Source-Changes-HG archive


[src/trunk]: src add stf(4), for stf (6to4) pseudo interface.



details:   https://anonhg.NetBSD.org/src/rev/11bbf56481b2
branches:  trunk
changeset: 485106:11bbf56481b2
user:      itojun <itojun%NetBSD.org@localhost>
date:      Wed Apr 19 06:34:19 2000 +0000

description:
add stf(4), for stf (6to4) pseudo interface.

diffstat:

 distrib/sets/lists/man/mi |    4 +-
 share/man/man4/Makefile   |    4 +-
 share/man/man4/stf.4      |  198 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 203 insertions(+), 3 deletions(-)

diffs (245 lines):

diff -r 2288fd94dfde -r 11bbf56481b2 distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Wed Apr 19 06:31:49 2000 +0000
+++ b/distrib/sets/lists/man/mi Wed Apr 19 06:34:19 2000 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.224 2000/04/17 17:06:21 augustss Exp $
+# $NetBSD: mi,v 1.225 2000/04/19 06:34:19 itojun Exp $
 ./usr/share/info/am-utils.info
 ./usr/share/info/awk.info
 ./usr/share/info/bfd.info
@@ -509,6 +509,7 @@
 ./usr/share/man/cat4/stderr.0
 ./usr/share/man/cat4/stdin.0
 ./usr/share/man/cat4/stdout.0
+./usr/share/man/cat4/stf.0
 ./usr/share/man/cat4/strip.0
 ./usr/share/man/cat4/sv.0
 ./usr/share/man/cat4/sw.0
@@ -1473,6 +1474,7 @@
 ./usr/share/man/man4/stderr.4
 ./usr/share/man/man4/stdin.4
 ./usr/share/man/man4/stdout.4
+./usr/share/man/man4/stf.4
 ./usr/share/man/man4/strip.4
 ./usr/share/man/man4/sv.4
 ./usr/share/man/man4/sw.4
diff -r 2288fd94dfde -r 11bbf56481b2 share/man/man4/Makefile
--- a/share/man/man4/Makefile   Wed Apr 19 06:31:49 2000 +0000
+++ b/share/man/man4/Makefile   Wed Apr 19 06:34:19 2000 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.142 2000/04/16 23:36:51 perry Exp $
+#      $NetBSD: Makefile,v 1.143 2000/04/19 06:34:20 itojun Exp $
 #      @(#)Makefile    8.1 (Berkeley) 6/18/93
 
 MAN=   adv.4 adw.4 ahb.4 ahc.4 aria.4 atalk.4 audio.4 auvia.4 awi.4 bha.4 \
@@ -42,7 +42,7 @@
 MAN+=  si.4
 
 # IPv6/IPsec
-MAN+=  faith.4 gif.4 inet6.4 icmp6.4 ip6.4 ipsec.4
+MAN+=  faith.4 gif.4 inet6.4 icmp6.4 ip6.4 ipsec.4 stf.4
 
 MLINKS+=bha.4 bt.4
 MLINKS+=cardbus.4 cbb.4
diff -r 2288fd94dfde -r 11bbf56481b2 share/man/man4/stf.4
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/share/man/man4/stf.4      Wed Apr 19 06:34:19 2000 +0000
@@ -0,0 +1,198 @@
+.\"     $NetBSD: stf.4,v 1.1 2000/04/19 06:34:21 itojun Exp $
+.\"     $KAME: stf.4,v 1.19 2000/04/19 05:22:08 itojun Exp $
+.\"
+.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd March 6, 2000
+.Dt STF 4
+.Os
+.Sh NAME
+.Nm stf
+.Nd
+.Tn 6to4 tunnel interface
+.Sh SYNOPSIS
+.Cd "pseudo-device stf"
+.Sh DESCRIPTION
+The
+.Nm
+interface supports
+.Dq 6to4
+IPv6 in IPv4 encapsulation.
+It can tunnel IPv6 traffic over IPv4, as specified in
+.Li draft-ietf-ngtrans-6to4-03.txt .
+.Pp
+For ordinary nodes in 6to4 site, you do not need
+.Nm
+interface.
+The
+.Nm
+interface is necessary for site border router
+.Po
+called
+.Dq 6to4 router
+in the specification
+.Pc .
+.Pp
+Due to the way 6to4 protocol is specified,
+.Nm
+interface requires certain configuration to work properly.
+Single
+.Pq no more than 1
+valid 6to4 address needs to be configured to the interface.
+.Dq A valid 6to4 address
+is an address which has the following properties.
+If any of the following properties are not satisfied,
+.Nm stf
+raises runtime error on packet transmission.
+Read the specification for more details.
+.Bl -bullet
+.It
+matches
+.Li 2002:xxyy:zzuu::/48
+where
+.Li xxyy:zzuu
+is a hexadecimal notation of an IPv4 address for the node.
+IPv4 address can be taken from any of interfaces your node has.
+.It
+Subnet identifier portion
+.Pq 48th to 63rd bit
+and interface identifier portion
+.Pq lower 64 bits
+are properly filled to avoid address collisions.
+.El
+.Pp
+If you would like the node to behave as a relay router,
+the prefix length for the IPv6 interface address needs to be 16 so that
+the node would consider any 6to4 destination as
+.Dq on-link .
+If you would like to restrict 6to4 peers to be inside certain IPv4 prefix,
+you may want to configure IPv6 prefix length as
+.Dq 16 + IPv4 prefix length .
+.Nm
+interface will check the IPv4 source address on packets,
+if the IPv6 prefix length is larger than 16.
+.Pp
+.Nm
+can be configured to be ECN friendly.
+This can be configured by
+.Dv IFF_LINK1 .
+See
+.Xr gif 4
+for details.
+.Pp
+Please note that 6to4 specification is written as
+.Dq accept tunnelled packet from everyone
+tunnelling device.
+By enabling
+.Nm
+device, you are making it much easier for malicious parties to inject
+fabricated IPv6 packet to your node.
+Also, malicious party can inject an IPv6 packet with fabricated source address
+to make your node generate improper tunnelled packet.
+Administrators must take caution when enabling the interface.
+It is recommended to filter/audit
+incoming IPv4 packet with IP protocol number 41, as necessary.
+To prevent possible attacks,
+.Nm
+interface filters out the following packets.
+Note that the checks are no way complete:
+.Bl -bullet
+.It
+Packets with IPv4 multicast address as outer IPv4 source/destination
+.Pq Li 224.0.0.0/4
+.It
+Packets with IPv4 unspecified addrss as outer IPv4 source/destination
+.Pq Li 0.0.0.0/32
+.It
+Packets with limited broadcast address as outer IPv4 source/destination
+.Pq Li 255.255.255.255/32
+.It
+Packets with subnet broadcast address as outer IPv4 source/destination.
+The check is made against subnet broadcast addresses for
+all of the directly connected subnets.
+.It
+Packets that does not pass ingress filtering.
+Outer IPv4 source address must meet the IPv4 topology on the routing table.
+.It
+The same set of rules are appplied against the IPv4 address embedded into
+inner IPv6 address, if the IPv6 address matches 6to4 prefix.
+.El
+.Pp
+You may also want to reject encapsulated IPv6 packets with
+suspicious 6to4 addresses, like
+.Li 2002:7f00::/24.
+You may also want to run normal ingress filter against inner IPv6 address
+to avoid spoofing.
+.\"
+.Sh EXAMPLES
+Note that
+.Li 8504:0506
+is equal to
+.Li 133.4.5.6 ,
+written in hexadecimals.
+.Bd -literal
+# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
+# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \\
+       prefixlen 16 alias
+.Ed
+.Pp
+The following configuration accepts packets from IPv4 source
+.Li 10.1.0.0/16
+only.
+It emits 6to4 packet only for IPv6 destination 2002:0a01::/32
+.Pq IPv4 destination will match Li 10.1.0.0/16 .
+.Bd -literal
+# ifconfig ne0 inet 10.1.2.3 netmask 0xffff0000
+# ifconfig stf0 inet6 2002:0a01:0203:0000:a00:5aff:fe38:6f86 \\
+       prefixlen 32 alias
+.Ed
+.\"
+.Sh SEE ALSO
+.Xr gif 4 ,
+.Xr inet 4 ,
+.Xr inet6 4
+.Rs
+.%A Brian Carpenter
+.%A Keith Moore
+.%T "Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels"
+.%D October 1999
+.%N draft-ietf-ngtrans-6to4-03.txt
+.%O work in progress
+.Re
+.Rs
+.%A Jun-ichiro itojun Hagino
+.%T "Possible abuse against IPv6 transition technologies"
+.%D March 2000
+.%N draft-itojun-ipv6-transition-abuse-00.txt
+.%O work in progress, http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00.txt
+.Re
+.\"
+.Sh HISTORY
+The
+.Nm
+device first appeared in WIDE/KAME IPv6 stack.
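Review bot: the outer-IPv4 filter list in DESCRIPTION (the `.Bl -bullet` after "interface filters out the following packets") names multicast, 0.0.0.0/32, limited and subnet broadcast and routing-table ingress filtering, but says nothing about the loopback range 127.0.0.0/8 or the RFC 1918 private ranges as outer source/destination, and the reader is left to infer from the later `2002:7f00::/24` advice that a loopback-derived 6to4 address is not rejected in the kernel; since the text already admits the checks are "no way complete", say concretely which ranges an administrator still has to block in the IPv4 filter on protocol 41 (at least 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and their `2002:` embeddings) instead of giving one example prefix. Two mdoc nits in the same hunk: `.Li 2002:7f00::/24.` folds the sentence period into the literal and should be written `.Li 2002:7f00::/24 .` like the other `.Li` lines, and a bare `.Nd` followed by `.Tn 6to4 tunnel interface` on the next line leaves the name description empty; `.Nd 6to4 tunnel interface` is the usual form. Spelling in the bullet list: "addrss", "appplied" and "Packets that does not pass" should be "address", "applied" and "Packets that do not pass". `.Dd March 6, 2000` predates this import; bump it to the commit date.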


