280 lines
7.7 KiB
Groff
280 lines
7.7 KiB
Groff
.\" $NetBSD: gif.4,v 1.26 2004/03/24 12:09:21 wiz Exp $
|
|
.\" $KAME: gif.4,v 1.24 2001/02/20 12:54:01 itojun Exp $
|
|
.\"
|
|
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd March 24, 2004
|
|
.Dt GIF 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm gif
|
|
.Nd generic tunnel interface
|
|
.Sh SYNOPSIS
|
|
.Cd "pseudo-device gif"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
interface is a generic tunneling pseudo device for IPv4 and IPv6.
|
|
It can tunnel IPv[46] traffic over IPv[46].
|
|
Therefore, there can be four possible configurations.
|
|
The behavior of
|
|
.Nm
|
|
is mainly based on RFC 2893 IPv6-over-IPv4 configured tunnel.
|
|
.Nm
|
|
can also tunnel ISO traffic over IPv[46] using EON encapsulation.
|
|
.Pp
|
|
To use
|
|
.Nm gif ,
|
|
the administrator must first create the interface
|
|
and then configure protocol and addresses used for the outer
|
|
header.
|
|
This can be done by using
|
|
.Xr ifconfig 8
|
|
.Sq create
|
|
and
|
|
.Sq tunnel
|
|
subcommands, or
|
|
.Dv SIOCIFCREATE
|
|
and
|
|
.Dv SIOCSIFPHYADDR
|
|
ioctls.
|
|
Also, administrator needs to configure protocol and addresses used for the
|
|
inner header, by using
|
|
.Xr ifconfig 8 .
|
|
Note that IPv6 link-local address
|
|
.Pq those start with Li fe80::
|
|
will be automatically configured whenever possible.
|
|
You may need to remove IPv6 link-local address manually using
|
|
.Xr ifconfig 8 ,
|
|
when you would like to disable the use of IPv6 as inner header
|
|
.Pq like when you need pure IPv4-over-IPv6 tunnel .
|
|
Finally, use routing table to route the packets toward
|
|
.Nm
|
|
interface.
|
|
.Pp
|
|
.Nm
|
|
can be configured to be ECN friendly.
|
|
This can be configured by
|
|
.Dv IFF_LINK1 .
|
|
.Ss ECN friendly behavior
|
|
.Nm
|
|
can be configured to be ECN friendly, as described in
|
|
.Dv draft-ietf-ipsec-ecn-02.txt .
|
|
This is turned off by default, and can be turned on by
|
|
.Dv IFF_LINK1
|
|
interface flag.
|
|
.Pp
|
|
Without
|
|
.Dv IFF_LINK1 ,
|
|
.Nm
|
|
will show a normal behavior, like described in RFC 2893.
|
|
This can be summarized as follows:
|
|
.Bl -tag -width "Ingress" -offset indent
|
|
.It Ingress
|
|
Set outer TOS bit to
|
|
.Dv 0 .
|
|
.It Egress
|
|
Drop outer TOS bit.
|
|
.El
|
|
.Pp
|
|
With
|
|
.Dv IFF_LINK1 ,
|
|
.Nm
|
|
will copy ECN bits
|
|
.Dv ( 0x02
|
|
and
|
|
.Dv 0x01
|
|
on IPv4 TOS byte or IPv6 traffic class byte)
|
|
on egress and ingress, as follows:
|
|
.Bl -tag -width "Ingress" -offset indent
|
|
.It Ingress
|
|
Copy TOS bits except for ECN CE
|
|
(masked with
|
|
.Dv 0xfe )
|
|
from
|
|
inner to outer.
|
|
set ECN CE bit to
|
|
.Dv 0 .
|
|
.It Egress
|
|
Use inner TOS bits with some change.
|
|
If outer ECN CE bit is
|
|
.Dv 1 ,
|
|
enable ECN CE bit on the inner.
|
|
.El
|
|
.Pp
|
|
Note that the ECN friendly behavior violates RFC 2893.
|
|
This should be used in mutual agreement with the peer.
|
|
.Ss Packet format
|
|
Every inner packet is encapsulated in an outer packet.
|
|
The inner packet may be IPv4, IPv6, or ISO CLNP.
|
|
The outer packet may be IPv4 or IPv6, and has all the
|
|
usual IP headers, including a protocol field that identifies the
|
|
type of inner packet.
|
|
.Pp
|
|
When the inner packet is IPv4, the protocol field of the outer packet
|
|
is 4
|
|
.Dv ( IPPROTO_IPV4 ) .
|
|
When the inner packet is IPv6, the protocol field of the outer packet
|
|
is 41
|
|
.Dv ( IPPROTO_IPV6 ) .
|
|
When the inner packet is ISO CNLP, the protocol field of the outer packet
|
|
is 80
|
|
.Dv ( IPPROTO_EON ) .
|
|
.Ss Security
|
|
Malicious party may try to circumvent security filters by using
|
|
tunneled packets.
|
|
For better protection,
|
|
.Nm
|
|
performs martian filter and ingress filter against outer source address,
|
|
on egress.
|
|
Note that martian/ingress filters are no way complete.
|
|
You may want to secure your node by using packet filters.
|
|
Ingress filter can be turned off by
|
|
.Dv IFF_LINK2
|
|
bit.
|
|
.\"
|
|
.Sh EXAMPLES
|
|
Configuration example:
|
|
.Bd -literal
|
|
Host X--NetBSD A ----------------tunnel---------- cisco D------Host E
|
|
\\ |
|
|
\\ /
|
|
+-----Router B--------Router C---------+
|
|
|
|
.Ed
|
|
On
|
|
.Nx
|
|
system A
|
|
.Ns ( Nx ) :
|
|
.Bd -literal
|
|
# route add default B
|
|
# ifconfig gifN create
|
|
# ifconfig gifN A netmask 0xffffffff tunnel A D up
|
|
# route add E 0
|
|
# route change E -ifp gif0
|
|
.Ed
|
|
.Pp
|
|
On Host D (Cisco):
|
|
.Bd -literal
|
|
Interface TunnelX
|
|
ip unnumbered D ! e.g. address from Ethernet interface
|
|
tunnel source D ! e.g. address from Ethernet interface
|
|
tunnel destination A
|
|
ip route C <some interface and mask>
|
|
ip route A mask C
|
|
ip route X mask tunnelX
|
|
.Ed
|
|
.Pp
|
|
or on Host D
|
|
.Ns ( Nx ) :
|
|
.Bd -literal
|
|
# route add default C
|
|
# ifconfig gifN D A
|
|
.Ed
|
|
.Pp
|
|
If all goes well, you should see packets flowing.
|
|
.Pp
|
|
If you want to reach Host A over the tunnel (from the Cisco D), then
|
|
you have to have an alias on Host A for e.g. the Ethernet interface like:
|
|
.Ic ifconfig Ar <etherif> alias Y
|
|
and on the cisco
|
|
.Ic ip Ar route Y mask tunnelX .
|
|
.Sh SEE ALSO
|
|
.Xr inet 4 ,
|
|
.Xr inet6 4 ,
|
|
.Xr ifconfig 8
|
|
.Rs
|
|
.%A C. Perkins
|
|
.%B RFC 2003
|
|
.%T IP Encapsulation within IP
|
|
.%D October 1996
|
|
.%O ftp://ftp.isi.edu/in-notes/rfc2003.txt
|
|
.Re
|
|
.Rs
|
|
.%A R. Gilligan
|
|
.%A E. Nordmark
|
|
.%B RFC 2893
|
|
.%T Transition Mechanisms for IPv6 Hosts and Routers
|
|
.%D August 2000
|
|
.%O ftp://ftp.isi.edu/in-notes/rfc2893.txt
|
|
.Re
|
|
.Rs
|
|
.%A Sally Floyd
|
|
.%A David L. Black
|
|
.%A K. K. Ramakrishnan
|
|
.%T "IPsec Interactions with ECN"
|
|
.%D December 1999
|
|
.%O draft-ietf-ipsec-ecn-02.txt
|
|
.Re
|
|
.Rs
|
|
.%A F. Baker
|
|
.%A P. Savola
|
|
.%B RFC 3704
|
|
.%T Ingress Filtering for Multihomed Networks
|
|
.%D March 2004
|
|
.%O ftp://ftp.isi.edu/in-notes/rfc3704.txt
|
|
.Re
|
|
.\"
|
|
.Sh STANDARDS
|
|
IPv4 over IPv4 encapsulation is compatible with RFC 2003.
|
|
IPv6 over IPv4 encapsulation is compatible with RFC 2893.
|
|
.\"
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
device first appeared in WIDE hydrangea IPv6 kit.
|
|
.\"
|
|
.Sh BUGS
|
|
There are many tunneling protocol specifications,
|
|
defined differently from each other.
|
|
.Nm
|
|
may not interoperate with peers which are based on different specifications,
|
|
and are picky about outer header fields.
|
|
For example, you cannot usually use
|
|
.Nm
|
|
to talk with IPsec devices that use IPsec tunnel mode.
|
|
.Pp
|
|
The current code does not check if the ingress address
|
|
.Pq outer source address
|
|
configured to
|
|
.Nm
|
|
makes sense.
|
|
Make sure to configure an address which belongs to your node.
|
|
Otherwise, your node will not be able to receive packets from the peer,
|
|
and your node will generate packets with a spoofed source address.
|
|
.Pp
|
|
If the outer protocol is IPv6, path MTU discovery for encapsulated packet
|
|
may affect communication over the interface.
|
|
.Pp
|
|
In the past,
|
|
.Nm
|
|
had a multi-destination behavior, configurable via
|
|
.Dv IFF_LINK0
|
|
flag.
|
|
The behavior was obsoleted and is no longer supported.
|