[Bug 1773157] Re: procps outdated network options, old syncookies, new ecn update please.

Simon Iremonger ubuntu at iremonger.me.uk
Tue May 29 08:30:59 UTC 2018 

It would appear that the path-of-least-resistance at present, is
systemd, poettering which is what is (for systemd-booters) where
fq_codel is getting turned-on in ubuntu.

This raises a wider-issue about bringing systemd-provided sysctl-
defaults into procps more widely [systemd has introduced many of these
in its' own repository, but version in ubuntu-bionic has few, see
/usr/lib/sysctl.d/ on a bionic system...

ALSO I have discovered there are facts to be checked about "BBR" as
default TCP congestion-control, which will also be desirable, but MAY
still have immature/issues when ECN is used on a TCP connection as well
[one suggestion BBR doesn't react to ECN notifications]...   I'm trying
to get 'evidence' and 'facts' in that regard, which seem to be sparse
and hard-to-find ...

I'm going to (try) to get more facts before suggesting patches with reasons/evidence a few places.
Agree entirely debian and upstream worth trying to ask, etc.
HOWEVER its' often very useful to have had a change introduced in a 'non-lts' or 'testing' distibution like ubuntu-non-LTS releases so you can say how it works and had some testing/exposure somewhere first...  It may be I come back to you and suggest a delta in ubuntu "for now" for good reason.  We will see.

Thankyou for helpful and promising-sounding response!.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1773157

Title:
  procps outdated network options, old syncookies, new ecn update
  please.

Status in procps package in Ubuntu:
  Confirmed

Bug description:
  The ubuntu version of procps carries it's own  /etc/sysctl.d/10
  -network-security.conf  file explicitly that appears not to be part of
  debian procps version.

  
  Firstly, the section about "# Turn on SYN-flood protections." (came from LP #57091 ) is now entirely outdated, upstream kernel has long since turned on syncookies by default, so setting this flag explicitly in 10-network-security.conf is entirely redundant likely since before ubuntu-14.04 .
  I would like the ubuntu-maintainer to remove that section entirely in cosmic onwards.

  [I am going to report debian the similarly outdated syncookies
  comments in sysctl.conf itself].

  
  Secondly, I propose a new 10-network-tuning.conf with:-
  ==============================================================================
  # Allow ECN for outgoing connections.  Starting with 4.2, there is an adaptive
  # fallback [enabled by default tcp_ecn_fallback option] preventing connection
  # loss even with ecn enabled, also ecn-intolerance is increasingly very rare.
  net.ipv4.tcp_ecn=1
  ==============================================================================

  I know there is a (small) chance of issues/regressions with ECN
  enabled by default on outgoing but I'm quite sure the issue is very
  rare, like others notice [ref: 1 and 2 below].  Apple's selective
  enablements etc. show this works just as much as my own use for years
  and many similar reports.

  ECN actually being used for outgoing connections really helps with
  latency-reduction with modern routers (both core and edge) using
  queuing disciplines fq_codel or otherwise, able to mark rather than
  drop packets on ECN-enabled flows [helps latency and realtime
  applications].  Now we are just past LTS release is in my view the
  'right time' to finally enable ECN [and obviously easy to revert!].
  If this is disputed, in ANY case I strongly suggest at the very least
  a commented-out ECN section should be included, but 'defaults
  matter'!.

  I was going to suggest a non-default section about
  net.core.default_qdisc [ LP #1436945 ] but this appears to have been
  fixed upstream similarly.

  [1] https://www.ietf.org/proceedings/98/slides/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
  [2] http://seclists.org/nanog/2015/Jun/675

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1773157/+subscriptions

More information about the foundations-bugs mailing list