> There are a lot of really dumb, dumb, dumb firewall authors out there,
> that's why...
>
> Actually, Sally Floyd's explanation makes a lot more sense.
>
> The dumb authors, I think, are those who built Linux implementations
> that doggedly attempt to negotiate ECN and are unprepared for cases
> where it does not work.
Actually, to be clear, what I said is that there are both firewall
authors and TCP implementors who do dumb things. From the last
paragraph of my email:
    One might hope that Linux implementors would make a better decision
    next time around. And that firewall designers would not be so quick
    to block some new functionality just because it is used in the
    latest port-scanning tool. But I wouldn't count on it...
From RFC 3360:
    One lesson appears to be that anyone can effectively "attack" a new
    TCP function simply by using that function in their publicly-
    available port-scanning tool, thus causing middleboxes of all kinds
    to block the use of that function.
- Sally
http://www.icir.org/floyd/
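Editor's note: the following is an added example, not code from this thread, from Linux, or from any real TCP stack. It models the two failure modes the thread is arguing about in a few dozen lines: a hypothetical middlebox that either silently drops or RSTs any SYN carrying ECN bits, and an ECN-negotiating client that either keeps retransmitting ECN-setup SYNs ("dogged") or falls back to a plain SYN after the first loss or reset. The flag values are the real TCP header bits and the SYN/SYN-ACK semantics follow RFC 3168; the `middlebox`, `server`, `connect` names and the `"pass"/"drop"/"reset"` policies are invented for the illustration.

```python
"""Toy model of TCP ECN negotiation (RFC 3168 flag semantics) through a
middlebox that mistreats SYNs carrying ECN bits. Added illustration, not
code from the thread or from any real stack; all names here are invented."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Real TCP flag bit values from the header's flags byte.
SYN = 0x02
RST = 0x04
ACK = 0x10
ECE = 0x40
CWR = 0x80


@dataclass(frozen=True)
class Segment:
    flags: int

    def has(self, bits: int) -> bool:
        return self.flags & bits == bits


def ecn_setup_syn() -> Segment:
    """ECN-setup SYN: SYN with both ECE and CWR set (RFC 3168)."""
    return Segment(SYN | ECE | CWR)


def plain_syn() -> Segment:
    return Segment(SYN)


def middlebox(seg: Segment, policy: str) -> Tuple[Optional[Segment], Optional[Segment]]:
    """Hypothetical firewall in the path. Returns (segment forwarded to the
    server, segment sent back to the client).
      "pass"  - forwards everything
      "drop"  - silently drops any SYN with an ECN bit set (client sees a timeout)
      "reset" - answers such SYNs with a RST (the RFC 3360 complaint)
    """
    if policy == "pass" or not seg.flags & (ECE | CWR):
        return seg, None
    if policy == "drop":
        return None, None
    if policy == "reset":
        return None, Segment(RST | ACK)
    raise ValueError(f"unknown policy {policy!r}")


def server(seg: Segment, ecn_capable: bool) -> Optional[Segment]:
    """Passive side per RFC 3168: reply with an ECN-setup SYN-ACK (SYN|ACK|ECE)
    only when the SYN was an ECN-setup SYN and we support ECN."""
    if not seg.has(SYN) or seg.has(ACK):
        return None
    if ecn_capable and seg.has(ECE | CWR):
        return Segment(SYN | ACK | ECE)
    return Segment(SYN | ACK)


def connect(policy: str, fallback: bool, max_syns: int = 6,
            server_ecn: bool = True) -> dict:
    """Active open. A 'dogged' client (fallback=False) keeps sending ECN-setup
    SYNs until its retry budget is exhausted, or gives up on a RST. A client
    with fallback=True retransmits a SYN without ECN bits after the first
    ECN-setup SYN is lost or reset."""
    use_ecn = True
    syns_sent = 0
    while syns_sent < max_syns:
        syn = ecn_setup_syn() if use_ecn else plain_syn()
        syns_sent += 1
        forwarded, reply = middlebox(syn, policy)
        if forwarded is not None:
            reply = server(forwarded, server_ecn)
        if reply is not None and reply.has(SYN | ACK):
            return {"connected": True, "syns_sent": syns_sent,
                    "ecn_negotiated": use_ecn and reply.has(ECE), "reason": "ok"}
        if reply is not None and reply.has(RST):
            if use_ecn and fallback:
                use_ecn = False  # treat a RST to an ECN-setup SYN as "retry without ECN"
                continue
            return {"connected": False, "syns_sent": syns_sent,
                    "ecn_negotiated": False, "reason": "reset"}
        # No reply at all: SYN retransmission timeout.
        if use_ecn and fallback:
            use_ecn = False
    return {"connected": False, "syns_sent": syns_sent,
            "ecn_negotiated": False, "reason": "timeout"}


if __name__ == "__main__":
    for policy in ("pass", "drop", "reset"):
        for fallback in (False, True):
            print(f"{policy:5} fallback={fallback!s:5} ->", connect(policy, fallback))
```

Running the module prints six lines: with a "pass" middlebox both clients connect and negotiate ECN; with "drop" the dogged client burns its whole SYN budget and fails while the fallback client connects on its second SYN without ECN; with "reset" the dogged client fails on the very first segment, which is exactly the "inappropriate reset" case RFC 3360 describes. The model ignores data transfer and congestion marking entirely; it exists only to show why a stack that negotiates ECN needs a fallback path when the network in between does not cooperate.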