1 .\" $KAME: gif.4,v 1.28 2001/05/18 13:15:56 itojun Exp $
3 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
14 .\" 3. Neither the name of the project nor the names of its contributors
15 .\" may be used to endorse or promote products derived from this software
16 .\" without specific prior written permission.
18 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 .Nd generic tunnel interface
43 interface is a generic tunnelling device for IPv4 and IPv6.
44 It can tunnel IPv[46] traffic over IPv[46].
45 Therefore, there can be four possible configurations.
48 is mainly based on RFC2893 IPv6-over-IPv4 configured tunnel.
52 can also tunnel ISO traffic over IPv[46] using EON encapsulation.
56 interface is created at runtime using interface cloning.
58 most easily done with the
59 .Dq Nm ifconfig Cm create
61 .Va gifconfig_ Ns Aq Ar interface
67 the administrator needs to configure the protocol and addresses used for the outer
69 This can be done by using
75 The administrator also needs to configure the protocol and addresses for the
78 Note that IPv6 link-local addresses
79 (those that start with
81 will be automatically configured whenever possible.
82 You may need to remove IPv6 link-local addresses manually using
84 if you want to disable the use of IPv6 as the inner header
85 (for example, if you need a pure IPv4-over-IPv6 tunnel).
86 Finally, you must modify the routing table to route the packets through the
92 device can be configured to be ECN friendly.
93 This can be configured by
95 .Ss ECN friendly behavior
98 device can be configured to be ECN friendly, as described in
99 .Dv draft-ietf-ipsec-ecn-02.txt .
100 This is turned off by default, and can be turned on by the
107 will show normal behavior, as described in RFC2893.
108 This can be summarized as follows:
109 .Bl -tag -width "Ingress" -offset indent
124 on IPv4 TOS byte or IPv6 traffic class byte)
125 on egress and ingress, as follows:
126 .Bl -tag -width "Ingress" -offset indent
128 Copy TOS bits except for ECN CE
136 Use inner TOS bits with some change.
137 If outer ECN CE bit is
139 enable ECN CE bit on the inner.
142 Note that the ECN friendly behavior violates RFC2893.
143 This should be used in mutual agreement with the peer.
145 A malicious party may try to circumvent security filters by using
147 For better protection,
149 performs both martian and ingress filtering against the outer source address
151 Note that martian/ingress filters are in no way complete.
152 You may want to secure your node by using packet filters.
153 Ingress filtering can break tunnel operation in an asymmetrically
155 It can be turned off by
159 Processing each packet requires two route lookups: first on the
160 packet itself, and second on the tunnel destination.
161 This second route can be cached, increasing tunnel performance.
162 However, in a dynamically routed network, the tunnel will stick
163 to the cached route, ignoring routing table updates.
164 Route caching can be enabled with the
171 tunnels may not be nested.
172 This behavior may be modified at runtime by setting the
175 .Va net.link.gif.max_nesting
176 to the desired level of nesting.
179 tunnels are restricted to one per pair of end points.
180 Parallel tunnels may be enabled by setting the
183 .Va net.link.gif.parallel_tunnels
193 .%T Transition Mechanisms for IPv6 Hosts and Routers
195 .%O ftp://ftp.isi.edu/in-notes/rfc2893.txt
200 .%A K. K. Ramakrishnan
201 .%T "IPsec Interactions with ECN"
203 .%O draft-ietf-ipsec-ecn-02.txt
209 device first appeared in the WIDE hydrangea IPv6 kit.
212 There are many tunnelling protocol specifications, all
213 defined differently from each other.
216 device may not interoperate with peers which are based on different specifications,
217 and are picky about outer header fields.
218 For example, you cannot usually use
220 to talk with IPsec devices that use IPsec tunnel mode.
222 The current code does not check if the ingress address
223 (outer source address)
226 interface makes sense.
227 Make sure to specify an address which belongs to your node.
228 Otherwise, your node will not be able to receive packets from the peer,
229 and it will generate packets with a spoofed source address.
231 If the outer protocol is IPv4,
233 does not try to perform path MTU discovery for the encapsulated packet
234 (DF bit is set to 0).
236 If the outer protocol is IPv6, path MTU discovery for encapsulated packets
237 may affect communication over the interface.
238 The first bigger-than-pmtu packet may be lost.
239 To avoid the problem, you may want to set the interface MTU for
241 to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4.
245 device does not translate ICMP messages for the outer header into the inner header.
249 had a multi-destination behavior, configurable via
252 The behavior is obsolete and is no longer supported.