The window scaling problem

Many firewalls check that a TCP segment falls within the expected window. If window scaling is in use but the firewall does not support it, it discards packets that go beyond the unscaled window, to prevent out-of-window attacks. For example, with a window size of 46 bytes and a scaling factor of 7 (the real window being 5760 bytes), the firewall only accepts 46 bytes at a time. This results in very low performance.

The problem is more insidious than blackholes with ExplicitCongestionNotification: the session can be established, so the user may not suspect that the performance should be much better.
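To make the mechanism concrete, here is an added Python illustration; it is not code from the original page or from any vendor named on it. It parses the Window Scale option out of a SYN's option bytes, computes the effective window, and compares which segments a scale-aware window check and a scale-unaware one would accept. The option bytes, sequence numbers and segment sizes are constructed for this example; a raw window field of 45 and a shift of 7 are assumed so that the effective window equals the 5760 bytes quoted above.

```python
"""
Added illustration of the window scaling problem (not part of the wiki page).

All inputs below are constructed for this example; nothing here was captured
from any of the middleboxes discussed on the page.
"""

# TCP option kinds (RFC 793 / RFC 1323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3

# Constructed option bytes of a SYN: MSS 1460, NOP, Window Scale shift 7
SYN_OPTIONS = bytes([OPT_MSS, 4, 0x05, 0xB4, OPT_NOP, OPT_WSCALE, 3, 7])

# Constructed (seq, length) pairs of segments arriving after the handshake
SEGMENTS = [(1000, 45), (1045, 1000), (5000, 1460), (7000, 100)]


def parse_tcp_options(raw: bytes) -> dict:
    """Parse the options part of a TCP header into {kind: value_bytes}."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def window_scale_shift(raw_options: bytes) -> int:
    """Shift count from the Window Scale option, or 0 if the option is absent.
    RFC 1323 limits the shift to 14; larger values are clamped to 14."""
    opts = parse_tcp_options(raw_options)
    if OPT_WSCALE not in opts:
        return 0
    return min(opts[OPT_WSCALE][0], 14)


def effective_window(advertised: int, shift: int) -> int:
    """The window the receiver really offers: 16-bit field shifted left."""
    return advertised << shift


def in_window(seq: int, seg_len: int, rcv_nxt: int, window: int) -> bool:
    """Accept a segment only if it lies within [rcv_nxt, rcv_nxt + window).
    Simplified (no sequence wraparound) form of a stateful firewall's check."""
    return rcv_nxt <= seq and seq + seg_len <= rcv_nxt + window


def classify_segments(segments, rcv_nxt, advertised, shift):
    """Return (accepted by a scale-aware check, accepted by a scale-unaware
    check) as lists of sequence numbers. The scale-unaware box applies the
    raw 16-bit window field, which is the behaviour the page describes."""
    aware = effective_window(advertised, shift)
    unaware = advertised  # scale ignored
    ok_aware = [s for s, n in segments if in_window(s, n, rcv_nxt, aware)]
    ok_unaware = [s for s, n in segments if in_window(s, n, rcv_nxt, unaware)]
    return ok_aware, ok_unaware


if __name__ == "__main__":
    shift = window_scale_shift(SYN_OPTIONS)
    raw_window = 45  # assumed value of the 16-bit window field
    print("shift:", shift, "effective window:", effective_window(raw_window, shift))
    aware, unaware = classify_segments(SEGMENTS, 1000, raw_window, shift)
    print("scale-aware accepts:  ", aware)
    print("scale-unaware accepts:", unaware)
```

With these inputs the scale-aware check accepts the first three segments, while the scale-unaware check accepts only the first 45-byte segment and silently drops the rest, which is exactly the stall the page describes: the connection stays up, but the sender is throttled to the unscaled window.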

The issue has been reported a number of times on public fora, for example:

It seems likely that almost all stateful firewalls may be or have been impacted, as the list of affected devices is growing rapidly. So, even if a device is not listed below, it may still be impacted!

Issues with specific products

Below is a probably incomplete list of middleboxes where problems have been noticed.

Cisco IOS Firewall TCP Inspection

When the Cisco IOS firewall has TCP inspection enabled (e.g., ip inspect name FOO tcp or ip inspect name FOO ftp), performance drops to ~10-20 Kbytes/sec. Disabling inspection works around this problem.

The root cause appears to be that Cisco IOS Firewall did not support TCP Window Scaling until recently. In software trains where this support exists (see CSCef65365; as of Oct/2006: 12.4(0.2), 12.3(14.5), 12.4(1.8)T), this is not a problem. A separate issue concerns non-compliant window scaling implementations (which ones is not specified); see CSCsc37281, which adds support for them in some more recent software versions.

Some versions of IOS firewall also have a similar low-performance problem with IPv6 TCP inspection (first found in 12.4(21)M). More details can be found in case CSCtb10776.

The solution is to disable Window Scaling on hosts (which may have significant performance impact), disable TCP inspection (which may have security implications) or upgrade software.

Cisco has made a tech note on this: IOS Firewall and Microsoft Windows Vista TCP Window Scaling.

Cisco PIX Window Scaling bug

Some time ago there was also a reported bug in Cisco PIX with respect to TCP sessions that use window scaling (CSCdy29514). This is reportedly fixed since 6.3(1), 6.2(3), 6.1(5), 6.1(4.102), 6.2(2.106). It is not clear whether non-6.[123] PIX versions were affected.

Cisco has made a tech note on this: PIX Security Appliance and Microsoft Windows Vista TCP Window Scaling Troubleshooting.

JUNOS stateful firewall

Kernel network issue with Juniper JUNOS stateful firewall, on fedora-devel-list, August 23, 2006

BSD pf can be configured incorrectly

"Re: RFC1323 Window Scaling Issues", July 1, 2006

Ipfilter (ipf) issues

A number of ipf versions have had problems with the Window Scaling option. Recently, a particular problem was noted with ipf's FTP proxy module, but the problem was likely affecting some other services as well. More information is on the ipf mailing list (December 19 through December 24, 2006).

Zyxel and GTA GB-nnn[n] firewalls

More information (e.g., models, versions) is not yet available.

-- PekkaSavola - 10 Oct 2006
-- PekkaSavola - 07 Nov 2006, 23 Nov 2006, 24 Dec 2006

Topic revision: r8 - 2009-10-15 - PekkaSavola