Diffstat (limited to 'static/freebsd/man4/stf.4 3.html')
| -rw-r--r-- | static/freebsd/man4/stf.4 3.html | 226 |
1 files changed, 0 insertions, 226 deletions
diff --git a/static/freebsd/man4/stf.4 3.html b/static/freebsd/man4/stf.4 3.html deleted file mode 100644 index 6dd421ff..00000000 --- a/static/freebsd/man4/stf.4 3.html +++ /dev/null 
@@ -1,226 +0,0 @@ -<table class="head"> - <tr> - <td class="head-ltitle">STF(4)</td> - <td class="head-vol">Device Drivers Manual</td> - <td class="head-rtitle">STF(4)</td> - </tr> -</table> -<div class="manual-text"> -<section class="Sh"> -<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> -<p class="Pp"><code class="Nm">stf</code> — <span class="Nd">6to4 tunnel - interface</span></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> -<p class="Pp"><code class="Cd">device stf</code></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> -<p class="Pp">The <code class="Nm">stf</code> interface supports - “6to4” and “6rd” IPv6 in IPv4 encapsulation. It - can tunnel IPv6 traffic over IPv4, as specified in - <code class="Li">RFC3056</code> or <code class="Li">RFC5969</code>.</p> -<p class="Pp">For ordinary nodes in a 6to4 or 6RD site, you do not need - <code class="Nm">stf</code> interface. The <code class="Nm">stf</code> - interface is necessary for site border routers (called “6to4 - routers” or “6rd Customer Edge (CE)” in the - specification).</p> -<p class="Pp">Each <code class="Nm">stf</code> interface is created at runtime - using interface cloning. This is most easily done with the - <a class="Xr">ifconfig(8)</a> <code class="Cm">create</code> command or - using the <var class="Va">cloned_interfaces</var> variable in - <a class="Xr">rc.conf(5)</a>.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="6to4"><a class="permalink" href="#6to4">6to4</a></h1> -<p class="Pp">Due to the way 6to4 protocol is specified, - <code class="Nm">stf</code> interface requires certain configuration to work - properly. Single (no more than 1) valid 6to4 address needs to be configured - to the interface. “A valid 6to4 address” is an address which - has the following properties. 
If any of the following properties are not - satisfied, <code class="Nm">stf</code> raises runtime error on packet - transmission. Read the specification for more details.</p> -<ul class="Bl-bullet"> - <li>matches <code class="Li">2002:xxyy:zzuu::/48</code> where - <code class="Li">xxyy:zzuu</code> is a hexadecimal notation of an IPv4 - address for the node. IPv4 address can be taken from any of interfaces - your node has. Since the specification forbids the use of IPv4 private - address, the address needs to be a global IPv4 address.</li> - <li>Subnet identifier portion (48th to 63rd bit) and interface identifier - portion (lower 64 bits) are properly filled to avoid address - collisions.</li> -</ul> -<p class="Pp">If you would like the node to behave as a relay router, the prefix - length for the IPv6 interface address needs to be 16 so that the node would - consider any 6to4 destination as “on-link”. If you would like - to restrict 6to4 peers to be inside certain IPv4 prefix, you may want to - configure IPv6 prefix length as “16 + IPv4 prefix length”. - <code class="Nm">stf</code> interface will check the IPv4 source address on - packets, if the IPv6 prefix length is larger than 16.</p> -<p class="Pp"><code class="Nm">stf</code> can be configured to be ECN friendly. - This can be configured by <code class="Dv">IFF_LINK1</code>. See - <a class="Xr">gif(4)</a> for details.</p> -<p class="Pp">Please note that 6to4 specification is written as “accept - tunnelled packet from everyone” tunnelling device. By enabling - <code class="Nm">stf</code> device, you are making it much easier for - malicious parties to inject fabricated IPv6 packet to your node. Also, - malicious party can inject an IPv6 packet with fabricated source address to - make your node generate improper tunnelled packet. Administrators must take - caution when enabling the interface. To prevent possible attacks, - <code class="Nm">stf</code> interface filters out the following packets. 
- Note that the checks are no way complete:</p> -<ul class="Bl-bullet"> - <li>Packets with IPv4 unspecified address as outer IPv4 source/destination - (<code class="Li">0.0.0.0/8</code>)</li> - <li>Packets with loopback address as outer IPv4 source/destination - (<code class="Li">127.0.0.0/8</code>)</li> - <li>Packets with IPv4 multicast address as outer IPv4 source/destination - (<code class="Li">224.0.0.0/4</code>)</li> - <li>Packets with limited broadcast address as outer IPv4 source/destination - (<code class="Li">255.0.0.0/8</code>)</li> - <li>Packets with private address as outer IPv4 source/destination - (<code class="Li">10.0.0.0/8</code>, - <code class="Li">172.16.0.0/12</code>, - <code class="Li">192.168.0.0/16</code>)</li> - <li>Packets with subnet broadcast address as outer IPv4 source/destination. - The check is made against subnet broadcast addresses for all of the - directly connected subnets.</li> - <li>Packets that does not pass ingress filtering. Outer IPv4 source address - must meet the IPv4 topology on the routing table. Ingress filter can be - turned off by <code class="Dv">IFF_LINK2</code> bit.</li> - <li>The same set of rules are applied against the IPv4 address embedded into - inner IPv6 address, if the IPv6 address matches 6to4 prefix.</li> -</ul> -<p class="Pp">It is recommended to filter/audit incoming IPv4 packet with IP - protocol number 41, as necessary. It is also recommended to filter/audit - encapsulated IPv6 packets as well. You may also want to run normal ingress - filter against inner IPv6 address to avoid spoofing.</p> -<p class="Pp">By setting the <code class="Dv">IFF_LINK0</code> flag on the - <code class="Nm">stf</code> interface, it is possible to disable the input - path, making the direct attacks from the outside impossible. Note, however, - there are other security risks exist. 
If you wish to use the configuration, - you must not advertise your 6to4 address to others.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="6rd"><a class="permalink" href="#6rd">6rd</a></h1> -<p class="Pp">Like “6to4” “6rd” also requires - configuration before it can be used. The required configuration parameters - are:</p> -<ul class="Bl-bullet"> - <li>The IPv6 address and prefix length.</li> - <li>The border router IPv4 address.</li> - <li>The IPv4 WAN address.</li> - <li>The prefix length of the IPv4 WAN address.</li> -</ul> -<p class="Pp">These parameters are all configured through - <a class="Xr">ifconfig(8)</a>.</p> -<p class="Pp">The IPv6 address and prefix length can be configured like any - other IPv6 address. Note that the prefix length is the IPv6 prefix length - excluding the embedded IPv4 address bits. The prefix length of the delegated - network is the sum of the IPv6 prefix length and the IPv4 prefix length.</p> -<p class="Pp">The border router IPv4 address is configured with the - <a class="Xr">ifconfig(8)</a> <code class="Cm">stfv4br</code> command.</p> -<p class="Pp">The IPv4 WAN address and IPv4 prefix length are configured using - the <a class="Xr">ifconfig(8)</a> <code class="Cm">stfv4net</code> - command.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SYSCTL_VARIABLES"><a class="permalink" href="#SYSCTL_VARIABLES">SYSCTL - VARIABLES</a></h1> -<p class="Pp">The following <a class="Xr">sysctl(8)</a> variables can be used to - control the behavior of the <code class="Nm">stf</code>. The default value - is shown next to each variable.</p> -<dl class="Bl-tag"> - <dt id="net.link.stf.permit_rfc1918"><var class="Va">net.link.stf.permit_rfc1918</var>: - <span class="No">0</span></dt> - <dd>The RFC3056 requires the use of globally unique 32-bit IPv4 addresses. - This sysctl variable controls the behaviour of this requirement. 
When it - set to not 0, <code class="Nm">stf</code> allows the use of private IPv4 - addresses described in the RFC1918. This may be useful for an Intranet - environment or when some mechanisms of network address translation (NAT) - are used.</dd> -</dl> -</section> -<section class="Sh"> -<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> -<p class="Pp">Note that <code class="Li">8504:0506</code> is equal to - <code class="Li">133.4.5.6</code>, written in hexadecimals.</p> -<div class="Bd Pp Li"> -<pre># ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 -# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ - prefixlen 16 alias</pre> -</div> -<p class="Pp">The following configuration accepts packets from IPv4 source - <code class="Li">9.1.0.0/16</code> only. It emits 6to4 packet only for IPv6 - destination 2002:0901::/32 (IPv4 destination will match - <code class="Li">9.1.0.0/16</code>).</p> -<div class="Bd Pp Li"> -<pre># ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 -# ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \ - prefixlen 32 alias</pre> -</div> -<p class="Pp">The following configuration uses the <code class="Nm">stf</code> - interface as an output-only device. You need to have alternative IPv6 - connectivity (other than 6to4) to use this configuration. For outbound - traffic, you can reach other 6to4 networks efficiently via - <code class="Nm">stf</code>. For inbound traffic, you will not receive any - 6to4-tunneled packets (less security drawbacks). 
Be careful not to advertise - your 6to4 prefix to others (<code class="Li">2002:8504:0506::/48</code>), - and not to use your 6to4 prefix as a source.</p> -<div class="Bd Pp Li"> -<pre># ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 -# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ - prefixlen 16 alias deprecated link0 -# route add -inet6 2002:: -prefixlen 16 ::1 -# route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0</pre> -</div> -<p class="Pp">The following example configures a “6rd” tunnel on a - “6rd CE” where the ISP's “6rd” IPv6 prefix is - 2001:db8::/32. The border router is 192.0.2.1. The “6rd CE” - has a WAN address of 192.0.2.2 and the full IPv4 address is embedded in the - “6rd IPv6 address:”</p> -<div class="Bd Pp Li"> -<pre># ifconfig stf0 inet6 2001:db8:c000:0202:: prefixlen 32 up -# ifconfig stf0 stfv4br 192.0.2.1 -# ifconfig stf0 stfv4net 192.0.2.2/32</pre> -</div> -</section> -<section class="Sh"> -<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE - ALSO</a></h1> -<p class="Pp"><a class="Xr">gif(4)</a>, <a class="Xr">inet(4)</a>, - <a class="Xr">inet6(4)</a></p> -<p class="Pp"><cite class="Rs"><span class="RsA">Brian Carpenter</span> and - <span class="RsA">Keith Moore</span>, <span class="RsT">Connection of IPv6 - Domains via IPv4 Clouds</span>, <span class="RsR">RFC</span>, - <span class="RsN">3056</span>, <span class="RsD">February - 2001</span>.</cite></p> -<p class="Pp"><cite class="Rs"><span class="RsA">Jun-ichiro itojun - Hagino</span>, <span class="RsT">Possible abuse against IPv6 transition - technologies</span>, - <span class="RsN">draft-itojun-ipv6-transition-abuse-01.txt</span>, - <span class="RsD">July 2000</span>, <span class="RsO">work in - progress</span>.</cite></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> -<p class="Pp">The <code class="Nm">stf</code> device first appeared in WIDE/KAME - IPv6 stack.</p> -</section> 
-<section class="Sh"> -<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> -<p class="Pp">No more than one <code class="Nm">stf</code> interface is allowed - for a node, and no more than one IPv6 interface address is allowed for an - <code class="Nm">stf</code> interface. It is to avoid source address - selection conflicts between IPv6 layer and IPv4 layer, and to cope with - ingress filtering rule on the other side. This is a feature to make - <code class="Nm">stf</code> work right for all occasions.</p> -</section> -</div> -<table class="foot"> - <tr> - <td class="foot-date">November 16, 2021</td> - <td class="foot-os">FreeBSD 15.0</td> - </tr> -</table> |
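Review bot: the deleted path `static/freebsd/man4/stf.4 3.html` (note the space and the ` 3` suffix) reads like an accidentally duplicated copy of what is presumably `static/freebsd/man4/stf.4.html`, and this diff shows only the removal, so please confirm that the canonical copy is still present in the tree before merging. The removed page is the stf(4) manual, including its security guidance (the outer-IPv4 address filters, the IFF_LINK2 ingress-filter bit, the IFF_LINK0 input-disable flag and the 6to4 exposure warning), and none of that should vanish from the rendered site because a duplicate was pruned. While here, it would be worth checking `static/` for other `* N.html` duplicates so they go in the same cleanup commit, and the commit message should state that this is a duplicate removal rather than a content drop.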
