Hi Saku,
On Thu, 13 Feb 2014, Saku Ytti wrote:
Real networks use either PREC (as it maps 1:1 to 802.1p and MPLS TC) or
DSCP. Interactive SSH uses PREC 0x0, which is just best-effort and DSCP
0x4 which has no standard meaning (found network where DSCP 0x4 was
dropped, completely, as it didn't hit any defined/allowed QoS class,
obviously misconfig, BE class should eat anything not already defined)
Should interactive use TOS value which has highest chance for priority
behaviour? If so, then PREC 5 == DSCP CS5 is best bet.
To my knowledge, DSCP code points have no predefined global
interpretation. Their actual interpretation depends on network policy of
the network where they are found. The only way to set a sensible DSCP on
SSH packets is to make the actual code point configurable, so that admins
can configure it according to their site policy.
Because of that, there is no universal agreement (and can never be) on the
meanings of TOS flags or DSCP code points when packets move between
networks. One must understand the DSCP/TOS assignment of each network that
one connects to, and remap inbound packets to conform to one's own policy.
Since this is a complete and utter nightmare of impossibility, virtually
nobody has actually done it. I've never seen a packet tagged with a DSCP
code point inbound to my networks. Admittedly I haven't been looking very
hard, but I do use TOS bits extensively.
Because, since DSCP is useless between networks, an informal ad-hoc
"standard" based on the old TOS values has evolved and is in widespread
use (but certainly not universal), despite the IETF's best (not very good)
effort to "kill it off" by redefining the bits with incompatible meanings
in DSCP and ECN.
OpenSSH is conforming to this "informal standard", and with its huge
installed user base, helping to define it as well. It already does set a
high-priority TOS flag on interactive sessions, and low-priority on
non-interactive ones:
* https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1067522
* http://www.gossamer-threads.com/lists/openssh/dev/48410
Until the ability to set a user-defined DSCP is implemented, you would
need to remap outgoing packets on your SSH clients and servers to change
the TOS flags into DSCP code points according to your site policies.
Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <chris+sig@xxxxxxxxx> Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\__/_/_/_//_/___/ | We are GNU : free your mind & your software |
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
