GIF(4) | Device Drivers Manual | GIF(4) |
gif
—
pseudo-device gif
gif
interface is a generic tunneling pseudo device
for IPv4 and IPv6. It can tunnel IPv[46] traffic over IPv[46]. Therefore,
there can be four possible configurations. The behavior of
gif
is mainly based on RFC 2893 IPv6-over-IPv4
configured tunnel.
To use gif
, the administrator must first
create the interface and then configure protocol and addresses used for the
outer header. This can be done by using
ifconfig(8)
create
and tunnel
subcommands, or SIOCIFCREATE
and
SIOCSIFPHYADDR
ioctls. Also, administrator needs to
configure protocol and addresses used for the inner header, by using
ifconfig(8). Note that IPv6
link-local address (those start with fe80::
) will be
automatically configured whenever possible. You may need to remove IPv6
link-local address manually using
ifconfig(8), when you would
like to disable the use of IPv6 as inner header (like when you need pure
IPv4-over-IPv6 tunnel). Finally, use routing table to route the packets
toward gif
interface.
gif
can be configured to be ECN friendly.
This can be configured by IFF_LINK1
.
gif
can be configured to be ECN friendly, as described
in draft-ietf-ipsec-ecn-02.txt
. This is turned off by
default, and can be turned on by IFF_LINK1
interface
flag.
Without IFF_LINK1
,
gif
will show a normal behavior, like described in
RFC 2893. This can be summarized as follows:
0
.With IFF_LINK1
,
gif
will copy ECN bits (0x02
and 0x01
on IPv4 TOS byte or IPv6 traffic class
byte) on egress and ingress, as follows:
0xfe
)
from inner to outer. set ECN CE bit to 0
.1
, enable ECN CE bit on the inner.Note that the ECN friendly behavior violates RFC 2893. This should be used in mutual agreement with the peer.
When the inner packet is IPv4, the protocol field of the outer
packet is 4 (IPPROTO_IPV4
). When the inner packet is
IPv6, the protocol field of the outer packet is 41
(IPPROTO_IPV6
).
gif
performs martian
filter and ingress filter against outer source address, on egress. Note that
martian/ingress filters are no way complete. You may want to secure your node
by using packet filters. Ingress filter can be turned off by
IFF_LINK2
bit.
Host X--NetBSD A ----------------tunnel---------- cisco D------Host E \ | \ / +-----Router B--------Router C---------+
# route add default B # ifconfig gifN create # ifconfig gifN A netmask 0xffffffff tunnel A D up # route add E 0 # route change E -ifp gif0
On Host D (Cisco):
Interface TunnelX ip unnumbered D ! e.g. address from Ethernet interface tunnel source D ! e.g. address from Ethernet interface tunnel destination A tunnel mode ipip ip route C <some interface and mask> ip route A mask C ip route X mask tunnelX
or on Host D (NetBSD):
# route add default C # ifconfig gifN D A
If all goes well, you should see packets flowing.
If you want to reach Host A over the tunnel (from the Cisco D),
then you have to have an alias on Host A for e.g. the Ethernet interface
like: ifconfig
<etherif> alias
Y and on the cisco ip
route Y
mask tunnelX.
C. Perkins, IP Encapsulation within IP, RFC 2003, ftp://ftp.isi.edu/in-notes/rfc2003.txt, October 1996.
R. Gilligan and E. Nordmark, Transition Mechanisms for IPv6 Hosts and Routers, RFC 2893, ftp://ftp.isi.edu/in-notes/rfc2893.txt, August 2000.
Sally Floyd, David L. Black, and K. K. Ramakrishnan, IPsec Interactions with ECN, http://datatracker.ietf.org/internet-drafts/draft-ietf-ipsec-ecn/, December 1999.
F. Baker and P. Savola, Ingress Filtering for Multihomed Networks, RFC 3704, ftp://ftp.isi.edu/in-notes/rfc3704.txt, March 2004.
gif
device first appeared in WIDE hydrangea IPv6
kit.
gif
may not interoperate with peers which are
based on different specifications, and are picky about outer header fields.
For example, you cannot usually use gif
to talk with
IPsec devices that use IPsec tunnel mode.
The current code does not check if the ingress address (outer
source address) configured to gif
makes sense. Make
sure to configure an address which belongs to your node. Otherwise, your
node will not be able to receive packets from the peer, and your node will
generate packets with a spoofed source address.
If the outer protocol is IPv6, path MTU discovery for encapsulated packet may affect communication over the interface.
In the past, gif
had a multi-destination
behavior, configurable via IFF_LINK0
flag. The
behavior was obsoleted and is no longer supported.
August 14, 2018 | NetBSD 9.4 |