author | job@openbsd.org <job@openbsd.org> | 2018-04-04 15:12:17 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-04-06 14:20:33 +1000 |
commit | 5ee8448ad7c306f05a9f56769f95336a8269f379 (patch) | |
tree | fac0e97f27145aeef62714ac0f50651ef4621df9 | |
parent | 424b544fbda963f973da80f884717c3e0a513288 (diff) |
upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP AF21 for
interactive and CS1 for bulk
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavanger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS EXP/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181
-rw-r--r-- | readconf.c | 6 | ||||
-rw-r--r-- | servconf.c | 6 | ||||
-rw-r--r-- | ssh_config.5 | 10 | ||||
-rw-r--r-- | sshd_config.5 | 10 |
4 files changed, 18 insertions, 14 deletions
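--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.283 2018/02/23 15:58:37 markus Exp $ */
+/* $OpenBSD: readconf.c,v 1.284 2018/04/04 15:12:17 job Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1998,9 +1998,9 @@ fill_default_options(Options * options)
 if (options->visual_host_key == -1)
 options->visual_host_key = 0;
 if (options->ip_qos_interactive == -1)
-options->ip_qos_interactive = IPTOS_LOWDELAY;
+options->ip_qos_interactive = IPTOS_DSCP_AF21;
 if (options->ip_qos_bulk == -1)
-options->ip_qos_bulk = IPTOS_THROUGHPUT;
+options->ip_qos_bulk = IPTOS_DSCP_CS1;
 if (options->request_tty == -1)
 options->request_tty = REQUEST_TTY_AUTO;
 if (options->proxy_use_fdpass == -1)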
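Review bot: IPTOS_DSCP_AF21 and IPTOS_DSCP_CS1 at new lines 2001 and 2003 are not provided by every libc's <netinet/ip.h>, unlike the IPTOS_LOWDELAY and IPTOS_THROUGHPUT macros they replace, so in the portable tree this only builds on platforms that lack them if a fallback such as `#ifndef IPTOS_DSCP_AF21` / `#define IPTOS_DSCP_AF21 0x48` / `#define IPTOS_DSCP_CS1 0x20` exists elsewhere (defines.h is the usual place; it is not visible in this diff, so please confirm). The new values are bare identifiers with no explanation at the point of use; a short why-comment on the interactive assignment, `/* RFC 4594 AF21 (low-latency data), RFC 3662 CS1 (lower effort); see ssh_config(5) */`, would spare the next reader a trip to the commit log. fill_default_options starts before this hunk and continues after it.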
diff --git a/servconf.c b/servconf.c index 0f0d09068..4a508f138 100644 --- a/servconf.c +++ b/servconf.c | |||
@@ -1,5 +1,5 @@ | |||
1 | 1 | ||
2 | /* $OpenBSD: servconf.c,v 1.326 2018/03/01 20:32:16 markus Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.327 2018/04/04 15:12:17 job Exp $ */ |
3 | /* | 3 | /* |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
5 | * All rights reserved | 5 | * All rights reserved |
@@ -372,9 +372,9 @@ fill_default_server_options(ServerOptions *options) | |||
372 | if (options->permit_tun == -1) | 372 | if (options->permit_tun == -1) |
373 | options->permit_tun = SSH_TUNMODE_NO; | 373 | options->permit_tun = SSH_TUNMODE_NO; |
374 | if (options->ip_qos_interactive == -1) | 374 | if (options->ip_qos_interactive == -1) |
375 | options->ip_qos_interactive = IPTOS_LOWDELAY; | 375 | options->ip_qos_interactive = IPTOS_DSCP_AF21; |
376 | if (options->ip_qos_bulk == -1) | 376 | if (options->ip_qos_bulk == -1) |
377 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 377 | options->ip_qos_bulk = IPTOS_DSCP_CS1; |
378 | if (options->version_addendum == NULL) | 378 | if (options->version_addendum == NULL) |
379 | options->version_addendum = xstrdup(""); | 379 | options->version_addendum = xstrdup(""); |
380 | if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) | 380 | if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) |
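Review bot: Changing the server-side defaults at new lines 375 and 377 silently changes the DSCP marking of every sshd session whose config does not set IPQoS, and site ACLs, QoS policers or middleboxes keyed on the old TOS values (lowdelay/throughput) will see those flows reclassified, which on a network that drops or polices AF21- or CS1-marked traffic can present as hung or slow sessions with nothing in the sshd log to explain it. The commit message justifies the new marks well, but neither this code nor the accompanying sshd_config(5) change tells an administrator how to get the previous behaviour back; a one-line note in the IPQoS description such as "The previous defaults can be restored with `IPQoS lowdelay throughput`" would cover that. Since the bulk mark applies to all non-interactive sessions including sftp-subsystem transfers, the same note should make clear that CS1 may be deprioritised below best-effort on networks honouring RFC 3662. fill_default_server_options starts before this hunk and continues after it.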
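--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.268 2018/02/23 07:38:09 jmc Exp $
-.Dd $Mdocdate: February 23 2018 $
+.\" $OpenBSD: ssh_config.5,v 1.269 2018/04/04 15:12:17 job Exp $
+.Dd $Mdocdate: April 4 2018 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -984,9 +984,11 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
-.Cm lowdelay
+.Cm af21
+.Ar (Low-Latency Data)
 for interactive sessions and
-.Cm throughput
+.Cm cs1
+.Ar (Lower Effort)
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.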
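--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.263 2018/02/16 02:40:45 djm Exp $
-.Dd $Mdocdate: February 16 2018 $
+.\" $OpenBSD: sshd_config.5,v 1.264 2018/04/04 15:12:17 job Exp $
+.Dd $Mdocdate: April 4 2018 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -816,9 +816,11 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
-.Cm lowdelay
+.Cm af21
+.Ar (Low-Latency Data)
 for interactive sessions and
-.Cm throughput
+.Cm cs1
+.Ar (Lower Effort)
 for non-interactive sessions.
 .It Cm KbdInteractiveAuthentication
 Specifies whether to allow keyboard-interactive authentication.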