.\"     $NetBSD: stf.4,v 1.10 2001/02/17 04:28:10 itojun Exp $
.\"     $KAME: stf.4,v 1.32 2001/02/17 04:27:27 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd March 6, 2000
.Dt STF 4
.Os
.Sh NAME
.Nm stf
.Nd 6to4 tunnel interface
.Sh SYNOPSIS
.Cd "pseudo-device stf"
.Sh DESCRIPTION
The
.Nm
interface supports
.Dq 6to4
IPv6 in IPv4 encapsulation.
It can tunnel IPv6 traffic over IPv4, as specified in
.Li draft-ietf-ngtrans-6to4-06.txt .
.Pp
.Nm
interfaces are dynamically created and destroyed with the
.Xr ifconfig 8
.Cm create
and
.Cm destroy
subcommands.  Only one
.Nm stf
interface may be created.
.Pp
For ordinary nodes in a 6to4 site, you do not need an
.Nm
interface.
The
.Nm
interface is necessary for a site border router
.Po
called a
.Dq 6to4 router
in the specification
.Pc .
.Pp
Due to the way the 6to4 protocol is specified, the
.Nm
interface requires certain configuration to work properly.
A single
.Pq no more than 1
valid 6to4 address needs to be configured on the interface.
.Dq A valid 6to4 address
is an address which has the following properties.
If any of the following properties is not satisfied,
.Nm stf
raises a runtime error on packet transmission.
Read the specification for more details.
.Bl -bullet
.It
It matches
.Li 2002:xxyy:zzuu::/48
where
.Li xxyy:zzuu
is the hexadecimal notation of an IPv4 address of the node.
The IPv4 address can be taken from any of the interfaces your node has.
Since the specification forbids the use of IPv4 private addresses,
the address needs to be a global IPv4 address.
.It
The subnet identifier portion
.Pq 48th to 63rd bit
and the interface identifier portion
.Pq lower 64 bits
are properly filled to avoid address collisions.
.El
.Pp
If you would like the node to behave as a relay router,
the prefix length for the IPv6 interface address needs to be 16 so that
the node considers any 6to4 destination as
.Dq on-link .
If you would like to restrict 6to4 peers to a certain IPv4 prefix,
you may want to configure the IPv6 prefix length as
.Dq 16 + IPv4 prefix length .
The
.Nm
interface will check the IPv4 source address on packets
if the IPv6 prefix length is larger than 16.
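.Pp
The address arithmetic described above, worked through in Python as an added
example (this is not code from this manual page or from the stf driver; the
function names and the sample addresses are this example's own, while the
2002:xxyy:zzuu::/48 format and the prefix-length rule come from the text):

```python
"""6to4 address arithmetic from stf(4), worked in Python.

Added example, not code from the NetBSD man page or the stf(4) driver.
Function names and sample addresses are this example's own; the address
format (2002:xxyy:zzuu::/48) and the prefix-length rule come from the page.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

SIX_TO_FOUR = IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> IPv6Network:
    """Derive the node's 2002:xxyy:zzuu::/48 prefix from its IPv4 address.

    The 32 IPv4 address bits follow the 16-bit 2002 prefix, i.e. they sit
    at bits 16..47 of the IPv6 address (bits 80..111 counted from the low end).
    """
    v4 = int(IPv4Address(ipv4))
    return IPv6Network((int(SIX_TO_FOUR.network_address) | (v4 << 80), 48))


def embedded_ipv4(ipv6: str) -> IPv4Address:
    """Recover the IPv4 address embedded in a 2002::/16 address."""
    return IPv4Address((int(IPv6Address(ipv6)) >> 80) & 0xFFFFFFFF)


def is_valid_6to4_address(ipv6: str) -> bool:
    """Check the properties the page lists for a valid 6to4 address.

    The address must be inside 2002::/16 and the embedded IPv4 address
    must be global: private (RFC 1918), loopback, link-local, multicast,
    unspecified and reserved addresses are rejected.  The requirement that
    the subnet and interface identifiers be "properly filled" has no
    mechanical test beyond parsing, so it is not checked here.
    """
    addr = IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return False
    v4 = embedded_ipv4(ipv6)
    return not (v4.is_private or v4.is_loopback or v4.is_link_local
                or v4.is_multicast or v4.is_unspecified or v4.is_reserved)


def peer_allowed(ifaddr: str, prefixlen: int, peer_ipv4: str) -> bool:
    """Model the prefix-length rule for 6to4 peers.

    prefixlen 16 makes every 6to4 destination on-link (relay router);
    prefixlen 16 + n restricts peers to the IPv4 /n that contains the
    node's own embedded IPv4 address, which is the check stf(4) applies
    to the IPv4 source address when the prefix length is larger than 16.
    """
    if not 16 <= prefixlen <= 48:
        raise ValueError("6to4 interface prefix length must be 16..48")
    allowed = IPv4Network((embedded_ipv4(ifaddr), prefixlen - 16), strict=False)
    return IPv4Address(peer_ipv4) in allowed


if __name__ == "__main__":
    # 133.4.5.6 from the EXAMPLES section gives 2002:8504:506::/48.
    print(six_to_four_prefix("133.4.5.6"))
    print(peer_allowed("2002:0901:0203::1", 32, "9.1.200.7"))   # True
    print(peer_allowed("2002:0901:0203::1", 32, "9.2.0.1"))     # False
```

With the interface address from the second example below and prefixlen 32,
peer_allowed accepts only peers whose IPv4 address lies in 9.1.0.0/16, which
is the "16 + IPv4 prefix length" rule in action.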
.Pp
.Nm
can be configured to be ECN friendly.
This can be configured by
.Dv IFF_LINK1 .
See
.Xr gif 4
for details.
.Pp
Please note that the 6to4 specification describes an
.Dq accept tunnelled packets from everyone
tunnelling device.
By enabling the
.Nm
device, you are making it much easier for malicious parties to inject
fabricated IPv6 packets into your node.
Also, a malicious party can inject an IPv6 packet with a fabricated source address
to make your node generate improper tunnelled packets.
Administrators must take caution when enabling the interface.
To prevent possible attacks, the
.Nm
interface filters out the following packets.
Note that the checks are in no way complete:
.Bl -bullet
.It
Packets with the IPv4 unspecified address as outer IPv4 source/destination
.Pq Li 0.0.0.0/8
.It
Packets with a loopback address as outer IPv4 source/destination
.Pq Li 127.0.0.0/8
.It
Packets with an IPv4 multicast address as outer IPv4 source/destination
.Pq Li 224.0.0.0/4
.It
Packets with the limited broadcast address as outer IPv4 source/destination
.Pq Li 255.0.0.0/8
.It
Packets with a subnet broadcast address as outer IPv4 source/destination.
The check is made against the subnet broadcast addresses of
all of the directly connected subnets.
.It
Packets that do not pass ingress filtering.
The outer IPv4 source address must match the IPv4 topology in the routing table.
The ingress filter can be turned off with the
.Dv IFF_LINK2
bit.
.It
The same set of rules is applied to the IPv4 address embedded in the
inner IPv6 address, if the IPv6 address matches the 6to4 prefix.
.El
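.Pp
The filtering rules above, modelled in Python as an added example (this is not
code from this manual page or from the stf driver; the routing table, the
connected subnets, the packets and the drop messages are constructed for this
example). Ingress filtering is modelled as a longest-prefix lookup of the
source address whose outgoing interface must be the interface the packet
arrived on, and ingress_filter=False stands in for the IFF_LINK2 bit:

```python
"""Sanity checks stf(4) applies to received 6to4 packets, modelled in Python.

Added example, not code from the NetBSD man page or the stf(4) driver.
The routing table, connected subnets and packets below are constructed
for illustration; the check order and messages are this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import List, Optional

SIX_TO_FOUR = IPv6Network("2002::/16")

# Outer IPv4 ranges stf(4) rejects as source or destination.
BAD_RANGES = [
    IPv4Network("0.0.0.0/8"),    # unspecified
    IPv4Network("127.0.0.0/8"),  # loopback
    IPv4Network("224.0.0.0/4"),  # multicast
    IPv4Network("255.0.0.0/8"),  # limited broadcast
]


@dataclass
class Route:
    prefix: IPv4Network
    ifname: str
    connected: bool = False  # True for a directly attached subnet


@dataclass
class Packet:
    ifname: str      # IPv4 interface the packet arrived on
    outer_src: str
    outer_dst: str
    inner_src: str   # IPv6 header inside the protocol-41 payload
    inner_dst: str


def embedded_ipv4(addr: IPv6Address) -> IPv4Address:
    """IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    return IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def route_for(routes: List[Route], addr: IPv4Address) -> Optional[Route]:
    """Longest-prefix match on the constructed routing table."""
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def address_problem(addr: IPv4Address, routes: List[Route],
                    arrived_on: Optional[str]) -> Optional[str]:
    """Apply the per-address rules; arrived_on is set only for source
    addresses, where the ingress filter applies."""
    for net in BAD_RANGES:
        if addr in net:
            return f"{addr} is in {net}"
    for r in routes:
        if r.connected and addr == r.prefix.broadcast_address:
            return f"{addr} is the subnet broadcast of {r.prefix}"
    if arrived_on is not None:
        r = route_for(routes, addr)
        if r is None or r.ifname != arrived_on:
            return f"{addr} fails ingress filtering on {arrived_on}"
    return None


def check_packet(pkt: Packet, routes: List[Route],
                 ingress_filter: bool = True) -> Optional[str]:
    """Return None if the packet is accepted, else the reason it is dropped.

    ingress_filter=False models the IFF_LINK2 bit, which disables the
    routing-table check on source addresses.
    """
    src_if = pkt.ifname if ingress_filter else None
    for label, addr, arrived in (("outer src", pkt.outer_src, src_if),
                                 ("outer dst", pkt.outer_dst, None)):
        why = address_problem(IPv4Address(addr), routes, arrived)
        if why:
            return f"{label}: {why}"
    # The same rules apply to the IPv4 address embedded in inner 6to4 addresses.
    for label, addr, arrived in (("inner src", pkt.inner_src, src_if),
                                 ("inner dst", pkt.inner_dst, None)):
        v6 = IPv6Address(addr)
        if v6 in SIX_TO_FOUR:
            why = address_problem(embedded_ipv4(v6), routes, arrived)
            if why:
                return f"{label}: {why}"
    return None


# Constructed routing table: ne0 carries 133.4.5.0/24 and the default
# route, ne1 carries 10.0.0.0/8.
ROUTES = [
    Route(IPv4Network("133.4.5.0/24"), "ne0", connected=True),
    Route(IPv4Network("10.0.0.0/8"), "ne1", connected=True),
    Route(IPv4Network("0.0.0.0/0"), "ne0"),
]

if __name__ == "__main__":
    good = Packet("ne0", "9.1.2.3", "133.4.5.6", "2002:901:203::1", "2002:8504:506::1")
    print(check_packet(good, ROUTES))  # None: accepted
    spoofed = Packet("ne0", "10.1.2.3", "133.4.5.6", "2002:a01:203::1", "2002:8504:506::1")
    print(check_packet(spoofed, ROUTES))  # outer src fails ingress filtering
```

A packet whose outer source belongs to a prefix routed via another interface
is dropped by the ingress check, and so is a packet whose inner 6to4 source
embeds a loopback address, even though its outer header looks ordinary.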
.Pp
It is recommended to filter or audit
incoming IPv4 packets with IP protocol number 41, as necessary.
It is also recommended to filter or audit the encapsulated IPv6 packets.
You may also want to run a normal ingress filter against the inner IPv6 address
to avoid spoofing.
.\"
.Sh EXAMPLES
Note that
.Li 8504:0506
is equal to
.Li 133.4.5.6 ,
written in hexadecimal.
.Bd -literal
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
	prefixlen 16 alias
.Ed
.Pp
The following configuration accepts packets from IPv4 source
.Li 9.1.0.0/16
only.
It emits 6to4 packets only for IPv6 destinations in 2002:0901::/32
.Pq the IPv4 destination will match Li 9.1.0.0/16 .
.Bd -literal
# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
# ifconfig stf0 create inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\
	prefixlen 32 alias
.Ed
.\"
.Sh SEE ALSO
.Xr gif 4 ,
.Xr inet 4 ,
.Xr inet6 4
.Pp
.Pa http://www.6bone.net/6bone_6to4.html
.Rs
.%A Brian Carpenter
.%A Keith Moore
.%T "Connection of IPv6 Domains via IPv4 Clouds"
.%D February 2001
.%R RFC
.%N 3056
.Re
.Rs
.%A Jun-ichiro itojun Hagino
.%T "Possible abuse against IPv6 transition technologies"
.%D July 2000
.%N draft-itojun-ipv6-transition-abuse-01.txt
.%O work in progress
.Re
.\"
.Sh HISTORY
The
.Nm
device first appeared in the WIDE/KAME IPv6 stack.
.\"
.Sh BUGS
No more than one
.Nm
interface is allowed for a node,
and no more than one IPv6 interface address is allowed for an
.Nm
interface.
This is to avoid source address selection conflicts
between the IPv6 layer and the IPv4 layer,
and to cope with the ingress filtering rule on the other side.
This is a feature to make
.Nm
work right on all occasions.