IPQoS EF packets blocked by some provider(s) / Login to OpenSSH >= 10.1 servers stuck in preauth
Oliver Freyermuth
o.freyermuth at googlemail.com
Sun Feb 8 05:35:45 AEDT 2026
Hi,
On 19.10.25 at 21:23, Oliver Freyermuth wrote:
> Hi,
>
> On 19.10.25 at 21:06, Gert Doering wrote:
>> Hi,
>>
>> On Mon, Oct 13, 2025 at 09:56:36PM +0200, Oliver Freyermuth via openssh-unix-dev wrote:
>>> Since my provider serves >1.5 million customers here in Germany, I presume this might hit others out there (maybe even with other providers). Sadly, getting through their first level support is almost impossible, so I have only a small hope of them fixing it.
>>
>> Name and shame... so who is this? There's enough people on the list
>> that have good ties into the ISP world, so maybe the message can be
>> relayed to "proper level support" :-)
>
> sure, that would be nice and much appreciated — that's Deutsche Glasfaser Wholesale GmbH (AS60294) here in Germany.
> Since I spent two months without IPv6 (likely a forgotten route somewhere in the provider infrastructure) until they fixed it not due to my many tickets which got stuck in first level, but likely since their technicians noticed it, I am rather pessimistic about reaching the correct service level myself.
>
> I tried pinging (ping -Q 184) my way through my route from outside, and can reach the last visible hop before my router with EF packets, but once I try to ping the WAN IP of my router, I have full packet loss and see no packets arriving on the outside of the device (one of the Fritz! devices common in Germany, directly connected to the fibre, which allows tcpdumping on the WAN interface).
>
> Funnily enough, I can reach some other addresses (should be CPEs) in the WAN subnet — which could imply EF packets are not dropped for all customers (maybe only those who are not leasing a router from the provider are affected?).
>
> To make doubly sure my router is not silently dropping them, since I have the honour of having two subscriptions with this provider, I checked that I can successfully ping with EF packets from one router to the other. It seems only filtered on provider level when the packets come from "outside".
>
> While of course dropping all EF packets silently is something I consider broken, I still wonder whether openssh could handle this better (e.g. fallback to non-EF packets if all packets are lost), as the RFC linked in my last mail suggests this might happen in some network environments (adjacent domains without negotiated EF rate).
I have good news to share: I rebooted both routers due to a firmware update today, which of course triggered a full reconnect of the fibre link.
It seems the provider has changed their configuration sometime within the last month — now, "ping -Q 184" and naturally also SSH with default config works fine, EF packets pass in and out!
Of course, it could in theory have been fixed by the router firmware update, but that seems extremely unlikely (I made doubly sure as described before: packets with EF marking coming from "outside" were not visible with a packet dump on the outside interface before, but pinging between the routers worked, i.e. packets only got lost if they came from "outside" through the provider network, and then never arrived in a pcap).
So in short: OpenSSH >= 10.1 works fine for me now behind AS60294!
Of course, configuration rollout might be region-dependent.
Cheers,
Oliver
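
Added example (not part of the original message or of OpenSSH): a small script that repeats the "ping -Q 184" comparison from this thread for a list of hops and flags where EF-marked probes are lost while best-effort probes still pass. It assumes Linux iputils ping; the function names and verdict labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: compare best-effort vs EF-marked ICMP reachability per hop.
# Assumes Linux iputils ping (-Q sets the TOS byte, as in "ping -Q 184").

# DSCP occupies the upper 6 bits of the TOS byte: EF = 46 -> 184.
dscp_to_tos() { echo $(( $1 << 2 )); }

# Extract the integer packet-loss percentage from ping's summary line (stdin).
parse_loss() {
    sed -n 's/.* \([0-9][0-9]*\)[.0-9]*% packet loss.*/\1/p'
}

# Send 5 probes with the given TOS byte; print loss percentage (100 on error).
probe() {
    loss=$(ping -n -c 5 -W 1 -Q "$2" "$1" 2>/dev/null | parse_loss)
    echo "${loss:-100}"
}

# Classify a hop from its best-effort loss ($1) and its EF loss ($2).
verdict() {
    if [ "$1" -ge 100 ] && [ "$2" -ge 100 ]; then
        echo "unreachable"   # no ICMP reply at all: says nothing about EF
    elif [ "$2" -ge 100 ]; then
        echo "ef-dropped"    # best effort passes, EF is fully lost
    elif [ "$2" -gt "$1" ]; then
        echo "ef-degraded"   # EF loses more than best effort
    else
        echo "ok"
    fi
}

# Usage: sh ef-check.sh hop1 hop2 ... target   (hops e.g. from traceroute)
ef_tos=$(dscp_to_tos 46)
for host in "$@"; do
    be=$(probe "$host" 0)
    ef=$(probe "$host" "$ef_tos")
    printf '%-40s be_loss=%3s%% ef_loss=%3s%% %s\n' \
        "$host" "$be" "$ef" "$(verdict "$be" "$ef")"
done
```

Run it from outside the affected network, as in the thread. For a path that reports ef-dropped, the `IPQoS` option in ssh_config and sshd_config selects a different marking.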