Diffstat (limited to 'static/netbsd/man4/stf.4 3.html')
| -rw-r--r-- | static/netbsd/man4/stf.4 3.html | 190 |
1 files changed, 0 insertions, 190 deletions
diff --git a/static/netbsd/man4/stf.4 3.html b/static/netbsd/man4/stf.4 3.html deleted file mode 100644 index 1064d74c..00000000 --- a/static/netbsd/man4/stf.4 3.html +++ /dev/null 
@@ -1,190 +0,0 @@ -<table class="head"> - <tr> - <td class="head-ltitle">STF(4)</td> - <td class="head-vol">Device Drivers Manual</td> - <td class="head-rtitle">STF(4)</td> - </tr> -</table> -<div class="manual-text"> -<section class="Sh"> -<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> -<p class="Pp"><code class="Nm">stf</code> — <span class="Nd">6to4 tunnel - interface</span></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> -<p class="Pp"><code class="Cd">pseudo-device stf</code></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> -<p class="Pp">The <code class="Nm">stf</code> interface supports - “6to4” IPv6 in IPv4 encapsulation. It can tunnel IPv6 traffic - over IPv4, as specified in <code class="Li">RFC3056</code>. - <code class="Nm">stf</code> interfaces are dynamically created and destroyed - with the <a class="Xr">ifconfig(8)</a> <code class="Cm">create</code> and - <code class="Cm">destroy</code> subcommands. Only one - <code class="Nm">stf</code> interface may be created.</p> -<p class="Pp">For ordinary nodes in 6to4 sites, you do not need a - <code class="Nm">stf</code> interface. The <code class="Nm">stf</code> - interface is only necessary on the site border router (called the - “6to4 router” in the specification).</p> -<p class="Pp">Due to the way the 6to4 protocol is specified, - <code class="Nm">stf</code> interfaces require certain configuration to work - properly. A single (no more than one) valid 6to4 address needs to be - configured on the interface. “A valid 6to4 address” is an - address which has the following properties. If any of the following - properties are not satisfied, <code class="Nm">stf</code> raises a runtime - error on packet transmission. 
Read the specification for more details.</p> -<ul class="Bl-bullet"> - <li>matches <code class="Li">2002:xxyy:zzuu::/48</code>, where - <code class="Li">xxyy:zzuu</code> is the hexadecimal notation of an IPv4 - address for the node. The IPv4 address used can be taken from any - interface your node has. Since the specification forbids the use of IPv4 - private address, the address needs to be a global IPv4 address.</li> - <li>Subnet identifier portion (48th to 63rd bit) and interface identifier - portion (lower 64 bits) are properly filled to avoid address - collisions.</li> -</ul> -<p class="Pp">If you would like the node to behave as a relay router, the prefix - length for the IPv6 interface address needs to be 16 so that the node would - consider any 6to4 destination as “on-link”. If you would like - to restrict 6to4 peers to be inside a certain IPv4 prefix, you may want to - configure the IPv6 prefix length to be “16 + IPv4 prefix - length”. The <code class="Nm">stf</code> interface will check the - IPv4 source address on packets if the IPv6 prefix length is larger than - 16.</p> -<p class="Pp"><code class="Nm">stf</code> can be configured to be ECN (Explicit - Congestion Notification) friendly. This can be configured by - <code class="Dv">IFF_LINK1</code>. See <a class="Xr">gif(4)</a> for - details.</p> -<p class="Pp">Please note that the 6to4 specification is written as an - “accept tunneled packet from everyone” tunneling device. By - enabling the <code class="Nm">stf</code> device, you are making it much - easier for malicious parties to inject fabricated IPv6 packets to your node. - Also, malicious parties can inject IPv6 packets with fabricated source - addresses to make your node generate improper tunneled packets. - Administrators must be cautious when enabling the interface. 
To prevent - possible attacks, the <code class="Nm">stf</code> interface filters out the - following packets (note that the checks are in no way complete):</p> -<ul class="Bl-bullet"> - <li>Packets with IPv4 unspecified addresses as outer IPv4 source/destination - (<code class="Li">0.0.0.0/8</code>)</li> - <li>Packets with the loopback address as outer IPv4 source/destination - (<code class="Li">127.0.0.0/8</code>)</li> - <li>Packets with IPv4 multicast addresses as outer IPv4 source/destination - (<code class="Li">224.0.0.0/4</code>)</li> - <li>Packets with limited broadcast addresses as outer IPv4 source/destination - (<code class="Li">255.0.0.0/8</code>)</li> - <li>Packets with private addresses as outer IPv4 source/destination - (<code class="Li">10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16</code>)</li> - <li>Packets with IPv4 link-local addresses as outer IPv4 source/destination - (<code class="Li">169.254.0.0/16</code>)</li> - <li>Packets with subnet broadcast addresses as outer IPv4 source/destination. - The check is made against subnet broadcast addresses for all of the - directly connected subnets.</li> - <li>Packets that do not pass ingress filtering. Outer IPv4 source addresses - must meet the IPv4 topology on the routing table. Ingress filtering can be - turned off by <code class="Dv">IFF_LINK2</code> bit.</li> - <li>The same set of rules are applied against the IPv4 address embedded into - the inner IPv6 address, if the IPv6 address matches the 6to4 prefix.</li> - <li>Packets with site-local or link-local unicast addresses as inner IPv6 - source/destination</li> - <li>Packets with node-local or link-local multicast addresses as inner IPv6 - source/destination</li> -</ul> -<p class="Pp">It is recommended to filter/audit incoming IPv4 packets with IP - protocol number 41, as necessary. It is also recommended to filter/audit - encapsulated IPv6 packets as well. 
You may also want to run normal ingress - filtering against inner IPv6 addresses to avoid spoofing.</p> -<p class="Pp">By setting the <code class="Dv">IFF_LINK0</code> flag on the - <code class="Nm">stf</code> interface, it is possible to disable the input - path, making direct attacks from the outside impossible. Note, however, that - other security risks exist. If you wish to use the configuration, you must - not advertise your 6to4 addresses to others.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> -<p class="Pp">Note that <code class="Li">8504:0506</code> is equal to - <code class="Li">133.4.5.6</code>, written in hexadecimal.</p> -<div class="Bd Pp Li"> -<pre># ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 -# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ - prefixlen 16 alias</pre> -</div> -<p class="Pp">The following configuration accepts packets from IPv4 source - address <code class="Li">9.1.0.0/16</code> only. It emits 6to4 packets only - for IPv6 destination 2002:0901::/32 (IPv4 destination will match - <code class="Li">9.1.0.0/16</code>).</p> -<div class="Bd Pp Li"> -<pre># ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 -# ifconfig stf0 create inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \ - prefixlen 32 alias</pre> -</div> -<p class="Pp">The following configuration uses the <code class="Nm">stf</code> - interface as an output-only device. You need to have alternative IPv6 - connectivity (other than 6to4) to use this configuration. For outbound - traffic, you can reach other 6to4 networks efficiently via - <code class="Nm">stf</code>. For inbound traffic, you will not receive any - 6to4-tunneled packets (less security drawbacks). 
Be careful not to advertise - your 6to4 prefix to others (<code class="Li">2002:8504:0506::/48</code>), - and not to use your 6to4 prefix as a source address.</p> -<div class="Bd Pp Li"> -<pre># ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 -# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ - prefixlen 16 alias deprecated link0 -# route add -inet6 2002:: -prefixlen 16 ::1 -ifp stf0</pre> -</div> -</section> -<section class="Sh"> -<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE - ALSO</a></h1> -<p class="Pp"><a class="Xr">gif(4)</a>, <a class="Xr">inet(4)</a>, - <a class="Xr">inet6(4)</a></p> -<p class="Pp"></p> -<p class="Pp"><cite class="Rs"><span class="RsA">Brian Carpenter</span> and - <span class="RsA">Keith Moore</span>, <span class="RsT">Connection of IPv6 - Domains via IPv4 Clouds</span>, <span class="RsR">RFC</span>, - <span class="RsN">3056</span>, <span class="RsD">February - 2001</span>.</cite></p> -<p class="Pp"><cite class="Rs"><span class="RsA">C. Huitema</span>, - <span class="RsT">An Anycast Prefix for 6to4 Relay Routers</span>, - <span class="RsR">RFC</span>, <span class="RsN">3068</span>, - <span class="RsD">June 2001</span>.</cite></p> -<p class="Pp"><cite class="Rs"><span class="RsA">F. Baker</span> and - <span class="RsA">P. Savola</span>, <span class="RsT">Ingress Filtering for - Multihomed Networks</span>, <span class="RsR">RFC</span>, - <span class="RsN">3704</span>, <span class="RsD">March - 2004</span>.</cite></p> -<p class="Pp"><cite class="Rs"><span class="RsA">P. Savola</span> and - <span class="RsA">C. 
Patel</span>, <span class="RsT">Security Considerations - for 6to4</span>, <span class="RsR">RFC</span>, - <span class="RsN">3964</span>, <span class="RsD">December - 2004</span>.</cite></p> -<p class="Pp"><cite class="Rs"><span class="RsA">Jun-ichiro itojun - Hagino</span>, <span class="RsT">Possible abuse against IPv6 transition - technologies</span>, - <span class="RsN">draft-itojun-ipv6-transition-abuse-01.txt</span>, - <span class="RsD">July 2000</span>, <span class="RsO">expired, work in - progress</span>.</cite></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> -<p class="Pp">The <code class="Nm">stf</code> device first appeared in WIDE/KAME - IPv6 stack.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> -<p class="Pp">No more than one <code class="Nm">stf</code> interface is allowed - for a node, and no more than one IPv6 interface address is allowed for an - <code class="Nm">stf</code> interface. This is to avoid source address - selection conflicts between the IPv6 layer and the IPv4 layer, and to cope - with ingress filtering rules on the other side. This is a feature to make - <code class="Nm">stf</code> work right for all occasions.</p> -</section> -</div> -<table class="foot"> - <tr> - <td class="foot-date">January 2, 2011</td> - <td class="foot-os">NetBSD 10.1</td> - </tr> -</table> |
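Review bot: the deleted path `static/netbsd/man4/stf.4 3.html` has a space and a " 3" suffix, which is the naming pattern of a stray duplicate copy rather than a page in its own right, so removing it looks correct, but nothing in this diff shows that a copy without the suffix is still in the tree. Please state in the commit message that the canonical stf(4) page (NetBSD 10.1, dated January 2, 2011 in the footer) remains and matches this content, because this is the only copy visible here and it carries security guidance the site should keep serving: the list of outer IPv4 source/destination ranges the interface filters, the ingress-filtering behaviour tied to IFF_LINK2, and the IFF_LINK0 output-only configuration.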
