[Bug 3972] New: When using ProxyJump, set tunnel connection DSCP to cs0 or none for scp sessions
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Wed Jun 24 03:52:54 AEST 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3972
Bug ID: 3972
Summary: When using ProxyJump, set tunnel connection DSCP to
cs0 or none for scp sessions
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: david+openssh at dbark.co.uk
Since 10.1p1-1, DSCP is set to EF for interactive sessions. scp (and
rsync) sessions are marked cs0 (or the host OS default). However, when
using scp to transfer files to a host behind a bastion host using
ProxyJump (e.g. scp -J bastion file.tmp target:/tmp/file.tmp), the
outer tunnel session is marked EF. On some networks (like BT, in the
UK), DSCP EF is heavily managed and the resulting transfer is extremely
slow. The cause of a very slow scp to a host behind a bastion host (on
such a DSCP-observant network) is not obvious without extensive
debugging.
scp'ing directly to the bastion host (without ProxyJump) operates with
the expected performance.
Setting "IPQoS cs0" in .ssh/config for the bastion host resolves the
issue but means that all traffic is marked cs0 rather than the intended
EF for other (interactive) sessions.
My proposal would be to mark the tunnel (ProxyJump/bastion) IPQoS cs0
or none for scp-like sessions to reflect what I believe would the
intended behaviour of the DSCP changes.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list