xref: /freebsd/share/man/man4/gif.4 (revision 0787ca52b414cb0f4922cfb47df3553a30ed989f)

.\"	$FreeBSD$
.\"	$KAME: gif.4,v 1.28 2001/05/18 13:15:56 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd April 10, 1999
.Dt GIF 4
.Os
.Sh NAME
.Nm gif
.Nd generic tunnel interface
.Sh SYNOPSIS
.Cd "device gif"
.Sh DESCRIPTION
The
.Nm
interface is a generic tunnelling pseudo device for IPv4 and IPv6.
It can tunnel IPv[46] traffic over IPv[46].
Therefore, there can be four possible configurations.
The behavior of
.Nm
is mainly based on RFC2893 IPv6-over-IPv4 configured tunnel.
On
.Nx ,
.Nm
can also tunnel ISO traffic over IPv[46] using EON encapsulation.
.Pp
.Nm
interfaces are allocated at runtime using interface cloning.
This is
most easily done with the
.Xr ifconfig 8
.Cm create
command.
.Pp
To use
.Nm ,
administrator needs to configure protocol and addresses used for the outer
header.
This can be done by using
.Xr gifconfig 8 ,
or
.Dv SIOCSIFPHYADDR
ioctl.
Also, administrator needs to configure protocol and addresses used for the
inner header, by using
.Xr ifconfig 8 .
Note that IPv6 link-local address
(those start with
.Li fe80:: )
will be automatically configured whenever possible.
You may need to remove IPv6 link-local address manually using
.Xr ifconfig 8 ,
when you would like to disable the use of IPv6 as inner header
(like when you need pure IPv4-over-IPv6 tunnel).
Finally, use routing table to route the packets toward
.Nm
interface.
.Pp
.Nm
can be configured to be ECN friendly.
This can be configured by
.Dv IFF_LINK1 .
.Pp
.Ss ECN friendly behavior
.Nm
can be configured to be ECN friendly, as described in
.Dv draft-ietf-ipsec-ecn-02.txt .
This is turned off by default, and can be turned on by
.Dv IFF_LINK1
interface flag.
.Pp
Without
.Dv IFF_LINK1 ,
.Nm
will show a normal behavior, like described in RFC2893.
This can be summarized as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Set outer TOS bit to
.Dv 0 .
.It Egress
Drop outer TOS bit.
.El
.Pp
With
.Dv IFF_LINK1 ,
.Nm
will copy ECN bits
.Dv ( 0x02
and
.Dv 0x01
on IPv4 TOS byte or IPv6 traffic class byte)
on egress and ingress, as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Copy TOS bits except for ECN CE
(masked with
.Dv 0xfe )
from
inner to outer.
Set ECN CE bit to
.Dv 0 .
.It Egress
Use inner TOS bits with some change.
If outer ECN CE bit is
.Dv 1 ,
enable ECN CE bit on the inner.
.El
.Pp
Note that the ECN friendly behavior violates RFC2893.
This should be used in mutual agreement with the peer.
.Pp
.Ss Security
Malicious party may try to circumvent security filters by using
tunnelled packets.
For better protection,
.Nm
performs martian filter and ingress filter against outer source address,
on egress.
Note that martian/ingress filters are no way complete.
You may want to secure your node by using packet filters.
Ingress filter can be turned off by
.Dv IFF_LINK2
bit.
.\"
.Sh SEE ALSO
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr gifconfig 8
.Rs
.%A	R. Gilligan
.%A	E. Nordmark
.%B	RFC2893
.%T	Transition Mechanisms for IPv6 Hosts and Routers
.%D	August 2000
.%O	ftp://ftp.isi.edu/in-notes/rfc2893.txt
.Re
.Rs
.%A	Sally Floyd
.%A	David L. Black
.%A	K. K. Ramakrishnan
.%T	"IPsec Interactions with ECN"
.%D	December 1999
.%O	draft-ietf-ipsec-ecn-02.txt
.Re
.\"
.Sh HISTORY
The
.Nm
device first appeared in WIDE hydrangea IPv6 kit.
.\"
.Sh BUGS
There are many tunnelling protocol specifications,
defined differently from each other.
.Nm
may not interoperate with peers which are based on different specifications,
and are picky about outer header fields.
For example, you cannot usually use
.Nm
to talk with IPsec devices that use IPsec tunnel mode.
.Pp
The current code does not check if the ingress address
(outer source address)
configured to
.Nm
makes sense.
Make sure to configure an address which belongs to your node.
Otherwise, your node will not be able to receive packets from the peer,
and your node will generate packets with a spoofed source address.
.Pp
If the outer protocol is IPv4,
.Nm
does not try to perform path MTU discovery for the encapsulated packet
(DF bit is set to 0).
.Pp
If the outer protocol is IPv6, path MTU discovery for encapsulated packet
may affect communication over the interface.
The first bigger-than-pmtu packet may be lost.
To avoid the problem, you may want to set the interface MTU for
.Nm
to 1240 or smaller, when outer header is IPv6 and inner header is IPv4.
.Pp
.Nm
does not translate ICMP messages for outer header into inner header.
.Pp
In the past,
.Nm
had a multi-destination behavior, configurable via
.Dv IFF_LINK0
flag.
The behavior was obsoleted and is no longer supported.