1.\" $NetBSD: stf.4,v 1.17 2002/11/17 19:34:52 itojun Exp $ 2.\" $KAME: stf.4,v 1.39 2002/11/17 19:34:02 itojun Exp $ 3.\" 4.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. Neither the name of the project nor the names of its contributors 16.\" may be used to endorse or promote products derived from this software 17.\" without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd April 27, 2001 32.Dt STF 4 33.Os 34.Sh NAME 35.Nm stf 36.Nd 6to4 tunnel interface 37.Sh SYNOPSIS 38.Cd "pseudo-device stf" 39.Sh DESCRIPTION 40The 41.Nm 42interface supports 43.Dq 6to4 44IPv6 in IPv4 encapsulation. 45It can tunnel IPv6 traffic over IPv4, as specified in 46.Li RFC3056 . 47.Nm 48interfaces are dynamically created and destroyed with the 49.Xr ifconfig 8 50.Cm create 51and 52.Cm destroy 53subcommands. Only one 54.Nm stf 55interface may be created. 56.Pp 57For ordinary nodes in 6to4 site, you do not need 58.Nm 59interface. 60The 61.Nm 62interface is necessary for site border router 63.Po 64called 65.Dq 6to4 router 66in the specification 67.Pc . 68.Pp 69Due to the way 6to4 protocol is specified, 70.Nm 71interface requires certain configuration to work properly. 72Single 73.Pq no more than 1 74valid 6to4 address needs to be configured to the interface. 75.Dq A valid 6to4 address 76is an address which has the following properties. 77If any of the following properties are not satisfied, 78.Nm stf 79raises runtime error on packet transmission. 80Read the specification for more details. 81.Bl -bullet 82.It 83matches 84.Li 2002:xxyy:zzuu::/48 85where 86.Li xxyy:zzuu 87is a hexadecimal notation of an IPv4 address for the node. 88IPv4 address can be taken from any of interfaces your node has. 89Since the specification forbids the use of IPv4 private address, 90the address needs to be a global IPv4 address. 91.It 92Subnet identifier portion 93.Pq 48th to 63rd bit 94and interface identifier portion 95.Pq lower 64 bits 96are properly filled to avoid address collisions. 97.El 98.Pp 99If you would like the node to behave as a relay router, 100the prefix length for the IPv6 interface address needs to be 16 so that 101the node would consider any 6to4 destination as 102.Dq on-link . 103If you would like to restrict 6to4 peers to be inside certain IPv4 prefix, 104you may want to configure IPv6 prefix length as 105.Dq 16 + IPv4 prefix length . 106.Nm 107interface will check the IPv4 source address on packets, 108if the IPv6 prefix length is larger than 16. 109.Pp 110.Nm 111can be configured to be ECN friendly. 112This can be configured by 113.Dv IFF_LINK1 . 114See 115.Xr gif 4 116for details. 117.Pp 118Please note that 6to4 specification is written as 119.Dq accept tunnelled packet from everyone 120tunnelling device. 121By enabling 122.Nm 123device, you are making it much easier for malicious parties to inject 124fabricated IPv6 packet to your node. 125Also, malicious party can inject an IPv6 packet with fabricated source address 126to make your node generate improper tunnelled packet. 127Administrators must take caution when enabling the interface. 128To prevent possible attacks, 129.Nm 130interface filters out the following packets. 131Note that the checks are no way complete: 132.Bl -bullet 133.It 134Packets with IPv4 unspecified address as outer IPv4 source/destination 135.Pq Li 0.0.0.0/8 136.It 137Packets with loopback address as outer IPv4 source/destination 138.Pq Li 127.0.0.0/8 139.It 140Packets with IPv4 multicast address as outer IPv4 source/destination 141.Pq Li 224.0.0.0/4 142.It 143Packets with limited broadcast address as outer IPv4 source/destination 144.Pq Li 255.0.0.0/8 145.It 146Packets with private address as outer IPv4 source/destination 147.Pq Li 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 148.It 149Packets with IPv4 link-local address as outer IPv4 source/destination 150.Pq Li 169.254.0.0/16 151.It 152Packets with subnet broadcast address as outer IPv4 source/destination. 153The check is made against subnet broadcast addresses for 154all of the directly connected subnets. 155.It 156Packets that does not pass ingress filtering. 157Outer IPv4 source address must meet the IPv4 topology on the routing table. 158Ingress filter can be turned off by 159.Dv IFF_LINK2 160bit. 161.It 162The same set of rules are applied against the IPv4 address embedded into 163inner IPv6 address, if the IPv6 address matches 6to4 prefix. 164.It 165Packets with site-local or link-local unicast address as 166inner IPv6 source/destination 167.It 168Packets with node-local or link-local multicast address as 169inner IPv6 source/destination 170.El 171.Pp 172It is recommended to filter/audit 173incoming IPv4 packet with IP protocol number 41, as necessary. 174It is also recommended to filter/audit encapsulated IPv6 packets as well. 175You may also want to run normal ingress filter against inner IPv6 address 176to avoid spoofing. 177.Pp 178By setting the 179.Dv IFF_LINK0 180flag on the 181.Nm 182interface, it is possible to disable the input path, 183making the direct attacks from the outside impossible. 184Note, however, there are other security risks exist. 185If you wish to use the configuration, 186you must not advertise your 6to4 address to others. 187.\" 188.Sh EXAMPLES 189Note that 190.Li 8504:0506 191is equal to 192.Li 133.4.5.6 , 193written in hexadecimals. 194.Bd -literal 195# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 196# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ 197 prefixlen 16 alias 198.Ed 199.Pp 200The following configuration accepts packets from IPv4 source 201.Li 9.1.0.0/16 202only. 203It emits 6to4 packet only for IPv6 destination 2002:0901::/32 204.Pq IPv4 destination will match Li 9.1.0.0/16 . 205.Bd -literal 206# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 207# ifconfig stf0 create inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\ 208 prefixlen 32 alias 209.Ed 210.Pp 211The following configuration uses the 212.Nm 213interface as an output-only device. 214You need to have alternative IPv6 connectivity 215.Pq other than 6to4 216to use this configuration. 217For outbound traffic, you can reach other 6to4 networks efficiently via 218.Nm stf . 219For inbound traffic, you will not receive any 6to4-tunneled packets 220.Pq less security drawbacks . 221Be careful not to advertise your 6to4 prefix to others 222.Pq Li 2002:8504:0506::/48 , 223and not to use your 6to4 prefix as a source. 224.Bd -literal 225# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 226# ifconfig stf0 create inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ 227 prefixlen 16 alias deprecated link0 228# route add -inet6 2002:: -prefixlen 16 ::1 -ifp stf0 229.Ed 230.\" 231.Sh SEE ALSO 232.Xr gif 4 , 233.Xr inet 4 , 234.Xr inet6 4 235.Pp 236.Pa http://www.6bone.net/6bone_6to4.html 237.Rs 238.%A Brian Carpenter 239.%A Keith Moore 240.%T "Connection of IPv6 Domains via IPv4 Clouds" 241.%D February 2001 242.%R RFC 243.%N 3056 244.Re 245.Rs 246.%A Jun-ichiro itojun Hagino 247.%T "Possible abuse against IPv6 transition technologies" 248.%D July 2000 249.%N draft-itojun-ipv6-transition-abuse-01.txt 250.%O work in progress 251.Re 252.\" 253.Sh HISTORY 254The 255.Nm 256device first appeared in WIDE/KAME IPv6 stack. 257.\" 258.Sh BUGS 259No more than one 260.Nm 261interface is allowed for a node, 262and no more than one IPv6 interface address is allowed for an 263.Nm 264interface. 265It is to avoid source address selection conflicts 266between IPv6 layer and IPv4 layer, 267and to cope with ingress filtering rule on the other side. 268This is a feature to make 269.Nm 270work right for all occasions. 271