]> git.saurik.com Git - apple/xnu.git/blob - bsd/man/man4/stf.4
xnu-1228.7.58.tar.gz
[apple/xnu.git] / bsd / man / man4 / stf.4
1 .\" $FreeBSD: src/share/man/man4/stf.4,v 1.3.2.4 2001/08/17 13:08:39 ru Exp $
2 .\" $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $
3 .\"
4 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 .\" All rights reserved.
6 .\"
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
9 .\" are met:
10 .\" 1. Redistributions of source code must retain the above copyright
11 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
15 .\" 3. Neither the name of the project nor the names of its contributors
16 .\" may be used to endorse or promote products derived from this software
17 .\" without specific prior written permission.
18 .\"
19 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 .\" SUCH DAMAGE.
30 .\"
31 .Dd April 27, 2001
32 .Dt STF 4
33 .Os
34 .Sh NAME
35 .Nm stf
36 .Nd
37 .Tn 6to4
38 tunnel interface
39 .Sh SYNOPSIS
40 .Cd "pseudo-device stf"
41 .Sh DESCRIPTION
42 The
43 .Nm
44 interface supports
45 .Dq 6to4
46 IPv6 in IPv4 encapsulation.
47 It can tunnel IPv6 traffic over IPv4, as specified in
48 .Li RFC3056 .
49 .Pp
50 For ordinary nodes in 6to4 site, you do not need
51 .Nm
52 interface.
53 The
54 .Nm
55 interface is necessary for site border router
56 (called
57 .Dq 6to4 router
58 in the specification).
59 .Pp
60 Due to the way 6to4 protocol is specified,
61 .Nm
62 interface requires certain configuration to work properly.
63 Single
64 (no more than 1)
65 valid 6to4 address needs to be configured to the interface.
66 .Dq A valid 6to4 address
67 is an address which has the following properties.
68 If any of the following properties are not satisfied,
69 .Nm
70 raises runtime error on packet transmission.
71 Read the specification for more details.
72 .Bl -bullet
73 .It
74 matches
75 .Li 2002:xxyy:zzuu::/48
76 where
77 .Li xxyy:zzuu
78 is a hexadecimal notation of an IPv4 address for the node.
79 IPv4 address can be taken from any of interfaces your node has.
80 Since the specification forbids the use of IPv4 private address,
81 the address needs to be a global IPv4 address.
82 .It
83 Subnet identifier portion
84 (48th to 63rd bit)
85 and interface identifier portion
86 (lower 64 bits)
87 are properly filled to avoid address collisions.
88 .El
89 .Pp
90 If you would like the node to behave as a relay router,
91 the prefix length for the IPv6 interface address needs to be 16 so that
92 the node would consider any 6to4 destination as
93 .Dq on-link .
94 If you would like to restrict 6to4 peers to be inside certain IPv4 prefix,
95 you may want to configure IPv6 prefix length as
96 .Dq 16 + IPv4 prefix length .
97 .Nm
98 interface will check the IPv4 source address on packets,
99 if the IPv6 prefix length is larger than 16.
100 .Pp
101 .Nm
102 can be configured to be ECN friendly.
103 This can be configured by
104 .Dv IFF_LINK1 .
105 See
106 .Xr gif 4
107 for details.
108 .Pp
109 Please note that 6to4 specification is written as
110 .Dq accept tunnelled packet from everyone
111 tunnelling device.
112 By enabling
113 .Nm
114 device, you are making it much easier for malicious parties to inject
115 fabricated IPv6 packet to your node.
116 Also, malicious party can inject an IPv6 packet with fabricated source address
117 to make your node generate improper tunnelled packet.
118 Administrators must take caution when enabling the interface.
119 To prevent possible attacks,
120 .Nm
121 interface filters out the following packets.
122 Note that the checks are no way complete:
123 .Bl -bullet
124 .It
125 Packets with IPv4 unspecified addrss as outer IPv4 source/destination
126 .Pq Li 0.0.0.0/8
127 .It
128 Packets with loopback address as outer IPv4 source/destination
129 .Pq Li 127.0.0.0/8
130 .It
131 Packets with IPv4 multicast address as outer IPv4 source/destination
132 .Pq Li 224.0.0.0/4
133 .It
134 Packets with limited broadcast address as outer IPv4 source/destination
135 .Pq Li 255.0.0.0/8
136 .It
137 Packets with subnet broadcast address as outer IPv4 source/destination.
138 The check is made against subnet broadcast addresses for
139 all of the directly connected subnets.
140 .It
141 Packets that does not pass ingress filtering.
142 Outer IPv4 source address must meet the IPv4 topology on the routing table.
143 Ingress filter can be turned off by
144 .Dv IFF_LINK2
145 bit.
146 .It
147 The same set of rules are appplied against the IPv4 address embedded into
148 inner IPv6 address, if the IPv6 address matches 6to4 prefix.
149 .El
150 .Pp
151 It is recommended to filter/audit
152 incoming IPv4 packet with IP protocol number 41, as necessary.
153 It is also recommended to filter/audit encapsulated IPv6 packets as well.
154 You may also want to run normal ingress filter against inner IPv6 address
155 to avoid spoofing.
156 .Pp
157 By setting the
158 .Dv IFF_LINK0
159 flag on the
160 .Nm
161 interface, it is possible to disable the input path,
162 making the direct attacks from the outside impossible.
163 Note, however, there are other security risks exist.
164 If you wish to use the configuration,
165 you must not advertise your 6to4 address to others.
166 .\"
167 .Sh EXAMPLES
168 Note that
169 .Li 8504:0506
170 is equal to
171 .Li 133.4.5.6 ,
172 written in hexadecimals.
173 .Bd -literal
174 # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
175 # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
176 prefixlen 16 alias
177 .Ed
178 .Pp
179 The following configuration accepts packets from IPv4 source
180 .Li 9.1.0.0/16
181 only.
182 It emits 6to4 packet only for IPv6 destination 2002:0901::/32
183 (IPv4 destination will match
184 .Li 9.1.0.0/16 ) .
185 .Bd -literal
186 # ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
187 # ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\
188 prefixlen 32 alias
189 .Ed
190 .Pp
191 The following configuration uses the
192 .Nm
193 interface as an output-only device.
194 You need to have alternative IPv6 connectivity
195 (other than 6to4)
196 to use this configuration.
197 For outbound traffic, you can reach other 6to4 networks efficiently via
198 .Nm stf .
199 For inbound traffic, you will not receive any 6to4-tunneled packets
200 (less security drawbacks).
201 Be careful not to advertise your 6to4 prefix to others
202 .Pq Li 2002:8504:0506::/48 ,
203 and not to use your 6to4 prefix as a source.
204 .Bd -literal
205 # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
206 # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
207 prefixlen 16 alias deprecated link0
208 # route add -inet6 2002:: -prefixlen 16 ::1
209 # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0
210 .Ed
211 .\"
212 .Sh SEE ALSO
213 .Xr gif 4 ,
214 .Xr inet 4 ,
215 .Xr inet6 4
216 .Pp
217 .Pa http://www.6bone.net/6bone_6to4.html
218 .Rs
219 .%A Brian Carpenter
220 .%A Keith Moore
221 .%T "Connection of IPv6 Domains via IPv4 Clouds"
222 .%D February 2001
223 .%R RFC
224 .%N 3056
225 .Re
226 .Rs
227 .%A Jun-ichiro itojun Hagino
228 .%T "Possible abuse against IPv6 transition technologies"
229 .%D July 2000
230 .%N draft-itojun-ipv6-transition-abuse-01.txt
231 .%O work in progress
232 .Re
233 .\"
234 .Sh HISTORY
235 The
236 .Nm
237 device first appeared in WIDE/KAME IPv6 stack.
238 .\"
239 .Sh BUGS
240 No more than one
241 .Nm
242 interface is allowed for a node,
243 and no more than one IPv6 interface address is allowed for an
244 .Nm
245 interface.
246 It is to avoid source address selection conflicts
247 between IPv6 layer and IPv4 layer,
248 and to cope with ingress filtering rule on the other side.
249 This is a feature to make
250 .Nm
251 work right for all occasions.