Delphix

TB064 Linux TCP SACK Impact on Network Performance


Alert Type

Availability / Performance

Impact

To mitigate several recently published security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479), some customers are disabling a performance feature of the TCP communication protocol known as Selective Acknowledgement (SACK).

Delphix environments using Linux source or target hosts may see degraded network performance if the TCP SACK feature is disabled. The severity of the performance impact depends on how much packet loss, packet duplication, and packet reordering is present on the network, since these are exactly the conditions TCP SACK is designed to optimize for. Degraded network performance may in turn result in:

  • Degraded read/write performance of Virtual Databases (VDBs)
  • Degraded performance of Provision, Rewind, Refresh, SnapSync, and Replication jobs


Contributing Factors

This article applies to all versions of the Delphix Engine:

Major Release   All Sub Releases
5.3             5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0
5.2             5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1             5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0             5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
4.3             4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0
4.2             4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0, 4.2.5.0, 4.2.5.1
4.1             4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0


Note that TCP SACK is a standard TCP protocol feature and is enabled by default on all major Linux distributions. Use of this functionality is not a Delphix-specific requirement, but it is a feature that affects network traffic and could therefore affect any Delphix release.

Symptoms

There may be a significant drop in throughput compared to what was seen prior to disabling TCP SACK.

Resolution

Patches are available from major Linux vendors. Patches are the preferred mitigation for these vulnerabilities because, unlike disabling the TCP SACK feature, they do not risk performance degradation.


Additional Information

To determine whether the TCP SACK option has been disabled on a particular Linux system, run the command:

sysctl net.ipv4.tcp_sack

The command output will be similar to:

[root@mysystem ~]# sysctl net.ipv4.tcp_sack
net.ipv4.tcp_sack = 1
[root@mysystem ~]# 

If the value of net.ipv4.tcp_sack is 1, as in the above example, the TCP SACK feature is enabled. If the value is 0, the feature has been disabled.
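The following script is an added example and is not part of the Delphix article. It wraps the check described above in a few shell functions: one that classifies a sysctl output line of the form shown, one that reads the running kernel's value from /proc (the same value sysctl reports), and one that searches the standard persistent sysctl configuration locations (/etc/sysctl.conf, /etc/sysctl.d, /run/sysctl.d, /usr/lib/sysctl.d) for a setting that would disable SACK again after a reboot. That last check is useful once the vendor kernel patch is in place and the SACK workaround is being rolled back. The function names are my own; the sample configuration lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Delphix code): report the TCP SACK state on a Linux host
# and locate persistent sysctl overrides that disable it.

# Matches a sysctl.conf-style line that sets net.ipv4.tcp_sack to 0,
# e.g. "net.ipv4.tcp_sack = 0" or "net.ipv4.tcp_sack=0".
SACK_DISABLE_RE='^[[:space:]]*net\.ipv4\.tcp_sack[[:space:]]*=[[:space:]]*0[[:space:]]*$'

# tcp_sack_state LINE
# LINE is one line as printed by "sysctl net.ipv4.tcp_sack",
# e.g. "net.ipv4.tcp_sack = 1".
# Prints "enabled" for 1, "disabled" for 0, and "unknown" for anything else
# (including error text from sysctl on a host without the key).
tcp_sack_state() {
    value=$(printf '%s\n' "$1" |
        sed -n 's/^net\.ipv4\.tcp_sack[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# live_tcp_sack_state
# Reads the running kernel's value from /proc, which is what sysctl reports.
# Prints "unknown" where the file does not exist (non-Linux hosts).
live_tcp_sack_state() {
    if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
        tcp_sack_state "net.ipv4.tcp_sack = $(cat /proc/sys/net/ipv4/tcp_sack)"
    else
        echo unknown
    fi
}

# find_persistent_sack_overrides [FILE-OR-DIR ...]
# Prints each configuration file that sets net.ipv4.tcp_sack to 0. With no
# arguments it scans the standard persistent sysctl locations; a directory
# argument is scanned for *.conf files, a file argument is checked directly.
find_persistent_sack_overrides() {
    if [ "$#" -eq 0 ]; then
        set -- /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d
    fi
    for path in "$@"; do
        if [ -d "$path" ]; then
            for f in "$path"/*.conf; do
                if [ -f "$f" ] && grep -q -E "$SACK_DISABLE_RE" "$f" 2>/dev/null; then
                    printf '%s\n' "$f"
                fi
            done
        elif [ -f "$path" ]; then
            if grep -q -E "$SACK_DISABLE_RE" "$path" 2>/dev/null; then
                printf '%s\n' "$path"
            fi
        fi
    done
    return 0
}

# When run directly: report the live state, then any persistent overrides.
printf 'Running kernel: TCP SACK %s\n' "$(live_tcp_sack_state)"
find_persistent_sack_overrides | while read -r f; do
    printf 'Persistent override disabling TCP SACK: %s\n' "$f"
done
```

A live value of "enabled" with an override file still present means SACK will be disabled again at the next reboot or the next time sysctl --system runs; remove or correct the override once the patched kernel is installed.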

CVE References

CVE-2019-11477 (external)

CVE-2019-11478 (external)

CVE-2019-11479 (external)

Other References

RFC 2018 - TCP Selective Acknowledgement Options (external)