Current behavior to set DSCP EF code point by default is harmful
matt at theaddisons.us
Sat Apr 4 03:24:51 AEDT 2026
Apologies for formatting issues, been a hot minute since I’ve been active on mailing lists.
The current default behavior (changed in 10.1) to mark traffic EF by default is harmful, and contrary to RFC guidance. I would urge you to reconsider this default, and either set the default to CS2 (interactive)/CS0 (bulk), or just leave the default at CS0 such that operators that can benefit from it can configure it explicitly.
Harmful:
Networks may filter ingress EF traffic, as recommended in RFC3246 section 3, security considerations:
> To protect itself against denial of service attacks, the edge of a DS
> domain SHOULD strictly police all EF marked packets to a rate
> negotiated with the adjacent upstream domain. Packets in excess of
> the negotiated rate SHOULD be dropped. If two adjacent domains have
> not negotiated an EF rate, the downstream domain SHOULD use 0 as the
> rate (i.e., drop all EF marked packets).
This has been observed recently on this list with Oliver Freyermuth’s posts starting from October of 2025. His provider eventually resolved this, presumably by bleaching DSCP at ingress which is relatively common but not guaranteed (RFC9435, section 4).
More evidence of the harm can be found by consulting Google search results, where the “IPQoS 0x00” resolution is so common it’s made its way into Debian’s OpenSSH wiki as a resolution for SSH connection hangs (and this was mostly from the previous default behavior to use af21; using ef will exacerbate the problem).
RFC Contrary:
The EF code point is intended for realtime, low delay, *low jitter* traffic (i.e. telephony). Since OAM traffic like SSH is not jitter sensitive, the RFC guidance is that OAM traffic (including SNMP and SSH) belongs in CS2. These are defined in RFC4594 sections 4.1 and 3.3 respectively.
RFC3246: https://datatracker.ietf.org/doc/html/rfc3246 (An Expedited Forwarding PHB (Per-Hop Behavior))
RFC4594: https://datatracker.ietf.org/doc/html/rfc4594 (Configuration Guidelines for DiffServ Service Classes)
RFC9435: https://datatracker.ietf.org/doc/html/rfc9435 (Considerations for Assigning a New Recommended Differentiated Services Code Point (DSCP))
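To make the argument above concrete, here is an added Python illustration (not part of the original post and not OpenSSH code) that maps the DSCP names the post mentions to TOS byte values, decodes the DSCP field from constructed IPv4 headers, and runs them through the RFC 3246 section 3 edge policy: EF-marked packets are policed to the negotiated rate, and with no negotiated rate (0) they are all dropped, while CS2, AF21 and CS0 pass. It also shows the DSCP "bleaching" RFC 9435 section 4 describes. Assumptions: the handling of a numeric token such as "0x00" as the whole TOS byte is modelled on how I understand OpenSSH's IPQoS option to treat numbers, the legacy lowdelay/throughput/reliability keywords are omitted, and the "rate" is simplified to packets admitted per policing window.

```python
"""Decode DSCP code points from IPv4 headers and apply the RFC 3246 section 3
edge policy (police EF; with no negotiated rate, drop all EF-marked packets).
Added illustration for this thread, not OpenSSH code; packets are constructed."""
import ipaddress
import struct

# 6-bit DSCP values from RFC 2474 (CSx), RFC 2597 (AFxy) and RFC 3246 (EF).
# The IPv4 TOS byte carries DSCP in its upper six bits: TOS = DSCP << 2.
DSCP_BY_NAME = {
    **{f"cs{i}": i * 8 for i in range(8)},
    "af11": 10, "af12": 12, "af13": 14,
    "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30,
    "af41": 34, "af42": 36, "af43": 38,
    "ef": 46,
}
NAME_BY_DSCP = {v: k for k, v in DSCP_BY_NAME.items()}


def tos_from_ipqos(token: str) -> int:
    """Map an IPQoS-style token to a TOS byte.

    Keywords are the DSCP names above. A numeric token such as "0x00" is taken
    as the whole TOS byte (assumption: this mirrors how OpenSSH's IPQoS option
    treats numbers; the lowdelay/throughput/reliability keywords are omitted).
    """
    token = token.strip().lower()
    if token in DSCP_BY_NAME:
        return DSCP_BY_NAME[token] << 2
    value = int(token, 0)  # accepts "0x00", "0o10", "184", ...
    if not 0 <= value <= 255:
        raise ValueError(f"TOS value out of range: {token}")
    return value


def make_ipv4_header(tos: int, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying the given TOS byte.
    Header checksum is left zero; enough for DSCP inspection, not for sending."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0x4000, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def dscp_of(packet: bytes) -> int:
    """Return the 6-bit DSCP from an IPv4 header (upper six bits of byte 1)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2


def bleach(packet: bytes) -> bytes:
    """Rewrite DSCP to CS0 at ingress while preserving the two ECN bits, the
    behaviour RFC 9435 section 4 describes as common but not guaranteed.
    (A real device would also recompute the header checksum.)"""
    ecn = packet[1] & 0x03
    return packet[:1] + bytes([ecn]) + packet[2:]


class EfEdgePolicer:
    """RFC 3246 section 3: the edge of a DS domain polices EF-marked packets to
    the rate negotiated with the upstream domain; if none was negotiated the
    rate is 0 and every EF packet is dropped. Rate is modelled as EF packets
    admitted per policing window; everything else is forwarded untouched."""

    def __init__(self, negotiated_ef_rate: int = 0):
        self.rate = negotiated_ef_rate
        self.ef_admitted = 0

    def new_window(self) -> None:
        self.ef_admitted = 0

    def decide(self, packet: bytes) -> str:
        if dscp_of(packet) != DSCP_BY_NAME["ef"]:
            return "forward"
        if self.ef_admitted < self.rate:
            self.ef_admitted += 1
            return "forward"
        return "drop"


def ssh_fate_by_marking(negotiated_ef_rate: int = 0) -> dict:
    """Fate of a constructed SSH packet under each marking discussed in the
    thread when it crosses an edge that polices EF per RFC 3246 section 3."""
    policer = EfEdgePolicer(negotiated_ef_rate)
    return {name: policer.decide(make_ipv4_header(tos_from_ipqos(name)))
            for name in ("ef", "af21", "cs2", "0x00")}


if __name__ == "__main__":
    for marking, fate in ssh_fate_by_marking().items():
        print(f"{marking:>5}: {fate}")
```

Running the block with the default (no negotiated EF rate) forwards the af21, cs2 and 0x00 packets and drops the ef one, which is the failure mode the post describes for a default EF marking; an operator who has actually negotiated an EF rate with their provider can pass it to `ssh_fate_by_marking()` to see the policed case instead.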