[Ecn-sane] osx not doing ecn for me

[Ecn-sane] osx not doing ecn for me

[Dave Taht]

sometime in the last three months my osx box stopped attempting ecn negotiation.

It would to verify if its working or not on other osx and ios boxes.

-- 
Make Music, Not War

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-435-0729

Re: [Ecn-sane] osx not doing ecn for me

[Holland, Jake]

Are you sure it's not just temporarily held down?

IIRC Padma said they shut it off for something like an hour or 3
whenever they notice an "anomaly", according to a bunch of heuristics
that can occasionally hit false positives:
https://datatracker.ietf.org/meeting/98/materials/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf

Anyway, my mac still asks for ECN, fwiw.  My sysctls say it like this,
and tweaking them I would imagine would change it around in ways I'd
want to check if I had done anything to them:

net.inet.tcp.ecn_timeout: 60
net.inet.tcp.ecn_setup_percentage: 100
net.inet.tcp.ecn_initiate_out: 2
net.inet.tcp.ecn_negotiate_in: 2 

HTH.

-Jake

On 2020-01-09, 13:18, "Dave Taht" <dave.taht@gmail.com> wrote:

sometime in the last three months my osx box stopped attempting ecn negotiation.

It would to verify if its working or not on other osx and ios boxes.

-- 
Make Music, Not War

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-435-0729
_______________________________________________
Ecn-sane mailing list
Ecn-sane@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/ecn-sane

Re: [Ecn-sane] osx not doing ecn for me

[Pete Heist]

Mine negotiates it, but I’m stuck on 10.13.

This likely isn’t the problem, but I’ve fallen for the trap before that “netstat -sp tcp” needs to be run as root or all counters show 0...

> On Jan 9, 2020, at 10:41 PM, Holland, Jake <jholland@akamai.com> wrote:
> 
> Are you sure it's not just temporarily held down?
> 
> IIRC Padma said they shut it off for something like an hour or 3
> whenever they notice an "anomaly", according to a bunch of heuristics
> that can occasionally hit false positives:
> https://datatracker.ietf.org/meeting/98/materials/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
> 
> Anyway, my mac still asks for ECN, fwiw.  My sysctls say it like this,
> and tweaking them I would imagine would change it around in ways I'd
> want to check if I had done anything to them:
> 
> net.inet.tcp.ecn_timeout: 60
> net.inet.tcp.ecn_setup_percentage: 100
> net.inet.tcp.ecn_initiate_out: 2
> net.inet.tcp.ecn_negotiate_in: 2 
> 
> HTH.
> 
> -Jake
> 
> On 2020-01-09, 13:18, "Dave Taht" <dave.taht@gmail.com> wrote:
> 
> sometime in the last three months my osx box stopped attempting ecn negotiation.
> 
> It would to verify if its working or not on other osx and ios boxes.
> 
> -- 
> Make Music, Not War
> 
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-435-0729
> _______________________________________________
> Ecn-sane mailing list
> Ecn-sane@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/ecn-sane
> 
> _______________________________________________
> Ecn-sane mailing list
> Ecn-sane@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/ecn-sane

Re: [Ecn-sane] osx not doing ecn for me

[Dave Taht]

On Thu, Jan 9, 2020 at 3:30 PM Pete Heist <pete@heistp.net> wrote:
>
> Mine negotiates it, but I’m stuck on 10.13.
>
> This likely isn’t the problem, but I’ve fallen for the trap before that “netstat -sp tcp” needs to be run as root or all counters show 0...

No, that was the trap I'd fallen for. I'd seen it not attempt a couple
negotiations (from looking at the packet captures), then ran that, and
panicked!

Thx!!!!
> > On Jan 9, 2020, at 10:41 PM, Holland, Jake <jholland@akamai.com> wrote:
> >
> > Are you sure it's not just temporarily held down?
> >
> > IIRC Padma said they shut it off for something like an hour or 3
> > whenever they notice an "anomaly", according to a bunch of heuristics
> > that can occasionally hit false positives:
> > https://datatracker.ietf.org/meeting/98/materials/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
> >
> > Anyway, my mac still asks for ECN, fwiw.  My sysctls say it like this,
> > and tweaking them I would imagine would change it around in ways I'd
> > want to check if I had done anything to them:
> >
> > net.inet.tcp.ecn_timeout: 60
> > net.inet.tcp.ecn_setup_percentage: 100
> > net.inet.tcp.ecn_initiate_out: 2
> > net.inet.tcp.ecn_negotiate_in: 2
> >
> > HTH.
> >
> > -Jake
> >
> > On 2020-01-09, 13:18, "Dave Taht" <dave.taht@gmail.com> wrote:
> >
> > sometime in the last three months my osx box stopped attempting ecn negotiation.
> >
> > It would to verify if its working or not on other osx and ios boxes.
> >
> > --
> > Make Music, Not War
> >
> > Dave Täht
> > CTO, TekLibre, LLC
> > http://www.teklibre.com
> > Tel: 1-831-435-0729
> > _______________________________________________
> > Ecn-sane mailing list
> > Ecn-sane@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/ecn-sane
> >
> > _______________________________________________
> > Ecn-sane mailing list
> > Ecn-sane@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/ecn-sane
>


-- 
Make Music, Not War

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-435-0729

Re: [Ecn-sane] osx not doing ecn for me

[Michael Welzl]

> On Jan 10, 2020, at 12:45 AM, Dave Taht <dave.taht@gmail.com> wrote:
> 
> On Thu, Jan 9, 2020 at 3:30 PM Pete Heist <pete@heistp.net> wrote:
>> 
>> Mine negotiates it, but I’m stuck on 10.13.
>> 
>> This likely isn’t the problem, but I’ve fallen for the trap before that “netstat -sp tcp” needs to be run as root or all counters show 0...
> 
> No, that was the trap I'd fallen for. I'd seen it not attempt a couple
> negotiations (from looking at the packet captures), then ran that, and
> panicked!

… and I thought that your Mac had discovered that you hate ECN and turned it off just for you  :)

Cheers,
Michael

Re: [Ecn-sane] osx not doing ecn for me

[Pete Heist]

> On Jan 10, 2020, at 9:48 AM, Michael Welzl <michawe@ifi.uio.no> wrote:
> 
>> On Jan 10, 2020, at 12:45 AM, Dave Taht <dave.taht@gmail.com> wrote:
>> 
>> On Thu, Jan 9, 2020 at 3:30 PM Pete Heist <pete@heistp.net> wrote:
>>> 
>>> Mine negotiates it, but I’m stuck on 10.13.
>>> 
>>> This likely isn’t the problem, but I’ve fallen for the trap before that “netstat -sp tcp” needs to be run as root or all counters show 0...
>> 
>> No, that was the trap I'd fallen for. I'd seen it not attempt a couple
>> negotiations (from looking at the packet captures), then ran that, and
>> panicked!
> 
> … and I thought that your Mac had discovered that you hate ECN and turned it off just for you  :)

I’d started on some other good conspiracy theories when it didn’t work for me but Jon set me straight. :)

Re: [Ecn-sane] osx not doing ecn for me

[Dave Taht]

Going back to looking at this my devices... my mac rarely attempts ecn
over ipv4 or ipv6 nowadays. It seems to fall back to not even trying,
frequently. So for example on one rrul test on a local AP, it will
successfuly try for all the connection, but on a subsequent test won't
try at all or only try two or so. I sat down to look at it harder with
the rrul test against various servers, today....

There is a complex heuristic at work here that I do not understand.
It's really hard to do science when you can't force it to always
negotiate, but I guess it explains
some of the complex data I have from the field where the attempts do
not match the size of the deployment in any sane way.

This is osx high sierra 10.13.6.

On Fri, Jan 10, 2020 at 1:41 AM Pete Heist <pete@heistp.net> wrote:
>
>
> > On Jan 10, 2020, at 9:48 AM, Michael Welzl <michawe@ifi.uio.no> wrote:
> >
> >> On Jan 10, 2020, at 12:45 AM, Dave Taht <dave.taht@gmail.com> wrote:
> >>
> >> On Thu, Jan 9, 2020 at 3:30 PM Pete Heist <pete@heistp.net> wrote:
> >>>
> >>> Mine negotiates it, but I’m stuck on 10.13.
> >>>
> >>> This likely isn’t the problem, but I’ve fallen for the trap before that “netstat -sp tcp” needs to be run as root or all counters show 0...
> >>
> >> No, that was the trap I'd fallen for. I'd seen it not attempt a couple
> >> negotiations (from looking at the packet captures), then ran that, and
> >> panicked!
> >
> > … and I thought that your Mac had discovered that you hate ECN and turned it off just for you  :)
>
> I’d started on some other good conspiracy theories when it didn’t work for me but Jon set me straight. :)
>


-- 
Make Music, Not War

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-435-0729

Re: [Ecn-sane] osx not doing ecn for me

[Holland, Jake]

Hi Dave,

On 3/20/20, 9:25 PM, "Dave Taht" <dave.taht@gmail.com> wrote:
> Going back to looking at this my devices... my mac rarely attempts ecn
> over ipv4 or ipv6 nowadays. It seems to fall back to not even trying,
> frequently. So for example on one rrul test on a local AP, it will
> successfuly try for all the connection, but on a subsequent test won't
> try at all or only try two or so. I sat down to look at it harder with
> the rrul test against various servers, today....
>
> There is a complex heuristic at work here that I do not understand.
> It's really hard to do science when you can't force it to always
> negotiate, but I guess it explains
> some of the complex data I have from the field where the attempts do
> not match the size of the deployment in any sane way.

They described at least some of the heuristics at maprg 98, and yes, they're
somewhat complicated:
https://www.youtube.com/watch?v=wKDgVSMUvis&t=32m22s

https://datatracker.ietf.org/meeting/98/materials/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf#page=5

I wouldn't be surprised if rrul tests will hit their thresholds more often
than a normal traffic pattern, that could be messing up your results.

I thought you could turn off the heuristics by fiddling with the right
sysctls, but I haven't tried to nail it down.

> This is osx high sierra 10.13.6.

Catalina has these, fwiw:

$ sysctl -a | grep ecn
net.inet.tcp.ecn_timeout: 60
net.inet.tcp.ecn_setup_percentage: 100
net.inet.tcp.ecn_initiate_out: 2
net.inet.tcp.ecn_negotiate_in: 2
net.inet.ipsec.ecn: 0
net.inet.mptcp.probecnt: 5
net.inet6.ipsec6.ecn: 0

It would not be surprising if they have changed it some since High Sierra.

Best regards,
Jake