gif.4 (76175) | gif.4 (78064) |
---|---|
1.\" $FreeBSD: head/share/man/man4/gif.4 76175 2001-05-01 09:15:30Z schweikh $ 2.\" $KAME: gif.4,v 1.17 2000/06/30 18:31:27 itojun Exp $ | 1.\" $FreeBSD: head/share/man/man4/gif.4 78064 2001-06-11 12:39:29Z ume $ 2.\" $KAME: gif.4,v 1.28 2001/05/18 13:15:56 itojun Exp $ |
3.\" 4.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright --- 28 unchanged lines hidden (view full) --- 39.Sh DESCRIPTION 40The 41.Nm 42interface is a generic tunnelling pseudo device for IPv4 and IPv6. 43It can tunnel IPv[46] traffic over IPv[46]. 44Therefore, there can be four possible configurations. 45The behavior of 46.Nm | 3.\" 4.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright --- 28 unchanged lines hidden (view full) --- 39.Sh DESCRIPTION 40The 41.Nm 42interface is a generic tunnelling pseudo device for IPv4 and IPv6. 43It can tunnel IPv[46] traffic over IPv[46]. 44Therefore, there can be four possible configurations. 45The behavior of 46.Nm |
47is mainly based on RFC1933 IPv6-over-IPv4 configured tunnel. | 47is mainly based on RFC2893 IPv6-over-IPv4 configured tunnel. 48On 49.Nx , 50.Nm 51can also tunnel ISO traffic over IPv[46] using EON encapsulation. |
48.Pp 49To use 50.Nm , 51administrator needs to configure protocol and addresses used for the outer 52header. 53This can be done by using 54.Xr gifconfig 8 , 55or --- 9 unchanged lines hidden (view full) --- 65.Xr ifconfig 8 , 66when you would like to disable the use of IPv6 as inner header 67.Pq like when you need pure IPv4-over-IPv6 tunnel . 68Finally, use routing table to route the packets toward 69.Nm 70interface. 71.Pp 72.Nm | 52.Pp 53To use 54.Nm , 55administrator needs to configure protocol and addresses used for the outer 56header. 57This can be done by using 58.Xr gifconfig 8 , 59or --- 9 unchanged lines hidden (view full) --- 69.Xr ifconfig 8 , 70when you would like to disable the use of IPv6 as inner header 71.Pq like when you need pure IPv4-over-IPv6 tunnel . 72Finally, use routing table to route the packets toward 73.Nm 74interface. 75.Pp 76.Nm |
73interface can be configued to perform bidirectional tunnel, or 74multi-destination tunnel. 75This is controlled by 76.Dv IFF_LINK0 77interface flag. 78Also, 79.Nm | |
80can be configured to be ECN friendly. 81This can be configured by 82.Dv IFF_LINK1 . | 77can be configured to be ECN friendly. 78This can be configured by 79.Dv IFF_LINK1 . |
83.\" 84.Ss Bidirectional and multi-destination mode 85Usually, 86.Nm 87implements bidirectional tunnel. 88.Xr gifconfig 8 89should configure a tunnel ingress point 90.Pq this node 91and an egress point 92.Pq tunnel endpoint , 93and 94one 95.Nm 96interface will tunnel to only a single tunnel endpoint, 97and accept from only a single tunnel endpoint. 98Source and destination address for outer IP header is always the 99ingress and the egress point configued by 100.Xr gifconfig 8 . | |
101.Pp | 80.Pp |
102With 103.Dv IFF_LINK0 104interface flag, 105.Nm 106can be configured to implement multi-destination tunnel. 107With 108.Dv IFF_LINK0 , 109it is able to configure egress point to IPv4 wildcard address 110.Pq Li 0.0.0.0 111or IPv6 unspecified address 112.Pq Li 0::0 . 113In this case, destination address for the outer IP header is 114determined based on the routing table setup. 115Therefore, one 116.Nm 117interface can tunnel to multiple destinations. 118Also, 119.Nm 120will accept tunneled traffic from any outer source address. 121.Pp 122When finding a 123.Nm 124interface from the inbound tunneled traffic, 125bidirectional mode interface is preferred than multi-destination mode interface. 126For example, if you have the following three 127.Nm 128interfaces on node A, tunneled traffic from C to A will match the second 129.Nm 130interface, not the third one. 131.Bl -bullet -compact -offset indent 132.It 133bidirectional, A to B 134.It 135bidirectional, A to C 136.It 137multi-destination, A to any 138.El 139.Pp 140Please note that multi-destination mode is far less secure 141than bidirectional mode. 142Multi-destination mode 143.Nm 144can accept tunneled packet from anybody, 145and can be attacked from a malicious node. 146.Pp | |
147.Ss ECN friendly behavior 148.Nm 149can be configured to be ECN friendly, as described in 150.Dv draft-ietf-ipsec-ecn-02.txt . 151This is turned off by default, and can be turned on by 152.Dv IFF_LINK1 153interface flag. 154.Pp 155Without 156.Dv IFF_LINK1 , 157.Nm | 81.Ss ECN friendly behavior 82.Nm 83can be configured to be ECN friendly, as described in 84.Dv draft-ietf-ipsec-ecn-02.txt . 85This is turned off by default, and can be turned on by 86.Dv IFF_LINK1 87interface flag. 88.Pp 89Without 90.Dv IFF_LINK1 , 91.Nm |
158will show a normal behavior, like described in RFC1933. | 92will show a normal behavior, like described in RFC2893. |
159This can be summarized as follows: 160.Bl -tag -width "Ingress" -offset indent 161.It Ingress 162Set outer TOS bit to 163.Dv 0 . 164.It Egress 165Drop outer TOS bit. 166.El --- 22 unchanged lines hidden (view full) --- 189.Dv 0 . 190.It Egress 191Use inner TOS bits with some change. 192If outer ECN CE bit is 193.Dv 1 , 194enable ECN CE bit on the inner. 195.El 196.Pp | 93This can be summarized as follows: 94.Bl -tag -width "Ingress" -offset indent 95.It Ingress 96Set outer TOS bit to 97.Dv 0 . 98.It Egress 99Drop outer TOS bit. 100.El --- 22 unchanged lines hidden (view full) --- 123.Dv 0 . 124.It Egress 125Use inner TOS bits with some change. 126If outer ECN CE bit is 127.Dv 1 , 128enable ECN CE bit on the inner. 129.El 130.Pp |
197Note that the ECN friendly behavior violates RFC1933. | 131Note that the ECN friendly behavior violates RFC2893. |
198This should be used in mutual agreement with the peer. 199.Pp 200.Ss Security 201Malicious party may try to circumvent security filters by using 202tunnelled packets. 203For better protection, 204.Nm 205performs martian filter and ingress filter against outer source address, 206on egress. 207Note that martian/ingress filters are no way complete. 208You may want to secure your node by using packet filters. | 132This should be used in mutual agreement with the peer. 133.Pp 134.Ss Security 135Malicious party may try to circumvent security filters by using 136tunnelled packets. 137For better protection, 138.Nm 139performs martian filter and ingress filter against outer source address, 140on egress. 141Note that martian/ingress filters are no way complete. 142You may want to secure your node by using packet filters. |
209.Pp 210As mentioned above, multi-destination mode 211.Pq Dv IFF_LINK0 212is far less secure than bidirectional mode. | 143Ingress filter can be turned off by 144.Dv IFF_LINK2 145bit. |
213.\" 214.Sh SEE ALSO 215.Xr inet 4 , 216.Xr inet6 4 , 217.Xr gifconfig 8 218.Rs 219.%A R. Gilligan 220.%A E. Nordmark | 146.\" 147.Sh SEE ALSO 148.Xr inet 4 , 149.Xr inet6 4 , 150.Xr gifconfig 8 151.Rs 152.%A R. Gilligan 153.%A E. Nordmark |
221.%B RFC1933 | 154.%B RFC2893 |
222.%T Transition Mechanisms for IPv6 Hosts and Routers | 155.%T Transition Mechanisms for IPv6 Hosts and Routers |
223.%D April 1996 224.%O ftp://ftp.isi.edu/in-notes/rfc1933.txt | 156.%D August 2000 157.%O ftp://ftp.isi.edu/in-notes/rfc2893.txt |
225.Re 226.Rs 227.%A Sally Floyd 228.%A David L. Black 229.%A K. K. Ramakrishnan 230.%T "IPsec Interactions with ECN" 231.%D December 1999 232.%O draft-ietf-ipsec-ecn-02.txt --- 18 unchanged lines hidden (view full) --- 251.Pq outer source address 252configured to 253.Nm 254makes sense. 255Make sure to configure an address which belongs to your node. 256Otherwise, your node will not be able to receive packets from the peer, 257and your node will generate packets with a spoofed source address. 258.Pp | 158.Re 159.Rs 160.%A Sally Floyd 161.%A David L. Black 162.%A K. K. Ramakrishnan 163.%T "IPsec Interactions with ECN" 164.%D December 1999 165.%O draft-ietf-ipsec-ecn-02.txt --- 18 unchanged lines hidden (view full) --- 184.Pq outer source address 185configured to 186.Nm 187makes sense. 188Make sure to configure an address which belongs to your node. 189Otherwise, your node will not be able to receive packets from the peer, 190and your node will generate packets with a spoofed source address. 191.Pp |
259.Xr gif 4 260is an 261.Dv IFF_POINTOPOINT 262device, however, it supports NBMA behavior in multi-destination mode. | 192If the outer protocol is IPv4, 193.Nm 194does not try to perform path MTU discovery for the encapsulated packet 195.Pq DF bit is set to 0 . 196.Pp 197If the outer protocol is IPv6, path MTU discovery for encapsulated packet 198may affect communication over the interface. 199The first bigger-than-pmtu packet may be lost. 200To avoid the problem, you may want to set the interface MTU for 201.Nm 202to 1240 or smaller, when outer header is IPv6 and inner header is IPv4. 203.Pp 204.Nm 205does not translate ICMP messages for outer header into inner header. 206.Pp 207In the past, 208.Nm 209had a multi-destination behavior, configurable via 210.Dv IFF_LINK0 211flag. 212The behavior was obsoleted and is no longer supported. |
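Review bot: the sentence added in the DESCRIPTION region, "On .Nx , .Nm can also tunnel ISO traffic over IPv[46] using EON encapsulation.", documents a NetBSD-only capability in a FreeBSD manual page, so a reader of gif(4) on FreeBSD may expect EON to work here. Either drop it or qualify it in place, e.g. append "This feature is not available on .Fx ." (.Fx is the mdoc counterpart of the .Nx macro already used).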
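Review bot: the removal of the multi-destination (.Dv IFF_LINK0) text from the DESCRIPTION, the "Bidirectional and multi-destination mode" subsection and the Security subsection is consistent with the new BUGS sentence "The behavior was obsoleted and is no longer supported.", but the page now says nothing about what happens to an existing configuration that still sets link0 or a wildcard egress address (0.0.0.0 or 0::0). One sentence stating whether the flag is now ignored and whether such an egress address is still accepted would make the migration explicit. Removing the mode also removes the "accept tunneled traffic from any outer source address" exposure the old text warned about, which is worth keeping in mind when reviewing the new IFF_LINK2 text.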
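Review bot: "Ingress filter can be turned off by .Dv IFF_LINK2 bit." is placed in the Security subsection without saying what is given up: with the bit set, tunneled packets are accepted even when the outer source address would have failed the ingress check, so the packet filters the preceding sentence recommends become the only defense against the spoofed-outer-source case described there. Suggest stating that consequence and the intended use, e.g. "With .Dv IFF_LINK2 set, the outer source address is not subject to the ingress filter; set it only when the filter rejects legitimate peers, and protect the node with packet filters instead."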
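Review bot: in the new BUGS text, the recommended interface MTU of "1240 or smaller" for IPv4-in-IPv6 is given without its derivation; stating it (the IPv6 minimum link MTU of 1280 bytes minus the 40-byte outer IPv6 header) lets the reader recompute the value for other inner/outer combinations. The preceding paragraph says the DF bit is cleared when the outer protocol is IPv4, which is why the first-packet loss only arises with an IPv6 outer header (the IPv4 outer packet can be fragmented in transit instead of being dropped); saying so explicitly ties the two paragraphs together, and pairs naturally with the following note that ICMP messages for the outer header are not translated into the inner header.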