Re: Pathological TCP behavior running ls(1) over SSH

To: David Young <dyoung%pobox.com@localhost>
Subject: Re: Pathological TCP behavior running ls(1) over SSH
From: "Steven M. Bellovin" <smb%cs.columbia.edu@localhost>
Date: Mon, 28 Jan 2008 00:35:58 +0000

On Sun, 27 Jan 2008 18:06:46 -0600
David Young <dyoung%pobox.com@localhost> wrote:

> On Sun, Jan 27, 2008 at 11:34:10PM +0200, Andreas Gustafsson wrote:
> > Aside from the question of whether sshd should set TCP_NODELAY or
> > not, could someone explain why the server waits almost a whole
> > second to retransmit the segment starting at octet 417; why don't
> > the 38 duplicate ACKs cause a fast retransmit?
> 
> Does the server run a packet filter of any kind?  I was astonished to
> find that PF was filtering duplicate ACKs unless I told it otherwise
> with, e.g., the 'flags A/A' rule, below:
> 
> # pfctl -a gateway -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> pass out log-all quick on ath0 route-to gre2 from <cuwin> to !
> <cuwin> flags A/A pass out log-all quick on ath0 route-to gre2 from
> <cuwin> to ! <cuwin> keep state (if-bound)
> 
Frankly, that strikes me as a bug in PF -- there are TCP semantics for
duplicate ACKs.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

Follow-Ups:
- Re: Pathological TCP behavior running ls(1) over SSH
  - From: Daniel Carosone

References:
- Pathological TCP behavior running ls(1) over SSH
  - From: Andreas Gustafsson
- Re: Pathological TCP behavior running ls(1) over SSH
  - From: David Young

Prev by Date: Re: Pathological TCP behavior running ls(1) over SSH
Next by Date: Re: Pathological TCP behavior running ls(1) over SSH
Previous by Thread: Re: Pathological TCP behavior running ls(1) over SSH
Next by Thread: Re: Pathological TCP behavior running ls(1) over SSH
Indexes:

Home | Main Index | Thread Index | Old Index