.\" $FreeBSD$
.\" $KAME: gif.4,v 1.28 2001/05/18 13:15:56 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd April 10, 1999
.Dt GIF 4
.Os
.Sh NAME
.Nm gif
.Nd generic tunnel interface
.Sh SYNOPSIS
.Cd "device gif"
.Sh DESCRIPTION
The
.Nm
interface is a generic tunnelling pseudo device for IPv4 and IPv6.
It can tunnel IPv[46] traffic over IPv[46].
Therefore, there can be four possible configurations.
The behavior of
.Nm
is mainly based on the RFC2893 IPv6-over-IPv4 configured tunnel.
On
.Nx ,
.Nm
can also tunnel ISO traffic over IPv[46] using EON encapsulation.
.Pp
Each
.Nm
interface is created at runtime using interface cloning.
This is most easily done with the
.Xr ifconfig 8
.Cm create
command or using the
.Va gifconfig_ Ns Aq Ar interface
variable in
.Xr rc.conf 5 .
.Pp
To use
.Nm ,
the administrator needs to configure the protocol and addresses used for the
outer header.
This can be done by using
.Xr gifconfig 8 ,
or the
.Dv SIOCSIFPHYADDR
ioctl.
The administrator also needs to configure the protocol and addresses used for
the inner header, by using
.Xr ifconfig 8 .
Note that an IPv6 link-local address
(one starting with
.Li fe80:: )
will be configured automatically whenever possible.
You may need to remove the IPv6 link-local address manually using
.Xr ifconfig 8
when you want to disable the use of IPv6 as the inner header
(for example, when you need a pure IPv4-over-IPv6 tunnel).
Finally, use the routing table to route packets toward the
.Nm
interface.
.Pp
.Nm
can be configured to be ECN friendly.
This is controlled by the
.Dv IFF_LINK1
interface flag.
.Pp
.Ss ECN friendly behavior
.Nm
can be configured to be ECN friendly, as described in
.Dv draft-ietf-ipsec-ecn-02.txt .
This is turned off by default, and can be turned on by the
.Dv IFF_LINK1
interface flag.
.Pp
Without
.Dv IFF_LINK1 ,
.Nm
shows the normal behavior described in RFC2893.
This can be summarized as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Set the outer TOS byte to
.Dv 0 .
.It Egress
Drop the outer TOS byte.
.El
.Pp
With
.Dv IFF_LINK1 ,
.Nm
copies the ECN bits
.Dv ( 0x02
and
.Dv 0x01
in the IPv4 TOS byte or IPv6 traffic class byte)
on egress and ingress, as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Copy the TOS bits except for ECN CE
(masked with
.Dv 0xfe )
from inner to outer.
Set the ECN CE bit to
.Dv 0 .
.It Egress
Use the inner TOS bits, with one change:
if the outer ECN CE bit is
.Dv 1 ,
set the ECN CE bit on the inner header.
.El
.Pp
Note that the ECN friendly behavior violates RFC2893.
It should be used only by mutual agreement with the peer.
.Pp
.Ss Security
A malicious party may try to circumvent security filters by using
tunnelled packets.
For better protection,
.Nm
performs a martian filter and an ingress filter against the outer source
address on egress.
Note that the martian/ingress filters are in no way complete.
You may want to secure your node by using packet filters.
The ingress filter can be turned off with the
.Dv IFF_LINK2
flag.
.\"
.Sh SEE ALSO
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr gifconfig 8
.Rs
.%A R. Gilligan
.%A E. Nordmark
.%B RFC2893
.%T Transition Mechanisms for IPv6 Hosts and Routers
.%D August 2000
.%O ftp://ftp.isi.edu/in-notes/rfc2893.txt
.Re
.Rs
.%A Sally Floyd
.%A David L. Black
.%A K. K. Ramakrishnan
.%T "IPsec Interactions with ECN"
.%D December 1999
.%O draft-ietf-ipsec-ecn-02.txt
.Re
.\"
.Sh HISTORY
The
.Nm
device first appeared in the WIDE hydrangea IPv6 kit.
.\"
.Sh BUGS
There are many tunnelling protocol specifications,
defined differently from each other.
.Nm
may not interoperate with peers which are based on different specifications
and are picky about outer header fields.
For example, you usually cannot use
.Nm
to talk with IPsec devices that use IPsec tunnel mode.
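The two TOS-byte policies described under "ECN friendly behavior" above (plain RFC2893 handling without IFF_LINK1, ECN friendly handling with it), written out as an added example. This is not code from the gif(4) driver or the KAME project; it uses the bit positions the page gives (ECT = 0x02, CE = 0x01, mask 0xfe), and the IPv6 helpers assume the first 32 bits of the header are passed in host byte order. The round-trip helper goes beyond the page's summary by modelling one ECN-capable router on the outer path, which marks CE on ECT packets and drops non-ECT packets when congested; that router model is an assumption of the example.

```c
#include <stdint.h>
#include <stdio.h>

#define ECN_ECT        0x02   /* ECN Capable Transport bit (page: 0x02) */
#define ECN_CE         0x01   /* Congestion Experienced bit (page: 0x01) */
#define TOS_NO_CE_MASK 0xfe   /* every TOS bit except CE (page: 0xfe) */

/* Ingress (encapsulation): derive the outer TOS byte from the inner one. */
uint8_t gif_ingress_tos(uint8_t inner_tos, int link1)
{
    if (!link1)
        return 0;                          /* RFC2893: outer TOS byte is 0 */
    return inner_tos & TOS_NO_CE_MASK;     /* ECN friendly: copy all but CE, CE = 0 */
}

/* Egress (decapsulation): the inner TOS byte the decapsulated packet keeps. */
uint8_t gif_egress_tos(uint8_t inner_tos, uint8_t outer_tos, int link1)
{
    if (!link1)
        return inner_tos;                  /* RFC2893: outer TOS byte is dropped */
    if (outer_tos & ECN_CE)
        return inner_tos | ECN_CE;         /* ECN friendly: propagate CE inward */
    return inner_tos;
}

/* IPv6: the traffic class byte occupies bits 20..27 of the first 32-bit word. */
uint8_t ip6_get_tclass(uint32_t vtf)
{
    return (vtf >> 20) & 0xff;
}

uint32_t ip6_set_tclass(uint32_t vtf, uint8_t tclass)
{
    return (vtf & ~(0xffu << 20)) | ((uint32_t)tclass << 20);
}

/*
 * Whole path: encapsulate, cross one router, decapsulate.  Router model
 * (an assumption of this example): when congested it marks CE on ECT
 * packets and drops non-ECT packets, reported here as -1.
 */
int gif_roundtrip_tos(uint8_t inner_tos, int link1, int congested)
{
    uint8_t outer = gif_ingress_tos(inner_tos, link1);
    if (congested) {
        if (!(outer & ECN_ECT))
            return -1;                     /* outer not ECT: packet is dropped */
        outer |= ECN_CE;                   /* outer ECT: packet is marked */
    }
    return gif_egress_tos(inner_tos, outer, link1);
}

int main(void)
{
    const uint8_t inner = 0xb2;            /* constructed: DSCP set, ECT = 1, CE = 0 */
    for (int link1 = 0; link1 <= 1; link1++) {
        printf("IFF_LINK1=%d: outer TOS on ingress = 0x%02x, "
               "inner TOS after a congested path = %d\n",
               link1, gif_ingress_tos(inner, link1),
               gif_roundtrip_tos(inner, link1, 1));
    }
    return 0;
}
```

Without IFF_LINK1 the outer packet is never ECT, so a congested router has no choice but to drop it; with IFF_LINK1 the congestion signal survives the tunnel and reaches the inner header as CE.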
.Pp
The current code does not check whether the ingress address
(outer source address)
configured on
.Nm
makes sense.
Make sure to configure an address which belongs to your node.
Otherwise, your node will not be able to receive packets from the peer,
and your node will generate packets with a spoofed source address.
.Pp
If the outer protocol is IPv4,
.Nm
does not try to perform path MTU discovery for the encapsulated packet
(the DF bit is set to 0).
.Pp
If the outer protocol is IPv6, path MTU discovery for the encapsulated packet
may affect communication over the interface.
The first bigger-than-PMTU packet may be lost.
To avoid the problem, you may want to set the interface MTU of
.Nm
to 1240 or smaller when the outer header is IPv6 and the inner header is IPv4
(the IPv6 minimum MTU of 1280 less the 40-byte outer IPv6 header).
.Pp
.Nm
does not translate ICMP messages for the outer header into the inner header.
.Pp
In the past,
.Nm
had a multi-destination behavior, configurable via the
.Dv IFF_LINK0
flag.
The behavior was obsoleted and is no longer supported.
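The outer-source checks the Security section describes (martian filter, ingress filter, IFF_LINK2 to disable the latter), and the spoofed-source caveat in BUGS, as an added example. This is not code from gif(4) or KAME. Assumptions not stated by the page: the "ingress filter" is modelled as a reverse-path check (the outer source must route back out through the interface the packet arrived on), the outer src/dst are additionally required to be the configured physsrc/physdst pair, and the route table and addresses are a small constructed scenario built inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { ACCEPT = 0, DROP_NOT_PEER, DROP_MARTIAN, DROP_INGRESS };

struct route { uint32_t net; int plen; int ifindex; };   /* constructed FIB entry */

struct gif_cfg {
    uint32_t phys_src;   /* our outer address (gifconfig physsrc) */
    uint32_t phys_dst;   /* peer outer address (gifconfig physdst) */
    int link2;           /* IFF_LINK2 set: ingress filter disabled */
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t plen_mask(int plen)
{
    return plen == 0 ? 0 : 0xffffffffu << (32 - plen);
}

/* Martian filter: addresses that can never be a legitimate unicast source. */
int is_martian4(uint32_t src)
{
    if ((src >> 24) == 0)     return 1;   /* 0.0.0.0/8 */
    if ((src >> 24) == 127)   return 1;   /* 127.0.0.0/8 loopback */
    if ((src >> 28) == 0xe)   return 1;   /* 224.0.0.0/4 multicast */
    if (src == 0xffffffffu)   return 1;   /* 255.255.255.255 */
    return 0;
}

/* Longest-prefix match; returns the route's ifindex, or -1 when unrouted. */
int route_lookup(const struct route *rt, size_t n, uint32_t dst)
{
    int best_if = -1, best_plen = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = plen_mask(rt[i].plen);
        if ((dst & m) == (rt[i].net & m) && rt[i].plen > best_plen) {
            best_if = rt[i].ifindex;
            best_plen = rt[i].plen;
        }
    }
    return best_if;
}

/*
 * Outer-header checks on egress (decapsulation) of a packet that arrived
 * on interface rcvif: endpoint match, then the martian filter, then the
 * ingress (reverse-path) filter unless IFF_LINK2 disabled it.
 */
enum verdict gif_encapcheck4(const struct gif_cfg *cfg,
                             const struct route *rt, size_t n,
                             uint32_t outer_src, uint32_t outer_dst, int rcvif)
{
    if (outer_src != cfg->phys_dst || outer_dst != cfg->phys_src)
        return DROP_NOT_PEER;             /* not the configured tunnel endpoints */
    if (is_martian4(outer_src))
        return DROP_MARTIAN;
    if (!cfg->link2 && route_lookup(rt, n, outer_src) != rcvif)
        return DROP_INGRESS;              /* source would not route back via rcvif */
    return ACCEPT;
}

/* Constructed scenario: node 192.0.2.1 on LAN (if 1), peer 198.51.100.7 via uplink (if 2). */
static const struct route sample_fib[] = {
    { 0xc0000200u, 24, 1 },   /* 192.0.2.0/24    -> if 1 (LAN) */
    { 0xc6336400u, 24, 2 },   /* 198.51.100.0/24 -> if 2 (uplink) */
    { 0x00000000u,  0, 2 },   /* default         -> if 2 */
};

enum verdict sample_check(uint32_t outer_src, int rcvif, int link2)
{
    struct gif_cfg cfg = { ip4(192, 0, 2, 1), ip4(198, 51, 100, 7), link2 };
    return gif_encapcheck4(&cfg, sample_fib, sizeof sample_fib / sizeof sample_fib[0],
                           outer_src, cfg.phys_src, rcvif);
}

int main(void)
{
    static const char *name[] = { "accept", "drop: not the tunnel peer",
                                  "drop: martian source", "drop: ingress filter" };
    printf("peer via uplink:       %s\n", name[sample_check(ip4(198, 51, 100, 7), 2, 0)]);
    printf("peer address from LAN: %s\n", name[sample_check(ip4(198, 51, 100, 7), 1, 0)]);
    printf("same, IFF_LINK2 set:   %s\n", name[sample_check(ip4(198, 51, 100, 7), 1, 1)]);
    printf("unknown source:        %s\n", name[sample_check(ip4(203, 0, 113, 9), 2, 0)]);
    return 0;
}
```

The second case is the one the page warns about: a packet carrying the peer's outer source address but arriving from the LAN side is dropped by the ingress filter, and setting IFF_LINK2 lets it through, which is why the page recommends an external packet filter as well.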