[squid-users] Connection Refused & Explicit Congestion Notification

From: <rriehle@dont-contact.us>
Date: Fri, 06 Apr 2001 15:48:17 -0500 (CDT)

Squid seems unable to access a number of sites including:
 www.intel.com
 www.chicagotribune.com
 www.computerworld.com
 www.techrepublic.com
 www.zdnet.com
  ...and the list goes on.

These sites are most likely using an IDS system that is triggered by
TCP/IP stacks that implement ECN (Explicit Congestion Notification).
This is not a problem with Squid, but rather an apparent failure on
behalf of some IDS vendors to comply with RFCs and properly recognize
ECN. One workaround is to disable ECN within the TCP/IP stacks of
machines running Squid. On Linux this is easy.

SAMPLE ERROR MESSAGE RETURNED BY SQUID TO A BROWSER

 ERROR

 The requested URL could not be retrieved
 -----------------------------------------------------------
 While trying to retrieve the URL: http://www.intel.com/

 The following error was encountered:

      Connection Failed

 The system returned:

     (111) Connection refused

 The remote host or network may be down. Please try the request again.

 Your cache administrator is cache-admin@luc.edu.
 -----------------------------------------------------------
 Generated Fri, 06 Apr 2001 19:10:10 GMT by squid.it.luc.edu (Squid/2.3.STABLE4)

DETAILED PROBLEM DESCRIPTION

 Date: Mon, 11 Sep 2000 17:16:14 -0500 (CDT)
 From: B. Galliart <bgallia@orion.it.luc.edu>
 Subject: Castor's use of "ECN" shut-off

 Last week, as a work-around to problems with the Loyola network, we
 upgraded Castor (one of our mail servers) to Linux kernel version
 2.4.0-test7. This kernel, by default, includes an implementation of
 ECN (Explicit Congestion Notification), also known as RFC 2481 [1].
 ECN is also promoted by Cisco in their _Internet_Protocol_Journal_ as
 a method of improving TCP performance [2]. However, some IDS and
 firewall systems appear to expect strict adherence to RFC 793 [3],
 which states that the bits used for ECN "must be zero" (since they
 were reserved for future use). Among these products is Cisco's
 own PIX firewall, and while Cisco's IPJ promotes the support of ECN,
 there is nothing in the release notes for PIX IOS 5.1 or IOS 5.2 that
 indicates that Cisco itself is supporting ECN. The maintainers of the
 Linux kernel seem to be aware of the problem and discussion has already
 been underway on the kernel developer's mailing list [6]. In the
 meantime, support of ECN/RFC 2481 will remain turned off on Castor. Also,
 there is no reason at this time to believe that someone compromised the
 administrative access needed to forge their own non-standard TCP header
 from Castor.

 Ben Galliart
 bgallia@luc.edu
 Information Technologies
 Loyola University Chicago

 References:
 [1] http://www.faqs.org/rfcs/rfc2481.html
 [2] http://www.cisco.com/warp/public/759/ipj_3-2/ipj_3-2_tcp.html
 [3] http://www.faqs.org/rfcs/rfc793.html
 [4] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pixrn512.htm
 [5] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid133580
 [6] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0009.1/index.html

WORKAROUND

On a machine with a Linux 2.4 kernel, issue the following command as root:

# echo 0 > /proc/sys/net/ipv4/tcp_ecn

Regards,
Richard Riehle
rriehle@luc.edu
Received on Fri Apr 06 2001 - 14:49:04 MDT
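An added example, not part of Richard Riehle's or Ben Galliart's messages: a small POSIX shell script that reports and disables the tcp_ecn sysctl named in the workaround, confirms the write took effect, and decodes the two TCP flag bits (CWR and ECE) that RFC 2481 assigned from the field RFC 793 had reserved, which is what a checker applying RFC 793 strictly objects to. The sysctl path /proc/sys/net/ipv4/tcp_ecn is the one on the page; the functions take the path as an argument so they can be tried on a temporary file without root. The meaning of value 2 is from later kernels (a 2.4 kernel only knows 0 and 1), and the flag values in the demo are constructed.

```shell
#!/bin/sh
# Added example: inspect and disable Linux TCP ECN, and decode the ECN bits
# of a TCP flags byte. Assumes the Linux sysctl /proc/sys/net/ipv4/tcp_ecn;
# the path is always passed in so the functions can run against a temp file.

# Translate a tcp_ecn value into words.
# 0 = ECN off; 1 = request ECN on outgoing and accept on incoming connections;
# 2 = accept only when the peer asks (default on newer kernels, not in 2.4).
ecn_describe() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled (requested on outgoing connections)" ;;
        2) echo "enabled for incoming requests only" ;;
        *) echo "unknown" ;;
    esac
}

# Report the current setting held in the given sysctl file, or "absent".
ecn_status() {
    if [ -r "$1" ]; then
        ecn_describe "$(cat "$1")"
    else
        echo "absent"
    fi
}

# Write 0 into the sysctl file and read it back; fails if the file is not
# writable or the kernel did not accept the value.
ecn_disable() {
    [ -w "$1" ] || return 1
    echo 0 > "$1" || return 1
    [ "$(cat "$1")" = "0" ]
}

# Succeed if either ECN bit is set in a TCP flags byte (header offset 13).
# CWR is 0x80 and ECE is 0x40 (mask 0xC0 = 192): the two bits RFC 793
# reserved as "must be zero" and RFC 2481 reassigned.
tcp_flags_has_ecn() {
    [ $(( $1 & 192 )) -ne 0 ]
}

# Print the two ECN bits of a TCP flags byte as CWR=x ECE=y.
tcp_flags_describe() {
    echo "CWR=$(( ($1 >> 7) & 1 )) ECE=$(( ($1 >> 6) & 1 ))"
}

# Walk-through on a temporary file (constructed) so it runs without root.
demo() {
    f=$(mktemp)
    echo 1 > "$f"
    echo "before: $(ecn_status "$f")"
    ecn_disable "$f" && echo "after:  $(ecn_status "$f")"
    # Constructed SYN from an ECN-enabled 2.4 host: SYN|CWR|ECE = 0xC2 = 194.
    echo "ECN SYN  : $(tcp_flags_describe 194)"
    # Constructed plain SYN: 0x02 = 2.
    echo "plain SYN: $(tcp_flags_describe 2)"
    rm -f "$f"
}

demo
```

Run it as root with the real path (`ecn_disable /proc/sys/net/ipv4/tcp_ecn`) to apply the workaround; a value written to /proc does not survive a reboot, so for a persistent setting put `net.ipv4.tcp_ecn = 0` in /etc/sysctl.conf and load it with `sysctl -p`. Turning ECN off trades away congestion signalling for every connection the host makes, so it is worth confirming first, with a packet capture of the failing SYN, that the refused connections really are the ones carrying CWR and ECE.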
