Diffstat (limited to 'static/netbsd/man4/gif.4')
| -rw-r--r-- | static/netbsd/man4/gif.4 | 276 |
1 files changed, 276 insertions, 0 deletions
diff --git a/static/netbsd/man4/gif.4 b/static/netbsd/man4/gif.4 new file mode 100644 index 00000000..a56c411b --- /dev/null +++ b/static/netbsd/man4/gif.4 
@@ -0,0 +1,276 @@ +.\" $NetBSD: gif.4,v 1.34 2018/08/14 06:27:44 wiz Exp $ +.\" $KAME: gif.4,v 1.24 2001/02/20 12:54:01 itojun Exp $ +.\" +.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the project nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd August 14, 2018 +.Dt GIF 4 +.Os +.Sh NAME +.Nm gif +.Nd generic tunnel interface +.Sh SYNOPSIS +.Cd "pseudo-device gif" +.Sh DESCRIPTION +The +.Nm +interface is a generic tunneling pseudo device for IPv4 and IPv6. 
+It can tunnel IPv[46] traffic over IPv[46]. +Therefore, there can be four possible configurations. +The behavior of +.Nm +is mainly based on RFC 2893 IPv6-over-IPv4 configured tunnel. +.Pp +To use +.Nm gif , +the administrator must first create the interface +and then configure protocol and addresses used for the outer +header. +This can be done by using +.Xr ifconfig 8 +.Cm create +and +.Cm tunnel +subcommands, or +.Dv SIOCIFCREATE +and +.Dv SIOCSIFPHYADDR +ioctls. +Also, administrator needs to configure protocol and addresses used for the +inner header, by using +.Xr ifconfig 8 . +Note that IPv6 link-local address +.Pq those start with Li fe80:: +will be automatically configured whenever possible. +You may need to remove IPv6 link-local address manually using +.Xr ifconfig 8 , +when you would like to disable the use of IPv6 as inner header +.Pq like when you need pure IPv4-over-IPv6 tunnel . +Finally, use routing table to route the packets toward +.Nm +interface. +.Pp +.Nm +can be configured to be ECN friendly. +This can be configured by +.Dv IFF_LINK1 . +.Ss ECN friendly behavior +.Nm +can be configured to be ECN friendly, as described in +.Dv draft-ietf-ipsec-ecn-02.txt . +This is turned off by default, and can be turned on by +.Dv IFF_LINK1 +interface flag. +.Pp +Without +.Dv IFF_LINK1 , +.Nm +will show a normal behavior, like described in RFC 2893. +This can be summarized as follows: +.Bl -tag -width "Ingress" -offset indent +.It Ingress +Set outer TOS bit to +.Dv 0 . +.It Egress +Drop outer TOS bit. +.El +.Pp +With +.Dv IFF_LINK1 , +.Nm +will copy ECN bits +.Dv ( 0x02 +and +.Dv 0x01 +on IPv4 TOS byte or IPv6 traffic class byte) +on egress and ingress, as follows: +.Bl -tag -width "Ingress" -offset indent +.It Ingress +Copy TOS bits except for ECN CE +(masked with +.Dv 0xfe ) +from +inner to outer. +set ECN CE bit to +.Dv 0 . +.It Egress +Use inner TOS bits with some change. +If outer ECN CE bit is +.Dv 1 , +enable ECN CE bit on the inner. 
+.El +.Pp +Note that the ECN friendly behavior violates RFC 2893. +This should be used in mutual agreement with the peer. +.Ss Packet format +Every inner packet is encapsulated in an outer packet. +The inner packet may be IPv4 or IPv6. +The outer packet may be IPv4 or IPv6, and has all the +usual IP headers, including a protocol field that identifies the +type of inner packet. +.Pp +When the inner packet is IPv4, the protocol field of the outer packet +is 4 +.Dv ( IPPROTO_IPV4 ) . +When the inner packet is IPv6, the protocol field of the outer packet +is 41 +.Dv ( IPPROTO_IPV6 ) . +.Ss Security +Malicious party may try to circumvent security filters by using +tunneled packets. +For better protection, +.Nm +performs martian filter and ingress filter against outer source address, +on egress. +Note that martian/ingress filters are no way complete. +You may want to secure your node by using packet filters. +Ingress filter can be turned off by +.Dv IFF_LINK2 +bit. +.\" +.Sh EXAMPLES +Configuration example: +.Bd -literal +Host X--NetBSD A ----------------tunnel---------- cisco D------Host E + \\ | + \\ / + +-----Router B--------Router C---------+ + +.Ed +On +.Nx +system A +.Ns ( Nx ) : +.Bd -literal + # route add default B + # ifconfig gifN create + # ifconfig gifN A netmask 0xffffffff tunnel A D up + # route add E 0 + # route change E -ifp gif0 +.Ed +.Pp +On Host D (Cisco): +.Bd -literal + Interface TunnelX + ip unnumbered D ! e.g. address from Ethernet interface + tunnel source D ! e.g. address from Ethernet interface + tunnel destination A + tunnel mode ipip + ip route C <some interface and mask> + ip route A mask C + ip route X mask tunnelX +.Ed +.Pp +or on Host D +.Ns ( Nx ) : +.Bd -literal + # route add default C + # ifconfig gifN D A +.Ed +.Pp +If all goes well, you should see packets flowing. +.Pp +If you want to reach Host A over the tunnel (from the Cisco D), then +you have to have an alias on Host A for e.g. 
the Ethernet interface like: +.Ic ifconfig Ar <etherif> alias Y +and on the cisco +.Ic ip Ar route Y mask tunnelX . +.Sh SEE ALSO +.Xr inet 4 , +.Xr inet6 4 , +.Xr l2tp 4 , +.Xr ifconfig 8 +.Rs +.%A C. Perkins +.%B RFC 2003 +.%T IP Encapsulation within IP +.%D October 1996 +.%U ftp://ftp.isi.edu/in-notes/rfc2003.txt +.Re +.Rs +.%A R. Gilligan +.%A E. Nordmark +.%B RFC 2893 +.%T Transition Mechanisms for IPv6 Hosts and Routers +.%D August 2000 +.%U ftp://ftp.isi.edu/in-notes/rfc2893.txt +.Re +.Rs +.%A Sally Floyd +.%A David L. Black +.%A K. K. Ramakrishnan +.%T "IPsec Interactions with ECN" +.%D December 1999 +.%U http://datatracker.ietf.org/internet-drafts/draft-ietf-ipsec-ecn/ +.Re +.Rs +.%A F. Baker +.%A P. Savola +.%B RFC 3704 +.%T Ingress Filtering for Multihomed Networks +.%D March 2004 +.%U ftp://ftp.isi.edu/in-notes/rfc3704.txt +.Re +.\" +.Sh STANDARDS +IPv4 over IPv4 encapsulation is compatible with RFC 2003. +IPv6 over IPv4 encapsulation is compatible with RFC 2893. +.\" +.Sh HISTORY +The +.Nm +device first appeared in WIDE hydrangea IPv6 kit. +.\" +.Sh BUGS +There are many tunneling protocol specifications, +defined differently from each other. +.Nm +may not interoperate with peers which are based on different specifications, +and are picky about outer header fields. +For example, you cannot usually use +.Nm +to talk with IPsec devices that use IPsec tunnel mode. +.Pp +The current code does not check if the ingress address +.Pq outer source address +configured to +.Nm +makes sense. +Make sure to configure an address which belongs to your node. +Otherwise, your node will not be able to receive packets from the peer, +and your node will generate packets with a spoofed source address. +.Pp +If the outer protocol is IPv6, path MTU discovery for encapsulated packet +may affect communication over the interface. +.Pp +In the past, +.Nm +had a multi-destination behavior, configurable via +.Dv IFF_LINK0 +flag. 
+The behavior was obsoleted and is no longer supported.
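Review bot: the NetBSD A example in the EXAMPLES section is internally inconsistent about the interface name: it creates and configures `gifN` (`# ifconfig gifN create`, `# ifconfig gifN A netmask 0xffffffff tunnel A D up`) but the final command routes through a different interface, `# route change E -ifp gif0`; change that to `-ifp gifN` so the example works as written. A second, documentation point: the BUGS section states that the configured outer source address is not validated and that a wrong one makes the node emit packets with a spoofed source address, while the Security section only describes the martian and ingress filters on the outer source address (applied on egress, and disableable via `IFF_LINK2`); since the unvalidated local address is a security property of the interface, the Security section should cross-reference that BUGS entry rather than leaving it for the reader to find at the end of the page.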
