Re: ECN for servers ?

Alan Cox (alan@lxorguk.ukuu.org.uk)
Wed, 14 Feb 2001 21:09:39 +0000 (GMT)


> > Con: people behind broken firewalls can't connect.
>
> Since you can use ICMP to tunnel data, a lot of security ppl are
> reluctant to stop filtering ICMP :/

ICMP isn't the problem. Some of the load balancers and proxy setups didn't
allow ECN frames through. ICMP blocking just breaks path MTU discovery and
accessing the site via IPsec, via Mobile IP and a few other things.

And you can tunnel data over ack sequence spaces, IP over HTTP is trivial.
There are reasons proper proxy setups have passwords outgoing and do not let
any control data/header info across untouched.
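
Added example, not part of the original message or of any product's code: a model of why an ECN-capable SYN fails at a middlebox that still treats the two TCP header bits above URG as reserved, next to an ECN-aware check. The filter functions, port numbers and sample segments are constructed for illustration; the flag layout and the ECN-setup SYN definition follow RFC 3168.

```python
import struct

# TCP flag bits in header byte 13: RFC 793 flags plus the RFC 3168 additions.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_header(sport, dport, seq, flags):
    """Constructed 20-byte TCP header: no options, checksum left at 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 5840, 0, 0)

def tcp_flags(segment):
    """Return the eight flag bits of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def is_ecn_setup_syn(flags):
    """RFC 3168: SYN with ECE and CWR set and ACK clear."""
    return (flags & (SYN | ACK | ECE | CWR)) == (SYN | ECE | CWR)

def legacy_filter_accepts(flags):
    """Hypothetical pre-ECN rule: the former reserved bits must be zero."""
    return (flags & (ECE | CWR)) == 0

def ecn_aware_filter_accepts(flags):
    """Hypothetical corrected rule: allow ECE/CWR, reject only
    contradictory combinations such as SYN+FIN or SYN+RST."""
    return not (flags & SYN and flags & (FIN | RST))

def classify(segment):
    """Return (ecn_setup_syn, legacy_verdict, ecn_aware_verdict)."""
    f = tcp_flags(segment)
    return (is_ecn_setup_syn(f), legacy_filter_accepts(f), ecn_aware_filter_accepts(f))

# Constructed sample segments.
PLAIN_SYN = build_header(40000, 80, 1000, SYN)
ECN_SYN = build_header(40001, 80, 2000, SYN | ECE | CWR)
SYN_FIN = build_header(40002, 80, 3000, SYN | FIN)

if __name__ == "__main__":
    for name, seg in (("plain SYN", PLAIN_SYN), ("ECN SYN", ECN_SYN), ("SYN+FIN", SYN_FIN)):
        ecn, legacy, aware = classify(seg)
        print(f"{name:10} ecn_setup={ecn!s:5} legacy_accepts={legacy!s:5} ecn_aware_accepts={aware}")
```

The ECN SYN is the only segment the two rules disagree on in the direction that breaks connectivity: the legacy rule drops it even though nothing about it is malformed.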
