|GIF(4)||FreeBSD Kernel Interfaces Manual||GIF(4)|
NAMEgif — generic tunnel interface
DESCRIPTIONThe gif interface is a generic tunnelling device for IPv4 and IPv6. It can tunnel IPv traffic over IPv. Therefore, there can be four possible configurations. The behavior of gif is mainly based on RFC2893 IPv6-over-IPv4 configured tunnel. On NetBSD, gif can also tunnel ISO traffic over IPv using EON encapsulation. Note that gif does not perform GRE encapsulation; use gre(4) for GRE encapsulation.
Each gif interface is created at runtime using interface cloning. This is most easily done with the “ ifconfig create” command or using the ifconfig_< interface> variable in rc.conf(5).
To use gif, the administrator needs to configure the protocol and addresses used for the outer header. This can be done by using ifconfig(8) tunnel, or SIOCSIFPHYADDR ioctl. The administrator also needs to configure the protocol and addresses for the inner header, with ifconfig(8). Note that IPv6 link-local addresses (those that start with
fe80::) will be automatically configured whenever possible. You may need to remove IPv6 link-local addresses manually using ifconfig(8), if you want to disable the use of IPv6 as the inner header (for example, if you need a pure IPv4-over-IPv6 tunnel). Finally, you must modify the routing table to route the packets through the gif interface.
The gif device can be configured to be ECN friendly. This can be configured by IFF_LINK1.
ECN friendly behaviorThe gif device can be configured to be ECN friendly, as described in draft-ietf-ipsec-ecn-02.txt. This is turned off by default, and can be turned on by the IFF_LINK1 interface flag.
Without IFF_LINK1, gif will show normal behavior, as described in RFC2893. This can be summarized as follows:
- Set outer TOS bit to 0.
- Drop outer TOS bit.
With IFF_LINK1, gif will copy ECN bits ( 0x02 and 0x01 on IPv4 TOS byte or IPv6 traffic class byte) on egress and ingress, as follows:
- Copy TOS bits except for ECN CE (masked with 0xfe) from inner to outer. Set ECN CE bit to 0.
- Use inner TOS bits with some change. If outer ECN CE bit is 1, enable ECN CE bit on the inner.
Note that the ECN friendly behavior violates RFC2893. This should be used in mutual agreement with the peer.
SecurityA malicious party may try to circumvent security filters by using tunnelled packets. For better protection, gif performs both martian and ingress filtering against the outer source address on egress. Note that martian/ingress filters are in no way complete. You may want to secure your node by using packet filters. Ingress filtering can break tunnel operation in an asymmetrically routed network. It can be turned off by IFF_LINK2 bit.
Route cachingProcessing each packet requires two route lookups: first on the packet itself, and second on the tunnel destination. This second route can be cached, increasing tunnel performance. However, in a dynamically routed network, the tunnel will stick to the cached route, ignoring routing table updates. Route caching can be enabled with the IFF_LINK0 flag.
MiscellaneousBy default, gif tunnels may not be nested. This behavior may be modified at runtime by setting the sysctl(8) variable net.link.gif.max_nesting to the desired level of nesting. Additionally, gif tunnels are restricted to one per pair of end points. Parallel tunnels may be enabled by setting the sysctl(8) variable net.link.gif.parallel_tunnels to 1.
SEE ALSOgre(4), inet(4), inet6(4), ifconfig(8)
R. Gilligan and E. Nordmark, Transition Mechanisms for IPv6 Hosts and Routers, RFC2893, http://tools.ietf.org/html/rfc2893, August 2000.
Sally Floyd, David L. Black, and K. K. Ramakrishnan, IPsec Interactions with ECN, December 1999, draft-ietf-ipsec-ecn-02.txt.
HISTORYThe gif device first appeared in the WIDE hydrangea IPv6 kit.
BUGSThere are many tunnelling protocol specifications, all defined differently from each other. The gif device may not interoperate with peers which are based on different specifications, and are picky about outer header fields. For example, you cannot usually use gif to talk with IPsec devices that use IPsec tunnel mode.
The current code does not check if the ingress address (outer source address) configured in the gif interface makes sense. Make sure to specify an address which belongs to your node. Otherwise, your node will not be able to receive packets from the peer, and it will generate packets with a spoofed source address.
If the outer protocol is IPv4, gif does not try to perform path MTU discovery for the encapsulated packet (DF bit is set to 0).
If the outer protocol is IPv6, path MTU discovery for encapsulated packets may affect communication over the interface. The first bigger-than-pmtu packet may be lost. To avoid the problem, you may want to set the interface MTU for gif to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4.
The gif device does not translate ICMP messages for the outer header into the inner header.
In the past, gif had a multi-destination behavior, configurable via IFF_LINK0 flag. The behavior is obsolete and is no longer supported.
On FreeBSD 6.1, 6.2, 6.3, 7.0, 7.1, and 7.2 the gif sends and receives incorrect EtherIP packets with reversed version field when if_bridge(4) is used together. As a workaround on this interoperability issue, the following two ifconfig(8) flags can be used:
- accepts both correct EtherIP packets and ones with reversed version field, if enabled. If disabled, the gif accepts the correct packets only. This flag is enabled by default.
- sends EtherIP packets with reversed version field intentionally, if enabled. If disabled, the gif sends the correct packets only. This flag is disabled by default.
If interoperability with the older FreeBSD machines is needed, both of these two flags must be enabled.
|August 1, 2011||FreeBSD|