[Bug 1773157] [NEW] procps outdated network options, old syncookies, new ecn update please.
Simon Iremonger
ubuntu at iremonger.me.uk
Thu May 24 11:59:58 UTC 2018
Public bug reported:
The ubuntu version of procps carries its own /etc/sysctl.d/10-network-security.conf file explicitly that appears not to be part of the debian procps version.
Firstly, the section about "# Turn on SYN-flood protections." (came from LP #57091) is now entirely outdated: the upstream kernel has long since turned on syncookies by default, so setting this flag explicitly in 10-network-security.conf is entirely redundant, likely since before ubuntu-14.04.
I would like the ubuntu-maintainer to remove that section entirely in cosmic onwards.
[I am going to report to debian the similarly outdated syncookies comments in sysctl.conf itself].
Secondly, I propose a new 10-network-tuning.conf with:-
==============================================================================
# Allow ECN for outgoing connections. Starting with 4.2, there is an adaptive
# fallback [enabled by default tcp_ecn_fallback option] preventing connection
# loss even with ecn enabled, also ecn-intolerance is increasingly very rare.
net.ipv4.tcp_ecn=1
==============================================================================
I know there is a (small) chance of issues/regressions with ECN enabled by default on outgoing, but I'm quite sure the issue is very rare, as others notice [ref: 1 and 2 below]. Apple's selective enablements etc. show this works, just as much as my own use for years and many similar reports.
ECN actually being used for outgoing connections really helps with latency reduction with modern routers (both core and edge) using queuing disciplines (fq_codel or otherwise) able to mark rather than drop packets on ECN-enabled flows [helps latency and realtime applications]. Now that we are just past the LTS release is, in my view, the 'right time' to finally enable ECN [and obviously easy to revert!]. If this is disputed, in ANY case I strongly suggest at the very least a commented-out ECN section should be included, but 'defaults matter'!
I was going to suggest a non-default section about
net.core.default_qdisc [ LP #1436945 ] but this appears to have been
fixed upstream similarly.
[1] https://www.ietf.org/proceedings/98/slides/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
[2] http://seclists.org/nanog/2015/Jun/675
** Affects: procps (Ubuntu)
Importance: Undecided
Status: New
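A small audit of sysctl.d fragments like the two discussed in this report, as an added example that is not part of the bug report or of procps: it parses sysctl.conf syntax, flags settings that merely restate the assumed kernel default (the syncookies case), and warns when net.ipv4.tcp_ecn=1 is set without the tcp_ecn_fallback safety net. The KERNEL_DEFAULTS table is an assumption for the demo (tcp_syncookies=1 and tcp_ecn_fallback=1 follow the report's own claims; tcp_ecn=2, "accept but don't request ECN", is the usual upstream default), and the two config fragments are constructed sample input.

```python
import re

# Assumed upstream defaults (see lead-in); dotted sysctl names.
KERNEL_DEFAULTS = {
    "net.ipv4.tcp_syncookies": "1",   # on by default, per the report
    "net.ipv4.tcp_ecn": "2",          # accept ECN, do not request it
    "net.ipv4.tcp_ecn_fallback": "1", # adaptive fallback, default since 4.2
}

# sysctl.conf line: optional '-' (ignore errors), key, '=', value
LINE_RE = re.compile(r"^\s*(-?)([\w./]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text):
    """Parse sysctl.conf syntax: '#'/';' comments, 'key = value' lines,
    with slash-separated keys normalised to the dotted form."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        m = LINE_RE.match(line)
        if m:
            _, key, value = m.groups()
            settings[key.replace("/", ".")] = value
    return settings


def audit(settings, defaults=KERNEL_DEFAULTS):
    """Return (redundant, findings): keys whose value equals the assumed
    default, and notes on settings that need a companion knob."""
    redundant = sorted(k for k, v in settings.items() if defaults.get(k) == v)
    findings = []
    if settings.get("net.ipv4.tcp_ecn") == "1":
        fb = settings.get("net.ipv4.tcp_ecn_fallback",
                          defaults["net.ipv4.tcp_ecn_fallback"])
        if fb != "1":
            findings.append("tcp_ecn=1 but tcp_ecn_fallback is off: "
                            "no adaptive fallback on ECN-intolerant paths")
    return redundant, findings


# Constructed fragments modelled on the two files the report discusses.
SECURITY_CONF = "# Turn on SYN-flood protections.\nnet.ipv4.tcp_syncookies=1\n"
TUNING_CONF = "# Allow ECN for outgoing connections.\nnet.ipv4.tcp_ecn=1\n"

if __name__ == "__main__":
    merged = {**parse_sysctl(SECURITY_CONF), **parse_sysctl(TUNING_CONF)}
    print(audit(merged))  # (['net.ipv4.tcp_syncookies'], [])
```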
https://bugs.launchpad.net/bugs/1773157