Hi Saku,

On Thu, 13 Feb 2014, Saku Ytti wrote:

> Real networks use either PREC (as it maps 1:1 to 802.1p and MPLS TC) or
> DSCP. Interactive SSH uses PREC 0x0, which is just best-effort and DSCP
> 0x4 which has no standard meaning (found network where DSCP 0x4 was
> dropped, completely, as it didn't hit any defined/allowed QoS class,
> obviously misconfig, BE class should eat anything not already defined)
>
> Should interactive use TOS value which has highest chance for priority
> behaviour? If so, then PREC 5 == DSCP CS5 is best bet.

To my knowledge, DSCP code points have no predefined global
interpretation. Their actual interpretation depends on network policy of
the network where they are found. The only way to set a sensible DSCP on
SSH packets is to make the actual code point configurable, so that admins
can configure it according to their site policy.

Because of that, there is no universal agreement (and can never be) on the
meanings of TOS flags or DSCP code points when packets move between
networks. One must understand the DSCP/TOS assignment of each network that
one connects to, and remap inbound packets to conform to one's own policy.
Since this is a complete and utter nightmare of impossibility, virtually
nobody has actually done it. I've never seen a packet tagged with a DSCP
code point inbound to my networks. Admittedly I haven't been looking very
hard, but I do use TOS bits extensively.

Because, since DSCP is useless between networks, an informal ad-hoc
"standard" based on the old TOS values has evolved and is in widespread
use (but certainly not universal), despite the IETF's best (not very good)
effort to "kill it off" by redefining the bits with incompatible meanings
in DSCP and ECN.

OpenSSH is conforming to this "informal standard", and with its huge
installed user base, helping to define it as well. It already does set a
high-priority TOS flag on interactive sessions, and low-priority on
non-interactive ones:

* https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1067522
* http://www.gossamer-threads.com/lists/openssh/dev/48410

Until the ability to set a user-defined DSCP is implemented, you would
need to remap outgoing packets on your SSH clients and servers to change
the TOS flags into DSCP code points according to your site policies.

Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <chris+sig at qwirx.com> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
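
Added example, not part of the message above and not OpenSSH code: it decodes one IPv4 TOS byte under the PREC, DSCP, ECN and legacy-TOS readings discussed in the thread, and computes the remapped byte a site would write on egress. The flag values are the standard IPTOS_LOWDELAY / IPTOS_THROUGHPUT constants from <netinet/ip.h>; the function names and the SITE_POLICY mapping (CS5 for interactive, CS1 for bulk) are assumptions for illustration.

```python
# Legacy TOS flags (RFC 1349), values as defined in <netinet/ip.h>.
IPTOS_LOWDELAY = 0x10    # the flag behind "PREC 0x0, DSCP 0x4" for interactive SSH
IPTOS_THROUGHPUT = 0x08  # bulk / non-interactive sessions


def decode_tos(tos):
    """Split one TOS byte into the overlapping interpretations of its bits."""
    return {
        "prec": tos >> 5,          # RFC 791 precedence: top 3 bits
        "dscp": tos >> 2,          # RFC 2474 DSCP: top 6 bits
        "ecn": tos & 0x03,         # RFC 3168 ECN: bottom 2 bits
        # Legacy flags minus the old "min cost" bit (0x02), which ECN now owns.
        "legacy_tos": tos & 0x1C,
    }


# Hypothetical site policy: legacy flag -> DSCP code point to write on egress.
SITE_POLICY = {
    IPTOS_LOWDELAY: 40,   # CS5, the value suggested in the quoted question
    IPTOS_THROUGHPUT: 8,  # CS1, assumed here as the site's bulk class
}


def remap(tos, policy=SITE_POLICY):
    """Return the TOS byte after applying the site policy.

    Packets that already carry a non-zero precedence are left alone, unknown
    legacy flags pass through unchanged, and the ECN bits are preserved.
    """
    fields = decode_tos(tos)
    if fields["prec"] != 0:
        return tos
    dscp = policy.get(fields["legacy_tos"])
    if dscp is None:
        return tos
    return (dscp << 2) | fields["ecn"]


if __name__ == "__main__":
    # Constructed sample bytes: interactive, interactive + ECT(0), bulk, CS5.
    for sample in (0x10, 0x12, 0x08, 0xA0):
        print(hex(sample), decode_tos(sample), "->", hex(remap(sample)))
```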