Thanks for the kind words Yannis!

Yes, the sharing ratio was less a technical decision, and more a regulatory one.

Linux’s Netfilter SNAT target will use the same external source port as the internal port, if possible, and more importantly it will re-use the external source port if the 5-tuple is different; you can actually get away with far fewer ports than you’d think.

However, SNAT rules with specific external source port ranges don’t gracefully fall open when the conntrack limit is hit and all ports in that port range are consumed. The connlimit module helps with that, by limiting the number of flows that match that entry, but it only supports matching on daddr or saddr. Broadcom patched the connlimit module for us in their SDK, to match both daddr & dport for better sport usage efficiency.

This is actually the bug I mentioned in my slides, which OpenWrt introduced when they migrated from iptables (which used to use connlimit as above) to nftables. The bug means that only the first port range can be used, and then all subsequent flows will fail once full.
-Rich
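As an added illustration of the two behaviours described in the reply above, here is a small simulation written for this page; it is not code from the thread, from Netfilter, or from OpenWrt. It models a conntrack-style NAT table keyed on the reply-direction tuple, so an external source port is reused whenever the destination differs, and it chains several port ranges so that overflow from a full range spills into the next one (an approximation of the fall-through the iptables+connlimit arrangement provides; real connlimit counts flows per daddr/saddr rather than checking port availability directly). The subscriber address, external address, port ranges and destination servers are constructed sample values.

```python
"""Toy model of port-restricted SNAT (constructed example, not Netfilter code).

Shows two things from the thread: (1) an external source port can be reused
as long as the 5-tuple differs, so a small range goes a long way when a
subscriber talks to many destinations; (2) a rule with a fixed external port
range stops translating once every port in the range is taken for a given
destination, unless a later range can take the overflow.
"""
from itertools import chain


class PortRange:
    """One SNAT rule: a single external address and a fixed source-port range."""

    def __init__(self, ext_addr, lo, hi):
        self.ext_addr, self.lo, self.hi = ext_addr, lo, hi
        # key: reply-direction tuple (proto, ext_addr, ext_port, daddr, dport)
        # value: the original 5-tuple, as a conntrack entry would hold it
        self.reply = {}

    def translate(self, proto, saddr, sport, daddr, dport):
        """Return (ext_addr, ext_port), or None if no port in this range is
        free for this destination."""
        # Prefer keeping the internal port when it already lies in the range.
        prefer = [sport] if self.lo <= sport <= self.hi else []
        others = (p for p in range(self.lo, self.hi + 1) if p != sport)
        for p in chain(prefer, others):
            key = (proto, self.ext_addr, p, daddr, dport)
            if key not in self.reply:  # same ext port is fine if daddr/dport differ
                self.reply[key] = (proto, saddr, sport, daddr, dport)
                return self.ext_addr, p
        return None

    def ports_in_use(self):
        return {k[2] for k in self.reply}


class ChainedSnat:
    """Ranges are tried in order; a full range falls through to the next one."""

    def __init__(self, ranges):
        self.ranges = ranges

    def translate(self, *flow):
        for r in self.ranges:
            hit = r.translate(*flow)
            if hit:
                return hit
        return None


def simulate(snat, n_flows, distinct_dests):
    """Open n_flows TCP flows from one subscriber to `distinct_dests` servers
    on port 443. Returns (number of external ports used, untranslatable flows)."""
    failed = 0
    for i in range(n_flows):
        daddr = f"198.51.100.{i % distinct_dests + 1}"  # constructed destinations
        sport = 40000 + i  # ephemeral internal port, outside the NAT range
        if snat.translate("tcp", "10.0.0.2", sport, daddr, 443) is None:
            failed += 1
    used = set().union(*(r.ports_in_use() for r in snat.ranges))
    return len(used), failed


def many_destinations():
    # 4000 flows spread over 200 servers, with only 1024 external ports:
    # 20 flows per destination, so only 20 distinct external ports are needed.
    snat = ChainedSnat([PortRange("203.0.113.5", 1024, 2047)])
    return simulate(snat, 4000, 200)  # -> (20, 0)


def one_destination_single_range():
    # Every flow goes to the same server, so the 1024-port range fills up
    # and the remaining flows cannot be translated.
    snat = ChainedSnat([PortRange("203.0.113.5", 1024, 2047)])
    return simulate(snat, 3000, 1)  # -> (1024, 1976)


def one_destination_two_ranges():
    # A second range takes the overflow from the first.
    snat = ChainedSnat([PortRange("203.0.113.5", 1024, 2047),
                        PortRange("203.0.113.5", 2048, 3071)])
    return simulate(snat, 3000, 1)  # -> (2048, 952)


if __name__ == "__main__":
    print("many destinations, one range:", many_destinations())
    print("one destination, one range  :", one_destination_single_range())
    print("one destination, two ranges :", one_destination_two_ranges())
```

The first scenario is the "far fewer ports than you'd think" case: the same external ports are reused across destinations because the reply tuple differs. The second is the hard-fail case for a single fixed range, and the third shows what the intended fall-through to a further range buys; a deployment where only the first range is ever used behaves like the second scenario regardless of how many ranges are configured.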
From: Yannis Nikolopoulos via ipv6-wg <ipv6-wg@ripe.net>
Date: Wednesday, 30 October 2024 at 11:23
To: ipv6-wg@ripe.net <ipv6-wg@ripe.net>
Subject: [ipv6-wg] IPv4 sharing ratio (for IPv6-only deployments)
Hello,

I was (off-line) watching Richard Patterson's presentation about Sky UK's MAP-T deployment. By the way, this is the kind of presentation we should be seeing more of in RIPE meetings.

So anyway, I was taken aback by the IPv4 sharing ratio and I had to do a double take. Richard mentioned that they're using 1:16 in Italy and 1:8 in the UK. In a similar size deployment in Greece (at my previous employer), a few years ago, we had decided on 1:64 (~1000 ports per subscriber) and I'm now wondering if it is outdated or not.
Cheers,
Yannis