The window scaling problem
Many firewalls check that a TCP segment falls within the expected receive window. If window scaling is in use but the firewall does not support it, it discards packets that go beyond the unscaled window in order to prevent out-of-window attacks. For example, with a window size of 46 bytes and a scaling factor of 7 (the real window being 5760 bytes), the firewall only accepts 46 bytes at a time. This results in very low performance.
The problem is more insidious than the blackholing seen with ExplicitCongestionNotification, because the session is established successfully and the user may never suspect that the performance should be much better.
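As an added illustration (not part of the original page), the following Python models the window check described above: a scaling-aware firewall reads the Window Scale option from the SYN and SYN-ACK and widens the window by 2^shift, while an unaware one applies the raw 16-bit window field. All option bytes, sequence numbers and segment sizes are constructed for the example; with the window field of 46 and shift count of 7 from the text, the scaled window is 46 << 7 = 5888 bytes.

```python
"""Model of a stateful firewall's TCP window check with and without
Window Scale support (RFC 7323). Added illustration: every flow, option
byte string and segment size here is constructed, not taken from the page."""
from dataclasses import dataclass
from typing import List, Optional

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_WSCALE = 0, 1, 3
SEQ_MOD = 1 << 32


def parse_wscale(options: bytes) -> Optional[int]:
    """Walk the kind/length TLVs of a TCP options block and return the
    Window Scale shift count, or None if the option is absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        if kind == TCPOPT_WSCALE:
            if length != 3:
                raise ValueError("Window Scale option must be 3 bytes")
            # RFC 7323: a shift count above 14 is treated as 14.
            return min(options[i + 2], 14)
        i += length
    return None


def negotiated_shift(syn_options: bytes, synack_options: bytes) -> int:
    """Scaling is in effect only when both SYN and SYN-ACK carry the option.
    Returns the shift that applies to window fields sent by the SYN sender."""
    client = parse_wscale(syn_options)
    server = parse_wscale(synack_options)
    if client is None or server is None:
        return 0
    return client


@dataclass
class Flow:
    rcv_nxt: int       # next sequence number the receiving host expects
    window_field: int  # raw 16-bit window from that host's latest ACK
    shift: int         # negotiated shift count for that host's windows


def effective_window(flow: Flow, scaling_aware: bool) -> int:
    """A scaling-aware firewall multiplies the field by 2**shift; an
    unaware one uses the raw 16-bit value as the whole window."""
    return flow.window_field << (flow.shift if scaling_aware else 0)


def in_window(flow: Flow, seq: int, scaling_aware: bool) -> bool:
    """Accept a data segment only if its first byte lies inside
    [rcv_nxt, rcv_nxt + window), using modulo-2**32 sequence arithmetic
    so the check still works across a sequence-number wrap."""
    offset = (seq - flow.rcv_nxt) % SEQ_MOD
    return offset < effective_window(flow, scaling_aware)


def filter_burst(flow: Flow, seqs: List[int], scaling_aware: bool) -> List[int]:
    """Return the starting sequence numbers the firewall lets through
    from a burst of in-flight segments."""
    return [s for s in seqs if in_window(flow, s, scaling_aware)]


def throughput_ceiling(window_bytes: int, rtt_seconds: float) -> float:
    """Upper bound in bytes/s for a window-limited transfer: one window per RTT."""
    return window_bytes / rtt_seconds


# Constructed SYN options: MSS 1460, NOP, Window Scale 7, SACK-permitted.
SYN_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x07\x04\x02"
# Constructed SYN-ACK options: MSS 1460, NOP, Window Scale 6.
SYNACK_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x06"
# Constructed SYN-ACK from a peer that does not scale at all.
SYNACK_NO_WSCALE = b"\x02\x04\x05\xb4\x04\x02"

# The client (SYN sender) advertises window field 46 with shift 7; the server
# then emits four full-sized segments to fill what it believes is 5888 bytes.
FLOW = Flow(rcv_nxt=1000, window_field=46,
            shift=negotiated_shift(SYN_OPTIONS, SYNACK_OPTIONS))
BURST = [1000, 2460, 3920, 5380]

if __name__ == "__main__":
    print("shift:", FLOW.shift, "scaled window:", effective_window(FLOW, True))
    print("aware accepts  :", filter_burst(FLOW, BURST, True))
    print("unaware accepts:", filter_burst(FLOW, BURST, False))
    print("ceiling at 100 ms RTT, unaware: %.0f B/s" % throughput_ceiling(46, 0.1))
```

Two points worth noting from the model: a firewall that picks a flow up mid-stream never saw the SYN, so it has no shift to apply and behaves exactly like the unaware case; and the symptom to look for when diagnosing this in the field is a transfer that moves roughly one raw window field per round trip while every segment beyond that offset is dropped and retransmitted.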
The issue has been reported a number of times on public fora, for example:
- LWN Article, "TCP window scaling and broken routers", on July 7, 2004
- Kerneltrap article, "Linux: Window Scaling on the Internet", on June 14, 2006
It seems likely that almost all stateful firewalls are or have been affected, as the list of affected devices is growing rapidly. So even if a device is not listed below, it may still be affected!
Issues with specific products
Below is a probably incomplete list of middleboxes where problems have been noticed.
Cisco IOS Firewall TCP Inspection
When the Cisco IOS Firewall has TCP inspection enabled (e.g., =ip inspect name FOO tcp= or =ip inspect name FOO ftp=), performance drops to ~10-20 Kbytes/sec. Disabling inspection works around this problem.
The root cause appears to be that, until recently, the Cisco IOS Firewall did not support TCP Window Scaling. In software trains where this support exists (see CSCef65365; as of Oct/2006: =12.4(0.2), 12.3(14.5), 12.4(1.8)T=), this is not a problem.
Another issue is with non-compliant window scaling implementations (which ones is not specified); see CSCsc37281. These are supported in some more recent software versions.
Some versions of IOS firewall also have a similar low-performance problem with IPv6 TCP inspection (first found in 12.4(21)M). More details can be found in case
The solution is to disable Window Scaling on hosts (which may have a significant performance impact), disable TCP inspection (which may have security implications), or upgrade the software.
Cisco has made a tech note on this: IOS Firewall and Microsoft Windows Vista TCP Window Scaling.
Cisco PIX Window Scaling bug
Some time ago there was also a reported bug in Cisco PIX with respect to TCP sessions that use window scaling (=CSCdy29514=). This is reportedly fixed since =6.3(1), 6.2(3), 6.1(5), 6.1(4.102), 6.2(2.106)=. It is not clear whether non-6.x PIX versions were affected.
Cisco has made a tech note on this: PIX Security Appliance and Microsoft Windows Vista TCP Window Scaling Troubleshooting.
JUNOS stateful firewall
BSD pf can be configured incorrectly
Ipfilter (ipf) issues
A number of ipf versions have had problems with the Window Scaling option. Recently, a particular problem was noted with ipf's FTP proxy module, but the problem was likely affecting some other services as well. More information is on the ipf mailing list (December 19 through December 24, 2006).
Zyxel and GTA GB-nnn[n] firewalls
More information (e.g., models, versions) is not yet available.
-- Main.PekkaSavola - 10 Oct 2006
-- Main.PekkaSavola - 07 Nov 2006, 23 Nov 2006, 24 Dec 2006