK=3536024229 WIND
OW=64320 ACK URGP=0

Note the "CE" just in front of "DF" = Congestion Experienced

> Regards,
> 
> Antony.

Re: "CE" - Where's the snot?

[Antony Stone]

On Saturday 24 July 2004 9:22 pm, David Cary Hart wrote:

> On Sat, 2004-07-24 at 11:44, Antony Stone wrote:
> > Excuse me, but *what* are you seeing?
> >
> > I can see the subject of this posting, but it means nothing to me.
> >
> > Please explain the problem so we can understand what it is.
>
> Jul 24 16:21:01 mail kernel: - Firewall:  IN=eth0 OUT=
> MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00  SRC=68.236.163.19 D
> ST=192.168.0.31 LEN=41 TOS=00 PREC=0x00 TTL=126 ID=59477 CE DF PROTO=TCP
> SPT=4694 DPT=135 SEQ=4252944646 ACK=3536024229 WIND
> OW=64320 ACK URGP=0
>
> Note the "CE" just in front of "DF" = Congestion Experienced

It seems that the CE bit is set by some router in the path of the packets, 
therefore this is unlikely to be a problem on your network or firewall 
(unless you have your own routers perhaps).

http://www.zvon.org/tmRFC/RFC2884/Output/chapter3.html

A Google search for TCP and Congestion Experienced should give you a good 
background into why this bit may get set, however I don't think there's a way 
to find out which router set it.

Is it causing you any problems?

Regards,

Antony.

-- 
"The problem with television is that the people must sit and keep their eyes 
glued on a screen; the average American family hasn't time for it."

 - New York Times, following a demonstration at the 1939 World's Fair.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: "CE" - Where's the snot?

[David Cary Hart]

On Sat, 2004-07-24 at 16:37, Antony Stone wrote:

> It seems that the CE bit is set by some router in the path of the packets, 
> therefore this is unlikely to be a problem on your network or firewall 
> (unless you have your own routers perhaps).
> 
Just one.

> http://www.zvon.org/tmRFC/RFC2884/Output/chapter3.html
> 
> Is it causing you any problems?
> 
That's the point. I don't know.

Re: "CE" - Where's the snot?

[Antony Stone]

On Saturday 24 July 2004 9:55 pm, David Cary Hart wrote:

> On Sat, 2004-07-24 at 16:37, Antony Stone wrote:
> > It seems that the CE bit is set by some router in the path of the
> > packets, therefore this is unlikely to be a problem on your network or
> > firewall (unless you have your own routers perhaps).
>
> Just one.
>
> > http://www.zvon.org/tmRFC/RFC2884/Output/chapter3.html
> >
> > Is it causing you any problems?
>
> That's the point. I don't know.

Well, are you getting less bandwidth than your ISP says you should have, or do 
you lose packets if you try ping tests whilst transferring other traffic?

If not, then I wouldn't worry about it.

Regards,

Antony.

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

                                                     Please reply to the list;
                                                           please don't CC me.

Re: "CE" - Where's the snot?

[Bob Hockney]

David Cary Hart wrote:

> On Sat, 2004-07-24 at 11:44, Antony Stone wrote:
> Jul 24 16:21:01 mail kernel: - Firewall:  IN=eth0 OUT=
> MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00  SRC=68.236.163.19 D
> ST=192.168.0.31 LEN=41 TOS=00 PREC=0x00 TTL=126 ID=59477 CE DF PROTO=TCP
> SPT=4694 DPT=135 SEQ=4252944646 ACK=3536024229 WIND
> OW=64320 ACK URGP=0
> 
> Note the "CE" just in front of "DF" = Congestion Experienced

Just curious, what kernel version are you using?

-Bob

Re: "CE" - Where's the snot?

[James Sneeringer]

On Sat, Jul 24, 2004 at 04:22:44PM -0400, David Cary Hart wrote:
> Jul 24 16:21:01 mail kernel: - Firewall:  IN=eth0 OUT=
> MAC=00:4f:4e:12:f9:93:00:09:5b:c9:37:54:08:00  SRC=68.236.163.19 D
> ST=192.168.0.31 LEN=41 TOS=00 PREC=0x00 TTL=126 ID=59477 CE DF PROTO=TCP
> SPT=4694 DPT=135 SEQ=4252944646 ACK=3536024229 WIND
> OW=64320 ACK URGP=0
> 
> Note the "CE" just in front of "DF" = Congestion Experienced

Sounds like ECN, Explicit Congestion Notification.  CE is one of the bits
it can set.  Linux has had support for it for some time, but it's a 
compile-time option that's disabled by default because not all firewalls 
understand it, and many won't deal with ECN negotiation properly.  If you 
have a /proc/sys/net/ipv4/tcp_ecn, then your kernel supports ECN.  If 
tcp_ecn is set to 1, it's turned on (which is the default if you compile 
it in).

The remote source, 68.236.163.19, is either the host you were speaking to, 
or some router along the way, and it was trying to notify you that the 
path between you and them might be congested.

http://www.faqs.org/rfcs/rfc2481.html
http://www.faqs.org/rfcs/rfc3168.html

It's complicated, but if this was traffic you were going to drop anyway, 
it's not worth worrying about.  If ECN caused you to incorrectly drop the 
packet, there's an ECN match and target in the stock kernel you might find 
useful, though you might need to recompile to get them 
(CONFIG_IP_NF_MATCH_ECN and CONFIG_IP_NF_TARGET_ECN).

-James