Re: [Softwires] RFC7597/9 MAP and iptables/netfilter
Richard Patterson <richard@helix.net.nz> Fri, 16 February 2018 18:07 UTC
Return-Path: <richard@helix.net.nz>
X-Original-To: softwires@ietfa.amsl.com
Delivered-To: softwires@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE03128C0A for <softwires@ietfa.amsl.com>; Fri, 16 Feb 2018 10:07:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=helix-net-nz.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ceAl_W3rpWti for <softwires@ietfa.amsl.com>; Fri, 16 Feb 2018 10:07:49 -0800 (PST)
Received: from mail-io0-x241.google.com (mail-io0-x241.google.com [IPv6:2607:f8b0:4001:c06::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4624D1200C1 for <softwires@ietf.org>; Fri, 16 Feb 2018 10:07:48 -0800 (PST)
Received: by mail-io0-x241.google.com with SMTP id m11so4983045iob.2 for <softwires@ietf.org>; Fri, 16 Feb 2018 10:07:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=helix-net-nz.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-transfer-encoding; bh=MLdZ5kr8IB0qkwiOFBdjQh8eOwmp4ziIEw2TrzBYfJI=; b=QVVeYzgQFnokb8pDUaKncuDcvdfNmJADpti0WrvIoE9HgN4sDuMPj/x23jRDYEnssH h3DaJX6ROvwlU2fjXW9xsq16cv4UnfXsDepbYL/UGBIws9KAnrc8/0nQb/3rufW72f+P CD28iw2kMCoFeR5eUTEJzKU/64ibHyzcY/OrGarO2IfD7F5HmecoctenRC1NF7EMu4ef N0gXixj99NF/AL8eUUdagi2E3ZGn5CyXl/Fc22VK/zeXEb4n13ajsoiMUNV8dHD7RMZx xdmM7WievCrAgNSRzNk3oLKWIwhAeNzD+S6E7L9Wn3s6e7fXM/MBi4k8Lmyo9+2wCj6q BTew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-transfer-encoding; bh=MLdZ5kr8IB0qkwiOFBdjQh8eOwmp4ziIEw2TrzBYfJI=; b=kGzSUT6TTb45mOO2GlfNNLAKZIF1VvlqtQXRWI4nY0woJ1IcHAiDI5UCZLmanYzG+N cIX1z26OTKwZBMwsm6pFzIOyrB65DcA+AADeL+HnPgKPUnLsYYVHiK2yqjzifUjZd6iC 4AT1FKWvaiK8/oAjmMiOETeOsV5ia8nyylovqXPOiIxf5UuuEKSkM7m6iwB51HbueOtH VS97Y2dY0vY1aFtyfcBhR791iLuvefPMMPn+RHt0kQXHO8fNNlGZ/vfJeKcTI50CkFCI 0kV90w3ysm/2jj7cBO2EBNPPit8Mdk821JQZbiOL8zhS2Bq/82aI/WeRLKRcIXwstIkb g0JQ==
X-Gm-Message-State: APf1xPD3tl7Q9MrSH1gsO6IbggrxSDXzebyIvOZIo3Xj96ozOGmSXoit nEjVQ8Voa/I+3you/ZuPg2M9veMU
X-Google-Smtp-Source: AH8x227/56p7IAqL10hVjruPvza7jfV8kJauF7qPj3EHLZu0A/Rt3xeaGk/9J1hi/csMc8OPrvbuSA==
X-Received: by 10.107.139.77 with SMTP id n74mr2724841iod.109.1518804468139; Fri, 16 Feb 2018 10:07:48 -0800 (PST)
Received: from mail-it0-f45.google.com (mail-it0-f45.google.com. [209.85.214.45]) by smtp.gmail.com with ESMTPSA id i78sm19049673ioe.45.2018.02.16.10.07.47 for <softwires@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Feb 2018 10:07:47 -0800 (PST)
Received: by mail-it0-f45.google.com with SMTP id p204so2724161itc.4 for <softwires@ietf.org>; Fri, 16 Feb 2018 10:07:47 -0800 (PST)
X-Received: by 10.36.64.216 with SMTP id n207mr8880292ita.130.1518804467139; Fri, 16 Feb 2018 10:07:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.114.25 with HTTP; Fri, 16 Feb 2018 10:07:26 -0800 (PST)
In-Reply-To: <6472C183-643D-4848-A2C4-46DD7093685F@gmx.com>
References: <CAHL_VyAoqskzu+iZSmUtVaO0poX7-Y-9NY_Hy_1KHnaX4bZCFQ@mail.gmail.com> <6472C183-643D-4848-A2C4-46DD7093685F@gmx.com>
From: Richard Patterson <richard@helix.net.nz>
Date: Fri, 16 Feb 2018 18:07:26 +0000
X-Gmail-Original-Message-ID: <CAHL_VyCxAmTJHnRr=TJW3Eq+Zekp1zPDjfksxV54wAuFX4WV4w@mail.gmail.com>
Message-ID: <CAHL_VyCxAmTJHnRr=TJW3Eq+Zekp1zPDjfksxV54wAuFX4WV4w@mail.gmail.com>
To: softwires@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/softwires/LIquT7sdjoT8CV5GjpXLiVbcUUA>
Subject: Re: [Softwires] RFC7597/9 MAP and iptables/netfilter
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/softwires/>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 18:07:52 -0000
On 16 February 2018 at 11:18, Ian Farrer <ianfarrer@gmx.com> wrote: > > [if - A driver for PSID mechanism is the ability to algorithmically exclude ports 0-1023 from allocation to a client. A BMR that defines a single port range has ‘offset=0’, and so PSID=0 will contain all (or a portion, depending on sharing ratio) of the well-known ports. If this is not a problem for your clients, then this could be a solution. > > Another possibility to make this work would be if it is possible to prevent the v6 prefix which maps to PSID=0 for each IPv6 address from allocation to a client (e.g. via the DHCPv6 server). > > One final suggestion here is that depending on what you’re available address blocks and desired sharing ratios are, you could define the map domain to try and maximise the value of M (RFC7597 Appendix), while keeping the offset a-bits at 6. This will give clients the largest possible contiguous block of ports to use for snat, but the overhead in wasted (either excluded from use by the algorithm, or not being used due to the problem you describe) is going to be high.] The first option is what I'm currently leaning towards, although your final suggestion isn't a bad idea either. If we can dimension the blocks sufficiently at the required ratio, and just overlook the wastage. I did notice something else interesting in the Netfilter/iptables documentaiton today though. It appears as though up to kernel 2.6.11-rc1, it did have the ability to utilise multiple SNAT source address ranges (and presumably ports): """ In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore. """ Might see if I can track that commit down to find out what happened. -Richard
- [Softwires] RFC7597/9 MAP and iptables/netfilter Richard Patterson
- Re: [Softwires] RFC7597/9 MAP and iptables/netfil… Ian Farrer
- Re: [Softwires] RFC7597/9 MAP and iptables/netfil… Richard Patterson