IPQoS EF packets blocked by some provider(s) / Login to OpenSSH >= 10.1 servers stuck in preauth

Oliver Freyermuth o.freyermuth at googlemail.com
Mon Oct 20 06:23:55 AEDT 2025


Hi,

On 19.10.25 at 21:06, Gert Doering wrote:
> Hi,
> 
> On Mon, Oct 13, 2025 at 09:56:36PM +0200, Oliver Freyermuth via openssh-unix-dev wrote:
>> Since my provider serves >1.5 million customers here in Germany, I presume this might hit others out there (maybe even with other providers). Sadly, getting through their first level support is almost impossible, so I have only a small hope of them fixing it.
> 
> Name and shame... so who is this?  There's enough people on the list
> that have good ties into the ISP world, so maybe the message can be
> relayed to "proper level support" :-)

sure, that would be nice and much appreciated — that's Deutsche Glasfaser Wholesale GmbH (AS60294) here in Germany.
Since I spent two months without IPv6 (likely a forgotten route somewhere in the provider infrastructure) until they fixed it not due to my many tickets which got stuck in first level, but likely since their technicians noticed it, I am rather pessimistic about reaching the correct service level myself.

I tried pinging (ping -Q 184) my way through my route from outside, and can reach the last visible hop before my router with EF packets, but once I try to ping the WAN IP of my router, I have full packet loss and see no packets arriving on the outside of the device (one of the Fritz! devices common in Germany, directly connected to the fibre, which allows tcpdumping on the WAN interface).

Funnily enough, I can reach some other addresses (should be CPEs) in the WAN subnet — which could imply EF packets are not dropped for all customers (maybe only those who are not leasing a router from the provider are affected?).

To make doubly sure my router is not silently dropping them, since I have the honour of having two subscriptions with this provider, I checked that I can successfully ping with EF packets from one router to the other. It seems only filtered on provider level when the packets come from "outside".

While of course dropping all EF packets silently is something I consider broken, I still wonder whether openssh could handle this better (e.g. fallback to non-EF packets if all packets are lost), as the RFC linked in my last mail suggests this might happen in some network environments (adjacent domains without negotiated EF rate).

Cheers and thanks,
	Oliver
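
An added example, not part of the original message or of OpenSSH: a small probe that repeats the `ping -Q 184` comparison described above over TCP, attempting one handshake to a server with the default TOS byte and one marked EF. The function names, the default port 22 and the IPv4-only handling are assumptions of this example.

```python
import socket
import sys

DSCP_EF = 46            # Expedited Forwarding code point
TOS_EF = DSCP_EF << 2   # 184 (0xb8): the value given to `ping -Q 184`


def tcp_probe(host, port, tos, timeout=5.0):
    """Attempt one TCP handshake with the given TOS byte. Returns (ok, detail)."""
    # IPv4 only (assumption); for IPv6 the socket option would be IPV6_TCLASS.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        sock.settimeout(timeout)
        sock.connect((host, port))
        return True, "connected"
    except socket.timeout:
        return False, "timeout"          # a silent drop on the path looks like this
    except OSError as exc:
        return False, exc.strerror or str(exc)
    finally:
        sock.close()


def classify(host, port, timeout=5.0):
    """Compare an unmarked handshake with an EF-marked one."""
    plain_ok, _ = tcp_probe(host, port, 0, timeout)
    ef_ok, _ = tcp_probe(host, port, TOS_EF, timeout)
    if not plain_ok:
        return "inconclusive"   # not reachable even without marking
    return "ef-passes" if ef_ok else "ef-dropped"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: ef_probe.py HOST [PORT]")
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        print(sys.argv[1], port, classify(sys.argv[1], port))
```

Run it from outside the network under test against the server's address; "ef-dropped" means the unmarked handshake completed while the EF-marked one timed out or failed.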


