[Ecn-sane] Issue with negotiating ECN with Cloudflare hosts?

[Ecn-sane] Issue with negotiating ECN with Cloudflare hosts?

[Toke Høiland-Jørgensen]

Is anyone else experiencing problems negotiating ECN when connecting to
Cloudflare? I see this for most sites protected by Cloudflare (such as
bufferbloat.net), but only when using IPv4:

# sysctl -w net.ipv4.tcp_ecn=1
net.ipv4.tcp_ecn = 1
# curl -v 1.1.1.1
*   Trying 1.1.1.1:80...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer


# sysctl -w net.ipv4.tcp_ecn=0
net.ipv4.tcp_ecn = 0
# curl -v 1.1.1.1
*   Trying 1.1.1.1:80...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 19 Sep 2019 17:42:22 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://1.1.1.1/
< Served-In-Seconds: 0.000
< CF-Cache-Status: HIT
< Age: 4442
< Expires: Thu, 19 Sep 2019 21:42:22 GMT
< Cache-Control: public, max-age=14400
< Server: cloudflare
< CF-RAY: 518d5b13fcfcd43f-HAM
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>cloudflare-lb</center>
</body>
</html>
* Connection #0 to host 1.1.1.1 left intact


I've opened a support request with my ISP, but thought I'd ask if anyone
else was seeing this? (Is anyone else running with ECN enabled?)

-Toke

Re: [Ecn-sane] Issue with negotiating ECN with Cloudflare hosts?

[Jeremy Harris]

On 19/09/2019 18:50, Toke Høiland-Jørgensen wrote:
> Is anyone else experiencing problems negotiating ECN when connecting to
> Cloudflare? I see this for most sites protected by Cloudflare (such as
> bufferbloat.net), but only when using IPv4:

> I've opened a support request with my ISP, but thought I'd ask if anyone
> else was seeing this? (Is anyone else running with ECN enabled?)

Works for me:

[jgh@lap ~]$ cat /proc/sys/net/ipv4/tcp_ecn
1
[jgh@lap ~]$ curl -v 1.1.1.1
*   Trying 1.1.1.1:80...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.65.3
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 19 Sep 2019 18:23:34 GMT
...


-- 
Cheers,
  Jeremy

Re: [Ecn-sane] [Bloat] Issue with negotiating ECN with Cloudflare hosts?

[Jesper Dangaard Brouer]

On Thu, 19 Sep 2019 19:50:45 +0200 Toke Høiland-Jørgensen <toke@toke.dk> wrote:

> Is anyone else experiencing problems negotiating ECN when connecting to
> Cloudflare? I see this for most sites protected by Cloudflare (such as
> bufferbloat.net), but only when using IPv4:
> 
> # sysctl -w net.ipv4.tcp_ecn=1
> net.ipv4.tcp_ecn = 1
> # curl -v 1.1.1.1
> *   Trying 1.1.1.1:80...
> * TCP_NODELAY set
> * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> > GET / HTTP/1.1
> > Host: 1.1.1.1
> > User-Agent: curl/7.66.0
> > Accept: */*
> >   
> * Recv failure: Connection reset by peer
> * Closing connection 0
> curl: (56) Recv failure: Connection reset by peer

It works for me when repeating your experiment:

$ sysctl -w net.ipv4.tcp_ecn=1
net.ipv4.tcp_ecn = 1

$ curl -v 1.1.1.1
* Rebuilt URL to: 1.1.1.1/
*   Trying 1.1.1.1...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 1.1.1.1
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 20 Sep 2019 07:19:48 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://1.1.1.1/
< Served-In-Seconds: 0.000
< CF-Cache-Status: HIT
< Age: 5944
< Expires: Fri, 20 Sep 2019 11:19:48 GMT
< Cache-Control: public, max-age=14400
< Server: cloudflare
< CF-RAY: 519208830aced891-CPH
[...]
 
 
> # sysctl -w net.ipv4.tcp_ecn=0
> net.ipv4.tcp_ecn = 0
> # curl -v 1.1.1.1
> *   Trying 1.1.1.1:80...
> * TCP_NODELAY set
> * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> > GET / HTTP/1.1
> > Host: 1.1.1.1
> > User-Agent: curl/7.66.0
> > Accept: */*
> >   
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 301 Moved Permanently
> < Date: Thu, 19 Sep 2019 17:42:22 GMT
> < Content-Type: text/html
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Location: https://1.1.1.1/
> < Served-In-Seconds: 0.000
> < CF-Cache-Status: HIT
> < Age: 4442
> < Expires: Thu, 19 Sep 2019 21:42:22 GMT
> < Cache-Control: public, max-age=14400
> < Server: cloudflare
> < CF-RAY: 518d5b13fcfcd43f-HAM
> < 
> <html>
> <head><title>301 Moved Permanently</title></head>
> <body bgcolor="white">
> <center><h1>301 Moved Permanently</h1></center>
> <hr><center>cloudflare-lb</center>
> </body>
> </html>
> * Connection #0 to host 1.1.1.1 left intact
> 
> 
> I've opened a support request with my ISP, but thought I'd ask if anyone
> else was seeing this? (Is anyone else running with ECN enabled?)

I'm not seeing it, so it might be your ISP?

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer

Re: [Ecn-sane] [Bloat] Issue with negotiating ECN with Cloudflare hosts?

[Marek Majkowski]

We definitely don't do anything fancy about ECN on our side. It must
be some middle-box or intermediate router.

Could you share your source IP, traceroute, and ideally "traceroute
-S" (tcp/SYN mode).

On Fri, Sep 20, 2019 at 9:24 AM Jesper Dangaard Brouer
<brouer@redhat.com> wrote:
>
>
> On Thu, 19 Sep 2019 19:50:45 +0200 Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>
> > Is anyone else experiencing problems negotiating ECN when connecting to
> > Cloudflare? I see this for most sites protected by Cloudflare (such as
> > bufferbloat.net), but only when using IPv4:
> >
> > # sysctl -w net.ipv4.tcp_ecn=1
> > net.ipv4.tcp_ecn = 1
> > # curl -v 1.1.1.1
> > *   Trying 1.1.1.1:80...
> > * TCP_NODELAY set
> > * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> > > GET / HTTP/1.1
> > > Host: 1.1.1.1
> > > User-Agent: curl/7.66.0
> > > Accept: */*
> > >
> > * Recv failure: Connection reset by peer
> > * Closing connection 0
> > curl: (56) Recv failure: Connection reset by peer
>
> It works for me when repeating your experiment:
>
> $ sysctl -w net.ipv4.tcp_ecn=1
> net.ipv4.tcp_ecn = 1
>
> $ curl -v 1.1.1.1
> * Rebuilt URL to: 1.1.1.1/
> *   Trying 1.1.1.1...
> * TCP_NODELAY set
> * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> > GET / HTTP/1.1
> > Host: 1.1.1.1
> > User-Agent: curl/7.61.1
> > Accept: */*
> >
> < HTTP/1.1 301 Moved Permanently
> < Date: Fri, 20 Sep 2019 07:19:48 GMT
> < Content-Type: text/html
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Location: https://1.1.1.1/
> < Served-In-Seconds: 0.000
> < CF-Cache-Status: HIT
> < Age: 5944
> < Expires: Fri, 20 Sep 2019 11:19:48 GMT
> < Cache-Control: public, max-age=14400
> < Server: cloudflare
> < CF-RAY: 519208830aced891-CPH
> [...]
>
>
> > # sysctl -w net.ipv4.tcp_ecn=0
> > net.ipv4.tcp_ecn = 0
> > # curl -v 1.1.1.1
> > *   Trying 1.1.1.1:80...
> > * TCP_NODELAY set
> > * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
> > > GET / HTTP/1.1
> > > Host: 1.1.1.1
> > > User-Agent: curl/7.66.0
> > > Accept: */*
> > >
> > * Mark bundle as not supporting multiuse
> > < HTTP/1.1 301 Moved Permanently
> > < Date: Thu, 19 Sep 2019 17:42:22 GMT
> > < Content-Type: text/html
> > < Transfer-Encoding: chunked
> > < Connection: keep-alive
> > < Location: https://1.1.1.1/
> > < Served-In-Seconds: 0.000
> > < CF-Cache-Status: HIT
> > < Age: 4442
> > < Expires: Thu, 19 Sep 2019 21:42:22 GMT
> > < Cache-Control: public, max-age=14400
> > < Server: cloudflare
> > < CF-RAY: 518d5b13fcfcd43f-HAM
> > <
> > <html>
> > <head><title>301 Moved Permanently</title></head>
> > <body bgcolor="white">
> > <center><h1>301 Moved Permanently</h1></center>
> > <hr><center>cloudflare-lb</center>
> > </body>
> > </html>
> > * Connection #0 to host 1.1.1.1 left intact
> >
> >
> > I've opened a support request with my ISP, but thought I'd ask if anyone
> > else was seeing this? (Is anyone else running with ECN enabled?)
>
> I'm not seeing it, so it might be your ISP?
>
> --
> Best regards,
>   Jesper Dangaard Brouer
>   MSc.CS, Principal Kernel Engineer at Red Hat
>   LinkedIn: http://www.linkedin.com/in/brouer

Re: [Ecn-sane] [Bloat] Issue with negotiating ECN with Cloudflare hosts?

[Toke Høiland-Jørgensen]

Marek Majkowski <marek@cloudflare.com> writes:

> We definitely don't do anything fancy about ECN on our side. It must
> be some middle-box or intermediate router.

Yeah, didn't figure you guys were, at least not on purpose... :)

> Could you share your source IP, traceroute, and ideally "traceroute
> -S" (tcp/SYN mode).

Sure, I'll send you that off-list.

-Toke

Re: [Ecn-sane] [Bloat] Issue with negotiating ECN with Cloudflare hosts?

[Toke Høiland-Jørgensen]

Jesper Dangaard Brouer <brouer@redhat.com> writes:

> On Thu, 19 Sep 2019 19:50:45 +0200 Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>
>> Is anyone else experiencing problems negotiating ECN when connecting to
>> Cloudflare? I see this for most sites protected by Cloudflare (such as
>> bufferbloat.net), but only when using IPv4:
>> 
>> # sysctl -w net.ipv4.tcp_ecn=1
>> net.ipv4.tcp_ecn = 1
>> # curl -v 1.1.1.1
>> *   Trying 1.1.1.1:80...
>> * TCP_NODELAY set
>> * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
>> > GET / HTTP/1.1
>> > Host: 1.1.1.1
>> > User-Agent: curl/7.66.0
>> > Accept: */*
>> >   
>> * Recv failure: Connection reset by peer
>> * Closing connection 0
>> curl: (56) Recv failure: Connection reset by peer
>
> It works for me when repeating your experiment:
>
> $ sysctl -w net.ipv4.tcp_ecn=1
> net.ipv4.tcp_ecn = 1
>
> $ curl -v 1.1.1.1
> * Rebuilt URL to: 1.1.1.1/
> *   Trying 1.1.1.1...
> * TCP_NODELAY set
> * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
>> GET / HTTP/1.1
>> Host: 1.1.1.1
>> User-Agent: curl/7.61.1
>> Accept: */*
>> 
> < HTTP/1.1 301 Moved Permanently
> < Date: Fri, 20 Sep 2019 07:19:48 GMT
> < Content-Type: text/html
> < Transfer-Encoding: chunked
> < Connection: keep-alive
> < Location: https://1.1.1.1/
> < Served-In-Seconds: 0.000
> < CF-Cache-Status: HIT
> < Age: 5944
> < Expires: Fri, 20 Sep 2019 11:19:48 GMT
> < Cache-Control: public, max-age=14400
> < Server: cloudflare
> < CF-RAY: 519208830aced891-CPH
> [...]
>  
>  
>> # sysctl -w net.ipv4.tcp_ecn=0
>> net.ipv4.tcp_ecn = 0
>> # curl -v 1.1.1.1
>> *   Trying 1.1.1.1:80...
>> * TCP_NODELAY set
>> * Connected to 1.1.1.1 (1.1.1.1) port 80 (#0)
>> > GET / HTTP/1.1
>> > Host: 1.1.1.1
>> > User-Agent: curl/7.66.0
>> > Accept: */*
>> >   
>> * Mark bundle as not supporting multiuse
>> < HTTP/1.1 301 Moved Permanently
>> < Date: Thu, 19 Sep 2019 17:42:22 GMT
>> < Content-Type: text/html
>> < Transfer-Encoding: chunked
>> < Connection: keep-alive
>> < Location: https://1.1.1.1/
>> < Served-In-Seconds: 0.000
>> < CF-Cache-Status: HIT
>> < Age: 4442
>> < Expires: Thu, 19 Sep 2019 21:42:22 GMT
>> < Cache-Control: public, max-age=14400
>> < Server: cloudflare
>> < CF-RAY: 518d5b13fcfcd43f-HAM
>> < 
>> <html>
>> <head><title>301 Moved Permanently</title></head>
>> <body bgcolor="white">
>> <center><h1>301 Moved Permanently</h1></center>
>> <hr><center>cloudflare-lb</center>
>> </body>
>> </html>
>> * Connection #0 to host 1.1.1.1 left intact
>> 
>> 
>> I've opened a support request with my ISP, but thought I'd ask if anyone
>> else was seeing this? (Is anyone else running with ECN enabled?)
>
> I'm not seeing it, so it might be your ISP?

Yeah, guess I'll get to see if my ISP support knows what ECN is...
Should be fun :P

-Toke