| author | ume <ume@FreeBSD.org> | 2001-06-11 12:39:29 +0000 |
|---|---|---|
| committer | ume <ume@FreeBSD.org> | 2001-06-11 12:39:29 +0000 |
| commit | 832f8d224926758a9ae0b23a6b45353e44fbc87a (patch) | |
| tree | a79fc7ad2b97862c4a404f352f0211ad93a7b5f1 /share/man/man4/stf.4 | |
| parent | 2693854b01a52b0395a91322aa3edf926bddff38 (diff) | |
| download | FreeBSD-src-832f8d224926758a9ae0b23a6b45353e44fbc87a.zip FreeBSD-src-832f8d224926758a9ae0b23a6b45353e44fbc87a.tar.gz | |
Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz, and some
critical problems after the snap was out were fixed.
There are many many changes since the last KAME merge.
TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of a binary compatibility
issue. It should be fixed under 5-CURRENT.
- The ip6po_m member of struct ip6_pktopts is no longer used. But it
is still there because of a binary compatibility issue. It should
be removed under 5-CURRENT.
Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks
Diffstat (limited to 'share/man/man4/stf.4')
-rw-r--r-- | share/man/man4/stf.4 | 70 |
1 files changed, 60 insertions, 10 deletions
diff --git a/share/man/man4/stf.4 b/share/man/man4/stf.4 index fdac049..c5f05e3 100644 --- a/share/man/man4/stf.4 +++ b/share/man/man4/stf.4 @@ -1,5 +1,5 @@ .\" $FreeBSD$ -.\" $KAME: stf.4,v 1.24 2000/06/07 23:35:18 itojun Exp $ +.\" $KAME: stf.4,v 1.35 2001/05/02 06:24:49 itojun Exp $ .\" .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. .\" All rights reserved. @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd March 6, 2000 +.Dd April 27, 2001 .Dt STF 4 .Os .Sh NAME @@ -45,7 +45,7 @@ interface supports .Dq 6to4 IPv6 in IPv4 encapsulation. It can tunnel IPv6 traffic over IPv4, as specified in -.Li draft-ietf-ngtrans-6to4-06.txt . +.Li RFC3056 . .Pp For ordinary nodes in 6to4 site, you do not need .Nm @@ -142,6 +142,9 @@ all of the directly connected subnets. .It Packets that does not pass ingress filtering. Outer IPv4 source address must meet the IPv4 topology on the routing table. +Ingress filter can be turned off by +.Dv IFF_LINK2 +bit. .It The same set of rules are appplied against the IPv4 address embedded into inner IPv6 address, if the IPv6 address matches 6to4 prefix. @@ -152,6 +155,16 @@ incoming IPv4 packet with IP protocol number 41, as necessary. It is also recommended to filter/audit encapsulated IPv6 packets as well. You may also want to run normal ingress filter against inner IPv6 address to avoid spoofing. +.Pp +By setting the +.Dv IFF_LINK0 +flag on the +.Nm +interface, it is possible to disable the input path, +making the direct attacks from the outside impossible. +Note, however, there are other security risks exist. +If you wish to use the configuration, +you must not advertise your 6to4 address to others. .\" .Sh EXAMPLES Note that 
@@ -175,28 +188,65 @@ It emits 6to4 packet only for IPv6 destination 2002:0901::/32 # ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \\ prefixlen 32 alias .Ed +.Pp +The following configuration uses the +.Nm +interface as an output-only device. +You need to have alternative IPv6 connectivity +.Pq other than 6to4 +to use this configuration. +For outbound traffic, you can reach other 6to4 networks efficiently via +.Nm stf . +For inbound traffic, you will not receive any 6to4-tunneled packets +.Pq less security drawbacks . +Be careful not to advertise your 6to4 prefix to others +.Pq Li 2002:8504:0506::/48 , +and not to use your 6to4 prefix as a source. +.Bd -literal +# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 +# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\ + prefixlen 16 alias deprecated link0 +# route add -inet6 2002:: -prefixlen 16 ::1 +# route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0 +.Ed .\" .Sh SEE ALSO .Xr gif 4 , .Xr inet 4 , .Xr inet6 4 +.Pp +.Pa http://www.6bone.net/6bone_6to4.html .Rs .%A Brian Carpenter .%A Keith Moore -.%T "Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels" -.%D June 2000 -.%N draft-ietf-ngtrans-6to4-06.txt -.%O work in progress +.%T "Connection of IPv6 Domains via IPv4 Clouds" +.%D February 2001 +.%R RFC +.%N 3056 .Re .Rs .%A Jun-ichiro itojun Hagino .%T "Possible abuse against IPv6 transition technologies" -.%D March 2000 -.%N draft-itojun-ipv6-transition-abuse-00.txt -.%O work in progress, http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt +.%D July 2000 +.%N draft-itojun-ipv6-transition-abuse-01.txt +.%O work in progress .Re .\" .Sh HISTORY The .Nm device first appeared in WIDE/KAME IPv6 stack. +.\" +.Sh BUGS +No more than one +.Nm +interface is allowed for a node, +and no more than one IPv6 interface address is allowed for an +.Nm +interface. 
+It is to avoid source address selection conflicts +between IPv6 layer and IPv4 layer, +and to cope with ingress filtering rule on the other side. +This is a feature to make +.Nm +work right for all occasions. |
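Review bot: in the hunk at @@ -142,6 +142,9 @@, the added sentence "Ingress filter can be turned off by .Dv IFF_LINK2 bit." tells the reader how to switch off the check the preceding bullet describes, but not what is lost: with IFF_LINK2 set, packets whose outer IPv4 source address does not match the routing table are accepted, so the spoofing protection this list of rules exists for is gone. Suggest matching the phrasing of the IFF_LINK0 paragraph later in this patch and naming the trade-off, e.g. "The ingress filter can be turned off by setting the .Dv IFF_LINK2 flag on the interface, at the cost of accepting packets with spoofed outer IPv4 source addresses." The unchanged context line just below still reads "appplied" (three p's); worth fixing while this paragraph is being touched.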
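Review bot: in the hunk at @@ -152,6 +155,16 @@, "making the direct attacks from the outside impossible" overstates what IFF_LINK0 buys. It disables the input path of this interface, so encapsulated packets are no longer decapsulated here, but the node still originates packets carrying a 6to4 source, which is exactly why the following sentences require that the 6to4 address not be advertised. Suggest "making direct attacks through the input path impossible". Two grammar points in the same paragraph: "Note, however, there are other security risks exist." should read "Note, however, that other security risks exist.", and "If you wish to use the configuration" should be "this configuration".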
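Review bot: in the hunk at @@ -175,28 +188,65 @@, the new example runs "route add -inet6 2002:: -prefixlen 16 ::1" immediately followed by "route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0" with no explanation; a reader will assume one of the two lines is a mistake. Add a sentence saying why the route is first added with ::1 as gateway and then re-pointed at stf0. Likewise "prefixlen 16 alias deprecated link0" packs three settings into one line that the prose does not tie together: "deprecated" keeps the address from being chosen as a source (which is what "not to use your 6to4 prefix as a source" asks for) and "link0" sets the IFF_LINK0 flag introduced in the previous section; say so next to the example. Minor wording: ".Pq less security drawbacks" should be "fewer security drawbacks"; in the new BUGS section, "It is to avoid" reads better as "This is to avoid", and "ingress filtering rule on the other side" as "rules". The BUGS text also ends by calling the single-interface limit "a feature", which sits oddly under a BUGS heading; either drop that sentence or move the paragraph to a CAVEATS section.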