xref: /freebsd/share/man/man4/stf.4 (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1.\"     $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $
2.\"
3.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. Neither the name of the project nor the names of its contributors
15.\"    may be used to endorse or promote products derived from this software
16.\"    without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
30.Dd November 16, 2021
31.Dt STF 4
32.Os
33.Sh NAME
34.Nm stf
35.Nd
36.Tn 6to4
37tunnel interface
38.Sh SYNOPSIS
39.Cd "device stf"
40.Sh DESCRIPTION
41The
42.Nm
43interface supports
44.Dq 6to4
45and
46.Dq 6rd
47IPv6 in IPv4 encapsulation.
48It can tunnel IPv6 traffic over IPv4, as specified in
49.Li RFC3056
50or
51.Li RFC5969 .
52.Pp
53For ordinary nodes in a 6to4 or 6RD site, you do not need
54.Nm
55interface.
56The
57.Nm
58interface is necessary for site border routers
59(called
60.Dq 6to4 routers
61or
62.Dq 6rd Customer Edge (CE)
63in the specification).
64.Pp
65Each
66.Nm
67interface is created at runtime using interface cloning.
68This is
69most easily done with the
70.Xr ifconfig 8
71.Cm create
72command or using the
73.Va cloned_interfaces
74variable in
75.Xr rc.conf 5 .
76.Sh 6to4
77Due to the way 6to4 protocol is specified,
78.Nm
79interface requires certain configuration to work properly.
80Single
81(no more than 1)
82valid 6to4 address needs to be configured to the interface.
83.Dq A valid 6to4 address
84is an address which has the following properties.
85If any of the following properties are not satisfied,
86.Nm
87raises runtime error on packet transmission.
88Read the specification for more details.
89.Bl -bullet
90.It
91matches
92.Li 2002:xxyy:zzuu::/48
93where
94.Li xxyy:zzuu
95is a hexadecimal notation of an IPv4 address for the node.
96IPv4 address can be taken from any of interfaces your node has.
97Since the specification forbids the use of IPv4 private address,
98the address needs to be a global IPv4 address.
99.It
100Subnet identifier portion
101(48th to 63rd bit)
102and interface identifier portion
103(lower 64 bits)
104are properly filled to avoid address collisions.
105.El
106.Pp
107If you would like the node to behave as a relay router,
108the prefix length for the IPv6 interface address needs to be 16 so that
109the node would consider any 6to4 destination as
110.Dq on-link .
111If you would like to restrict 6to4 peers to be inside certain IPv4 prefix,
112you may want to configure IPv6 prefix length as
113.Dq 16 + IPv4 prefix length .
114.Nm
115interface will check the IPv4 source address on packets,
116if the IPv6 prefix length is larger than 16.
117.Pp
118.Nm
119can be configured to be ECN friendly.
120This can be configured by
121.Dv IFF_LINK1 .
122See
123.Xr gif 4
124for details.
125.Pp
126Please note that 6to4 specification is written as
127.Dq accept tunnelled packet from everyone
128tunnelling device.
129By enabling
130.Nm
131device, you are making it much easier for malicious parties to inject
132fabricated IPv6 packet to your node.
133Also, malicious party can inject an IPv6 packet with fabricated source address
134to make your node generate improper tunnelled packet.
135Administrators must take caution when enabling the interface.
136To prevent possible attacks,
137.Nm
138interface filters out the following packets.
139Note that the checks are no way complete:
140.Bl -bullet
141.It
142Packets with IPv4 unspecified address as outer IPv4 source/destination
143.Pq Li 0.0.0.0/8
144.It
145Packets with loopback address as outer IPv4 source/destination
146.Pq Li 127.0.0.0/8
147.It
148Packets with IPv4 multicast address as outer IPv4 source/destination
149.Pq Li 224.0.0.0/4
150.It
151Packets with limited broadcast address as outer IPv4 source/destination
152.Pq Li 255.0.0.0/8
153.It
154Packets with private address as outer IPv4 source/destination
155.Pq Li 10.0.0.0/8 , 172.16.0.0/12 , 192.168.0.0/16
156.It
157Packets with subnet broadcast address as outer IPv4 source/destination.
158The check is made against subnet broadcast addresses for
159all of the directly connected subnets.
160.It
161Packets that does not pass ingress filtering.
162Outer IPv4 source address must meet the IPv4 topology on the routing table.
163Ingress filter can be turned off by
164.Dv IFF_LINK2
165bit.
166.It
167The same set of rules are applied against the IPv4 address embedded into
168inner IPv6 address, if the IPv6 address matches 6to4 prefix.
169.El
170.Pp
171It is recommended to filter/audit
172incoming IPv4 packet with IP protocol number 41, as necessary.
173It is also recommended to filter/audit encapsulated IPv6 packets as well.
174You may also want to run normal ingress filter against inner IPv6 address
175to avoid spoofing.
176.Pp
177By setting the
178.Dv IFF_LINK0
179flag on the
180.Nm
181interface, it is possible to disable the input path,
182making the direct attacks from the outside impossible.
183Note, however, there are other security risks exist.
184If you wish to use the configuration,
185you must not advertise your 6to4 address to others.
186.\"
187.Sh 6rd
188Like
189.Dq 6to4
190.Dq 6rd
191also requires configuration before it can be used.
192The required configuration parameters are:
193.Bl -bullet
194.It
195The IPv6 address and prefix length.
196.It
197The border router IPv4 address.
198.It
199The IPv4 WAN address.
200.It
201The prefix length of the IPv4 WAN address.
202.El
203.Pp
204These can parameters are all configured through
205.Xr ifconfig 8 .
206.Pp
207The IPv6 address and prefix length can be configured like any other IPv6 address.
208Note that the prefix length is the IPv6 prefix length excluding the embedded
209IPv4 address bits.
210The prefix length of the delegated network is the sum of the IPv6 prefix length
211and the IPv4 prefix length.
212.Pp
213The border router IPv4 address is configured with the
214.Xr ifconfig 8
215.Cm stfv4br
216command.
217.Pp
218The IPv4 WAN address and IPv4 prefix length are configured using the
219.Xr ifconfig 8
220.Cm stfv4net
221command.
222.Sh SYSCTL VARIABLES
223The following
224.Xr sysctl 8
225variables can be used to control the behavior of the
226.Nm stf .
227The default value is shown next to each variable.
228.Bl -tag -width indent
229.It Va net.link.stf.permit_rfc1918 : No 0
230The RFC3056 requires the use of globally unique 32-bit IPv4
231addresses.
232This sysctl variable controls the behaviour of this requirement.
233When it set to not 0,
234.Nm stf
235allows the use of private IPv4 addresses described in the RFC1918.
236This may be useful for an Intranet environment or when some mechanisms
237of network address translation (NAT) are used.
238.El
239.Sh EXAMPLES
240Note that
241.Li 8504:0506
242is equal to
243.Li 133.4.5.6 ,
244written in hexadecimals.
245.Bd -literal
246# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
247# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
248	prefixlen 16 alias
249.Ed
250.Pp
251The following configuration accepts packets from IPv4 source
252.Li 9.1.0.0/16
253only.
254It emits 6to4 packet only for IPv6 destination 2002:0901::/32
255(IPv4 destination will match
256.Li 9.1.0.0/16 ) .
257.Bd -literal
258# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
259# ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\
260	prefixlen 32 alias
261.Ed
262.Pp
263The following configuration uses the
264.Nm
265interface as an output-only device.
266You need to have alternative IPv6 connectivity
267(other than 6to4)
268to use this configuration.
269For outbound traffic, you can reach other 6to4 networks efficiently via
270.Nm stf .
271For inbound traffic, you will not receive any 6to4-tunneled packets
272(less security drawbacks).
273Be careful not to advertise your 6to4 prefix to others
274.Pq Li 2002:8504:0506::/48 ,
275and not to use your 6to4 prefix as a source.
276.Bd -literal
277# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
278# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
279	prefixlen 16 alias deprecated link0
280# route add -inet6 2002:: -prefixlen 16 ::1
281# route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0
282.Ed
283.Pp
284The following example configures a
285.Dq 6rd
286tunnel on a
287.Dq 6rd CE
288where the ISP's
289.Dq 6rd
290IPv6 prefix is 2001:db8::/32.
291The border router is 192.0.2.1.
292The
293.Dq 6rd CE
294has a WAN address of 192.0.2.2 and the full IPv4 address is embedded in the
295.Dq 6rd IPv6 address:
296.Bd -literal
297# ifconfig stf0 inet6 2001:db8:c000:0202:: prefixlen 32 up
298# ifconfig stf0 stfv4br 192.0.2.1
299# ifconfig stf0 stfv4net 192.0.2.2/32
300.Ed
301.\"
302.Sh SEE ALSO
303.Xr gif 4 ,
304.Xr inet 4 ,
305.Xr inet6 4
306.Rs
307.%A Brian Carpenter
308.%A Keith Moore
309.%T "Connection of IPv6 Domains via IPv4 Clouds"
310.%D February 2001
311.%R RFC
312.%N 3056
313.Re
314.Rs
315.%A Jun-ichiro itojun Hagino
316.%T "Possible abuse against IPv6 transition technologies"
317.%D July 2000
318.%N draft-itojun-ipv6-transition-abuse-01.txt
319.%O work in progress
320.Re
321.\"
322.Sh HISTORY
323The
324.Nm
325device first appeared in WIDE/KAME IPv6 stack.
326.\"
327.Sh BUGS
328No more than one
329.Nm
330interface is allowed for a node,
331and no more than one IPv6 interface address is allowed for an
332.Nm
333interface.
334It is to avoid source address selection conflicts
335between IPv6 layer and IPv4 layer,
336and to cope with ingress filtering rule on the other side.
337This is a feature to make
338.Nm
339work right for all occasions.
340