Differences between ECN and ECN plus - rajitaaa/ECN-plus-algorithm-in-ns3 GitHub Wiki

Drawbacks of ECN

Absence of ECN indications in TCP control packets can dramatically hinder system performance. Applying ECN to TCP SYN-ACK packets can significantly improve system performance without introducing any novel security or stability side-effects.

ECN+

The main difference between ECN and ECN+ is that ECN+ allows endpoints to set the ECT bit in the IP header of SYN-ACK packets and not SYN packet.

Why not TCP SYN and why TCP SYN-ACK?

1. There is no guarantee that the other endpoint (web server in our scenario) is ECN-capable, or that it would be able to understand and react if the ECN/CE bits were set by a congested router.
2. The ECT field in TCP SYN packets may be misused by malicious clients and congest the web server’s listen queue by sending a large number of TCP SYN packets. By setting the ECT bit in TCP SYN packet’s headers, a malicious client would be able to easily inject a large number of TCP SYN packets through a potentially congested ECN-enabled router.

But,when the web server receives a TCP SYN packet with the ECN-Echo bit set,

1. It indicates that the client is ECN-capable. Hence, if the server is also ECN-capable, there are no obstacles to immediately applying ECN, and setting the ECT bit in the SYN ACK packet.
2. Setting the ECT bit in SYN ACK packets does not raise novel security vulnerabilities.

Hence,ECT bit is set in the IP headers of TCP SYN-ACK packets and not TCP SYN packet.