[Snort-users] RE: Castor's use of "ECN" shut-off

cider at ...242... cider at ...242...
Fri Sep 15 14:47:16 EDT 2000

On Fri, Sep 15, 2000 at 10:57:30AM -0700, cider at ...242... wrote:
] On Fri, Sep 15, 2000 at 08:49:09AM -0400, Novak, Judy H. wrote:
] ] As far as the false positives for the 2 high-order TCP reserved bits due to
] ] Explicit Congestion Notification (ECN) - looking at RFC 2481, it appears
] ] some validation can be done to determine if this is really ECN traffic and
] ] not "stealth" scanning.  In order for ECN to work, the ECN-Capable Transport
] ] (ECT) bit has to be set by the sender to indicate that the endpoints are ECN
] ] capable.  This bit is found in the TOS byte (0x02 bit - previously minimize
] ] cost bit).  So, when a TCP reserved bit is set, this IP bit should also be
] ] set in order for this to be a valid ECN indication.
] ] 
] i think you may have incorrectly interpreted RFC-2481.  it states:
] 	Bits 6 and 7 in the IPv4 TOS octet are designated as the
] 	ECN field.  Bit 6 is designated as the ECT bit, and bit 7 is
] 	designated as the CE bit.
] both of these bits are unused bits in current TOS implementations for
] IPv4.  TOS is defined as an 8-bit field; only the first five bits have
] any significance; bit 0 must be zero, bits 1-5 are used to indicate one
] of the four valid TOS values, and bits 6 and 7 are undefined (except by
] RFC-2481, for ECN purposes).  the correct values for these bits are 0x40
] and 0x80, not 0x02.

whoops - ignore my last post - looks like judy was right.  she pointed out
to me that in section 19 of RFC-2481, they do bit designation differently
than is "normal", and based on a glance at the linux implementation:

	#define ECT_SET(h) (((h).tos)|=0x02)


applications used to use tos 0x02 to specify "minimize cost" - guess
the ECN folks decided those either aren't still in use, or that they
can overload that bit without consequence.

<cider at ...242...>

More information about the Snort-users mailing list