xref: /netbsd-src/share/man/man4/gif.4 (revision 414c828dd613a7970c34bb5e980628c33174d9d0)

.\"	$NetBSD: gif.4,v 1.34 2018/08/14 06:27:44 wiz Exp $
.\"	$KAME: gif.4,v 1.24 2001/02/20 12:54:01 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd August 14, 2018
.Dt GIF 4
.Os
.Sh NAME
.Nm gif
.Nd generic tunnel interface
.Sh SYNOPSIS
.Cd "pseudo-device gif"
.Sh DESCRIPTION
The
.Nm
interface is a generic tunneling pseudo device for IPv4 and IPv6.
It can tunnel IPv[46] traffic over IPv[46].
Therefore, there can be four possible configurations.
The behavior of
.Nm
is mainly based on RFC 2893 IPv6-over-IPv4 configured tunnel.
.Pp
To use
.Nm gif ,
the administrator must first create the interface
and then configure protocol and addresses used for the outer
header.
This can be done by using
.Xr ifconfig 8
.Cm create
and
.Cm tunnel
subcommands, or
.Dv SIOCIFCREATE
and
.Dv SIOCSIFPHYADDR
ioctls.
Also, administrator needs to configure protocol and addresses used for the
inner header, by using
.Xr ifconfig 8 .
Note that IPv6 link-local address
.Pq those start with Li fe80::
will be automatically configured whenever possible.
You may need to remove IPv6 link-local address manually using
.Xr ifconfig 8 ,
when you would like to disable the use of IPv6 as inner header
.Pq like when you need pure IPv4-over-IPv6 tunnel .
Finally, use routing table to route the packets toward
.Nm
interface.
.Pp
.Nm
can be configured to be ECN friendly.
This can be configured by
.Dv IFF_LINK1 .
.Ss ECN friendly behavior
.Nm
can be configured to be ECN friendly, as described in
.Dv draft-ietf-ipsec-ecn-02.txt .
This is turned off by default, and can be turned on by
.Dv IFF_LINK1
interface flag.
.Pp
Without
.Dv IFF_LINK1 ,
.Nm
will show a normal behavior, like described in RFC 2893.
This can be summarized as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Set outer TOS bit to
.Dv 0 .
.It Egress
Drop outer TOS bit.
.El
.Pp
With
.Dv IFF_LINK1 ,
.Nm
will copy ECN bits
.Dv ( 0x02
and
.Dv 0x01
on IPv4 TOS byte or IPv6 traffic class byte)
on egress and ingress, as follows:
.Bl -tag -width "Ingress" -offset indent
.It Ingress
Copy TOS bits except for ECN CE
(masked with
.Dv 0xfe )
from
inner to outer.
set ECN CE bit to
.Dv 0 .
.It Egress
Use inner TOS bits with some change.
If outer ECN CE bit is
.Dv 1 ,
enable ECN CE bit on the inner.
.El
.Pp
Note that the ECN friendly behavior violates RFC 2893.
This should be used in mutual agreement with the peer.
.Ss Packet format
Every inner packet is encapsulated in an outer packet.
The inner packet may be IPv4 or IPv6.
The outer packet may be IPv4 or IPv6, and has all the
usual IP headers, including a protocol field that identifies the
type of inner packet.
.Pp
When the inner packet is IPv4, the protocol field of the outer packet
is 4
.Dv ( IPPROTO_IPV4 ) .
When the inner packet is IPv6, the protocol field of the outer packet
is 41
.Dv ( IPPROTO_IPV6 ) .
.Ss Security
Malicious party may try to circumvent security filters by using
tunneled packets.
For better protection,
.Nm
performs martian filter and ingress filter against outer source address,
on egress.
Note that martian/ingress filters are no way complete.
You may want to secure your node by using packet filters.
Ingress filter can be turned off by
.Dv IFF_LINK2
bit.
.\"
.Sh EXAMPLES
Configuration example:
.Bd -literal
Host X--NetBSD A  ----------------tunnel---------- cisco D------Host E
           \\                                          |
            \\                                        /
             +-----Router B--------Router C---------+

.Ed
On
.Nx
system A
.Ns ( Nx ) :
.Bd -literal
   # route add default B
   # ifconfig gifN create
   # ifconfig gifN A netmask 0xffffffff tunnel A D up
   # route add E 0
   # route change E -ifp gif0
.Ed
.Pp
On Host D (Cisco):
.Bd -literal
   Interface TunnelX
    ip unnumbered D   ! e.g. address from Ethernet interface
    tunnel source D   ! e.g. address from Ethernet interface
    tunnel destination A
    tunnel mode ipip
   ip route C <some interface and mask>
   ip route A mask C
   ip route X mask tunnelX
.Ed
.Pp
or on Host D
.Ns ( Nx ) :
.Bd -literal
   # route add default C
   # ifconfig gifN D A
.Ed
.Pp
If all goes well, you should see packets flowing.
.Pp
If you want to reach Host A over the tunnel (from the Cisco D), then
you have to have an alias on Host A for e.g. the Ethernet interface like:
.Ic ifconfig Ar <etherif> alias Y
and on the cisco
.Ic ip Ar route Y mask tunnelX .
.Sh SEE ALSO
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr l2tp 4 ,
.Xr ifconfig 8
.Rs
.%A C. Perkins
.%B RFC 2003
.%T IP Encapsulation within IP
.%D October 1996
.%U ftp://ftp.isi.edu/in-notes/rfc2003.txt
.Re
.Rs
.%A R. Gilligan
.%A E. Nordmark
.%B RFC 2893
.%T Transition Mechanisms for IPv6 Hosts and Routers
.%D August 2000
.%U ftp://ftp.isi.edu/in-notes/rfc2893.txt
.Re
.Rs
.%A Sally Floyd
.%A David L. Black
.%A K. K. Ramakrishnan
.%T "IPsec Interactions with ECN"
.%D December 1999
.%U http://datatracker.ietf.org/internet-drafts/draft-ietf-ipsec-ecn/
.Re
.Rs
.%A F. Baker
.%A P. Savola
.%B RFC 3704
.%T Ingress Filtering for Multihomed Networks
.%D March 2004
.%U ftp://ftp.isi.edu/in-notes/rfc3704.txt
.Re
.\"
.Sh STANDARDS
IPv4 over IPv4 encapsulation is compatible with RFC 2003.
IPv6 over IPv4 encapsulation is compatible with RFC 2893.
.\"
.Sh HISTORY
The
.Nm
device first appeared in WIDE hydrangea IPv6 kit.
.\"
.Sh BUGS
There are many tunneling protocol specifications,
defined differently from each other.
.Nm
may not interoperate with peers which are based on different specifications,
and are picky about outer header fields.
For example, you cannot usually use
.Nm
to talk with IPsec devices that use IPsec tunnel mode.
.Pp
The current code does not check if the ingress address
.Pq outer source address
configured to
.Nm
makes sense.
Make sure to configure an address which belongs to your node.
Otherwise, your node will not be able to receive packets from the peer,
and your node will generate packets with a spoofed source address.
.Pp
If the outer protocol is IPv6, path MTU discovery for encapsulated packet
may affect communication over the interface.
.Pp
In the past,
.Nm
had a multi-destination behavior, configurable via
.Dv IFF_LINK0
flag.
The behavior was obsoleted and is no longer supported.