Lines 64-107
64 |
.Pp |
64 |
.Pp |
65 |
To use |
65 |
To use |
66 |
.Nm , |
66 |
.Nm , |
67 |
administrator needs to configure protocol and addresses used for the outer |
67 |
the administrator needs to configure the protocol and addresses used for the outer |
68 |
header. |
68 |
header. |
69 |
This can be done by using |
69 |
This can be done by using |
70 |
.Xr gifconfig 8 , |
70 |
.Xr gifconfig 8 , |
71 |
or |
71 |
or |
72 |
.Dv SIOCSIFPHYADDR |
72 |
.Dv SIOCSIFPHYADDR |
73 |
ioctl. |
73 |
ioctl. |
74 |
Also, administrator needs to configure protocol and addresses used for the |
74 |
The administrator also needs to configure the protocol and addresses for the |
75 |
inner header, by using |
75 |
inner header, with |
76 |
.Xr ifconfig 8 . |
76 |
.Xr ifconfig 8 . |
77 |
Note that IPv6 link-local address |
77 |
Note that IPv6 link-local addresses |
78 |
(those start with |
78 |
(those that start with |
79 |
.Li fe80:: ) |
79 |
.Li fe80:: ) |
80 |
will be automatically configured whenever possible. |
80 |
will be automatically be configured whenever possible. |
81 |
You may need to remove IPv6 link-local address manually using |
81 |
You may need to remove IPv6 link-local addresses manually using |
82 |
.Xr ifconfig 8 , |
82 |
.Xr ifconfig 8 , |
83 |
when you would like to disable the use of IPv6 as inner header |
83 |
if you want to disable the use of IPv6 as the inner header |
84 |
(like when you need pure IPv4-over-IPv6 tunnel). |
84 |
(for example, if you need a pure IPv4-over-IPv6 tunnel). |
85 |
Finally, use routing table to route the packets toward |
85 |
Finally, you must modify the routing table to route the packets through the |
86 |
.Nm |
86 |
.Nm |
87 |
interface. |
87 |
interface. |
88 |
.Pp |
88 |
.Pp |
|
|
89 |
The |
89 |
.Nm |
90 |
.Nm |
90 |
can be configured to be ECN friendly. |
91 |
pseudo-device can be configured to be ECN friendly. |
91 |
This can be configured by |
92 |
This can be configured by |
92 |
.Dv IFF_LINK1 . |
93 |
.Dv IFF_LINK1 . |
93 |
.Ss ECN friendly behavior |
94 |
.Ss ECN friendly behavior |
|
|
95 |
The |
94 |
.Nm |
96 |
.Nm |
95 |
can be configured to be ECN friendly, as described in |
97 |
pseudo-device can be configured to be ECN friendly, as described in |
96 |
.Dv draft-ietf-ipsec-ecn-02.txt . |
98 |
.Dv draft-ietf-ipsec-ecn-02.txt . |
97 |
This is turned off by default, and can be turned on by |
99 |
This is turned off by default, and can be turned on by the |
98 |
.Dv IFF_LINK1 |
100 |
.Dv IFF_LINK1 |
99 |
interface flag. |
101 |
interface flag. |
100 |
.Pp |
102 |
.Pp |
101 |
Without |
103 |
Without |
102 |
.Dv IFF_LINK1 , |
104 |
.Dv IFF_LINK1 , |
103 |
.Nm |
105 |
.Nm |
104 |
will show a normal behavior, like described in RFC2893. |
106 |
will show normal behavior, as described in RFC2893. |
105 |
This can be summarized as follows: |
107 |
This can be summarized as follows: |
106 |
.Bl -tag -width "Ingress" -offset indent |
108 |
.Bl -tag -width "Ingress" -offset indent |
107 |
.It Ingress |
109 |
.It Ingress |
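Review bot: new line 80 introduces a duplicated auxiliary, `will be automatically be configured whenever possible.`; it should read `will automatically be configured whenever possible.` Separately, the reworded paragraph at new lines 89-92 (`pseudo-device can be configured to be ECN friendly.` / `This can be configured by` / `.Dv IFF_LINK1 .`) restates what the `.Ss ECN friendly behavior` subsection says immediately afterwards at lines 95-101, which additionally names the default (off). Since this revision already touches both paragraphs, consider dropping the duplicate before the `.Ss` and keeping only the subsection.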
Lines 139-153
139 |
Note that the ECN friendly behavior violates RFC2893. |
141 |
Note that the ECN friendly behavior violates RFC2893. |
140 |
This should be used in mutual agreement with the peer. |
142 |
This should be used in mutual agreement with the peer. |
141 |
.Ss Security |
143 |
.Ss Security |
142 |
Malicious party may try to circumvent security filters by using |
144 |
A malicious party may try to circumvent security filters by using |
143 |
tunnelled packets. |
145 |
tunnelled packets. |
144 |
For better protection, |
146 |
For better protection, |
145 |
.Nm |
147 |
.Nm |
146 |
performs martian filter and ingress filter against outer source address, |
148 |
performs both martian and ingress filtering against the outer source address |
147 |
on egress. |
149 |
on egress. |
148 |
Note that martian/ingress filters are no way complete. |
150 |
Note that martian/ingress filters are in no way complete. |
149 |
You may want to secure your node by using packet filters. |
151 |
You may want to secure your node by using packet filters. |
150 |
Ingress filter can be turned off by |
152 |
Ingress filtering can be turned off by |
151 |
.Dv IFF_LINK2 |
153 |
.Dv IFF_LINK2 |
152 |
bit. |
154 |
bit. |
153 |
.\" |
155 |
.\" |
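Review bot: terminology is inconsistent between this hunk and the ECN section: new lines 152-154 say ingress filtering is turned off by the `.Dv IFF_LINK2` `bit.`, while the ECN text calls `.Dv IFF_LINK1` an `interface flag.`; use `flag` in both places. Also, `performs both martian and ingress filtering against the outer source address` / `on egress.` keeps the original's trailing `on egress`, which after the rewording is easy to misread (is the check applied as packets leave the tunnel, or to the outer source of packets being sent?); since readers use this paragraph to decide whether they still need a packet filter, it is worth spelling out which direction of traffic the martian and ingress checks apply to.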
Lines 192-204
192 |
.Sh HISTORY |
194 |
.Sh HISTORY |
193 |
The |
195 |
The |
194 |
.Nm |
196 |
.Nm |
195 |
device first appeared in WIDE hydrangea IPv6 kit. |
197 |
device first appeared in the WIDE hydrangea IPv6 kit. |
196 |
.\" |
198 |
.\" |
197 |
.Sh BUGS |
199 |
.Sh BUGS |
198 |
There are many tunnelling protocol specifications, |
200 |
There are many tunnelling protocol specifications, all |
199 |
defined differently from each other. |
201 |
defined differently from each other. The |
200 |
.Nm |
202 |
.Nm |
201 |
may not interoperate with peers which are based on different specifications, |
203 |
pseudo-device may not interoperate with peers which are based on different specifications, |
202 |
and are picky about outer header fields. |
204 |
and are picky about outer header fields. |
203 |
For example, you cannot usually use |
205 |
For example, you cannot usually use |
204 |
.Nm |
206 |
.Nm |
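Review bot: new line 201 `defined differently from each other. The` starts a new sentence mid-line, which breaks the mdoc convention that each sentence begins on a new line; put `The` on its own line before `.Nm`. New line 203 `pseudo-device may not interoperate with peers which are based on different specifications,` also runs past 80 columns; wrap it, e.g. `pseudo-device may not interoperate with peers which are based on` / `different specifications, and are picky about outer header fields.`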
Lines 206-236
206 |
.Pp |
208 |
.Pp |
207 |
The current code does not check if the ingress address |
209 |
The current code does not check if the ingress address |
208 |
(outer source address) |
210 |
(outer source address) |
209 |
configured to |
211 |
configured in the |
210 |
.Nm |
212 |
.Nm |
211 |
makes sense. |
213 |
interface makes sense. |
212 |
Make sure to configure an address which belongs to your node. |
214 |
Make sure to specify an address which belongs to your node. |
213 |
Otherwise, your node will not be able to receive packets from the peer, |
215 |
Otherwise, your node will not be able to receive packets from the peer, |
214 |
and your node will generate packets with a spoofed source address. |
216 |
and it will generate packets with a spoofed source address. |
215 |
.Pp |
217 |
.Pp |
216 |
If the outer protocol is IPv4, |
218 |
If the outer protocol is IPv4, |
217 |
.Nm |
219 |
.Nm |
218 |
does not try to perform path MTU discovery for the encapsulated packet |
220 |
does not try to perform path MTU discovery for the encapsulated packet |
219 |
(DF bit is set to 0). |
221 |
(DF bit is set to 0). |
220 |
.Pp |
222 |
.Pp |
221 |
If the outer protocol is IPv6, path MTU discovery for encapsulated packet |
223 |
If the outer protocol is IPv6, path MTU discovery for encapsulated packets |
222 |
may affect communication over the interface. |
224 |
may affect communication over the interface. |
223 |
The first bigger-than-pmtu packet may be lost. |
225 |
The first bigger-than-pmtu packet may be lost. |
224 |
To avoid the problem, you may want to set the interface MTU for |
226 |
To avoid the problem, you may want to set the interface MTU for |
225 |
.Nm |
227 |
.Nm |
226 |
to 1240 or smaller, when outer header is IPv6 and inner header is IPv4. |
228 |
to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4. |
227 |
.Pp |
229 |
.Pp |
|
|
230 |
The |
228 |
.Nm |
231 |
.Nm |
229 |
does not translate ICMP messages for outer header into inner header. |
232 |
pseudo-device does not translate ICMP messages for the outer header into the inner header. |
230 |
.Pp |
233 |
.Pp |
231 |
In the past, |
234 |
In the past, |
232 |
.Nm |
235 |
.Nm |
233 |
had a multi-destination behavior, configurable via |
236 |
had a multi-destination behavior, configurable via |
234 |
.Dv IFF_LINK0 |
237 |
.Dv IFF_LINK0 |
235 |
flag. |
238 |
flag. |
236 |
The behavior was obsoleted and is no longer supported. |
239 |
The behavior is obsolete and is no longer supported. |
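Review bot: new line 232 `pseudo-device does not translate ICMP messages for the outer header into the inner header.` runs past 80 columns; wrap it after `outer header`. In the preceding paragraph, `Make sure to specify an address which belongs to your node.` is the only warning that a wrong setting makes the node emit packets with a spoofed source address, so it helps to keep the sentence explicit about which address is meant, matching the parenthetical at line 210: `Make sure to specify an outer source address which belongs to your node.`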