1.\" $KAME: stf.4,v 1.6 2000/03/11 08:01:51 itojun Exp $ 2.\" 3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the project nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.\" $FreeBSD$ 31.\" 32.Dd March 6, 2000 33.Dt STF 4 34.Os KAME 35.Sh NAME 36.Nm stf 37.Nd 38.Tn 6to4 tunnel interface 39.Sh SYNOPSIS 40.Cd "pseudo-device stf" 41.Sh DESCRIPTION 42The 43.Nm 44interface supports 45.Dq 6to4 46IPv6 in IPv4 encapsulation. 47It can tunnel IPv6 traffic over IPv4, as specified in 48.Li draft-ietf-ngtrans-6to4-03.txt . 49.Pp 50Due to the way 6to4 protocol is specified, 51.Nm 52interface requires certain configuration to work properly. 53Single 54.Pq no more than 1 55valid 6to4 address needs to be configured to the interface. 56.Dq A valid 6to4 address 57is an address which has the following properties. 58If any of the following properties are not satisfied, 59.Nm stf 60raises runtime error on packet transmission. 61Read the specification for more details. 62.Bl -bullet 63.It 64matches 65.Li 2002:xxyy:zzuu::/48 66where 67.Li xxyy:zzuu 68is a hexadecimal notation of an IPv4 address for the node. 69.It 70The interface identifier portion 71.Pq lower 64 bits 72is properly filled to avoid address collisions. 73.El 74.Pp 75If you would like the node to behave as a relay router, 76the prefix length for the IPv6 interface address needs to be 16 so that 77the node would consider any 6to4 destination as 78.Dq on-link . 79If you would like to restrict 6to4 peers to be inside certain IPv4 prefix, 80you may want to configure IPv6 prefix length as 81.Dq 16 + IPv4 prefix length . 82.\"(Not yet implemented on 4.0) 83.\".Nm 84.\"interface will check the IPv4 source address on packets, 85.\"if the IPv6 prefix length is larger than 16. 86.Pp 87.Nm 88can be configured to be ECN friendly. 89This can be configured by 90.Dv IFF_LINK1 . 91See 92.Xr gif 4 93for details. 94.Pp 95Please note that 6to4 specification is written as 96.Dq accept tunnelled packet from everyone 97tunnelling device. 98By enabling 99.Nm 100device, you are making it much easier for malicious parties to inject 101fabricated IPv6 packet to your node. 102Also, malicious party can inject an IPv6 packet with fabricated source address 103to make your node generate improper tunnelled packet. 104Administrators must take caution when enabling the interface. 105It is recommended to filter/audit 106incoming IPv4 packet with IP protocol number 41, as necessary. 107.\"To prevent possible DoS attacks, 108.\"(No check yet on 4.0, but such packets won't go through IPv4 cloud.) 109.\".Nm 110.\"interface filters out packets with the following property: 111.\".Bl -bullet 112.\".It 113.\"Packets with 6to4 address based on 0.0.0.0, as inner destination/source 114.\".It 115.\"Packets with 6to4 address based on 255.255.255.255, 116.\" as inner destination/source 117.\".El 118.\".Pp 119You may also want to reject encapsulated IPv6 packets with 120suspicious 6to4 addresses, like 121.Li 2002:7f00::/24. 122.\" 123.Sh EXAMPLES 124Note that 125.Li 8504:0506 126is equal to 127.Li 133.4.5.6 , 128written in hexadecimals. 129.Bd -literal 130# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 131# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ 132 prefixlen 16 alias 133.Ed 134.Pp 135The following configuration sends packets to IPv4 destination 10.1.0.0/16 136only 137.Pq IPv6 prefix length = 32 . 138.Bd -literal 139# ifconfig ne0 inet 10.1.2.3 netmask 0xffff0000 140# ifconfig stf0 inet6 2002:0a01:0203:0000:a00:5aff:fe38:6f86 \\ 141 prefixlen 32 alias 142.Ed 143.\" 144.Sh SEE ALSO 145.Xr gif 4 , 146.Xr inet 4 , 147.Xr inet6 4 148.Rs 149.%A Brian Carpenter 150.%A Keith Moore 151.%T "Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels" 152.%D October 1999 153.%N draft-ietf-ngtrans-6to4-03.txt 154.%O work in progress 155.Re 156.Rs 157.%A Jun-ichiro itojun Hagino 158.%T "Possible abuse against IPv6 transition technologies" 159.%D March 2000 160.%N draft-itojun-ipv6-transition-abuse-00.txt 161.%O work in progress 162.Re 163.\" 164.Sh HISTORY 165The 166.Nm 167device first appeared in WIDE/KAME IPv6 stack. 168