1 .\" $FreeBSD: src/share/man/man4/gif.4,v 1.3.2.11 2003/03/03 18:51:16 trhodes Exp $
2 .\" $KAME: gif.4,v 1.28 2001/05/18 13:15:56 itojun Exp $
4 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 .\" All rights reserved.
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
10 .\" 1. Redistributions of source code must retain the above copyright
11 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
15 .\" 3. Neither the name of the project nor the names of its contributors
16 .\" may be used to endorse or promote products derived from this software
17 .\" without specific prior written permission.
19 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 .Nd generic tunnel interface
38 .Cd "pseudo-device gif"
42 interface is a generic tunnelling pseudo device for IPv4 and IPv6.
43 It can tunnel IPv[46] traffic over IPv[46].
44 Therefore, there can be four possible configurations.
47 is mainly based on RFC2893 IPv6-over-IPv4 configured tunnel.
51 can also tunnel ISO traffic over IPv[46] using EON encapsulation.
55 interface is created at runtime using interface cloning.
57 most easily done with the
58 .Dq Nm ifconfig Cm create
60 .Va gifconfig_ Ns Aq Ar interface
66 the administrator needs to configure the protocol and addresses used for the outer
68 This can be done by using
73 The administrator also needs to configure the protocol and addresses for the
76 Note that IPv6 link-local addresses
77 (those that start with
79 will be automatically be configured whenever possible.
80 You may need to remove IPv6 link-local addresses manually using
82 if you want to disable the use of IPv6 as the inner header
83 (for example, if you need a pure IPv4-over-IPv6 tunnel).
84 Finally, you must modify the routing table to route the packets through the
90 pseudo-device can be configured to be ECN friendly.
91 This can be configured by
93 .Ss ECN friendly behavior
96 pseudo-device can be configured to be ECN friendly, as described in
97 .Dv draft-ietf-ipsec-ecn-02.txt .
98 This is turned off by default, and can be turned on by the
105 will show normal behavior, as described in RFC2893.
106 This can be summarized as follows:
107 .Bl -tag -width "Ingress" -offset indent
122 on IPv4 TOS byte or IPv6 traffic class byte)
123 on egress and ingress, as follows:
124 .Bl -tag -width "Ingress" -offset indent
126 Copy TOS bits except for ECN CE
134 Use inner TOS bits with some change.
135 If outer ECN CE bit is
137 enable ECN CE bit on the inner.
140 Note that the ECN friendly behavior violates RFC2893.
141 This should be used in mutual agreement with the peer.
143 A malicious party may try to circumvent security filters by using
145 For better protection,
147 performs both martian and ingress filtering against the outer source address
149 Note that martian/ingress filters are in no way complete.
150 You may want to secure your node by using packet filters.
151 Ingress filtering can be turned off by
158 tunnels may not be nested.
159 This behavior may be modified at runtime by setting the
162 .Va net.link.gif.max_nesting
163 to the desired level of nesting.
166 tunnels are restricted to one per pair of end points.
167 Parallel tunnels may be enabled by setting the
170 .Va net.link.gif.parallel_tunnels
180 .%T Transition Mechanisms for IPv6 Hosts and Routers
182 .%O ftp://ftp.isi.edu/in-notes/rfc2893.txt
187 .%A K. K. Ramakrishnan
188 .%T "IPsec Interactions with ECN"
190 .%O draft-ietf-ipsec-ecn-02.txt
196 device first appeared in the WIDE hydrangea IPv6 kit.
199 There are many tunnelling protocol specifications, all
200 defined differently from each other. The
202 pseudo-device may not interoperate with peers which are based on different specifications,
203 and are picky about outer header fields.
204 For example, you cannot usually use
206 to talk with IPsec devices that use IPsec tunnel mode.
208 The current code does not check if the ingress address
209 (outer source address)
212 interface makes sense.
213 Make sure to specify an address which belongs to your node.
214 Otherwise, your node will not be able to receive packets from the peer,
215 and it will generate packets with a spoofed source address.
217 If the outer protocol is IPv4,
219 does not try to perform path MTU discovery for the encapsulated packet
220 (DF bit is set to 0).
222 If the outer protocol is IPv6, path MTU discovery for encapsulated packets
223 may affect communication over the interface.
224 The first bigger-than-pmtu packet may be lost.
225 To avoid the problem, you may want to set the interface MTU for
227 to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4.
231 pseudo-device does not translate ICMP messages for the outer header into the inner header.
235 had a multi-destination behavior, configurable via
238 The behavior is obsolete and is no longer supported.
240 It is thought that this is not actually a bug in gif, but rather lies
241 somewhere around a manipulation of an IPv6 routing table.