1.\" $FreeBSD: src/share/man/man4/stf.4,v 1.3.2.5 2002/08/28 04:46:25 brooks Exp $ 2.\" $DragonFly: src/share/man/man4/stf.4,v 1.4 2007/11/23 23:16:37 swildner Exp $ 3.\" $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $ 4.\" 5.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6.\" All rights reserved. 7.\" 8.\" Redistribution and use in source and binary forms, with or without 9.\" modification, are permitted provided that the following conditions 10.\" are met: 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 2. Redistributions in binary form must reproduce the above copyright 14.\" notice, this list of conditions and the following disclaimer in the 15.\" documentation and/or other materials provided with the distribution. 16.\" 3. Neither the name of the project nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.Dd April 27, 2001 33.Dt STF 4 34.Os 35.Sh NAME 36.Nm stf 37.Nd 38.Tn 6to4 39tunnel interface 40.Sh SYNOPSIS 41.Cd "pseudo-device stf" 42.Sh DESCRIPTION 43The 44.Nm 45interface supports 46.Dq 6to4 47IPv6 in IPv4 encapsulation. 48It can tunnel IPv6 traffic over IPv4, as specified in 49.Li RFC 3056 . 50.Pp 51For ordinary nodes in 6to4 site, you do not need 52.Nm 53interface. 54The 55.Nm 56interface is necessary for site border router 57(called 58.Dq 6to4 router 59in the specification). 60.Pp 61Each 62.Nm 63interface is created at runtime using interface cloning. 64This is 65most easily done with the 66.Xr ifconfig 8 67.Cm create 68command or using the 69.Va cloned_interfaces 70variable in 71.Xr rc.conf 5 . 72.Pp 73Due to the way 6to4 protocol is specified, 74.Nm 75interface requires certain configuration to work properly. 76Single 77(no more than 1) 78valid 6to4 address needs to be configured to the interface. 79.Dq A valid 6to4 address 80is an address which has the following properties. 81If any of the following properties are not satisfied, 82.Nm 83raises runtime error on packet transmission. 84Read the specification for more details. 85.Bl -bullet 86.It 87matches 88.Li 2002:xxyy:zzuu::/48 89where 90.Li xxyy:zzuu 91is a hexadecimal notation of an IPv4 address for the node. 92IPv4 address can be taken from any of interfaces your node has. 93Since the specification forbids the use of IPv4 private address, 94the address needs to be a global IPv4 address. 95.It 96Subnet identifier portion 97(48th to 63rd bit) 98and interface identifier portion 99(lower 64 bits) 100are properly filled to avoid address collisions. 101.El 102.Pp 103If you would like the node to behave as a relay router, 104the prefix length for the IPv6 interface address needs to be 16 so that 105the node would consider any 6to4 destination as 106.Dq on-link . 107If you would like to restrict 6to4 peers to be inside certain IPv4 prefix, 108you may want to configure IPv6 prefix length as 109.Dq 16 + IPv4 prefix length . 110.Nm 111interface will check the IPv4 source address on packets, 112if the IPv6 prefix length is larger than 16. 113.Pp 114.Nm 115can be configured to be ECN friendly. 116This can be configured by 117.Dv IFF_LINK1 . 118See 119.Xr gif 4 120for details. 121.Pp 122Please note that 6to4 specification is written as 123.Dq accept tunnelled packet from everyone 124tunnelling device. 125By enabling 126.Nm 127device, you are making it much easier for malicious parties to inject 128fabricated IPv6 packet to your node. 129Also, malicious party can inject an IPv6 packet with fabricated source address 130to make your node generate improper tunnelled packet. 131Administrators must take caution when enabling the interface. 132To prevent possible attacks, 133.Nm 134interface filters out the following packets. 135Note that the checks are no way complete: 136.Bl -bullet 137.It 138Packets with IPv4 unspecified address as outer IPv4 source/destination 139.Pq Li 0.0.0.0/8 140.It 141Packets with loopback address as outer IPv4 source/destination 142.Pq Li 127.0.0.0/8 143.It 144Packets with IPv4 multicast address as outer IPv4 source/destination 145.Pq Li 224.0.0.0/4 146.It 147Packets with limited broadcast address as outer IPv4 source/destination 148.Pq Li 255.0.0.0/8 149.It 150Packets with subnet broadcast address as outer IPv4 source/destination. 151The check is made against subnet broadcast addresses for 152all of the directly connected subnets. 153.It 154Packets that does not pass ingress filtering. 155Outer IPv4 source address must meet the IPv4 topology on the routing table. 156Ingress filter can be turned off by 157.Dv IFF_LINK2 158bit. 159.It 160The same set of rules are applied against the IPv4 address embedded into 161inner IPv6 address, if the IPv6 address matches 6to4 prefix. 162.El 163.Pp 164It is recommended to filter/audit 165incoming IPv4 packet with IP protocol number 41, as necessary. 166It is also recommended to filter/audit encapsulated IPv6 packets as well. 167You may also want to run normal ingress filter against inner IPv6 address 168to avoid spoofing. 169.Pp 170By setting the 171.Dv IFF_LINK0 172flag on the 173.Nm 174interface, it is possible to disable the input path, 175making the direct attacks from the outside impossible. 176Note, however, there are other security risks exist. 177If you wish to use the configuration, 178you must not advertise your 6to4 address to others. 179.\" 180.Sh EXAMPLES 181Note that 182.Li 8504:0506 183is equal to 184.Li 133.4.5.6 , 185written in hexadecimals. 186.Bd -literal 187# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 188# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ 189 prefixlen 16 alias 190.Ed 191.Pp 192The following configuration accepts packets from IPv4 source 193.Li 9.1.0.0/16 194only. 195It emits 6to4 packet only for IPv6 destination 2002:0901::/32 196(IPv4 destination will match 197.Li 9.1.0.0/16 ) . 198.Bd -literal 199# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 200# ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\ 201 prefixlen 32 alias 202.Ed 203.Pp 204The following configuration uses the 205.Nm 206interface as an output-only device. 207You need to have alternative IPv6 connectivity 208(other than 6to4) 209to use this configuration. 210For outbound traffic, you can reach other 6to4 networks efficiently via 211.Nm . 212For inbound traffic, you will not receive any 6to4-tunneled packets 213(less security drawbacks). 214Be careful not to advertise your 6to4 prefix to others 215.Pq Li 2002:8504:0506::/48 , 216and not to use your 6to4 prefix as a source. 217.Bd -literal 218# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 219# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ 220 prefixlen 16 alias deprecated link0 221# route add -inet6 2002:: -prefixlen 16 ::1 222# route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0 223.Ed 224.\" 225.Sh SEE ALSO 226.Xr gif 4 , 227.Xr inet 4 , 228.Xr inet6 4 229.Pp 230.Pa http://www.6bone.net/6bone_6to4.html 231.Rs 232.%A Brian Carpenter 233.%A Keith Moore 234.%T "Connection of IPv6 Domains via IPv4 Clouds" 235.%D February 2001 236.%R RFC 237.%N 3056 238.Re 239.Rs 240.%A Jun-ichiro itojun Hagino 241.%T "Possible abuse against IPv6 transition technologies" 242.%D July 2000 243.%N draft-itojun-ipv6-transition-abuse-01.txt 244.%O work in progress 245.Re 246.\" 247.Sh HISTORY 248The 249.Nm 250device first appeared in WIDE/KAME IPv6 stack. 251.\" 252.Sh BUGS 253No more than one 254.Nm 255interface is allowed for a node, 256and no more than one IPv6 interface address is allowed for an 257.Nm 258interface. 259It is to avoid source address selection conflicts 260between IPv6 layer and IPv4 layer, 261and to cope with ingress filtering rule on the other side. 262This is a feature to make 263.Nm 264work right for all occasions. 265