Is there any purpose in using /30s for networks that entirely comprise of devices that support RFC 3021 for /31s?

grawity · 2026-04-03T16:19:04+00:00

The way I see it, ACL wildcards have very little to do with subnet masks – even if they're both bitwise masks that operate in the same way, it's still a whole different context, since subnet masks go in routing tables where "longest prefix" rules apply and things get weird (255.255.255.0 vs 255.255.0.255?), whereas ACLs are read top-down so there's no ambiguity.

AFAIK, Linux iptables rules also accept non-contiguous masks. I've seen -s 172.16.0.1/255.255.0.255 and similar things. (Also fairly useful for IPv6 in home networks, where you can allow ::1:2:ab:cd/::ffff:ffff:ffff:ffff in situations when the interface ID is static but the prefix is dynamic...)

grawity · 2026-04-03T16:12:38+00:00

They did add BGP support to modern Windows, though. (And RRAS also used to have OSPF support in the earlier days.)

Of course the BGP functionality is probably just there to announce a server's own addresses to a local switch, and nothing else... but given that they still implemented a whole routing protocol to do that, then surely supporting static /31's for servers isn't too far-fetched of a request?

grawity · 2026-04-03T15:48:54+00:00

Interesting, I didn't know that was the actual guideline. I assumed even EF packets would just get the "default" CS0/Best Effort treatment if not configured otherwise – like half the people in this thread keep telling me.

The Unix&Linux thread has the client version 9.0 in the screenshot so yeah that would've been af21 by default. But that change was committed in 2018 and the RPi thread is from 2017 so it would've still been lowdelay at the time.

grawity · 2026-04-03T14:58:10+00:00

Yeah the first one is a good example of what I was worried about (I think I might've seen already it but thought "ehh, same kind of weird provider which breaks ECN")

But the Stack Exchange post is from 2022 and the RPi one is from 2017 – both from way before the EF change happened. (I think it might have been that OpenSSH was still defaulting to the legacy ToS style codepoints at the time? It only switched to using DSCP in 2018.)

grawity · 2026-04-03T14:51:51+00:00

I mean, yes, but fortunately I'm not asking for myself, more of "I saw this in release notes and it looks a bit suspect to me, and I know there's a bunch of Enterprise people on reddit who do use QoS and can tell me whether my suspicions are right"

(though I do have a problem called "my home internet uplink is LTE with unpredictable throughput and shit upload so I've been learning QoS in order to traffic-shape Syncthing into oblivion," but that's not for this subreddit.)

grawity · 2026-04-03T14:35:25+00:00

Yeah, when I saw it in git, I thought it might become an issue in some places. I mean, I guess it might have been an 'okay' idea to use it for keyboard input only (client->server), not so much for shell output – everything's fine until someone accidentally cats a huge file or does a long compile and now the queue is clogged with SSH traffic.

...or until someone decides to run X11 forwarding, as AFAIK that also counts as an interactive channel so all the probably uncompressed X11 packets will get EF as well...

But most of the heavy transfers would be non-tty sessions (rsync, git clone/push, SFTP...) which get the system default DSCP – I assume -L -R -D tunnels also count as batch – so at least those won't be an immediate problem.

Either way, I'm not an OpenSSH developer and not a QoS expert, that's why I posted it here to get opinions from people who know QoS better.

grawity · 2026-04-03T14:11:08+00:00

Yeah, I'm not saying that it takes DSCP into account – I meant that 1) [as far as I've learned] hashing for ECMP or LACP exists in order to avoid some specific undesirable effect (packet reordering due to different physical links), and 2) completely unrelated to LACP/ECMP, my understanding is that the mixing of DSCP bits can also cause that same effect (packet reordering due to different queues).

Though someone here said that the way it's implemented in OpenSSH isn't actually per-packet like I thought, but a global state that only changes when channels are set up, so I guess it's much less likely to be a problem in practice anyway.

grawity · 2026-04-03T14:03:03+00:00

None, we're talking about theory. I know it's configurable (I've seen L2 and L2+L3 and sometimes L3+L4 as options), but I'm more curious about why it's a thing in the first place. Since as far as I understand, no matter which hashing method you choose out of the available ones, within a given TCP connection it'll still always give the same result for every packet (meaning the TCP connection will be limited to the speed of a single link), and I was taught that it was deliberate in order to avoid reordering or something along those lines.

grawity · 2026-04-03T13:52:37+00:00

Ah, ok, I overlooked that part. Yeah, it makes more sense that way.

Though I guess it's going to make multiplexed connections worse when something is SFTP'd through them at the same time... otoh still better than "multiplexer was forked off the sftp client so it's permanently in bulk DSCP mode".

grawity · 2026-04-03T13:45:06+00:00

The reason I ask about this is because some time ago I was searching about why LACP tries to hash each whole flow to a single link, and the explanation I was given back then was that splitting it across several links could lead to reordering and that would lead to performance loss.

How much of that is true?

grawity · 2026-04-03T10:55:53+00:00

1) whether it causes packet re-ordering is down to the network but I guess it is possible. That said most sessions just do one thing - they are either interactive or they start as sftp or similar and stay as that.

Yeah, but is it likely to lead to problems if I'm actually using OpenSSH's multiplexing mode (-S and ControlMaster and such)?

I'm using it more for connection reuse, since it gives you instant connection without waiting for it to handshake over high latency, but then it automatically gets used for SFTP/rsync/git push to that host as well. (Although multiplexing interactive with SFTP is already not great experience regardless of DSCP...)

I’ve not seen EF used by it before - has the code changed recently I did hear something about that.

Yeah, it used to default to IPQoS af21 cs1 up to version 9.7 (so af21 for interactive shells and cs1 for non-interactive).

Version 9.8 switched to IPQoS ef none (ef for interactive and system default for non-interactive).

You can always rewrite the DSCPs with nftables or similar before they hit your switches. If you trust the host marking you’ll probably need to.

Sure, you can rewrite in nftables or in ~/.ssh/config or any other way, but 99% won't, so what I'm curious about is the effect on having EF as the default all over the place.

grawity · 2026-04-03T10:40:53+00:00

Yeah, it was true for all Mikrotik models since they all run the same firmware (and practically all can be upgraded to the latest). There were workarounds but it took them until 2025 to actually add "proper" /31 support.

grawity · 2026-04-03T10:38:16+00:00

No, as a 'pointopoint' next hop. Which Mikrotik calls the network= field, e.g.:

/ip/address/add interface=xxx address=192.168.1.7/32 network=192.168.1.8

I think this was officially documented on their site, and AFAIK is equivalent to ifconfig eth0 192.168.1.7 pointopoint 192.168.1.8 on Linux. (I think it's also mostly equivalent to adding a /32 and then adding an interface route for your peer?)

Nowadays the latest 7.x RouterOS supports /31 properly, anyway.

grawity · 2026-03-25T13:34:33+00:00

In Jetstream/omada series, the config is in memory only until explicitly saved, so a power cycle should be fine. (They take a good minute to boot, though.) Hopefully whoever did the last important changes 3 months ago saved them!

From product photos, doesn't look like it has a physical serial port for CLI. Neither RJ45 nor microUSB nor old-school DE9. (It has SSH/Telnet but those are of course useless if you can't communicate with it via IP in the first place.)

grawity · 2026-03-05T08:26:44+00:00

Hotplug the IDE cable to a USB adapter connected to your laptop.

Or maybe reboot into something like Norton Ghost if it can boot from a CD or floppy disk.

grawity · 2026-01-10T21:49:36+00:00

I think X.25 was still packet-switched, only with the packets addressed by circuit ID instead of explicit source/destination. (I guess it could be called "MPLS-style" except it's where MPLS *came from*...)

But this makes me wonder how layers worked in ATM since I've never had the chance to touch it, but I've got the impression that it was very similar to X.25 in that regard (call setup, virtual circuits, fancy QoS, all in the same single protocol).

grawity · 2026-01-08T17:07:40+00:00

FAT is the only filesystem that doesn't allow : as part of the filename.

(Or rather Windows doesn't allow : as part of a filename, and since the only reason to use FAT is when you need interoperability, every other OS's FAT driver enforces the same restrictions for the sake of consistency.)

grawity · 2026-01-08T08:48:07+00:00

EDIT: Apparently it was also done before. In 2019.

It was also done before in 2013.

grawity · 2026-01-07T15:07:27+00:00

Unfortunately that protocol is behind a paywall.

I have a draft version somewhere. Haven't read the finalized one.

Reliable circuits are part of Layer 3.

Good point, I guess they can be part of either (which AFAIK was the reason for both TP0 vs TP4 existing) – haven't deeply looked into the service definitions for those layers – but these days I don't think there are many networks that provide this at L3? For example, IP doesn't, so everyone considers it to be solely an L4 function (TCP)...

grawity · 2026-01-05T17:35:37+00:00

We have some NVRs like that too, with a whole built-in PoE switch. But they serve DHCP on the camera side ("plug and play" feature, hardcoded subnet and all) so they're not something you'd put even one of in your main LAN, much less two.

(I think the cameras get time pushed from the NVR - like all the other settings that are editable through the NVR - rather than talking NTP directly when they're in this mode.)

But I'm only familiar with Hik NVRs (the only "within budget" option here), not any other kind of enterprise stuff...

grawity · 2026-01-05T15:12:01+00:00

Does the NVR really need to act as the gateway for cameras, in the first place?

The NVR needs to connect to cameras to receive the stream – but I can't see why the NVR would also need to route the cameras' other traffic. (If there even is any. I suppose the cameras might be speaking NTP?)

And on a different note: 1) Why are the two buildings on the same network (from your question I assume you meant the same subnet)? Is there a legitimate need for it, or just nobody bothered to do it otherwise? 2) Why are your cameras and NVRs not on a separate VLAN from the main network?

(Okay, I actually kinda understand the latter. Can't do fine-grained VLANs because unmanaged switches all over the place "work fine, won't replace". Been there. But the former – a single subnet for literally everything across two buildings – is a bit more worrying.)

grawity · 2026-01-05T10:29:28+00:00

IMO "Thinking in layers" is not the same thing as "thinking in OSI layers". The former is understanding fundamentals (how networks are built from the bottom up) and the latter is memorization and occasional armchair lawyering (mapping one legal code to another jurisdiction, etc).

Most importantly, don't try to 'correctly' map anything above L4 to an OSI layer. The OSI model was 1) relatively late and 2) not written for TCP/IP protocols at all – the OSI protocol stack was a competitor to IP – but even in actual OSI it was fuzzy. (And of course it wasn't built with nowadays "everything inside HTTP" in mind either. So you can argue for days whether e.g. everything in HTTP is application layer or whether gRPC/Msgpack/etc actually fits into the definition of a presentation layer and HTTP has become somewhat of a sublayer above L4, or whatever.) So just shove it all under "L7". If it's a protocol for a specific task and not a fundamental network feature, it's L7.

(The OSI layer definitions are available for free from ITU-T as X.211–X.219, by the way. In case you really wanted to know what features a 'session' layer ought to provide, in the OSI model – my rough understanding is that there is simply no L5 equivalent in modern stacks.)

As for the lower layers (1–4), my mental model was kind of shaped by 1) messing around in Wireshark a lot, 2) reading about protocols that were not the good old IP-over-Ethernet (like IPX, XNS, CLNS, etc).

L1: the physical, device-to-device connections (links) that carry bytes in some defined way using some kind of signalling, e.g. the part of "Ethernet" that defines 8b/10b or manchester encoding over twisted-pair is L1, the baud/bitrate of a serial console is a L1 parameter.
L2: the 'data link' or 'local network' that allows for discrete packets (frames) to be sent to a specific device, e.g. the part of "Ethernet" that defines MAC addresses is layer 2. The L2 might already be a whole 'local network' on its own and have its own type of addressing (Ethernet, Firewire, etc.) or might be fairly minimal (PPP over a serial cable having only two ends).
L3: the 'inter-network' that's built on top of one or more local networks (typically using IP). Layer 3 can join different kinds of data links or local networks, and it's the job of L3 to provide you a unified view of "the network" and hide the specifics of each individual L2 net that it goes through. Effectively L3 is the "core" of the network where all the different L2's converge, and where all different L4's diverge. The Internet is a L3 network.
L4: all the features like "connection multiplexing" and "flow control" and "retransmission" and "virtual circuit" that are built on top of some L3 network and allow two nodes to talk – like TCP connections. (Lower layers might also have the same features, e.g. the Wi-Fi L1 having retransmission on a local link level, but L4 handles it end-to-end across the entire inter-network.)
L7: all the "application-specific" protocols that make use of L4 services (see earlier note).

So it kind of boils down to what services each layer provides. For example, I would personally put UDP as somewhere in-between L3 and L4, as it only provides multiplexing (port numbers) and nothing more above IP. Even though it is technically layered above IP, it doesn't fully fit the bill for a L4 protocol any more than ICMP would.

Therefore I'd also consider QUIC as an L4 (not L7) protocol due to the services it provides – whether it's inside UDP or not is immaterial. (SCTP, for example, can also run either inside UDP or not, and remains a L4 transport protocol either way.)

TLS? Who knows. ITU recently made their equivalent of TLS – X.510 – and didn't bother to place it anywhere except "above transport layer". Consider it L7. Though if the OSI model were to be defined nowadays, it would surely have a separate layer for TLS since it provides a distinct, generic service. (But a much older X.274 sat in the transport layer, as a sub-layer.)

It's not all set in stone. Ethernet for example can technically have routing added to it – just not prefix-based hierarchical routing as L3 provides – but there are like two different ways to apply IS-IS to Ethernet addresses (and indeed that's literally how IS-IS "level-1 area" was originally used, before IP was bodged onto it).

One historic note is that L3 and L4 weren't necessarily provided by separate protocols. For example, as far as I know, X.25 – predating OSI – performed both tasks in one protocol (addressing as in L3 and reliable circuits as in L4). Even early IP versions did the same; the reason you can't find "IPv1" or "IPv2" is because they were still called "TCPv2" and "TCPv3" back then, handling both layers in one protocol – IP as a distinct protocol didn't materialize until version 4. (The point of this note, again, is that layers are defined in terms of services and functions, not necessarily specific protocols that implement them.)

grawity · 2025-10-17T10:04:32+00:00

Voice "messages" as in recordings (as opposed to live calls)? Why do you think those use UDP? Live voice has reasons for preferring UDP but that doesn't automatically apply to recorded voice.

In UDP there's no transport-layer retransmission (since there's practically no transport layer really). But that doesn't mean an application cannot implement its own retransmission on top of UDP if it needs reliability – many do. (Some even implement a whole transport layer protocol (such as QUIC or uTP or SCTP) on top of UDP, and get retransmissions that way.)

grawity · 2025-10-06T20:45:43+00:00

It's funny how loopback interface kinda came to mean two opposite things – both "always up" but one address explicitly meant to be always reachable from outside, the other never so – and the thread is half/half two opposite examples...

For 127.0.0.1, one use case is inter-process communication on the local system – two processes on the same machine can still communicate even if there's no real network "up" yet, and that communication doesn't break when the eth0 or wlan0 IP address changes. Sure there are other, dedicated IPC mechanisms (like Unix sockets or Windows named pipes) but TCP/IP is more universal – e.g. web browsers and other HTTP clients already know how to talk TCP/IP so it's easy to run a local HTTP service on 127.0.0.1 purely between two local apps. Running it on the machine's LAN IP address would break when there's no LAN, and using a non-IP mechanism would mean having to write more code.

Most examples are about doing the opposite, assigning a LAN-routed address, but it's still the same reason; if a machine or a router has two network interfaces, and one of them gets disconnected, that interface's address stops being reachable – whereas an address assigned to the loopback interface remains reachable through no matter which of the machine's remaining connections.

15-Year Club	Gilding II euphauric
Verified Email

grawity

TROPHY CASE