Re: [squid-users] Connection Refused & Explicit Congestion Notification

From: Joel Jaeggli <joelja@dont-contact.us>
Date: Fri, 6 Apr 2001 14:33:01 -0700 (PDT)

On Fri, 6 Apr 2001, Richard Riehle wrote:

> You're right, Joel: this has been fixed by some IDS vendors via recent software
> releases. The sites I listed are either still running old software or
> un-fixable IDS systems, I haven't tried to determine which. Also, in looking
> back through the squid-users list archives it seems that some sites that
> formerly had symptoms of this problem no longer do. They've probably upgraded
> their IDS. Either way, there are enough sites out there running bad IDS to force
> me to shut off ECN on my Squid boxes and mail servers and news servers and....

likewise, I'm only running ecn on some test hardware...

joelja

> Cheers, Rick
>
>
> Quoting Joel Jaeggli <joelja@darkwing.uoregon.edu>:
>
> > cisco local-director and pix were big culprits in ecn related issues. but
> > that's fixed in modern releases of the software for those platforms. so
> > it might be useful to examine what sites still have this issue in more
> > detail (are they using un-upgraded local-directors or is it boxes from
> > other vendors for which there isn't a fix).
> >
> > joelja
> >
> > On Fri, 6 Apr 2001 rriehle@iris.it.luc.edu wrote:
> >
> > > Squid seems unable to access a number of sites including:
> > > www.intel.com
> > > www.chicagotribune.com
> > > www.computerworld.com
> > > www.techrepublic.com
> > > www.zdnet.com
> > > ...and the list goes on.
> > >
> > > These sites are most likely using an IDS system that is triggered by
> > > TCP/IP stacks that implement ECN (Explicit Congestion Notification).
> > > This is not a problem with Squid, but rather an apparent failure on
> > > behalf of some IDS vendors to comply with RFCs and properly recognize
> > > ECN. One workaround is to disable ECN within the TCP/IP stacks of
> > > machines running Squid. On Linux this is easy.
> > >
>
> [snip]
>

-- 
--------------------------------------------------------------------------
Joel Jaeggli				       joelja@darkwing.uoregon.edu
Academic User Services			     consult@gladstone.uoregon.edu
     PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--------------------------------------------------------------------------
It is clear that the arm of criticism cannot replace the criticism of
arms.  Karl Marx -- Introduction to the critique of Hegel's Philosophy of
the right, 1843.
Received on Fri Apr 06 2001 - 15:33:03 MDT
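
The thread above blames the refused connections on devices that do not recognize ECN. The following is an added illustration, not part of any message in the thread: RFC 3168 assigns the ECE and CWR flags to two TCP header bits that RFC 793 left reserved, so a filter that treats any reserved bit as invalid rejects an ECN-setup SYN. The two verdict functions are hypothetical rules, and the headers are constructed samples.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 plus RFC 3168).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80  # reserved in RFC 793, assigned to ECN by RFC 3168

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=5840):
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    offset_reserved = 5 << 4  # data offset = 5 words, low nibble zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_reserved, flags, window, 0, 0)

def tcp_flags(header):
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def is_ecn_setup_syn(header):
    """RFC 3168: an ECN-setup SYN has SYN, ECE and CWR set and ACK clear."""
    f = tcp_flags(header)
    return f & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)

def legacy_filter_verdict(header):
    """Hypothetical pre-ECN rule: bits outside the six RFC 793 flags are invalid."""
    return "reject" if tcp_flags(header) & (ECE | CWR) else "accept"

def ecn_aware_verdict(header):
    """Hypothetical corrected rule: ECE/CWR are legal; judge only classic flags."""
    f = tcp_flags(header) & ~(ECE | CWR) & 0xFF
    # SYN combined with FIN or RST is still nonsensical and worth rejecting.
    if f & SYN and f & (FIN | RST):
        return "reject"
    return "accept"

# Constructed samples: a plain SYN, an ECN-setup SYN, and a malformed SYN+FIN.
SAMPLES = {
    "plain SYN": build_tcp_header(40000, 80, SYN),
    "ECN-setup SYN": build_tcp_header(40001, 80, SYN | ECE | CWR),
    "SYN+FIN with ECN bits": build_tcp_header(40002, 80, SYN | FIN | ECE | CWR),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:22} flags=0x{tcp_flags(hdr):02x} "
              f"ecn_setup={is_ecn_setup_syn(hdr)} "
              f"legacy={legacy_filter_verdict(hdr)} "
              f"ecn_aware={ecn_aware_verdict(hdr)}")
```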
