sunhux asked:

Adverse impact of disabling Tcp_timestamps in Solaris

Planning to disable it for security reasons, but have heard F5 advise against it for F5.


https://docs.oracle.com/cd/E19455-01/806-6779/6jfmsfr8a/index.html
The URL above also has some indication.

Q1:
What does "Commitment Level: Unstable" mean?


https://www.ietf.org/rfc/rfc1323.txt
The URL above also indicates something:
...working with TCP's that do not implement the extensions.  The timestamps are used for 2 distinct mechanisms:
   RTTM (Round Trip Time Measurement) and PAWS (Protect Against Wrapped Sequences).

Q2:
Do any web applications & Solaris 10 x86 VMs need/use RTTM & PAWS?

Q3:
Can I safely say that disabling Tcp_timestamps is only a concern on congested networks,
especially WANs, but that on a Gigabit LAN its performance impact is negligible?
Network Security, Network Operations, Unix OS

SOLUTION
gheist
(solution text only available to members)
SOLUTION
btan
(solution text only available to members)
sunhux (ASKER):

I'm using Solaris x86; thanks Gheist for pointing out it's tcp_tstamp_always.

So will that be
"echo 0 > /proc/sys/net/ipv4/tcp_tstamp_always"  
     OR
"echo 0 > /proc/sys/net/ipv4/tcp_timestamps"   ??
sunhux (ASKER):

In the link given by BTan, it's
sudo ndd -set /dev/tcp tcp_tstamp_if_wscale 1

& this parameter tcp_tstamp_if_wscale (or is it tcp_tstamp_always?)
is set in /etc/system
sunhux (ASKER):

After doing "ndd -set ...", do we need to restart Oracle Web Server or Apache?
SOLUTION
btan
(solution text only available to members)
gheist:

Solaris does not have sysctl or the /proc filesystem.
Usually you find Linux guides next to Solaris guides, especially when you try GlassFish or Oracle RDBMS documentation.

I find it weird that F5 requests you to change some parameter, because it is a negotiable TCP option which they could as well clear on their connections, and no other connecting party will ever even try to use that.
sunhux (ASKER):

Our F5 support chaps have got a reply from F5 that there will be an adverse
performance impact when TCP Timestamp is disabled on the LTM,
and thus it was recommended not to turn it off.
sunhux (ASKER):

Only managed to beg someone to log in to a Solaris x86.

# ndd /dev/tcp \?  |grep -i stamp

gives tcp_tstamp_if_wscale (it's 0) & tcp_tstamp_always (already 1),
so it must be the former.

There's /proc but no /proc/sys fs.

Yes, no /etc/sysctl.conf, only /etc/system.
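Added worked example (editor's addition, not part of the thread and not Solaris or F5 code): it ties together gheist's point that the timestamp option is negotiated per connection and the two ndd parameters sunhux found, tcp_tstamp_always and tcp_tstamp_if_wscale. It parses the option bytes of a SYN and a SYN-ACK, applies the RFC 1323/7323 rule that a SYN-ACK may carry timestamps only if the SYN did, and models how the two knobs would gate a Solaris server's reply. The reading of the knobs (always offer timestamps, or offer them only when window scaling is also in use) is this example's interpretation of the tunable-parameters manual and should be checked against the manual for your release; the option byte strings are constructed, not captured traffic.

```python
"""TCP timestamp option negotiation and the two Solaris ndd knobs.

1. The timestamp option (kind 8) is negotiated per connection: a passive
   opener may put it in the SYN-ACK only if the client's SYN carried it, so a
   peer (or a middlebox) that clears it from the SYN removes it from the
   whole connection.
2. tcp_tstamp_always / tcp_tstamp_if_wscale are modelled as assumed gating
   policy on the server side; verify against the manual for your release.
All option byte strings below are constructed for the example.
"""
from typing import Dict

TCPOPT_EOL, TCPOPT_NOP = 0, 1
TCPOPT_MSS, TCPOPT_WSCALE, TCPOPT_SACK_OK, TCPOPT_TIMESTAMP = 2, 3, 4, 8


def parse_tcp_options(opts: bytes) -> Dict[int, bytes]:
    """Parse the option field that follows a 20-byte TCP header.

    Returns {kind: payload}. EOL ends parsing, NOP is skipped. A truncated or
    malformed option raises ValueError instead of being silently guessed at.
    """
    found: Dict[int, bytes] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def timestamps_offered(opts: bytes) -> bool:
    """True if the option list carries a well-formed 10-byte timestamp option."""
    ts = parse_tcp_options(opts).get(TCPOPT_TIMESTAMP)
    return ts is not None and len(ts) == 8


def server_replies_with_timestamps(syn_opts: bytes, tstamp_always: int,
                                   tstamp_if_wscale: int) -> bool:
    """Whether a passive opener echoes the timestamp option in its SYN-ACK.

    Protocol rule: only possible if the SYN offered it.
    Assumed Solaris policy: offer when tcp_tstamp_always=1, or when
    tcp_tstamp_if_wscale=1 and the client also asked for window scaling.
    """
    if not timestamps_offered(syn_opts):
        return False  # peer never offered it: nothing to negotiate
    client = parse_tcp_options(syn_opts)
    if tstamp_always:
        return True
    return bool(tstamp_if_wscale) and TCPOPT_WSCALE in client


def timestamps_in_use(syn_opts: bytes, synack_opts: bytes) -> bool:
    """RTTM and PAWS run on a connection only if both SYN and SYN-ACK had TSopt."""
    return timestamps_offered(syn_opts) and timestamps_offered(synack_opts)


# Constructed option lists (each padded to a multiple of 4 bytes).
# Typical client SYN: MSS 1460, SACK permitted, TS(val=0x01020304, ecr=0), NOP, WS=7
SYN_FULL = (b"\x02\x04\x05\xb4" + b"\x04\x02"
            + b"\x08\x0a\x01\x02\x03\x04\x00\x00\x00\x00"
            + b"\x01" + b"\x03\x03\x07")
# Same client after an intermediary cleared the timestamp option: NOPs in its place.
SYN_NO_TS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x01\x01\x01" + b"\x03\x03\x07"
# Client offering timestamps but no window scaling.
SYN_TS_NO_WS = (b"\x02\x04\x05\xb4"
                + b"\x08\x0a\x01\x02\x03\x04\x00\x00\x00\x00" + b"\x01\x01")
# Server SYN-ACK echoing timestamps: MSS, TS(val=0x0a0b0c0d, ecr=0x01020304), NOP, WS=6
SYNACK_TS = (b"\x02\x04\x05\xb4"
             + b"\x08\x0a\x0a\x0b\x0c\x0d\x01\x02\x03\x04"
             + b"\x01" + b"\x03\x03\x06" + b"\x01\x01")

if __name__ == "__main__":
    for name, syn in (("full SYN", SYN_FULL), ("TS stripped", SYN_NO_TS),
                      ("TS without WS", SYN_TS_NO_WS)):
        print("%-14s always=1,if_wscale=0 -> %s | always=0,if_wscale=1 -> %s"
              % (name, server_replies_with_timestamps(syn, 1, 0),
                 server_replies_with_timestamps(syn, 0, 1)))
    print("full handshake uses RTTM/PAWS:", timestamps_in_use(SYN_FULL, SYNACK_TS))
```

Run as a script to see the three SYN variants side by side; to check a real connection, take the option bytes of the SYN and SYN-ACK from a `snoop -v` capture of the handshake and pass them to `timestamps_in_use`. If the client side never offers the option, no server-side setting can switch it on for that connection, which is the point gheist makes about the F5.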
SOLUTION
btan
(solution text only available to members)
sunhux (ASKER):

Last question:

How do I verify/check that my web servers are affected by:
"when accurate measurement of round-trip time (RTT) and TCP sequence number wrap-around is needed"
sunhux (ASKER):

Hi BTan, can you provide the link again where you found the statement below:
"if getting an accurate measurement of round-trip time (RTT) and TCP
  sequence number wraparound is a problem, enable this parameter."
SOLUTION
btan
(solution text only available to members)
sunhux (ASKER):

How do I verify/check that my web servers are affected by:
"when accurate measurement of round-trip time (RTT) and TCP sequence number wrap-around is needed":

So to verify retransmission errors, do I issue "netstat -i" ("netstat -es" in
Windows) on the Solaris servers & check if the retransmission error count
increases over a period of time when there's traffic load?
sunhux (ASKER):

Or would repeated "ifconfig NIC_interface" give better output?
Which specific parameter/counter should I look out for?
Tcp_Retrans_Seg? In Windows, there's "Segments Retransmitted".

Numerous counters were given in
https://dansysadm.com/solaris-netstat-tcp-protocol-statistics-explained.html

 $ netstat -s -P tcp
 TCP
    tcpRtoAlgorithm     =     4     tcpRtoMin           =   400
    tcpRtoMax           = 60000     tcpMaxConn          =    -1
    tcpActiveOpens      =7624114    tcpPassiveOpens     =7084624
    tcpAttemptFails     =1896763    tcpEstabResets      =193326
    tcpCurrEstab        =    74     tcpOutSegs          =21843389688
    tcpOutDataSegs      =3328351751 tcpOutDataBytes     =3235412917
    tcpRetransSegs      =41967918   tcpRetransBytes     =2212890976
    tcpOutAck           =853704065  tcpOutAckDelayed    =247961090
    tcpOutUrg           =     1     tcpOutWinUpdate     =477772
    tcpOutWinProbe      = 12412     tcpOutControl       =33045410
    tcpOutRsts          =5285917    tcpOutFastRetrans   =  8210
    tcpInSegs           =11491393189
    tcpInAckSegs        =1158661729 tcpInAckBytes       =1102332654
    tcpInDupAck         =142544351  tcpInAckUnsent      =     0
    tcpInInorderSegs    =1884725886 tcpInInorderBytes   =1286627563
    tcpInUnorderSegs    =1912668    tcpInUnorderBytes   =2409325298
    tcpInDupSegs        =34780066   tcpInDupBytes       =1415828491
    tcpInPartDupSegs    =  3626     tcpInPartDupBytes   =1693311
    tcpInPastWinSegs    =2269167    tcpInPastWinBytes   =126796354
    tcpInWinProbe       =  1057     tcpInWinUpdate      = 11758
    tcpInClosed         =3426232    tcpRttNoUpdate      =445365299
    tcpRttUpdate        =706469685  tcpTimRetrans       =1305409
    tcpTimRetransDrop   =  2328     tcpTimKeepalive     = 75510
    tcpTimKeepaliveProbe= 28677     tcpTimKeepaliveDrop =   193
    tcpListenDrop       =    11     tcpListenDropQ0     =     0
    tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =40485027
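Added worked example (editor's addition, not from the thread): how to turn two `netstat -s -P tcp` readings into the check asked for above. The counters are cumulative since boot, so the single reading pasted above only gives a lifetime average (about 1.3% of data segments retransmitted); taking a second reading some minutes later under load and differencing the two gives the current loss rate and the share of ACKs that yielded an RTT sample, which is what would move if disabling timestamps cost RTT accuracy. SNAPSHOT_T0 is an excerpt of the output pasted above, SNAPSHOT_T1 is constructed for the example to look like a later reading during a lossy period, and the 1% warning threshold is a rule of thumb, not a standard. The last function does the sequence-wrap arithmetic behind Q3, the calculation RFC 1323 uses to motivate PAWS.

```python
"""Differencing two Solaris `netstat -s -P tcp` snapshots.

Counters are cumulative since boot; the interval delta is what shows whether
loss or RTT-sampling trouble is happening under current traffic.
SNAPSHOT_T0: excerpt of the reading pasted in the thread.
SNAPSHOT_T1: constructed for this example (same host, 60 s later, lossy burst).
"""
import re
from typing import Dict

SNAPSHOT_T0 = """
TCP
    tcpOutDataSegs      =3328351751 tcpOutDataBytes     =3235412917
    tcpRetransSegs      =41967918   tcpRetransBytes     =2212890976
    tcpOutRsts          =5285917    tcpOutFastRetrans   =  8210
    tcpInDupAck         =142544351  tcpInAckUnsent      =     0
    tcpInClosed         =3426232    tcpRttNoUpdate      =445365299
    tcpRttUpdate        =706469685  tcpTimRetrans       =1305409
    tcpTimRetransDrop   =  2328     tcpTimKeepalive     = 75510
    tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =40485027
"""

SNAPSHOT_T1 = """
TCP
    tcpOutDataSegs      =3329351751 tcpOutDataBytes     =4235412917
    tcpRetransSegs      =42017918   tcpRetransBytes     =2262890976
    tcpOutRsts          =5286017    tcpOutFastRetrans   = 18210
    tcpInDupAck         =142644351  tcpInAckUnsent      =     0
    tcpInClosed         =3426432    tcpRttNoUpdate      =445765299
    tcpRttUpdate        =707069685  tcpTimRetrans       =1306409
    tcpTimRetransDrop   =  2338     tcpTimKeepalive     = 75530
    tcpHalfOpenDrop     =     0     tcpOutSackRetrans   =40525027
"""

# Two counters per line, "name = value"; tcpMaxConn can legitimately be -1.
COUNTER_RE = re.compile(r"(tcp[A-Za-z0-9]+)\s*=\s*(-?\d+)")


def parse_tcp_stats(text: str) -> Dict[str, int]:
    """Turn the two-column netstat layout into {counter: value}."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_delta(t0: Dict[str, int], t1: Dict[str, int]) -> Dict[str, int]:
    """Per-interval increments for counters present in both snapshots.
    A negative delta means a reboot or counter reset; it is kept visible so the
    caller can discard the interval rather than report nonsense."""
    return {k: t1[k] - t0[k] for k in t0 if k in t1}


def retrans_ratio(stats: Dict[str, int]) -> float:
    """Retransmitted data segments as a fraction of data segments sent."""
    sent = stats.get("tcpOutDataSegs", 0)
    return stats.get("tcpRetransSegs", 0) / sent if sent else 0.0


def rtt_sample_fraction(stats: Dict[str, int]) -> float:
    """Share of RTT measurement opportunities that produced a sample
    (tcpRttUpdate) rather than being skipped (tcpRttNoUpdate). With the
    timestamp option a sender can sample RTT even on retransmitted data, so a
    falling fraction after disabling timestamps is the RTT effect the quoted
    manual sentence refers to (rough indicator, not a precise mapping)."""
    up, no = stats.get("tcpRttUpdate", 0), stats.get("tcpRttNoUpdate", 0)
    return up / (up + no) if (up + no) else 0.0


def assess(t0_text: str, t1_text: str, warn_ratio: float = 0.01) -> Dict[str, object]:
    """Compare two snapshots; warn_ratio=1% is a rule of thumb, not a standard."""
    t0, t1 = parse_tcp_stats(t0_text), parse_tcp_stats(t1_text)
    d = counter_delta(t0, t1)
    if any(v < 0 for v in d.values()):
        return {"status": "counter reset, discard interval", "delta": d}
    return {
        "status": "lossy" if retrans_ratio(d) > warn_ratio else "ok",
        "lifetime_retrans_ratio": retrans_ratio(t1),
        "interval_retrans_ratio": retrans_ratio(d),
        "interval_rtt_sample_fraction": rtt_sample_fraction(d),
        "interval_timeout_retrans": d.get("tcpTimRetrans", 0),
        "interval_sack_retrans": d.get("tcpOutSackRetrans", 0),
    }


def seq_wrap_seconds(bits_per_second: float) -> float:
    """Seconds for one connection sending at line rate to cycle through the
    32-bit sequence space; PAWS matters when this is shorter than the time an
    old duplicate can survive in the network (RFC 1323's motivation)."""
    return (2 ** 32 * 8) / bits_per_second


if __name__ == "__main__":
    for key, val in assess(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print("%-30s %s" % (key, val))
    print("sequence wrap at 1 Gbit/s: %.1f s" % seq_wrap_seconds(1e9))
```

On the servers themselves the equivalent is two `netstat -s -P tcp` runs some minutes apart saved to files, then this script over the two files; `tcpRetransSegs`/`tcpOutDataSegs` is the counter pair to watch, with `tcpTimRetrans` (timeout-driven) and `tcpOutSackRetrans` showing what kind of recovery is happening. For Q3, a single flow saturating 1 Gbit/s wraps the sequence space in about 34 s, so the "congested WAN only" assumption does not hold for high-throughput LAN transfers; whether that matters depends on how long stale segments can survive on your path.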
ASKER CERTIFIED SOLUTION
btan
(solution text only available to members)
gheist:

> Our F5 support chaps have got a reply from F5 that there will be an adverse
> performance impact when TCP Timestamp is disabled on the LTM,
> and thus it was recommended not to turn it off.


It is off by default. To avoid the adverse performance impact you actually have to enable TCP timestamps.
Ask them in your language and skip the translations.
sunhux (ASKER):

> It is off by default
For some historical reason, it was enabled on all our F5s: don't know when
& who enabled it.

So Gheist, you feel it should be safe to disable on the F5 as it was off by default?
gheist:

Why should you care?
If Solaris has the TCP extension disabled, F5 will never have a chance to use it.

Your text says that DISABLING timestamps has a performance impact. Since it was never enabled, the impact is in full force.
Do some network measurements; if it saturates the wire, there is no need to change.
btan:

The default is implicitly what the provider recommends, unless they are ignorant. Eventually they are also running an OS themselves, and your concern should be the server rather than the intermediary. F5 serves as LB and ADC, nothing else.