From: Corey Hickey <bugfood-ml@fatooh.org>
To: Christoph Paasch <christoph.paasch@uclouvain.be>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Linux Netdev List <netdev@vger.kernel.org>,
netfilter-devel@vger.kernel.org
Subject: Re: NAT stops forwarding ACKs after PMTU discovery
Date: Mon, 19 Aug 2013 11:22:30 -0700 [thread overview]
Message-ID: <52126266.70007@fatooh.org> (raw)
In-Reply-To: <20130819123314.GC3583@cpaasch-mac>
On 2013-08-19 05:33, Christoph Paasch wrote:
> Hello,
>
> I would say, the problem is due to a sequence-number rewriting
> middlebox, who does not correctly handle the SACK-blocks.
>
> In remote.pcap, you see:
> Packet#10: A Dup-ACK: ACK 1005503816, SACK: 1005505184-1005505648
> The SACK actually covers Packet#9
>
> In tun0.pcap, you have:
> Packet#9: The one that is SACK'ed: SEQ: 3514869772
> Packet#11: The Dup-ACK: ACK: 3514868404, SACK: 3570452498-3570452962
>
> You can see that the SACK-block is not really aligned with the ACK-numbers.
>
> Netfilter is probably dropping the Dup-ACK, because the SACK-block is
> acknowledging unseen data.
>
>
> There are middleboxes out there that randomize the sequence numbers, due to
> an old bug in Windows, where the initial sequence number was not
> sufficiently randomized. There are some of these middleboxes, who simply do
> not support SACK, thus modify only the sequence numbers of the TCP-header
> (https://supportforums.cisco.com/docs/DOC-12668#TCP_Sequence_Number_Randomization_and_SACK).
>
> This results in a TCP retransmission timeout on the sender, because of
> the invalid SACK-blocks, the duplicate ACKs are not accounted. This
> completly kills the performance, as you can see in our presentation given at
> IETF87: http://tools.ietf.org/agenda/87/slides/slides-87-tcpm-11.pdf
This makes good sense. I normally look at these in wireshark with
relative sequence numbers turned on, and I see in bad/tun0.pcap that the
SACK values are very high, but are normal in bad/remote.pcap.
I see the same thing in good/tun0.pcap, though, so I don't fully
understand what is making it work sometimes and not others.
I will show this thread and the Cisco docs to the network engineer at
work, and maybe we can get the SEQ randomization turned off (or at least
test it).
> We have a patch that accounts DUP-ACKs with invalid SACK-blocks effectively
> as duplicate acknowledgments. I can send the patches, if the
> netdev-community is interested in accepting these upstream.
I'll keep my eye out and test them if they come up.
Thanks,
Corey
prev parent reply other threads:[~2013-08-19 18:22 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-18 5:55 NAT stops forwarding ACKs after PMTU discovery Corey Hickey
2013-08-18 15:24 ` Eric Dumazet
2013-08-18 16:59 ` Corey Hickey
2013-08-18 21:23 ` Jozsef Kadlecsik
2013-08-19 0:00 ` Eric Dumazet
2013-08-19 0:03 ` Eric Dumazet
2013-08-19 8:43 ` Corey Hickey
2013-08-19 12:33 ` Christoph Paasch
2013-08-19 13:24 ` Eric Dumazet
2013-08-19 13:49 ` Christoph Paasch
2013-08-19 13:58 ` Eric Dumazet
2013-08-19 14:35 ` Phil Oester
2013-08-19 15:32 ` Eric Dumazet
2013-08-19 15:33 ` Christoph Paasch
2013-08-19 16:00 ` Eric Dumazet
2013-08-19 17:15 ` Christoph Paasch
2013-08-19 18:00 ` Phil Oester
2013-08-19 18:10 ` Eric Dumazet
2013-08-19 19:29 ` [RFC 0/2] Account for duplicate ACKs with invalid SACK-blocks Christoph Paasch
2013-08-19 19:29 ` [RFC 1/2] Use acked_out for reno-style ack acounting instead of sacked_out Christoph Paasch
2013-08-19 19:29 ` [RFC 2/2] Account acked_out in sack, if the sack is invalid Christoph Paasch
2013-08-19 21:22 ` [RFC 0/2] Account for duplicate ACKs with invalid SACK-blocks Corey Hickey
2013-08-20 7:36 ` Christoph Paasch
2013-08-22 3:32 ` David Miller
2013-08-22 4:15 ` Corey Hickey
2013-08-19 14:43 ` NAT stops forwarding ACKs after PMTU discovery Christoph Paasch
2013-08-19 20:13 ` Jozsef Kadlecsik
2013-08-19 20:43 ` Christoph Paasch
2013-08-19 21:08 ` Eric Dumazet
2013-08-19 22:07 ` Jozsef Kadlecsik
2013-08-20 4:18 ` Corey Hickey
2013-08-19 18:22 ` Corey Hickey [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52126266.70007@fatooh.org \
--to=bugfood-ml@fatooh.org \
--cc=christoph.paasch@uclouvain.be \
--cc=eric.dumazet@gmail.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).