Public bug reported:

The ubuntu version of procps carries its own /etc/sysctl.d/10-network-security.conf
file explicitly that appears not to be part of the debian procps version.


Firstly, the section about "# Turn on SYN-flood protections." (came from LP
#57091) is now entirely outdated, upstream kernel has long since turned on
syncookies by default, so setting this flag explicitly in
10-network-security.conf is entirely redundant, likely since before ubuntu-14.04.
I would like the ubuntu-maintainer to remove that section entirely in cosmic
onwards.

[I am going to report to debian the similarly outdated syncookies comments
in sysctl.conf itself].


Secondly, I propose a new 10-network-tuning.conf with:-
==============================================================================
# Allow ECN for outgoing connections.  Starting with 4.2, there is an adaptive
# fallback [enabled by default tcp_ecn_fallback option] preventing connection
# loss even with ecn enabled, also ecn-intolerance is increasingly very rare.
net.ipv4.tcp_ecn=1
==============================================================================

I know there is a (small) chance of issues/regressions with ECN enabled
by default on outgoing, but I'm quite sure the issue is very rare, like
others notice [ref: 1 and 2 below].  Apple's selective enablements etc.
show this works, just as much as my own use for years and many similar
reports.

ECN actually being used for outgoing connections really helps with
latency-reduction with modern routers (both core and edge) using queuing
disciplines fq_codel or otherwise, able to mark rather than drop packets
on ECN-enabled flows [helps latency and realtime applications].  Now that
we are just past the LTS release is in my view the 'right time' to finally
enable ECN [and obviously easy to revert!].  If this is disputed, in ANY
case I strongly suggest at the very least a commented-out ECN section
should be included, but 'defaults matter'!

I was going to suggest a non-default section about
net.core.default_qdisc [ LP #1436945 ] but this appears to have been
fixed upstream similarly.

[1] https://www.ietf.org/proceedings/98/slides/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
[2] http://seclists.org/nanog/2015/Jun/675
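An added example, not part of the bug report: a small POSIX shell audit of a sysctl.d fragment that separates settings which merely restate the kernel's built-in default (the now-redundant net.ipv4.tcp_syncookies=1 the report describes) from settings that actually change it (the proposed net.ipv4.tcp_ecn=1). The defaults table and the input file are constructed samples, and audit_sysctl_file/default_for are hypothetical names, not anything from procps.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a sysctl.d fragment and flag
# settings that only restate the kernel's built-in default (as the report says
# net.ipv4.tcp_syncookies=1 now does) versus settings that change it (as the
# proposed net.ipv4.tcp_ecn=1 would).
#
# The defaults table is a constructed sample covering the keys the report
# discusses; a real audit would build it from a freshly booted kernel with no
# sysctl.d overrides applied (sysctl -a), since the kernel does not expose
# its compiled-in defaults separately from the current values.
CONSTRUCTED_DEFAULTS='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_ecn=2
net.ipv4.tcp_ecn_fallback=1
net.core.default_qdisc=fq_codel'

# default_for KEY -> prints the table's default for KEY, or nothing if unknown.
default_for() {
    printf '%s\n' "$CONSTRUCTED_DEFAULTS" |
        awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# audit_sysctl_file FILE -> one "KEY VALUE STATUS" line per setting, where
# STATUS is "redundant" (equals the default), "changes" (differs) or
# "unknown" (key not in the table).  Comment lines (# or ;) and blank lines
# are skipped; whitespace around '=' and a leading '-' (sysctl's
# "ignore errors" marker) are tolerated, as sysctl.d(5) allows.
audit_sysctl_file() {
    grep -v -e '^[[:space:]]*[#;]' -e '^[[:space:]]*$' "$1" |
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        key=${key#-}
        value=$(printf '%s' "$value" | tr -d '[:space:]')
        def=$(default_for "$key")
        if [ -z "$def" ]; then
            status=unknown
        elif [ "$def" = "$value" ]; then
            status=redundant
        else
            status=changes
        fi
        printf '%s %s %s\n' "$key" "$value" "$status"
    done
}
```

Run it as `audit_sysctl_file /etc/sysctl.d/10-network-security.conf` after replacing the table with your own kernel's defaults; every "redundant" line is a candidate for removal, every "changes" line is a real policy decision worth a comment.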

** Affects: procps (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1773157

Title:
  procps outdated network options, old syncookies, new ecn update
  please.

Status in procps package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1773157/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp