TB064 Linux TCP SACK Impact on Network Performance
Alert Type
Availability / Performance
Impact
To mitigate several recently published security vulnerabilities (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479), some customers are disabling a performance feature of the TCP communication protocol known as Selective Acknowledgement (SACK).
Delphix environments using Linux source or target hosts may see degraded network performance if the TCP SACK feature is disabled. The severity of the performance impact will depend on the degree of packet loss, duplicate packets, and out-of-order packets present on the network (conditions that TCP SACK specifically optimizes for). Degraded network performance may in turn result in:
- Degraded read/write performance of Virtual Databases (VDBs)
- Degraded performance of Provision, Rewind, Refresh, SnapSync, and Replication jobs
Contributing Factors
This article applies to all versions of the Delphix Engine:
Major Release | All Sub Releases
5.3 | 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0
5.2 | 5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1 | 5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0 | 5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
4.3 | 4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0
4.2 | 4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0, 4.2.5.0, 4.2.5.1
4.1 | 4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0
Note that TCP SACK is a standard TCP protocol feature, and is enabled by default on all main Linux distributions. Use of this functionality is not a Delphix-specific requirement but is a feature which affects network traffic and could therefore affect any Delphix release.
Symptoms
There may be a significant drop in throughput compared to what was seen prior to disabling TCP SACK.
Resolution
Patches are available from major Linux vendors. Patches are the preferred mitigation of the security vulnerabilities as they do not risk performance degradation, unlike disabling the TCP SACK feature.
Additional Information
To determine if the TCP SACK option has been disabled on a particular Linux system, one may use the command:
sysctl net.ipv4.tcp_sack
The command output will be similar to:
[root@mysystem ~]# sysctl net.ipv4.tcp_sack
net.ipv4.tcp_sack = 1
[root@mysystem ~]#
If the value of net.ipv4.tcp_sack is 1, as in the above example, the TCP SACK feature is enabled. If the value is 0, the feature has been disabled.
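The following POSIX shell script is an added example, not part of the Delphix article, that automates the check described above. It reads the same kernel setting that "sysctl net.ipv4.tcp_sack" reports, via /proc/sys/net/ipv4/tcp_sack, and classifies the host as enabled, disabled, or unknown (for example on a non-Linux host, or in a container where /proc/sys is not readable). The function and variable names are this example's own; the sysctl output lines it parses in the usage call are constructed to match the format shown in the article.

```shell
#!/bin/sh
# Added example (not from the Delphix article): report the TCP SACK state of
# a Linux host. Exit status 0 = enabled, 1 = disabled (expect the throughput
# drop described under Symptoms when the network shows loss or reordering),
# 2 = could not be determined.

# sack_state_from_line "<sysctl output line or bare value>"
# Prints enabled | disabled | unknown. Accepts "net.ipv4.tcp_sack = 1" (the
# sysctl form) or just "1" (the /proc file form).
sack_state_from_line() {
    line=$1
    case "$line" in
        *=*)
            # A key is present: make sure it is the SACK key and not some
            # other net.ipv4 tunable that happens to be 0 or 1.
            key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
            if [ "$key" != net.ipv4.tcp_sack ]; then
                echo unknown
                return 0
            fi
            ;;
    esac
    value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# sack_state_live: read the running kernel's value. The /proc file holds the
# bare value; it is absent on non-Linux hosts and unreadable in some containers.
sack_state_live() {
    f=/proc/sys/net/ipv4/tcp_sack
    if [ -r "$f" ]; then
        sack_state_from_line "$(cat "$f")"
    else
        echo unknown
    fi
}

# check_sack: print the state and map it to an exit status (see header).
check_sack() {
    state=$(sack_state_live)
    echo "net.ipv4.tcp_sack: $state"
    case "$state" in
        enabled)  return 0 ;;
        disabled) return 1 ;;
        *)        return 2 ;;
    esac
}

# Stand-alone run: parse the constructed sample line from the article, then
# check the live host. The "|| echo" keeps a non-zero status from aborting
# the script when it is sourced under "set -e".
echo "sample line -> $(sack_state_from_line 'net.ipv4.tcp_sack = 1')"
check_sack || echo "TCP SACK is not confirmed enabled on this host (status $?)"
```

A disabled result on a Delphix source or target host is the condition this article describes; the preferred remediation remains applying the vendor kernel patches listed under Resolution rather than leaving SACK off.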
Original Netflix security advisory:
Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities (external)
RedHat Reference:
TCP SACK PANIC - Kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479 (external)
Ubuntu References:
SACK Panic and Other TCP Denial of Service Issues (external)
Ubuntu updates for TCP SACK Panic vulnerabilities (external)