|
Lines 64-107
Link Here
|
| 64 |
.Pp |
64 |
.Pp |
| 65 |
To use |
65 |
To use |
| 66 |
.Nm , |
66 |
.Nm , |
| 67 |
administrator needs to configure protocol and addresses used for the outer |
67 |
the administrator needs to configure the protocol and addresses used for the outer |
| 68 |
header. |
68 |
header. |
| 69 |
This can be done by using |
69 |
This can be done by using |
| 70 |
.Xr gifconfig 8 , |
70 |
.Xr gifconfig 8 , |
| 71 |
or |
71 |
or |
| 72 |
.Dv SIOCSIFPHYADDR |
72 |
.Dv SIOCSIFPHYADDR |
| 73 |
ioctl. |
73 |
ioctl. |
| 74 |
Also, administrator needs to configure protocol and addresses used for the |
74 |
The administrator also needs to configure the protocol and addresses for the |
| 75 |
inner header, by using |
75 |
inner header, with |
| 76 |
.Xr ifconfig 8 . |
76 |
.Xr ifconfig 8 . |
| 77 |
Note that IPv6 link-local address |
77 |
Note that IPv6 link-local addresses |
| 78 |
(those start with |
78 |
(those that start with |
| 79 |
.Li fe80:: ) |
79 |
.Li fe80:: ) |
| 80 |
will be automatically configured whenever possible. |
80 |
will be automatically be configured whenever possible. |
| 81 |
You may need to remove IPv6 link-local address manually using |
81 |
You may need to remove IPv6 link-local addresses manually using |
| 82 |
.Xr ifconfig 8 , |
82 |
.Xr ifconfig 8 , |
| 83 |
when you would like to disable the use of IPv6 as inner header |
83 |
if you want to disable the use of IPv6 as the inner header |
| 84 |
(like when you need pure IPv4-over-IPv6 tunnel). |
84 |
(for example, if you need a pure IPv4-over-IPv6 tunnel). |
| 85 |
Finally, use routing table to route the packets toward |
85 |
Finally, you must modify the routing table to route the packets through the |
| 86 |
.Nm |
86 |
.Nm |
| 87 |
interface. |
87 |
interface. |
| 88 |
.Pp |
88 |
.Pp |
|
|
89 |
The |
| 89 |
.Nm |
90 |
.Nm |
| 90 |
can be configured to be ECN friendly. |
91 |
pseudo-device can be configured to be ECN friendly. |
| 91 |
This can be configured by |
92 |
This can be configured by |
| 92 |
.Dv IFF_LINK1 . |
93 |
.Dv IFF_LINK1 . |
| 93 |
.Ss ECN friendly behavior |
94 |
.Ss ECN friendly behavior |
|
|
95 |
The |
| 94 |
.Nm |
96 |
.Nm |
| 95 |
can be configured to be ECN friendly, as described in |
97 |
pseudo-device can be configured to be ECN friendly, as described in |
| 96 |
.Dv draft-ietf-ipsec-ecn-02.txt . |
98 |
.Dv draft-ietf-ipsec-ecn-02.txt . |
| 97 |
This is turned off by default, and can be turned on by |
99 |
This is turned off by default, and can be turned on by the |
| 98 |
.Dv IFF_LINK1 |
100 |
.Dv IFF_LINK1 |
| 99 |
interface flag. |
101 |
interface flag. |
| 100 |
.Pp |
102 |
.Pp |
| 101 |
Without |
103 |
Without |
| 102 |
.Dv IFF_LINK1 , |
104 |
.Dv IFF_LINK1 , |
| 103 |
.Nm |
105 |
.Nm |
| 104 |
will show a normal behavior, like described in RFC2893. |
106 |
will show normal behavior, as described in RFC2893. |
| 105 |
This can be summarized as follows: |
107 |
This can be summarized as follows: |
| 106 |
.Bl -tag -width "Ingress" -offset indent |
108 |
.Bl -tag -width "Ingress" -offset indent |
| 107 |
.It Ingress |
109 |
.It Ingress |
|
Lines 139-153
Link Here
|
| 139 |
Note that the ECN friendly behavior violates RFC2893. |
141 |
Note that the ECN friendly behavior violates RFC2893. |
| 140 |
This should be used in mutual agreement with the peer. |
142 |
This should be used in mutual agreement with the peer. |
| 141 |
.Ss Security |
143 |
.Ss Security |
| 142 |
Malicious party may try to circumvent security filters by using |
144 |
A malicious party may try to circumvent security filters by using |
| 143 |
tunnelled packets. |
145 |
tunnelled packets. |
| 144 |
For better protection, |
146 |
For better protection, |
| 145 |
.Nm |
147 |
.Nm |
| 146 |
performs martian filter and ingress filter against outer source address, |
148 |
performs both martian and ingress filtering against the outer source address |
| 147 |
on egress. |
149 |
on egress. |
| 148 |
Note that martian/ingress filters are no way complete. |
150 |
Note that martian/ingress filters are in no way complete. |
| 149 |
You may want to secure your node by using packet filters. |
151 |
You may want to secure your node by using packet filters. |
| 150 |
Ingress filter can be turned off by |
152 |
Ingress filtering can be turned off by |
| 151 |
.Dv IFF_LINK2 |
153 |
.Dv IFF_LINK2 |
| 152 |
bit. |
154 |
bit. |
| 153 |
.\" |
155 |
.\" |
|
Lines 192-204
Link Here
|
| 192 |
.Sh HISTORY |
194 |
.Sh HISTORY |
| 193 |
The |
195 |
The |
| 194 |
.Nm |
196 |
.Nm |
| 195 |
device first appeared in WIDE hydrangea IPv6 kit. |
197 |
device first appeared in the WIDE hydrangea IPv6 kit. |
| 196 |
.\" |
198 |
.\" |
| 197 |
.Sh BUGS |
199 |
.Sh BUGS |
| 198 |
There are many tunnelling protocol specifications, |
200 |
There are many tunnelling protocol specifications, all |
| 199 |
defined differently from each other. |
201 |
defined differently from each other. The |
| 200 |
.Nm |
202 |
.Nm |
| 201 |
may not interoperate with peers which are based on different specifications, |
203 |
pseudo-device may not interoperate with peers which are based on different specifications, |
| 202 |
and are picky about outer header fields. |
204 |
and are picky about outer header fields. |
| 203 |
For example, you cannot usually use |
205 |
For example, you cannot usually use |
| 204 |
.Nm |
206 |
.Nm |
|
Lines 206-236
Link Here
|
| 206 |
.Pp |
208 |
.Pp |
| 207 |
The current code does not check if the ingress address |
209 |
The current code does not check if the ingress address |
| 208 |
(outer source address) |
210 |
(outer source address) |
| 209 |
configured to |
211 |
configured in the |
| 210 |
.Nm |
212 |
.Nm |
| 211 |
makes sense. |
213 |
interface makes sense. |
| 212 |
Make sure to configure an address which belongs to your node. |
214 |
Make sure to specify an address which belongs to your node. |
| 213 |
Otherwise, your node will not be able to receive packets from the peer, |
215 |
Otherwise, your node will not be able to receive packets from the peer, |
| 214 |
and your node will generate packets with a spoofed source address. |
216 |
and it will generate packets with a spoofed source address. |
| 215 |
.Pp |
217 |
.Pp |
| 216 |
If the outer protocol is IPv4, |
218 |
If the outer protocol is IPv4, |
| 217 |
.Nm |
219 |
.Nm |
| 218 |
does not try to perform path MTU discovery for the encapsulated packet |
220 |
does not try to perform path MTU discovery for the encapsulated packet |
| 219 |
(DF bit is set to 0). |
221 |
(DF bit is set to 0). |
| 220 |
.Pp |
222 |
.Pp |
| 221 |
If the outer protocol is IPv6, path MTU discovery for encapsulated packet |
223 |
If the outer protocol is IPv6, path MTU discovery for encapsulated packets |
| 222 |
may affect communication over the interface. |
224 |
may affect communication over the interface. |
| 223 |
The first bigger-than-pmtu packet may be lost. |
225 |
The first bigger-than-pmtu packet may be lost. |
| 224 |
To avoid the problem, you may want to set the interface MTU for |
226 |
To avoid the problem, you may want to set the interface MTU for |
| 225 |
.Nm |
227 |
.Nm |
| 226 |
to 1240 or smaller, when outer header is IPv6 and inner header is IPv4. |
228 |
to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4. |
| 227 |
.Pp |
229 |
.Pp |
|
|
230 |
The |
| 228 |
.Nm |
231 |
.Nm |
| 229 |
does not translate ICMP messages for outer header into inner header. |
232 |
pseudo-device does not translate ICMP messages for the outer header into the inner header. |
| 230 |
.Pp |
233 |
.Pp |
| 231 |
In the past, |
234 |
In the past, |
| 232 |
.Nm |
235 |
.Nm |
| 233 |
had a multi-destination behavior, configurable via |
236 |
had a multi-destination behavior, configurable via |
| 234 |
.Dv IFF_LINK0 |
237 |
.Dv IFF_LINK0 |
| 235 |
flag. |
238 |
flag. |
| 236 |
The behavior was obsoleted and is no longer supported. |
239 |
The behavior is obsolete and is no longer supported. |