NAME
gif —
generic tunnel interface
SYNOPSIS
pseudo-device gif
DESCRIPTION
The
gif interface is a generic tunneling pseudo device for
IPv4 and IPv6. It can tunnel IPv[46] traffic over IPv[46]. Therefore, there
can be four possible configurations. The behavior of
gif is
mainly based on RFC 2893 IPv6-over-IPv4 configured tunnel.
gif can also tunnel ISO traffic over IPv[46] using EON
encapsulation.
To use
gif, the administrator must first create the interface
and then configure protocol and addresses used for the outer header. This can
be done by using
ifconfig(8)
create and
tunnel subcommands, or
SIOCIFCREATE
and
SIOCSIFPHYADDR
ioctls. Also, administrator needs to
configure protocol and addresses used for the inner header, by using
ifconfig(8). Note that IPv6
link-local address (those start with
fe80::
) will be
automatically configured whenever possible. You may need to remove IPv6
link-local address manually using
ifconfig(8), when you would
like to disable the use of IPv6 as inner header (like when you need pure
IPv4-over-IPv6 tunnel). Finally, use routing table to route the packets toward
gif interface.
gif can be configured to be ECN friendly. This can be
configured by
IFF_LINK1
.
ECN friendly behavior
gif can be configured to be ECN friendly, as described in
draft-ietf-ipsec-ecn-02.txt
. This is turned off by
default, and can be turned on by
IFF_LINK1
interface
flag.
Without
IFF_LINK1
,
gif will show a
normal behavior, like described in RFC 2893. This can be summarized as
follows:
-
-
- Ingress
- Set outer TOS bit to
0
.
-
-
- Egress
- Drop outer TOS bit.
With
IFF_LINK1
,
gif will copy ECN bits
(
0x02
and
0x01
on IPv4 TOS
byte or IPv6 traffic class byte) on egress and ingress, as follows:
-
-
- Ingress
- Copy TOS bits except for ECN CE (masked with
0xfe
) from inner to outer. set ECN CE bit to
0
.
-
-
- Egress
- Use inner TOS bits with some change. If outer ECN CE bit is
1
, enable ECN CE bit on the inner.
Note that the ECN friendly behavior violates RFC 2893. This should be used in
mutual agreement with the peer.
Every inner packet is encapsulated in an outer packet. The inner packet may be
IPv4, IPv6, or ISO CLNP. The outer packet may be IPv4 or IPv6, and has all the
usual IP headers, including a protocol field that identifies the type of inner
packet.
When the inner packet is IPv4, the protocol field of the outer packet is 4
(
IPPROTO_IPV4
). When the inner packet is IPv6, the
protocol field of the outer packet is 41
(
IPPROTO_IPV6
). When the inner packet is ISO CNLP, the
protocol field of the outer packet is 80
(
IPPROTO_EON
).
Security
Malicious party may try to circumvent security filters by using tunneled
packets. For better protection,
gif performs martian filter
and ingress filter against outer source address, on egress. Note that
martian/ingress filters are no way complete. You may want to secure your node
by using packet filters. Ingress filter can be turned off by
IFF_LINK2
bit.
EXAMPLES
Configuration example:
Host X--NetBSD A ----------------tunnel---------- cisco D------Host E
\ |
\ /
+-----Router B--------Router C---------+
On
NetBSD system A (
NetBSD):
# route add default B
# ifconfig gifN create
# ifconfig gifN A netmask 0xffffffff tunnel A D up
# route add E 0
# route change E -ifp gif0
On Host D (Cisco):
Interface TunnelX
ip unnumbered D ! e.g. address from Ethernet interface
tunnel source D ! e.g. address from Ethernet interface
tunnel destination A
ip route C <some interface and mask>
ip route A mask C
ip route X mask tunnelX
or on Host D (
NetBSD):
# route add default C
# ifconfig gifN D A
If all goes well, you should see packets flowing.
If you want to reach Host A over the tunnel (from the Cisco D), then you have to
have an alias on Host A for e.g. the Ethernet interface like:
ifconfig <etherif> alias Y and
on the cisco
ip route Y mask tunnelX.
SEE ALSO
etherip(4),
inet(4),
inet6(4),
ifconfig(8)
C. Perkins, IP
Encapsulation within IP, RFC 2003,
ftp://ftp.isi.edu/in-notes/rfc2003.txt,
October 1996.
R. Gilligan and E.
Nordmark, Transition Mechanisms for IPv6 Hosts and
Routers, RFC 2893,
ftp://ftp.isi.edu/in-notes/rfc2893.txt,
August 2000.
Sally Floyd, David
L. Black, and K. K. Ramakrishnan,
IPsec Interactions with ECN,
http://datatracker.ietf.org/internet-drafts/draft-ietf-ipsec-ecn/,
December 1999.
F. Baker and P.
Savola, Ingress Filtering for Multihomed
Networks, RFC 3704,
ftp://ftp.isi.edu/in-notes/rfc3704.txt,
March 2004.
STANDARDS
IPv4 over IPv4 encapsulation is compatible with RFC 2003. IPv6 over IPv4
encapsulation is compatible with RFC 2893.
HISTORY
The
gif device first appeared in WIDE hydrangea IPv6 kit.
BUGS
There are many tunneling protocol specifications, defined differently from each
other.
gif may not interoperate with peers which are based
on different specifications, and are picky about outer header fields. For
example, you cannot usually use
gif to talk with IPsec
devices that use IPsec tunnel mode.
The current code does not check if the ingress address (outer source address)
configured to
gif makes sense. Make sure to configure an
address which belongs to your node. Otherwise, your node will not be able to
receive packets from the peer, and your node will generate packets with a
spoofed source address.
If the outer protocol is IPv6, path MTU discovery for encapsulated packet may
affect communication over the interface.
In the past,
gif had a multi-destination behavior,
configurable via
IFF_LINK0
flag. The behavior was
obsoleted and is no longer supported.