
From: Matthieu Herrb <matthieu@openbsd.org>
Subject: Re: ntpd - use dscp (diff)
To: tech@openbsd.org
Date: Wed, 22 Oct 2025 08:04:17 +0200

On Tue, Oct 21, 2025 at 10:52:57PM +0100, Stuart Henderson wrote:
> On 2025/10/21 15:33, Theo de Raadt wrote:
> > David Hill <dhill@mindcry.org> wrote:
> > 
> > > This diff adds DSCP EF for ipv6 ntp packets, and switches ipv4 to it
> > > as well.  This also matches
> > > https://github.com/ntp-project/ntp/blob/8a37f9b66d374b164531f0189caba4cbfd68bb61/ntpd/ntp_io.c#L79
> > 
> > I don't actually believe this is a good idea.
> > 
> > If other services on a path abuse the EF tag, that could lead to packets
> > being dropped by a router.  And could have more negative impacts upon
> > ntp communication than the positive effects being theorized (which I
> > suspect are marginal).  I do not think ntp traffic, in particular
> > relating to openntpd on openbsd machines, are sensitive enough to be
> > improved by this tweak, but are more likely harmed by traffic losses.
> > 
> > 
> 
> oh, this is UDP of course, it wouldn't be a huge surprise if some
> networks put tougher policing on it than TCP...
> 
> will be interesting to see how this goes with ntpd (though I guess
> it's not that a big player now - chrony and systemd-timesync are
> probably more important now - chrony allows setting codepoints
> but doesn't do it by default - systemd-timesync does set by default
> and... https://github.com/systemd/systemd/issues/37403
> 

In France, it seems that Orange is putting UDP traffic with certain
DSCP flags to a special "voice" class with maybe a higher priority, but
a limited bandwidth (5Mb/s apparently). This is hurting people running
wireguard tunnels:

https://lafibre.info/orange-debit/5g-home-debit-limite-a-5-mbs-avec-les-flux-dscp-0x08/120/

(in French, sorry)

And they also limit TCP traffic this way, and this hurts large
SFTP transfers, but at least in ssh one can change the DSCP flags.

For NTP traffic this would not be an issue, but it shows that ISPs are
playing games with DSCP...
-- 
Matthieu Herrb
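
The marking discussed in this thread, as an added example that is not part of the original message or of the ntpd diff: how a DSCP codepoint such as EF maps onto the IPv4 TOS / IPv6 traffic class byte, how it is set on a UDP socket for both address families, and how to read it back or reset it to best effort. The names `dscp_to_tos`, `tos_to_dscp` and `mark_udp_socket` are hypothetical, and the code assumes a platform that exposes `IP_TOS` and `IPV6_TCLASS`.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <unistd.h>

#define DSCP_EF 46	/* Expedited Forwarding (RFC 3246) */
#define DSCP_BE 0	/* best effort: the unmarked default */

/* DSCP is the upper six bits of the byte; the lower two bits are ECN. */
int dscp_to_tos(int dscp) { return (dscp & 0x3f) << 2; }
int tos_to_dscp(int tos)  { return (tos >> 2) & 0x3f; }

/*
 * Open a UDP socket of family af, mark it with dscp, and return the
 * DSCP the kernel reports back, or -1 if the family or option is
 * unavailable. IPv4 and IPv6 use different socket options, so marking
 * only one of them leaves the other family's packets unmarked.
 */
int mark_udp_socket(int af, int dscp)
{
	int level = (af == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
	int opt = (af == AF_INET6) ? IPV6_TCLASS : IP_TOS;
	int tos = dscp_to_tos(dscp), got = 0;
	socklen_t len = sizeof(got);
	int fd = socket(af, SOCK_DGRAM, 0);

	if (fd == -1)
		return -1;
	if (setsockopt(fd, level, opt, &tos, sizeof(tos)) == -1 ||
	    getsockopt(fd, level, opt, &got, &len) == -1) {
		close(fd);
		return -1;
	}
	close(fd);
	return tos_to_dscp(got);
}

int main(void)
{
	printf("EF as TOS/tclass byte: 0x%02x\n", dscp_to_tos(DSCP_EF));
	printf("IPv4 readback: %d\n", mark_udp_socket(AF_INET, DSCP_EF));
	printf("IPv6 readback: %d\n", mark_udp_socket(AF_INET6, DSCP_EF));
	/* Resetting to best effort avoids any per-class policing on the path. */
	printf("IPv4 reset:    %d\n", mark_udp_socket(AF_INET, DSCP_BE));
	return 0;
}
```

The readback only confirms what the local socket requests; routers on the path may still remark or police the traffic.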