1.\" $FreeBSD$ 2.\" $KAME: stf.4,v 1.24 2000/06/07 23:35:18 itojun Exp $ 3.\" 4.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. Neither the name of the project nor the names of its contributors 16.\" may be used to endorse or promote products derived from this software 17.\" without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd March 6, 2000 32.Dt STF 4 33.Os 34.Sh NAME 35.Nm stf 36.Nd 37.Tn 6to4 tunnel interface 38.Sh SYNOPSIS 39.Cd "pseudo-device stf" 40.Sh DESCRIPTION 41The 42.Nm 43interface supports 44.Dq 6to4 45IPv6 in IPv4 encapsulation. 46It can tunnel IPv6 traffic over IPv4, as specified in 47.Li draft-ietf-ngtrans-6to4-06.txt . 48.Pp 49For ordinary nodes in 6to4 site, you do not need 50.Nm 51interface. 52The 53.Nm 54interface is necessary for site border router 55.Po 56called 57.Dq 6to4 router 58in the specification 59.Pc . 60.Pp 61Due to the way 6to4 protocol is specified, 62.Nm 63interface requires certain configuration to work properly. 64Single 65.Pq no more than 1 66valid 6to4 address needs to be configured to the interface. 67.Dq A valid 6to4 address 68is an address which has the following properties. 69If any of the following properties are not satisfied, 70.Nm 71raises runtime error on packet transmission. 72Read the specification for more details. 73.Bl -bullet 74.It 75matches 76.Li 2002:xxyy:zzuu::/48 77where 78.Li xxyy:zzuu 79is a hexadecimal notation of an IPv4 address for the node. 80IPv4 address can be taken from any of interfaces your node has. 81Since the specification forbids the use of IPv4 private address, 82the address needs to be a global IPv4 address. 83.It 84Subnet identifier portion 85.Pq 48th to 63rd bit 86and interface identifier portion 87.Pq lower 64 bits 88are properly filled to avoid address collisions. 89.El 90.Pp 91If you would like the node to behave as a relay router, 92the prefix length for the IPv6 interface address needs to be 16 so that 93the node would consider any 6to4 destination as 94.Dq on-link . 95If you would like to restrict 6to4 peers to be inside certain IPv4 prefix, 96you may want to configure IPv6 prefix length as 97.Dq 16 + IPv4 prefix length . 98.Nm 99interface will check the IPv4 source address on packets, 100if the IPv6 prefix length is larger than 16. 101.Pp 102.Nm 103can be configured to be ECN friendly. 104This can be configured by 105.Dv IFF_LINK1 . 106See 107.Xr gif 4 108for details. 109.Pp 110Please note that 6to4 specification is written as 111.Dq accept tunnelled packet from everyone 112tunnelling device. 113By enabling 114.Nm 115device, you are making it much easier for malicious parties to inject 116fabricated IPv6 packet to your node. 117Also, malicious party can inject an IPv6 packet with fabricated source address 118to make your node generate improper tunnelled packet. 119Administrators must take caution when enabling the interface. 120To prevent possible attacks, 121.Nm 122interface filters out the following packets. 123Note that the checks are no way complete: 124.Bl -bullet 125.It 126Packets with IPv4 unspecified addrss as outer IPv4 source/destination 127.Pq Li 0.0.0.0/8 128.It 129Packets with loopback address as outer IPv4 source/destination 130.Pq Li 127.0.0.0/8 131.It 132Packets with IPv4 multicast address as outer IPv4 source/destination 133.Pq Li 224.0.0.0/4 134.It 135Packets with limited broadcast address as outer IPv4 source/destination 136.Pq Li 255.0.0.0/8 137.It 138Packets with subnet broadcast address as outer IPv4 source/destination. 139The check is made against subnet broadcast addresses for 140all of the directly connected subnets. 141.It 142Packets that does not pass ingress filtering. 143Outer IPv4 source address must meet the IPv4 topology on the routing table. 144.It 145The same set of rules are appplied against the IPv4 address embedded into 146inner IPv6 address, if the IPv6 address matches 6to4 prefix. 147.El 148.Pp 149It is recommended to filter/audit 150incoming IPv4 packet with IP protocol number 41, as necessary. 151It is also recommended to filter/audit encapsulated IPv6 packets as well. 152You may also want to run normal ingress filter against inner IPv6 address 153to avoid spoofing. 154.\" 155.Sh EXAMPLES 156Note that 157.Li 8504:0506 158is equal to 159.Li 133.4.5.6 , 160written in hexadecimals. 161.Bd -literal 162# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 163# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ 164 prefixlen 16 alias 165.Ed 166.Pp 167The following configuration accepts packets from IPv4 source 168.Li 9.1.0.0/16 169only. 170It emits 6to4 packet only for IPv6 destination 2002:0901::/32 171.Pq IPv4 destination will match Li 9.1.0.0/16 . 172.Bd -literal 173# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 174# ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\ 175 prefixlen 32 alias 176.Ed 177.\" 178.Sh SEE ALSO 179.Xr gif 4 , 180.Xr inet 4 , 181.Xr inet6 4 182.Rs 183.%A Brian Carpenter 184.%A Keith Moore 185.%T "Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels" 186.%D June 2000 187.%N draft-ietf-ngtrans-6to4-06.txt 188.%O work in progress 189.Re 190.Rs 191.%A Jun-ichiro itojun Hagino 192.%T "Possible abuse against IPv6 transition technologies" 193.%D March 2000 194.%N draft-itojun-ipv6-transition-abuse-00.txt 195.%O work in progress, http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt 196.Re 197.\" 198.Sh HISTORY 199The 200.Nm 201device first appeared in WIDE/KAME IPv6 stack. 202