Amaranten Firewall and ECN - Explicit Congestion Notification

    This Knowledge Base article applies to:
      Amaranten Firewall, all versions

Background

Explicit Congestion Notification (ECN, RFC 3168) is a relatively new addition to IP and TCP. Its purpose is to give
TCP stacks an early warning: "one or more routers along the path are running out of buffer space; slow down,
or you will start losing packets". TCP handles packet loss gracefully and will retransmit after a delay, but the
idea behind ECN is that slowing down gradually, before anything is lost, gives smoother operation for the individual user as well as for the Internet as a whole than timing out after a lost packet does.

This document describes how the advent of ECN affects firewalls in general and Amaranten Firewall in
particular, and the changes in packet consistency checks and default settings that it brought about. It is of special interest to users of versions earlier than 8.00.07 / 8.10.02 / 8.20.00.

An ECN-capable TCP stack sets the new flags already in the first packet of a connection (the SYN). If a firewall
drops packets because any of these flags are set, the result is that ECN-capable TCP stacks will not be able to
communicate through such a firewall at all.

ECN in the forward direction - changes to the IP header

When a router is nearing capacity, it marks IP datagrams passing through it instead of dropping them, using
the two low-order bits of the old Type of Service byte (the ECN field; these bits were previously unused). A
sender that supports ECN sets the field to ECT (ECN-Capable Transport) on its outgoing datagrams, and a
congested router may then rewrite it to CE (Congestion Experienced). Datagrams without ECT are not marked;
they are dropped under congestion as before.

       0                   1                   2                   3   
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Version|  IHL  |    DSCP   |ECN|          Total Length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Identification        |Flags|      Fragment Offset    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Time to Live |    Protocol   |         Header Checksum       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    Destination Address                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

This lets the receiver know that congestion is building up on the path, but the sender, which is the party that actually has to slow down, does not know it yet.

TCP ECN before May 2003

When the receiver sees a CE mark on a TCP segment, it passes this information back to the original sender
via the TCP header: it sets the ECE (ECN-Echo) flag in its ACKs until the sender confirms, with the CWR
(Congestion Window Reduced) flag, that it has slowed down. The same two flags are also used when the
connection is set up: an ECN-capable client sends its SYN with both ECE and CWR set, and a server that
supports ECN answers with ECE set in the SYN-ACK.

From RFC 3168:

        0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
      |               |                       | U | A | P | R | S | F |
      | Header Length |        Reserved       | R | C | S | S | Y | I |
      |               |                       | G | K | H | T | N | N |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

      Figure 3: The old definition of bytes 13 and 14 of the TCP
                header.


        0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
      |               |               | C | E | U | A | P | R | S | F |
      | Header Length |    Reserved   | W | C | R | C | S | S | Y | I |
      |               |               | R | E | G | K | H | T | N | N |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

      Figure 4: The new definition of bytes 13 and 14 of the TCP
                Header.

Before the advent of ECN, the bits now carrying the ECE and CWR flags were commonly referred to as "XMAS" and
"YMAS". These names originate in the term "lamp test segment" or "Christmas-tree packet": a packet with every
flag bit set, which some scanners send to fingerprint TCP stacks.

TCP ECN after May 2003

In May 2003, IANA (Internet Assigned Numbers Authority) assigned one more bit of the reserved field to an
extension of ECN: the "Nonce Sum" (NS) flag, described in RFC 3540. The nonce sum is a scheme for adding
robustness to the ECN mechanism itself: it lets the sender detect a receiver that conceals congestion marks
instead of echoing them. (The extension never saw wide deployment, and RFC 3540 was later retired as Historic
by RFC 8311.)

        0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
      |               |           | N | C | E | U | A | P | R | S | F |
      | Header Length |  Reserved | S | W | C | R | C | S | S | Y | I |
      |               |           |   | R | E | G | K | H | T | N | N |
      +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
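
To make the two header layouts above concrete, here is an added example, not code from the original article
or from Amaranten: a small Python decoder for the IPv4 ECN field and the nine TCP flag bits including NS, run
over a constructed ECN exchange. The addresses, ports and packets are made up for the example, and the
checksums are left zero because this decoder does not verify them.

```python
import struct

# Added example, not from the Amaranten Firewall article: decode the IPv4 ECN field and the
# nine TCP flag bits (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN) and walk a constructed
# ECN exchange through the decoder. Addresses, ports and packets are made up for the example.

# IP ECN codepoints: the two low-order bits of the old TOS byte (RFC 3168, section 5).
ECN_CODEPOINTS = {0b00: "Not-ECT", 0b10: "ECT(0)", 0b01: "ECT(1)", 0b11: "CE"}

# Bit positions in the 16-bit word formed by TCP header bytes 13 and 14: data offset in the
# top nibble, three reserved bits, then NS (bit 8) down to FIN (bit 0).
TCP_FLAG_BITS = [
    (0x100, "NS"), (0x080, "CWR"), (0x040, "ECE"), (0x020, "URG"), (0x010, "ACK"),
    (0x008, "PSH"), (0x004, "RST"), (0x002, "SYN"), (0x001, "FIN"),
]


def parse_ipv4(pkt: bytes) -> dict:
    """The IPv4 header fields that matter for ECN handling, plus the payload after the header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    return {"dscp": tos >> 2, "ecn": ECN_CODEPOINTS[tos & 0x03], "protocol": pkt[9], "payload": pkt[ihl:]}


def parse_tcp_flags(seg: bytes) -> dict:
    """Data offset, the three remaining reserved bits and the set of flag names of a TCP segment."""
    if len(seg) < 20:
        raise ValueError("TCP header truncated")
    word = struct.unpack_from("!H", seg, 12)[0]
    return {
        "data_offset": (word >> 12) * 4,
        "reserved": (word >> 9) & 0x7,
        "flags": {name for bit, name in TCP_FLAG_BITS if word & bit},
    }


def describe(pkt: bytes) -> tuple:
    """(IP ECN codepoint, sorted TCP flags): the two things a firewall's ECN check looks at."""
    ip = parse_ipv4(pkt)
    return ip["ecn"], tuple(sorted(parse_tcp_flags(ip["payload"])["flags"]))


def ecn_negotiated(syn: bytes, synack: bytes) -> bool:
    """RFC 3168 handshake rule: the SYN carries ECE+CWR, the SYN-ACK answers with ECE but not CWR."""
    f_syn = parse_tcp_flags(parse_ipv4(syn)["payload"])["flags"]
    f_ack = parse_tcp_flags(parse_ipv4(synack)["payload"])["flags"]
    return {"SYN", "ECE", "CWR"} <= f_syn and {"SYN", "ACK", "ECE"} <= f_ack and "CWR" not in f_ack


def synth(tos: int, flag_word: int) -> bytes:
    """Constructed IPv4+TCP header pair 10.0.0.1:1234 -> 10.0.0.2:80; checksums left zero (not verified here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 1234, 80, 1, 0, flag_word, 8192, 0, 0)
    return ip + tcp


# One ECN-capable connection, as constructed sample packets (TOS byte, offset/flags word):
EXCHANGE = [
    ("SYN: client offers ECN with ECE+CWR set", synth(0x00, 0x50C2)),
    ("SYN-ACK: server accepts with ECE only", synth(0x00, 0x5052)),
    ("data: sent as ECT(0), a congested router rewrote it to CE", synth(0x03, 0x5018)),
    ("ACK: receiver echoes the congestion with ECE", synth(0x00, 0x5050)),
    ("data: sender has slowed down and signals CWR", synth(0x02, 0x5098)),
    ("data: ECT(0) plus the NS bit of RFC 3540", synth(0x02, 0x5118)),
]

if __name__ == "__main__":
    print("ECN negotiated:", ecn_negotiated(EXCHANGE[0][1], EXCHANGE[1][1]))
    for what, pkt in EXCHANGE:
        ecn, flags = describe(pkt)
        print("%-8s %-20s %s" % (ecn, " ".join(flags), what))
```

Run as a script it prints one line per packet. Note that the first two packets carry ECE and CWR although no
congestion has happened yet: that is the capability negotiation, and it is exactly the packet a firewall set to
drop on ECE/CWR kills, which is why such a setting breaks every connection from an ECN-capable host.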

History of Amaranten Firewall in respect to ECN

There are three things a firewall can do when it sees ECN-related flags set:
  »   Ignore them and pass the packet through. This allows ECN to function fully,
but may also expose bugs in new ECN-related code, and will definitely allow
easier fingerprinting of ECN-capable hosts.
  »   Strip the ECN-related bits and pass the packet through. This disables ECN
functionality, but allows TCP to function normally. (Since header bytes change, the
firewall has to recompute the IP header checksum and the TCP checksum before forwarding.)
  »   Drop the packet. This will break TCP for all ECN-capable hosts, since they set
the flags already in the SYN.

Also, with the new NS flag being used in the newest TCP stacks, it is important that it is treated the same
way as the ECE and CWR flags: dropping on NS breaks TCP for those stacks just as dropping on ECE and CWR does.
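
The three behaviours above, as an added example that is not Amaranten Firewall code: a Python emulation of
"Ignore", "Strip" and "DropLog" applied to constructed IPv4/TCP packets. The example assumes that "Strip"
clears both the IP ECN field and the TCP NS/CWR/ECE flags (the article only says "ECN-related bits"); the
packets, addresses and log format are made up. It also shows the part of "Strip" that is easy to get wrong:
the IP header checksum and the TCP checksum must be recomputed, or the receiver discards the packet anyway.

```python
import struct
from typing import List, Optional

# Added example, not Amaranten Firewall code: emulate the Ignore / Strip / DropLog choices
# for ECN-related bits on one IPv4/TCP packet. All sample packets below are constructed.

IP_ECN_MASK = 0x03       # ECT/CE bits, the low two bits of the old TOS byte
TCP_ECN_MASK = 0x01C0    # NS, CWR, ECE in the 16-bit data-offset/flags word


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 when data already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(pkt: bytes, ihl: int, total: int) -> bytes:
    # src, dst, zero, protocol (6 = TCP), TCP length
    return bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, total - ihl)


def fix_checksums(pkt: bytearray) -> bytearray:
    """Recompute the IP header checksum and the TCP checksum in place after editing headers."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    struct.pack_into("!H", pkt, 10, 0)
    struct.pack_into("!H", pkt, 10, ones_complement_sum(bytes(pkt[:ihl])))
    struct.pack_into("!H", pkt, ihl + 16, 0)
    tcp_sum = ones_complement_sum(_tcp_pseudo_header(pkt, ihl, total) + bytes(pkt[ihl:total]))
    struct.pack_into("!H", pkt, ihl + 16, tcp_sum or 0xFFFF)   # TCP transmits a zero checksum as 0xFFFF
    return pkt


def checksums_valid(pkt: bytes) -> bool:
    """True when both the IP header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return (ones_complement_sum(bytes(pkt[:ihl])) == 0
            and ones_complement_sum(_tcp_pseudo_header(pkt, ihl, total) + bytes(pkt[ihl:total])) == 0)


def strip_ecn_bits(pkt: bytes) -> bytearray:
    """Clear the IP ECN field and the TCP NS/CWR/ECE flags WITHOUT touching the checksums."""
    out = bytearray(pkt)
    ihl = (out[0] & 0x0F) * 4
    out[1] &= 0xFF ^ IP_ECN_MASK
    word = struct.unpack_from("!H", out, ihl + 12)[0]
    struct.pack_into("!H", out, ihl + 12, word & (0xFFFF ^ TCP_ECN_MASK))
    return out


def apply_policy(pkt: bytes, policy: str, log: List[str]) -> Optional[bytes]:
    """Emulate a TCPECN-style setting; returns the packet to forward, or None if it is dropped."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_ecn = pkt[1] & IP_ECN_MASK
    tcp_ecn = struct.unpack_from("!H", pkt, ihl + 12)[0] & TCP_ECN_MASK
    if not (ip_ecn or tcp_ecn) or policy == "Ignore":
        return pkt                                   # nothing ECN-related, or pass ECN through untouched
    if policy == "DropLog":
        log.append("drop: ip_ecn=%#x tcp_ecn_flags=%#x" % (ip_ecn, tcp_ecn))   # constructed log format
        return None
    if policy == "Strip":
        return bytes(fix_checksums(strip_ecn_bits(pkt)))   # the checksum fix is the step that is easy to forget
    raise ValueError("unknown policy: " + policy)


def build(tos: int, flag_word: int, payload: bytes = b"") -> bytes:
    """Constructed 10.0.0.1:1234 -> 10.0.0.2:80 segment with valid checksums (example data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 1234, 80, 1, 0, flag_word, 8192, 0, 0)
    return bytes(fix_checksums(bytearray(ip + tcp + payload)))


ECN_SYN = build(0x00, 0x50C2)                                   # SYN with ECE+CWR: the ECN negotiation
CE_DATA = build(0x03, 0x5118, b"GET / HTTP/1.0\r\n\r\n")         # CE-marked data carrying NS, ACK, PSH
PLAIN_ACK = build(0x00, 0x5010)                                 # no ECN-related bits anywhere

if __name__ == "__main__":
    for policy in ("Ignore", "Strip", "DropLog"):
        log: List[str] = []
        for name, pkt in (("ECN_SYN", ECN_SYN), ("CE_DATA", CE_DATA), ("PLAIN_ACK", PLAIN_ACK)):
            out = apply_policy(pkt, policy, log)
            print(policy, name, "dropped" if out is None else "forwarded, checksums ok=%s" % checksums_valid(out))
        print("\n".join(log))
```

strip_ecn_bits on its own produces a packet whose checksums no longer verify; only after fix_checksums does the
stripped packet pass. A firewall implementing "Strip" that skips that step has effectively implemented "Drop",
just one hop later and without a log entry.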

The following is a list of the changes made to Amaranten Firewall over the years in respect to ECN:
  »   Before version 6.00, Amaranten Firewall was not ECN-aware. It had a setting named
"TCPXMAS", which controlled the ECE and CWR flags. This setting defaulted to "DropLog",
meaning that it broke TCP for ECN-capable hosts. The NS flag was covered by the "TCPRF"
setting, which also defaulted to "DropLog".
Recommended action: Change TCPXMAS and TCPRF to "Strip".
  »   As of version 6.00, the TCPXMAS setting has been replaced by "TCPECN", which
defaults to "Strip". This means that ECN is disabled, but TCP functions normally. The NS
flag is still covered by the "TCPRF" setting, which still defaults to "DropLog".
Recommended action: Change TCPRF to "Strip". Verify that TCPECN is set to "Strip".
  »   As of version 8.00.00, the TCPRF setting defaults to "Strip", which gracefully
disables the Nonce Sum extension.
Recommended action: Verify that TCPRF and TCPECN are set to "Strip".
  »   As of versions 8.10.00 and 8.20.00 (summer 2003), the Nonce Sum bit is treated
according to the TCPECN setting rather than the TCPRF setting.
Recommended action: Verify that TCPECN is set to "Strip".

At some point in the future, when ECN implementations have matured, we will begin recommending that
TCPECN be set to "Ignore" so that ECN signalling can pass through the firewall unimpeded.

More resources

  »   ECN is described in RFC 3168.
  »   The ICIR ECN site has all research data regarding ECN and more links.
  »   The ECN problems page at ICIR.