[Bug 3972] New: When using ProxyJump, set tunnel connection DSCP to cs0 or none for scp sessions

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jun 24 03:52:54 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3972

            Bug ID: 3972
           Summary: When using ProxyJump, set tunnel connection DSCP to
                    cs0 or none for scp sessions
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: david+openssh at dbark.co.uk

Since 10.1p1-1, DSCP is set to EF for interactive sessions. scp (and
rsync) sessions are marked cs0 (or the host OS default). However, when
using scp to transfer files to a host behind a bastion host using
ProxyJump (e.g. scp -J bastion file.tmp target:/tmp/file.tmp), the
outer tunnel session is marked EF. On some networks (like BT, in the
UK), DSCP EF is heavily managed and the resulting transfer is extremely
slow. The cause of a very slow scp to a host behind a bastion host (on
such a DSCP-observant network) is not obvious without extensive
debugging.

scp'ing directly to the bastion host (without ProxyJump) operates with
the expected performance.

Setting "IPQoS cs0" in .ssh/config for the bastion host resolves the
issue but means that all traffic is marked cs0 rather than the intended
EF for other (interactive) sessions.

My proposal would be to mark the tunnel (ProxyJump/bastion) IPQoS cs0
or none for scp-like sessions to reflect what I believe would the
intended behaviour of the DSCP changes.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list