xref: /freebsd/share/man/man4/stf.4 (revision 63d1fd5970ec814904aa0f4580b10a0d302d08b2)
1.\"     $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $
2.\"
3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. Neither the name of the project nor the names of its contributors
15.\"    may be used to endorse or promote products derived from this software
16.\"    without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
30.\" $FreeBSD$
31.\"
32.Dd December 28, 2012
33.Dt STF 4
34.Os
35.Sh NAME
36.Nm stf
37.Nd
38.Tn 6to4
39tunnel interface
40.Sh SYNOPSIS
41.Cd "device stf"
42.Sh DESCRIPTION
43The
44.Nm
45interface supports
46.Dq 6to4
47IPv6 in IPv4 encapsulation.
48It can tunnel IPv6 traffic over IPv4, as specified in
49.Li RFC3056 .
50.Pp
51For ordinary nodes in 6to4 site, you do not need
52.Nm
53interface.
54The
55.Nm
56interface is necessary for site border router
57(called
58.Dq 6to4 router
59in the specification).
60.Pp
61Each
62.Nm
63interface is created at runtime using interface cloning.
64This is
65most easily done with the
66.Xr ifconfig 8
67.Cm create
68command or using the
69.Va cloned_interfaces
70variable in
71.Xr rc.conf 5 .
72.Pp
73Due to the way 6to4 protocol is specified,
74.Nm
75interface requires certain configuration to work properly.
76Single
77(no more than 1)
78valid 6to4 address needs to be configured to the interface.
79.Dq A valid 6to4 address
80is an address which has the following properties.
81If any of the following properties are not satisfied,
82.Nm
83raises runtime error on packet transmission.
84Read the specification for more details.
85.Bl -bullet
86.It
87matches
88.Li 2002:xxyy:zzuu::/48
89where
90.Li xxyy:zzuu
91is a hexadecimal notation of an IPv4 address for the node.
92IPv4 address can be taken from any of interfaces your node has.
93Since the specification forbids the use of IPv4 private address,
94the address needs to be a global IPv4 address.
95.It
96Subnet identifier portion
97(48th to 63rd bit)
98and interface identifier portion
99(lower 64 bits)
100are properly filled to avoid address collisions.
101.El
102.Pp
103If you would like the node to behave as a relay router,
104the prefix length for the IPv6 interface address needs to be 16 so that
105the node would consider any 6to4 destination as
106.Dq on-link .
107If you would like to restrict 6to4 peers to be inside certain IPv4 prefix,
108you may want to configure IPv6 prefix length as
109.Dq 16 + IPv4 prefix length .
110.Nm
111interface will check the IPv4 source address on packets,
112if the IPv6 prefix length is larger than 16.
113.Pp
114.Nm
115can be configured to be ECN friendly.
116This can be configured by
117.Dv IFF_LINK1 .
118See
119.Xr gif 4
120for details.
121.Pp
122Please note that 6to4 specification is written as
123.Dq accept tunnelled packet from everyone
124tunnelling device.
125By enabling
126.Nm
127device, you are making it much easier for malicious parties to inject
128fabricated IPv6 packet to your node.
129Also, malicious party can inject an IPv6 packet with fabricated source address
130to make your node generate improper tunnelled packet.
131Administrators must take caution when enabling the interface.
132To prevent possible attacks,
133.Nm
134interface filters out the following packets.
135Note that the checks are no way complete:
136.Bl -bullet
137.It
138Packets with IPv4 unspecified address as outer IPv4 source/destination
139.Pq Li 0.0.0.0/8
140.It
141Packets with loopback address as outer IPv4 source/destination
142.Pq Li 127.0.0.0/8
143.It
144Packets with IPv4 multicast address as outer IPv4 source/destination
145.Pq Li 224.0.0.0/4
146.It
147Packets with limited broadcast address as outer IPv4 source/destination
148.Pq Li 255.0.0.0/8
149.It
150Packets with private address as outer IPv4 source/destination
151.Pq Li 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16
152.It
153Packets with subnet broadcast address as outer IPv4 source/destination.
154The check is made against subnet broadcast addresses for
155all of the directly connected subnets.
156.It
157Packets that does not pass ingress filtering.
158Outer IPv4 source address must meet the IPv4 topology on the routing table.
159Ingress filter can be turned off by
160.Dv IFF_LINK2
161bit.
162.It
163The same set of rules are applied against the IPv4 address embedded into
164inner IPv6 address, if the IPv6 address matches 6to4 prefix.
165.El
166.Pp
167It is recommended to filter/audit
168incoming IPv4 packet with IP protocol number 41, as necessary.
169It is also recommended to filter/audit encapsulated IPv6 packets as well.
170You may also want to run normal ingress filter against inner IPv6 address
171to avoid spoofing.
172.Pp
173By setting the
174.Dv IFF_LINK0
175flag on the
176.Nm
177interface, it is possible to disable the input path,
178making the direct attacks from the outside impossible.
179Note, however, there are other security risks exist.
180If you wish to use the configuration,
181you must not advertise your 6to4 address to others.
182.\"
183.Sh SYSCTL VARIABLES
184The following
185.Xr sysctl 8
186variables can be used to control the behavior of the
187.Nm stf .
188The default value is shown next to each variable.
189.Bl -tag -width indent
190.It Va net.link.stf.permit_rfc1918 : No 0
191The RFC3056 requires the use of globally unique 32-bit IPv4
192addresses.
193This sysctl variable controls the behaviour of this requirement.
194When it set to not 0,
195.Nm stf
196allows the use of private IPv4 addresses described in the RFC1918.
197This may be useful for an Intranet environment or when some mechanisms
198of network address translation (NAT) are used.
199.El
200.Sh EXAMPLES
201Note that
202.Li 8504:0506
203is equal to
204.Li 133.4.5.6 ,
205written in hexadecimals.
206.Bd -literal
207# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
208# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
209	prefixlen 16 alias
210.Ed
211.Pp
212The following configuration accepts packets from IPv4 source
213.Li 9.1.0.0/16
214only.
215It emits 6to4 packet only for IPv6 destination 2002:0901::/32
216(IPv4 destination will match
217.Li 9.1.0.0/16 ) .
218.Bd -literal
219# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
220# ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\
221	prefixlen 32 alias
222.Ed
223.Pp
224The following configuration uses the
225.Nm
226interface as an output-only device.
227You need to have alternative IPv6 connectivity
228(other than 6to4)
229to use this configuration.
230For outbound traffic, you can reach other 6to4 networks efficiently via
231.Nm stf .
232For inbound traffic, you will not receive any 6to4-tunneled packets
233(less security drawbacks).
234Be careful not to advertise your 6to4 prefix to others
235.Pq Li 2002:8504:0506::/48 ,
236and not to use your 6to4 prefix as a source.
237.Bd -literal
238# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
239# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
240	prefixlen 16 alias deprecated link0
241# route add -inet6 2002:: -prefixlen 16 ::1
242# route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0
243.Ed
244.\"
245.Sh SEE ALSO
246.Xr gif 4 ,
247.Xr inet 4 ,
248.Xr inet6 4
249.Pp
250.Pa http://www.ipv6day.org/action.php?n=En.IPv6day
251.Rs
252.%A Brian Carpenter
253.%A Keith Moore
254.%T "Connection of IPv6 Domains via IPv4 Clouds"
255.%D February 2001
256.%R RFC
257.%N 3056
258.Re
259.Rs
260.%A Jun-ichiro itojun Hagino
261.%T "Possible abuse against IPv6 transition technologies"
262.%D July 2000
263.%N draft-itojun-ipv6-transition-abuse-01.txt
264.%O work in progress
265.Re
266.\"
267.Sh HISTORY
268The
269.Nm
270device first appeared in WIDE/KAME IPv6 stack.
271.\"
272.Sh BUGS
273No more than one
274.Nm
275interface is allowed for a node,
276and no more than one IPv6 interface address is allowed for an
277.Nm
278interface.
279It is to avoid source address selection conflicts
280between IPv6 layer and IPv4 layer,
281and to cope with ingress filtering rule on the other side.
282This is a feature to make
283.Nm
284work right for all occasions.
285