Subject: Re: ipip and gif (and protocol tunnels in general)
To: NetBSD Networking Technical Discussion List <tech-net@NetBSD.ORG>
From: None <itojun@iijlab.net>
List: tech-net
Date: 04/19/2000 12:50:47
>What still confuses me about tunnels in general though is the question
>of whether or not the "outer" addresses have to match (exactly) another
>interface address (eg. the "outside" ethernet or PPP interface).  It
>would seem to me that they do and if this is so then why specify the
>local "outer" address as an address number to {gre,gif}config?  Why not
>just specify the associated interface name itself instead?  Does it
>really matter if it is possible to specify an alias address or not (even
>though that's exactly what I did as described in my reply to PR#9920)?

	no, we don't need to match outer destination address for gif,
	with destination address for some p2p interface (in the above, ppp).
	outer source address for gif needs to be an address belonging to my node
	(otherwise you end up generating packets with a spoofed source
	address - we may want to put some sanity check on it).

	For example, it is legitimate for a node to configure a far-away
	node as outer destination address for gif.  We do it frequently
	for tunnelling IPv6 packets across the IPv4 ocean.

	# gifconfig gif0 x.x.x.x y.y.y.y
		x.x.x.x = my IPv4 address
		y.y.y.y = somewhere far away
	# ping6 -I gif0 -n ff02::1

	((IPv6 cloud in my site))
		x.x.x.x (dual stack)
		  |
		((IPv4 cloud))
		  |
		y.y.y.y (dual stack)
	((IPv6 cloud in peer's site))

itojun
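
The sanity check mentioned in the message, sketched as an added userland example (not part of the original post and not NetBSD kernel code): before an address is used as the gif outer source, confirm it is a unicast address configured on this node. The function name and result codes are hypothetical, the check covers IPv4 outer addresses only, and getifaddrs(3) stands in for the kernel's own address list.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { SRC_OK = 0, SRC_BAD_SYNTAX, SRC_NOT_UNICAST, SRC_NOT_LOCAL };

/* Check an IPv4 outer source against a list of the node's addresses.
 * Alias addresses are separate list entries, so they pass as well. */
int outer_src_check(const char *text, const struct ifaddrs *list)
{
    struct in_addr src;
    if (inet_pton(AF_INET, text, &src) != 1)
        return SRC_BAD_SYNTAX;
    uint32_t h = ntohl(src.s_addr);
    if (h == INADDR_ANY || h == INADDR_BROADCAST || IN_MULTICAST(h))
        return SRC_NOT_UNICAST;
    for (const struct ifaddrs *ifa = list; ifa != NULL; ifa = ifa->ifa_next) {
        const struct sockaddr *sa = ifa->ifa_addr;
        if (sa == NULL || sa->sa_family != AF_INET)
            continue;   /* skip link-layer and IPv6 entries */
        if (((const struct sockaddr_in *)sa)->sin_addr.s_addr == src.s_addr)
            return SRC_OK;
    }
    return SRC_NOT_LOCAL;   /* tunnel would emit a spoofed outer source */
}

/* Usage: ./a.out <outer-source>; checks against this host's live addresses. */
int main(int argc, char **argv)
{
    struct ifaddrs *list = NULL;
    if (argc != 2 || getifaddrs(&list) != 0)
        return 2;
    int rc = outer_src_check(argv[1], list);
    freeifaddrs(list);
    printf("%s: %s\n", argv[1], rc == SRC_OK ? "usable as outer source" : "rejected");
    return rc == SRC_OK ? 0 : 1;
}
```

The outer destination is deliberately not checked against any interface, since the message says a far-away node is a legitimate destination.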