[Bug 1773157] Re: procps outdated network options, old syncookies, new ecn update please.

Toke Høiland-Jørgensen 1773157 at bugs.launchpad.net
Fri May 25 11:11:16 UTC 2018 

I've been running with tcp_ecn=1 for years with no issue. Since ECN
marking is making its way into more and more places, enabling it by
default makes sense. In particular, it would go well with the recent
addition of FQ-CoDel as the default queue management algorithm :)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1773157

Title:
  procps outdated network options, old syncookies, new ecn update
  please.

Status in procps package in Ubuntu:
  Confirmed

Bug description:
  The ubuntu version of procps carries it's own  /etc/sysctl.d/10
  -network-security.conf  file explicitly that appears not to be part of
  debian procps version.

  
  Firstly, the section about "# Turn on SYN-flood protections." (came from LP #57091 ) is now entirely outdated, upstream kernel has long since turned on syncookies by default, so setting this flag explicitly in 10-network-security.conf is entirely redundant likely since before ubuntu-14.04 .
  I would like the ubuntu-maintainer to remove that section entirely in cosmic onwards.

  [I am going to report debian the similarly outdated syncookies
  comments in sysctl.conf itself].

  
  Secondly, I propose a new 10-network-tuning.conf with:-
  ==============================================================================
  # Allow ECN for outgoing connections.  Starting with 4.2, there is an adaptive
  # fallback [enabled by default tcp_ecn_fallback option] preventing connection
  # loss even with ecn enabled, also ecn-intolerance is increasingly very rare.
  net.ipv4.tcp_ecn=1
  ==============================================================================

  I know there is a (small) chance of issues/regressions with ECN
  enabled by default on outgoing but I'm quite sure the issue is very
  rare, like others notice [ref: 1 and 2 below].  Apple's selective
  enablements etc. show this works just as much as my own use for years
  and many similar reports.

  ECN actually being used for outgoing connections really helps with
  latency-reduction with modern routers (both core and edge) using
  queuing disciplines fq_codel or otherwise, able to mark rather than
  drop packets on ECN-enabled flows [helps latency and realtime
  applications].  Now we are just past LTS release is in my view the
  'right time' to finally enable ECN [and obviously easy to revert!].
  If this is disputed, in ANY case I strongly suggest at the very least
  a commented-out ECN section should be included, but 'defaults
  matter'!.

  I was going to suggest a non-default section about
  net.core.default_qdisc [ LP #1436945 ] but this appears to have been
  fixed upstream similarly.

  [1] https://www.ietf.org/proceedings/98/slides/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
  [2] http://seclists.org/nanog/2015/Jun/675

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1773157/+subscriptions

More information about the foundations-bugs mailing list