Subject: Re: IPF state and spurious blocks
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Alan Barrett <apb@iafrica.com>
List: tech-net
Date: 05/28/1999 09:44:04
> Does anyone here use IPF with the TCP state option? This set of rules
> works most of the time. Every once in a while the state generated at
> "out @2" seems to fail. I'm assuming it's a timing issue of some sort.
> Anyone else seeing this?

Yes. The scenario I have seen goes something like this:

  * connection is alive with a window of 2048 bytes and expected
    next TCP sequence number N

  * a data packet (TCP sequence number N, payload length 1400 bytes)
    gets delayed or dropped in the network

  * the next data packet arrives (TCP sequence number N+1400, payload
    length 1400 bytes)
      - ipf permits this packet to go through to the TCP layer
      - ipf now believes that the next expected TCP sequence
        number is N+2800 and the window is 2048.

  * a delayed or retransmitted copy of the lost packet arrives (TCP
    sequence number N, payload length 1400 bytes)
      - ipf would be willing to accept TCP sequence numbers between
        (N+2800-2048) and (N+2800+2048), but this packet fails the
        test, so ipf blocks this packet.

  * more copies of the blocked packet keep arriving, because the
    sender thinks they are being lost in the network.
      - ipf keeps on blocking them.

--apb (Alan Barrett)
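
The scenario in the message above, replayed as an added example (not part of the original message and not ipf's code). It models only the range check as described; the value of N, the class and function names, and the in-order variant used for contrast are assumptions, and 32-bit sequence wraparound is ignored.

```python
# Added illustration; models only the behaviour described in the message.
# Assumptions: constructed value for N, no 32-bit sequence wraparound,
# class and function names are hypothetical.
N = 1_000_000      # constructed starting sequence number
WINDOW = 2048      # window from the scenario
LEN = 1400         # payload length from the scenario


class LastPacketTracker:
    """Expected sequence number jumps to the end of every passed packet,
    even one that arrived ahead of a missing segment (the scenario above)."""

    def __init__(self, next_seq, window):
        self.next_seq = next_seq
        self.window = window

    def check(self, seq, length):
        low = self.next_seq - self.window
        high = self.next_seq + self.window
        if not low <= seq <= high:
            return "block"
        self.advance(seq, length)
        return "pass"

    def advance(self, seq, length):
        self.next_seq = seq + length


class InOrderTracker(LastPacketTracker):
    """Hypothetical contrast: only advance when the packet starts exactly
    at the expected sequence number, so a gap keeps the range anchored."""

    def advance(self, seq, length):
        if seq == self.next_seq:
            self.next_seq = seq + length


def replay(tracker, arrivals):
    """Feed (seq, length) pairs to a tracker and collect its verdicts."""
    return [tracker.check(seq, length) for seq, length in arrivals]


# Constructed arrival order: segment N is lost, N+1400 arrives first,
# then the sender retransmits segment N three times.
ARRIVALS = [(N + LEN, LEN), (N, LEN), (N, LEN), (N, LEN)]

if __name__ == "__main__":
    print("last-packet:", replay(LastPacketTracker(N, WINDOW), ARRIVALS))
    print("in-order:   ", replay(InOrderTracker(N, WINDOW), ARRIVALS))
```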