xref: /netbsd-src/share/man/man4/stf.4 (revision d5df399f5a256afdae3081dbc0009ded393614f6)
.\"     $NetBSD: stf.4,v 1.24 2011/01/02 12:48:21 wiz Exp $
.\"     $KAME: stf.4,v 1.39 2002/11/17 19:34:02 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd January 2, 2011
.Dt STF 4
.Os
.Sh NAME
.Nm stf
.Nd 6to4 tunnel interface
.Sh SYNOPSIS
.Cd "pseudo-device stf"
.Sh DESCRIPTION
The
.Nm
interface supports
.Dq 6to4
IPv6 in IPv4 encapsulation.
It can tunnel IPv6 traffic over IPv4, as specified in
.Li RFC3056 .
.Nm
interfaces are dynamically created and destroyed with the
.Xr ifconfig 8
.Cm create
and
.Cm destroy
subcommands.
Only one
.Nm
interface may be created.
.Pp
For ordinary nodes in 6to4 sites, you do not need a
.Nm
interface.
The
.Nm
interface is only necessary on the site border router
.Po
called the
.Dq 6to4 router
in the specification
.Pc .
.Pp
Due to the way the 6to4 protocol is specified,
.Nm
interfaces require certain configuration to work properly.
A single
.Pq no more than one
valid 6to4 address needs to be configured on the interface.
.Dq A valid 6to4 address
is an address which has the following properties.
If any of the following properties are not satisfied,
.Nm stf
raises a runtime error on packet transmission.
Read the specification for more details.
.Bl -bullet
.It
matches
.Li 2002:xxyy:zzuu::/48 ,
where
.Li xxyy:zzuu
is the hexadecimal notation of an IPv4 address for the node.
The IPv4 address used can be taken from any interface your node has.
Since the specification forbids the use of IPv4 private addresses,
the address must be a globally routable IPv4 address.
.It
Subnet identifier portion
.Pq 48th to 63rd bit
and interface identifier portion
.Pq lower 64 bits
are properly filled to avoid address collisions.
.El
.Pp
If you would like the node to behave as a relay router,
the prefix length of the IPv6 interface address needs to be 16, so that
the node considers any 6to4 destination to be
.Dq on-link .
If you would like to restrict 6to4 peers to a certain IPv4 prefix,
configure the IPv6 prefix length to be
.Dq 16 + IPv4 prefix length .
The
.Nm
interface checks the IPv4 source address of incoming packets against
that prefix whenever the IPv6 prefix length is larger than 16.
.Pp
.Nm
can be configured to be ECN (Explicit Congestion Notification) friendly.
This can be configured by
.Dv IFF_LINK1 .
See
.Xr gif 4
for details.
.Pp
Please note that the 6to4 specification is written as an
.Dq accept tunneled packet from everyone
tunneling device.
By enabling the
.Nm
device, you are making it much easier for malicious parties to inject
fabricated IPv6 packets into your node.
Also, malicious parties can inject IPv6 packets with fabricated source addresses
to make your node generate improper tunneled packets.
Administrators must be cautious when enabling the interface.
To prevent possible attacks, the
.Nm
interface filters out the following packets (note that the checks are
in no way complete):
.Bl -bullet
.It
Packets with IPv4 unspecified addresses as outer IPv4 source/destination
.Pq Li 0.0.0.0/8
.It
Packets with the loopback address as outer IPv4 source/destination
.Pq Li 127.0.0.0/8
.It
Packets with IPv4 multicast addresses as outer IPv4 source/destination
.Pq Li 224.0.0.0/4
.It
Packets with limited broadcast addresses as outer IPv4 source/destination
.Pq Li 255.0.0.0/8
.It
Packets with private addresses as outer IPv4 source/destination
.Pq Li 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
.It
Packets with IPv4 link-local addresses as outer IPv4 source/destination
.Pq Li 169.254.0.0/16
.It
Packets with subnet broadcast addresses as outer IPv4 source/destination.
The check is made against subnet broadcast addresses for
all of the directly connected subnets.
.It
Packets that do not pass ingress filtering.
Outer IPv4 source addresses must meet the IPv4 topology on the routing table.
Ingress filtering can be turned off with the
.Dv IFF_LINK2
bit.
.It
The same set of rules is applied to the IPv4 address embedded in
the inner IPv6 address, whenever that address falls within the 6to4 prefix.
.It
Packets with site-local or link-local unicast addresses as
inner IPv6 source/destination
.It
Packets with node-local or link-local multicast addresses as
inner IPv6 source/destination
.El
.Pp
It is recommended to filter and audit
incoming IPv4 packets with IP protocol number 41, as necessary,
and to filter and audit the encapsulated IPv6 packets as well.
You may also want to run normal ingress filtering against inner IPv6 addresses
to avoid spoofing.
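.Pp
The following Python model, added here as an example and not part of NetBSD or the KAME code, applies the rules above to a decapsulated packet: it derives the 2002:xxyy:zzuu::/48 prefix from an IPv4 address, enforces the "16 + IPv4 prefix length" source check, and rejects the outer IPv4 and inner IPv6 addresses listed above. The packet layout follows RFC 3056 (an IPv6 header inside an IPv4 datagram with protocol number 41); the sample datagrams are constructed inside the code, the configuration used by demo() is the 9.1.2.3 / prefixlen 32 setup from the EXAMPLES section, and the routing-table based ingress filter (IFF_LINK2) is not modelled.

```python
"""stf(4)-style sanity checks for 6to4 (IPv6-in-IPv4, protocol 41) datagrams.
Added example, not NetBSD/KAME code; the IFF_LINK2 routing-table check is omitted."""
import ipaddress
import struct

SIXTO4 = ipaddress.ip_network("2002::/16")
# Outer IPv4 addresses stf(4) refuses as source or destination.
BAD_OUTER_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "255.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Inner IPv6 addresses refused: site-/link-local unicast, node-/link-local multicast.
BAD_INNER_V6 = [ipaddress.ip_network(n) for n in (
    "fec0::/10", "fe80::/10", "ff01::/16", "ff02::/16")]

def sixto4_prefix(v4):
    """The node's 6to4 prefix 2002:xxyy:zzuu::/48 for its IPv4 address v4."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80), 48))

def embedded_v4(v6):
    """IPv4 address carried in bits 16..47 of a 6to4 address, else None."""
    v6 = ipaddress.IPv6Address(v6)
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF) if v6 in SIXTO4 else None

def bad_v4(addr, local_subnets=()):
    """Why an outer IPv4 address is refused, or None if it is acceptable."""
    addr = ipaddress.IPv4Address(addr)
    for net in BAD_OUTER_V4:
        if addr in net:
            return f"{addr} in {net}"
    for net in local_subnets:  # broadcast addresses of directly connected subnets
        if addr == ipaddress.IPv4Network(net).broadcast_address:
            return f"{addr} is the broadcast address of {net}"
    return None

def bad_v6(addr, local_subnets=()):
    """Why an inner IPv6 address is refused, or None if it is acceptable."""
    addr = ipaddress.IPv6Address(addr)
    for net in BAD_INNER_V6:
        if addr in net:
            return f"{addr} in {net}"
    v4 = embedded_v4(addr)  # the embedded IPv4 address must pass the IPv4 rules too
    why = bad_v4(v4, local_subnets) if v4 is not None else None
    return f"embedded {why}" if why else None

def stf_accept(outer_src, outer_dst, inner_src, inner_dst,
               cfg_addr, cfg_prefixlen, local_subnets=()):
    """(True, None) if stf(4) would accept the decapsulated packet, else (False, reason)."""
    cfg_v4 = embedded_v4(cfg_addr)
    if cfg_v4 is None:
        raise ValueError("the configured interface address is not a 6to4 address")
    if cfg_prefixlen > 16:  # prefixlen "16 + n" restricts peers to an IPv4 /n
        peers = ipaddress.IPv4Network((int(cfg_v4), cfg_prefixlen - 16), strict=False)
        if ipaddress.IPv4Address(outer_src) not in peers:
            return False, f"outer src {outer_src} outside {peers}"
    for label, a in (("outer src", outer_src), ("outer dst", outer_dst)):
        why = bad_v4(a, local_subnets)
        if why:
            return False, f"{label}: {why}"
    for label, a in (("inner src", inner_src), ("inner dst", inner_dst)):
        why = bad_v6(a, local_subnets)
        if why:
            return False, f"{label}: {why}"
    return True, None

def parse_proto41(pkt):
    """(outer_src, outer_dst, inner_src, inner_dst) of a raw IPv4 datagram, protocol 41."""
    if pkt[0] >> 4 != 4 or pkt[9] != 41:
        raise ValueError("not an IPv4 datagram carrying protocol 41")
    inner = pkt[(pkt[0] & 0x0F) * 4:]  # skip the outer header, IHL words
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 header")
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40]))

def build_proto41(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: minimal IPv4 header (checksum left 0) + empty IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # ver 6, payload 0, nh 59, hlim 64
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0,
                        ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner

def demo():
    """Constructed packets against the 9.1.2.3 / prefixlen 32 setup from EXAMPLES."""
    cfg, plen, local = "2002:0901:0203::a00:5aff:fe38:6f86", 32, ("9.1.0.0/16",)
    cases = {
        "peer in 9.1/16": ("9.1.7.7", "9.1.2.3", "2002:0901:0707::1", cfg),
        "peer outside 9.1/16": ("133.4.5.6", "9.1.2.3", "2002:8504:0506::1", cfg),
        "private outer source": ("10.0.0.1", "9.1.2.3", "2002:0901:0707::1", cfg),
        "private embedded source": ("9.1.7.7", "9.1.2.3", "2002:0a00:0001::1", cfg),
        "link-local inner source": ("9.1.7.7", "9.1.2.3", "fe80::1", cfg),
        "broadcast outer destination": ("9.1.7.7", "9.1.255.255", "2002:0901:0707::1", cfg),
    }
    return {name: stf_accept(*parse_proto41(build_proto41(*addrs)), cfg, plen, local)
            for name, addrs in cases.items()}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(("accept" if ok else "reject"), name, why or "")
```

Only the first constructed packet is accepted; the others fail, in order, the prefix-length peer check, the private-address rule on the outer header, the same rule applied to the address embedded in the inner 6to4 source, the link-local rule on the inner header, and the subnet-broadcast rule. The embedded-address check matters because an attacker who controls the outer source can still hand you an inner 6to4 address whose embedded IPv4 part is a private or multicast address, which would otherwise be echoed back as an outer destination when the node replies.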
.Pp
By setting the
.Dv IFF_LINK0
flag on the
.Nm
interface, it is possible to disable the input path,
so that tunneled packets from the outside are no longer accepted
and direct attacks through the tunnel become impossible.
Note, however, that other security risks exist.
If you wish to use this configuration,
you must not advertise your 6to4 addresses to others.
.\"
.Sh EXAMPLES
Note that
.Li 8504:0506
is equal to
.Li 133.4.5.6 ,
written in hexadecimal.
.Bd -literal
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
	prefixlen 16 alias
.Ed
.Pp
The following configuration accepts packets from IPv4 source addresses in
.Li 9.1.0.0/16
only.
It emits 6to4 packets only for IPv6 destinations in 2002:0901::/32
.Pq whose embedded IPv4 destination falls within Li 9.1.0.0/16 .
.Bd -literal
# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
# ifconfig stf0 create inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\
	prefixlen 32 alias
.Ed
.Pp
The following configuration uses the
.Nm
interface as an output-only device.
You need to have alternative IPv6 connectivity
.Pq other than 6to4
to use this configuration.
For outbound traffic, you can reach other 6to4 networks efficiently via
.Nm stf .
For inbound traffic, you will not receive any 6to4-tunneled packets
.Pq fewer security drawbacks .
Be careful not to advertise your 6to4 prefix to others
.Pq Li 2002:8504:0506::/48 ,
and not to use your 6to4 prefix as a source address.
.Bd -literal
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
	prefixlen 16 alias deprecated link0
# route add -inet6 2002:: -prefixlen 16 ::1 -ifp stf0
.Ed
.\"
.Sh SEE ALSO
.Xr gif 4 ,
.Xr inet 4 ,
.Xr inet6 4
.Pp
.Rs
.%A Brian Carpenter
.%A Keith Moore
.%T "Connection of IPv6 Domains via IPv4 Clouds"
.%D February 2001
.%R RFC
.%N 3056
.Re
.Rs
.%A C. Huitema
.%T "An Anycast Prefix for 6to4 Relay Routers"
.%D June 2001
.%R RFC
.%N 3068
.Re
.Rs
.%A F. Baker
.%A P. Savola
.%T "Ingress Filtering for Multihomed Networks"
.%D March 2004
.%R RFC
.%N 3704
.Re
.Rs
.%A P. Savola
.%A C. Patel
.%T "Security Considerations for 6to4"
.%D December 2004
.%R RFC
.%N 3964
.Re
.Rs
.%A Jun-ichiro itojun Hagino
.%T "Possible abuse against IPv6 transition technologies"
.%D July 2000
.%N draft-itojun-ipv6-transition-abuse-01.txt
.%O expired, work in progress
.Re
.\"
.Sh HISTORY
The
.Nm
device first appeared in the WIDE/KAME IPv6 stack.
.\"
.Sh BUGS
No more than one
.Nm
interface is allowed for a node,
and no more than one IPv6 interface address is allowed for an
.Nm
interface.
This is to avoid source address selection conflicts
between the IPv6 layer and the IPv4 layer,
and to cope with ingress filtering rules on the other side.
This restriction is intentional; it is what makes
.Nm
work correctly in all of these situations.