xref: /freebsd/share/man/man4/gif.4 (revision 43a5ec4eb41567cc92586503212743d89686d78f)
1.\"	$KAME: gif.4,v 1.28 2001/05/18 13:15:56 itojun Exp $
2.\"
3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. Neither the name of the project nor the names of its contributors
15.\"    may be used to endorse or promote products derived from this software
16.\"    without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
30.\" $FreeBSD$
31.\"
32.Dd October 21, 2018
33.Dt GIF 4
34.Os
35.Sh NAME
36.Nm gif
37.Nd generic tunnel interface
38.Sh SYNOPSIS
39.Cd "device gif"
40.Sh DESCRIPTION
41The
42.Nm
43interface is a generic tunnelling device for IPv4 and IPv6.
44It can tunnel IPv[46] traffic over IPv[46].
45Therefore, there can be four possible configurations.
46The behavior of
47.Nm
48is mainly based on RFC2893 IPv6-over-IPv4 configured tunnel.
49On
50.Nx ,
51.Nm
52can also tunnel ISO traffic over IPv[46] using EON encapsulation.
53Note that
54.Nm
55does not perform GRE encapsulation; use
56.Xr gre 4
57for GRE encapsulation.
58.Pp
59Each
60.Nm
61interface is created at runtime using interface cloning.
62This is
63most easily done with the
64.Dq Nm ifconfig Cm create
65command or using the
66.Va ifconfig_ Ns Aq Ar interface
67variable in
68.Xr rc.conf 5 .
69.Pp
70To use
71.Nm ,
72the administrator needs to configure the protocol and addresses used for the outer
73header.
74This can be done by using
75.Xr ifconfig 8
76.Cm tunnel ,
77or
78.Dv SIOCSIFPHYADDR
79ioctl.
80The administrator also needs to configure the protocol and addresses for the
81inner header, with
82.Xr ifconfig 8 .
83Note that IPv6 link-local addresses
84(those that start with
85.Li fe80:: )
86will be automatically configured whenever possible.
87You may need to remove IPv6 link-local addresses manually using
88.Xr ifconfig 8 ,
89if you want to disable the use of IPv6 as the inner header
90(for example, if you need a pure IPv4-over-IPv6 tunnel).
91Finally, you must modify the routing table to route the packets through the
92.Nm
93interface.
94.Pp
95The
96.Nm
97device can be configured to be ECN friendly.
98This can be configured by
99.Dv IFF_LINK1 .
100.Ss ECN friendly behavior
101The
102.Nm
103device can be configured to be ECN friendly, as described in
104.Dv draft-ietf-ipsec-ecn-02.txt .
105This is turned off by default, and can be turned on by the
106.Dv IFF_LINK1
107interface flag.
108.Pp
109Without
110.Dv IFF_LINK1 ,
111.Nm
112will show normal behavior, as described in RFC2893.
113This can be summarized as follows:
114.Bl -tag -width "Ingress" -offset indent
115.It Ingress
116Set outer TOS bit to
117.Dv 0 .
118.It Egress
119Drop outer TOS bit.
120.El
121.Pp
122With
123.Dv IFF_LINK1 ,
124.Nm
125will copy ECN bits
126.Dv ( 0x02
127and
128.Dv 0x01
129on IPv4 TOS byte or IPv6 traffic class byte)
130on egress and ingress, as follows:
131.Bl -tag -width "Ingress" -offset indent
132.It Ingress
133Copy TOS bits except for ECN CE
134(masked with
135.Dv 0xfe )
136from
137inner to outer.
138Set ECN CE bit to
139.Dv 0 .
140.It Egress
141Use inner TOS bits with some change.
142If outer ECN CE bit is
143.Dv 1 ,
144enable ECN CE bit on the inner.
145.El
146.Pp
147Note that the ECN friendly behavior violates RFC2893.
148This should be used in mutual agreement with the peer.
149.Ss Security
150A malicious party may try to circumvent security filters by using
151tunnelled packets.
152For better protection,
153.Nm
154performs both martian and ingress filtering against the outer source address
155on egress.
156Note that martian/ingress filters are in no way complete.
157You may want to secure your node by using packet filters.
158Ingress filtering can break tunnel operation in an asymmetrically
159routed network.
160It can be turned off by
161.Dv IFF_LINK2
162bit.
163.Ss Miscellaneous
164By default,
165.Nm
166tunnels may not be nested.
167This behavior may be modified at runtime by setting the
168.Xr sysctl 8
169variable
170.Va net.link.gif.max_nesting
171to the desired level of nesting.
172.Sh SEE ALSO
173.Xr gre 4 ,
174.Xr inet 4 ,
175.Xr inet6 4 ,
176.Xr ifconfig 8
177.Rs
178.%A R. Gilligan
179.%A E. Nordmark
180.%B RFC2893
181.%T Transition Mechanisms for IPv6 Hosts and Routers
182.%D August 2000
183.%U http://tools.ietf.org/html/rfc2893
184.Re
185.Rs
186.%A Sally Floyd
187.%A David L. Black
188.%A K. K. Ramakrishnan
189.%T "IPsec Interactions with ECN"
190.%D December 1999
191.%O draft-ietf-ipsec-ecn-02.txt
192.Re
193.\"
194.Sh HISTORY
195The
196.Nm
197device first appeared in the WIDE hydrangea IPv6 kit.
198.\"
199.Sh BUGS
200There are many tunnelling protocol specifications, all
201defined differently from each other.
202The
203.Nm
204device may not interoperate with peers which are based on different specifications,
205and are picky about outer header fields.
206For example, you cannot usually use
207.Nm
208to talk with IPsec devices that use IPsec tunnel mode.
209.Pp
210If the outer protocol is IPv4,
211.Nm
212does not try to perform path MTU discovery for the encapsulated packet
213(DF bit is set to 0).
214.Pp
215If the outer protocol is IPv6, path MTU discovery for encapsulated packets
216may affect communication over the interface.
217The first bigger-than-pmtu packet may be lost.
218To avoid the problem, you may want to set the interface MTU for
219.Nm
220to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4.
221.Pp
222The
223.Nm
224device does not translate ICMP messages for the outer header into the inner header.
225.Pp
226In the past,
227.Nm
228had a multi-destination behavior, configurable via
229.Dv IFF_LINK0
230flag.
231The behavior is obsolete and is no longer supported.
232