* [LARTC] ssh versus scp
@ 2002-11-25 19:12 Sebastian 'spax' Pape
  2002-11-25 21:27 ` Ramin Alidousti
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Sebastian 'spax' Pape @ 2002-11-25 19:12 UTC (permalink / raw)
  To: lartc

hi!

I'd like to prioritize ssh traffic, but of course I don't want scp to
get prioritized, too. In the "actual script" of the HOWTO, prioritization
is done with this:

| # TOS Minimum Delay (ssh, NOT scp) in 1:10:
| tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
|      match ip tos 0x10 0xff  flowid 1:10

I'm not sure if I got all of it, but it seems to me that there is no
port match; this rule seems to match all packets with a
Minimize-Delay 16 (0x10) TOS value.

I watched some packets with tcpdump and it also seems that scp packets
all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
ssh" packets have Normal-Service 0 (0x00). It's no problem to match
these packets with iptables (just drop me a note if you want to have
the iptables syntax). But the question I have is:

Are these TOS values standard for ssh and scp, or do all
ssh/scp clients use whatever values they like? I searched the net, but
haven't found anything useful yet.

best regards

		Sebastian

-- 
Sebastian 'spax' Pape          | A diplomat is someone who can tell you to go
mailto: sebastian@p-a-p-e.de   | to hell in such a way that you will look
gpg: http://p-a-p-e.de/gpg.asc | forward to the trip.
         --- Do you want to know more? http://www.p-a-p-e.de/ ---

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
@ 2002-11-25 21:27 ` Ramin Alidousti
  2002-11-25 21:44 ` Robert Penz
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ramin Alidousti @ 2002-11-25 21:27 UTC (permalink / raw)
  To: lartc

Hi,

You are out of luck here. There is no distinction between ssh and scp
at IP, TCP or the application layer for that matter. Basically scp is
a wrapper which uses ssh as the transfer method...

Ramin

On Mon, Nov 25, 2002 at 08:12:07PM +0100, Sebastian 'spax' Pape wrote:

> hi!
> 
> I'd like to prioritize ssh traffic, but of course I don't want scp to
> get prioritized, too. In the "actual script" of the HOWTO, prioritization
> is done with this:
> 
> | # TOS Minimum Delay (ssh, NOT scp) in 1:10:
> | tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 \
> |      match ip tos 0x10 0xff  flowid 1:10
> 
> I'm not sure if I got all of it, but it seems to me that there is no
> port match; this rule seems to match all packets with a
> Minimize-Delay 16 (0x10) TOS value.
> 
> I watched some packets with tcpdump and it also seems that scp packets
> all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
> ssh" packets have Normal-Service 0 (0x00). It's no problem to match
> these packets with iptables (just drop me a note if you want to have
> the iptables syntax). But the question I have is:
> 
> Are these TOS values standard for ssh and scp, or do all
> ssh/scp clients use whatever values they like? I searched the net, but
> haven't found anything useful yet.
> 
> best regards
> 
> 		Sebastian
> 

* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
  2002-11-25 21:27 ` Ramin Alidousti
@ 2002-11-25 21:44 ` Robert Penz
  2002-11-25 22:11 ` Martin A. Brown
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Robert Penz @ 2002-11-25 21:44 UTC (permalink / raw)
  To: lartc


On Monday 25 November 2002 20:12, Sebastian 'spax' Pape wrote:
> I watched some packets with tcpdump and it also seems that scp packets
> all have the Maximize-Throughput 8 (0x08) TOS value, but all "pure
> ssh" packets have Normal-Service 0 (0x00). It's no problem to match
> these packets with iptables (just drop me a note if you want to have
> the iptables syntax). But the question I have is:
could you please tell me how you match ssh and not scp with iptables?

-- 
Regards,
Robert
----------------
Robert Penz
robert.penz AT outertech.com

* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
  2002-11-25 21:27 ` Ramin Alidousti
  2002-11-25 21:44 ` Robert Penz
@ 2002-11-25 22:11 ` Martin A. Brown
  2002-11-25 22:28 ` M.F. PSIkappa
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Martin A. Brown @ 2002-11-25 22:11 UTC (permalink / raw)
  To: lartc

For posterity:

Data gathered with the following tcpdump command:

# tcpdump  -nnqti eth0 port 22 and host y.y.y.y

ssh session:
<session setup snipped, no special ToS value; normal>

x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10] 
y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10] 
y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10] 
x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10] 

scp session:
<session setup snipped, no special ToS value; normal>

y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8] 
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8] 
x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8] 
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8] 

So, one *should* be able to do something like this:

# iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
# iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I haven't done it.....Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com



* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
                   ` (2 preceding siblings ...)
  2002-11-25 22:11 ` Martin A. Brown
@ 2002-11-25 22:28 ` M.F. PSIkappa
  2002-11-25 22:34 ` Sebastian 'spax' Pape
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: M.F. PSIkappa @ 2002-11-25 22:28 UTC (permalink / raw)
  To: lartc

Hello,
It's nice but ...
When I make an ssh connection, it has TOS 0x10. That's OK.
When I use ssh with a command, then the TOS is 0x8 (e.g. ssh user@host su).
And a little trick to end...
When I make an ssh tunnel, it has TOS 0x10, and so I can push data with
the minimum-delay TOS.

I think the only possibility is to use the bytecount patch.

On Mon, 25 Nov 2002, Martin A. Brown wrote:

> For posterity:
>
> Data gathered with the following tcpdump command:
>
> # tcpdump  -nnqti eth0 port 22 and host y.y.y.y
>
> ssh session:
> <session setup snipped, no special ToS value; normal>
>
> x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
> y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
> y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10]
> y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10]
> x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10]
>
> scp session:
> <session setup snipped, no special ToS value; normal>
>
> y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
> x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8]
> y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
> x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8]
> y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
>
> So, one *should* be able to do something like this:
>
> # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
> # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> I haven't done it.....Good luck,
>
> -Martin

--
`)_|_('       PSIkappa
   I k        psi _at_ talker.sk


* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
                   ` (3 preceding siblings ...)
  2002-11-25 22:28 ` M.F. PSIkappa
@ 2002-11-25 22:34 ` Sebastian 'spax' Pape
  2002-11-25 22:42 ` Sebastian 'spax' Pape
  2002-11-26  4:15 ` Kenneth Porter
  6 siblings, 0 replies; 8+ messages in thread
From: Sebastian 'spax' Pape @ 2002-11-25 22:34 UTC (permalink / raw)
  To: lartc

On Mon, 25 Nov 2002, Robert Penz wrote:

> could you please tell me how you match ssh and not scp with iptables?

I did almost the same as Martin suggested:

| So, one *should* be able to do something like this:
|
| # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
| # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain

# (ssh)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#  -m tos ! --tos Maximize-Throughput \
#  -j MARK --set-mark 2

# (scp)
# $IPTABLES -A PREROUTING -t mangle -p tcp --dport 22 \
#  -m tos --tos Maximize-Throughput \
#  -j MARK --set-mark 8

it works for me but I'm not sure if it is in general correct.

greetings
		Sebastian

-- 
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: sebastian@p-a-p-e.de   | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
         --- Do you want to know more? http://www.p-a-p-e.de/ ---
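Martin's tcpdump lines run through both rule sets in the thread (Martin's exact-TOS chains and Sebastian's negated mangle match above), as an added Python example that is not from the original thread: the ten packet lines are copied from Martin's post as constructed input, `tos_match` reimplements the value/mask test behind `u32 match ip tos` and `-m tos`, and the two rule tables are my transcription of the iptables lines.

```python
import re
from collections import defaultdict
# Constructed input: the ten tcpdump lines from Martin's post (ssh session, then scp);
# a line without a [tos ...] tag carries TOS 0x00.
SAMPLE = """\
x.x.x.x.48101 > y.y.y.y.22: tcp 48 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48101: tcp 0 (DF)
y.y.y.y.22 > x.x.x.x.48101: tcp 48 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48101: tcp 80 (DF) [tos 0x10]
x.x.x.x.48101 > y.y.y.y.22: tcp 0 (DF) [tos 0x10]
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF)
x.x.x.x.48103 > y.y.y.y.22: tcp 64 (DF) [tos 0x8]
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
x.x.x.x.48103 > y.y.y.y.22: tcp 0 (DF) [tos 0x8]
y.y.y.y.22 > x.x.x.x.48103: tcp 48 (DF) [tos 0x8]
"""
HDR = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)")
TOS = re.compile(r"\[tos 0x([0-9a-fA-F]+)\]")
IPTOS_LOWDELAY, IPTOS_THROUGHPUT = 0x10, 0x08   # Minimize-Delay, Maximize-Throughput

def parse(text):
    """Turn `tcpdump -nnqt` lines into dicts; TOS defaults to 0 when no tag is printed."""
    pkts = []
    for line in text.splitlines():
        m = HDR.match(line)
        if not m:
            continue
        t = TOS.search(line)
        pkts.append({"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4]),
                     "len": int(m[5]), "tos": int(t[1], 16) if t else 0})
    return pkts

def tos_match(pkt, value, mask=0xFF, negate=False):
    """The test behind `u32 match ip tos VALUE MASK` and `iptables -m tos [!] --tos VALUE`."""
    return ((pkt["tos"] & mask) == value) != negate

def classify(pkts, rules):
    """First matching (predicate, label) wins, like walking a chain; returns label -> count.
    TOS is whatever the sender wrote into the header, so this sorts by the sender's claim."""
    counts = defaultdict(int)
    for p in pkts:
        counts[next((lbl for pred, lbl in rules if pred(p)), "unmatched")] += 1
    return dict(counts)

# Martin's FORWARD rules: exact TOS value picks the chain, in both directions.
MARTIN = [(lambda p: tos_match(p, IPTOS_THROUGHPUT), "scpchain"),
          (lambda p: tos_match(p, IPTOS_LOWDELAY), "sshchain")]
# Sebastian's PREROUTING/mangle rules: only client->server (dport 22) packets are seen, and the
# negated match sweeps every non-Maximize-Throughput packet, TOS 0x00 included, into the ssh mark.
SEBASTIAN = [(lambda p: p["dport"] == 22 and tos_match(p, IPTOS_THROUGHPUT), "mark 8 (scp)"),
             (lambda p: p["dport"] == 22 and tos_match(p, IPTOS_THROUGHPUT, negate=True), "mark 2 (ssh)")]
```

On this input Martin's rules leave the two untagged setup packets unmatched, while Sebastian's negated match puts the untagged client-side packets into the ssh mark and never sees the server-to-client half at all.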



* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
                   ` (4 preceding siblings ...)
  2002-11-25 22:34 ` Sebastian 'spax' Pape
@ 2002-11-25 22:42 ` Sebastian 'spax' Pape
  2002-11-26  4:15 ` Kenneth Porter
  6 siblings, 0 replies; 8+ messages in thread
From: Sebastian 'spax' Pape @ 2002-11-25 22:42 UTC (permalink / raw)
  To: lartc

hi Martin,

I found almost the same except that my ssh-packets didn't have their
TOS-value set.

> So, one *should* be able to do something like this:
>
> # iptables -t filter -A FORWARD -m tos --tos 0x08 -j scpchain
> # iptables -t filter -A FORWARD -m tos --tos 0x10 -j sshchain
That's almost the same idea as in the "actual script" from the HOWTO.
So it seems my ssh-client doesn't like to set tos-values :o

> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
*bookmarked* ;)

greetings
		Sebastian

-- 
Sebastian 'spax' Pape          | "Things should be as simple as possible, but
mailto: sebastian@p-a-p-e.de   | not simpler." -- Albert Einstein
gpg: http://p-a-p-e.de/gpg.asc |
         --- Do you want to know more? http://www.p-a-p-e.de/ ---


* Re: [LARTC] ssh versus scp
  2002-11-25 19:12 [LARTC] ssh versus scp Sebastian 'spax' Pape
                   ` (5 preceding siblings ...)
  2002-11-25 22:42 ` Sebastian 'spax' Pape
@ 2002-11-26  4:15 ` Kenneth Porter
  6 siblings, 0 replies; 8+ messages in thread
From: Kenneth Porter @ 2002-11-26  4:15 UTC (permalink / raw)
  To: lartc

--On Monday, November 25, 2002 8:12 PM +0100 Sebastian 'spax' Pape
<pape@rbg.informatik.tu-darmstadt.de> wrote:

> Are these TOS values standard for ssh and scp, or do all
> ssh/scp clients use whatever values they like? I searched the net, but
> haven't found anything useful yet.

Good question. In general, is there a Linux API for setting TOS on a
connection? Or for UDP? For example, what would be the "right" values for
UDP game packets, which suffer if dropped or delayed?
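
On the API question: on Linux the TOS byte is a per-socket option, IP_TOS via setsockopt(2), for TCP and UDP alike, and no privilege is needed to set it. An added Python example, not from the thread, that sets it on an unconnected TCP socket and on a UDP sender, and reads it back on a loopback UDP receiver with IP_RECVTOS; the fallback value 13 for IP_RECVTOS is the Linux constant and is assumed.

```python
import socket

IPTOS_LOWDELAY = 0x10     # "Minimize-Delay": the TOS seen on the interactive ssh session
IPTOS_THROUGHPUT = 0x08   # "Maximize-Throughput": the TOS seen on the scp session
IP_RECVTOS = getattr(socket, "IP_RECVTOS", 13)  # Linux constant; assumed when Python lacks it

def set_tos(sock, tos):
    """Set the IPv4 TOS byte on a socket (TCP or UDP); returns what the kernel stored."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)

def tcp_tos_readback(tos):
    """What an ssh or scp client effectively does: pick a TOS on an ordinary TCP socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return set_tos(s, tos)

def udp_roundtrip_tos(tos, payload=b"tick"):
    """Send one datagram over loopback with the given TOS and return the TOS byte the
    receiver observed (IP_RECVTOS makes recvmsg() hand it over as ancillary data)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.setsockopt(socket.IPPROTO_IP, IP_RECVTOS, 1)
        rx.settimeout(2)
        set_tos(tx, tos)
        tx.sendto(payload, rx.getsockname())
        data, ancdata, _, _ = rx.recvmsg(len(payload), socket.CMSG_SPACE(1))
        if data != payload:
            raise RuntimeError("unexpected datagram")
        # Whatever arrives here is exactly what the sender chose: a classifier keyed on
        # TOS (tc u32, iptables -m tos) is trusting the sender's self-declared class.
        for level, ctype, cdata in ancdata:
            if level == socket.IPPROTO_IP and ctype == socket.IP_TOS:
                return cdata[0]
        return None
```

A gateway that wants to enforce a class rather than trust the endpoint's byte has to rewrite it on the way through (the mangle table can do that) instead of matching on it.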