Current behavior to set DSCP EF code point by default is harmful
matt at theaddisons.us
Sat Apr 11 01:46:30 AEST 2026
On Apr 10, 2026, at 10:32 AM, Stuart Henderson <stu at spacehopper.org> wrote:
>
> On 2026/04/10 09:45, matt at theaddisons.us wrote:
>> Leaving this as a default is going
>> to force more operators to either bleach traffic (which is what’s
>> likely happened in every case where a user complains, because as an
>> operator it’s *far* easier to just wipe all your DSCP markings
>> if you’re not paying me to do anything with them),
>
> this seems *exactly* what a network should be doing for traffic coming
> from somewhere that they don't want to trust about codepoints.
As an operator, I’d much prefer to leave the DSCP codepoint alone, but if
someone’s abusing it and causing a problem (historically it was the gamers
doing this), you can bet it’s going to get bleached and make it less useful for
*everyone*. Including the people using OTT SIP services you’re about to mention.

Within the corporate and enterprise environment you have lots of station ports
where you do want to trust DSCP: desktop phones, SIP softphones. Applications
abusing EF are causing more headaches and more complicated configuration to
prevent network resource misuse.
>> or implement
>> changes which end up in SSH traffic being dropped (which is what’s
>> likely happening before people complain and they bleach, because
>> they’re applying strict priority to the traffic going into EF, so
>> if your destination isn’t in their VoIP termination networks and
>> you’re marked with EF you get dropped because you’re misusing
>> their network).
>
> so, if some ISP customer has a voip setup with a provider other
> than that ISP, which results in emergency calls being marked EF (which
> seems extremely unlikely to me, but let's go with it) - someone with
> that policy would be dropping those calls.
This traffic would have already been dropped, but more people abusing EF is
indeed going to lead to some people who previously were able to use EF not
being able to, depending on how their provider responds to the increase in
traffic. Especially when it causes problems for the provider's hosted VoIP
service. Lots of residential access providers also provide voice and video
services; well-behaved EF traffic may have benefited from this in the past.
More people abusing it, as OpenSSH is now doing, ruins it for *everyone*.
> it could be argued that OpenSSH flushing this out before something
> more critical is a very good thing.
OpenSSH adding to an existing problem and causing operators to bleach traffic
when it otherwise hasn’t been necessary isn’t a good thing.
More information about the openssh-unix-dev
mailing list