by syn0byte 2554 days ago
No, not "any system". Besides needing SACK enabled (which is by default) you also need segment offloading and non-shite networking hardware that will respect and preserve stupid MSS fields in packets.

Pending a patch, simply disable SACK:

  ~$ echo 0 > /proc/sys/net/ipv4/tcp_sack

and/or disable segmentation offloading:

  ~$ ethtool -K eth? tso off

TCP and Checksum offloading still aren't super standard on customer grade NICs or virtual machines. I'd assume less than half of the internet's linux hosts are actually at risk.

4 comments

> TCP and Checksum offloading still aren't super standard on customer grade NICs or virtual machines.

I thought VMware shipped that at least a decade ago — is there some specific sub-feature you had in mind? Similarly, at least Apple's consumer hardware had checksum offloading back in the early 2000s and segmentation support shipped in 10.6 (2009) so it seems like it should be relatively mainstream since they tended to use commodity NIC hardware.

No doubt checksumming support's been around for a while, ASIC MD5 is dirt cheap. Yes, VMware shipped with it about a decade ago in ESXi, but that was dependent on host NIC support. OSX may ship with the driver support but I'm having trouble finding hardware specs to verify hardware support. I said "not super standard" and "customer grade"; I didn't say it wasn't supported at all.

As to the specific subset; TCP Segmentation Offload. As was mentioned in the article.

> As was mentioned in the article.

Yes, I know. I was asking for clarification on the off chance that you were describing something which didn’t ship a decade ago. I first used TSO on servers in the early 2000s and by 2010 even the consumer-grade hardware I was seeing had it.

Can't find the prerequisite on segment offloading anywhere, any link on this?

The link to the article....

"When Segmentation offload is on and SACK mechanism is also enabled, due to packet loss and selective retransmission of some packets, SKB could end up holding multiple packets, counted by ‘tcp_gso_segs’."

Segmentation offload in Linux is dependent on checksum offloads per here:

https://www.kernel.org/doc/Documentation/networking/segmenta...

Thank you, syn0byte.

Isn't TSO enabled on EC2? Their bulletin implies it at least, I seem to remember the same.

Enabled on Azure Ubuntu, FWIW:

  $ ethtool -k eth0 | grep tcp-seg
  tcp-segmentation-offload: on

It may well be, I don't use EC2 much at all. Checking is easy enough:

  ~$ ethtool -k ethX

Also on the virtualization side, VMware VMXNet adapters also support offloading for guests.

Disabling tso alone would not be enough. You also need to disable gso if you go that route.
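
A check for the preconditions named in this thread (SACK enabled, with TSO or GSO switched on), as an added example that is not part of any comment above. The function names and verdict strings are made up for illustration, and the sample `ethtool -k` output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reports whether the preconditions the
# comments name are present: tcp_sack enabled plus TSO or GSO switched on.

# offload_state FEATURE: reads `ethtool -k` output on stdin, prints on/off/unknown.
offload_state() {
    awk -v f="$1" -F': *' '
        { k = $1; sub(/^[ \t]+/, "", k) }          # sub-features are indented
        k == f && !found { split($2, a, " "); print a[1]; found = 1 }  # drops "[fixed]"
        END { if (!found) print "unknown" }'
}

# verdict SACK_VALUE ETHTOOL_OUTPUT: hypothetical helper; verdict strings are made up.
verdict() {
    tso=$(printf '%s\n' "$2" | offload_state tcp-segmentation-offload)
    gso=$(printf '%s\n' "$2" | offload_state generic-segmentation-offload)
    if [ "$1" = "0" ]; then
        echo "sack-off"
    elif [ "$tso" = "on" ] || [ "$gso" = "on" ]; then
        echo "sack-on+offload-on"        # disabling only one of tso/gso lands here
    elif [ "$tso" = "off" ] && [ "$gso" = "off" ]; then
        echo "sack-on+offload-off"
    else
        echo "sack-on+offload-unknown"
    fi
}

# Constructed sample of `ethtool -k` output, so the script runs offline.
SAMPLE='Features for eth0:
tx-checksumming: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on'

verdict 1 "$SAMPLE"
# On a live host (interface name is an assumption):
#   verdict "$(cat /proc/sys/net/ipv4/tcp_sack)" "$(ethtool -k eth0)"
```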