stf - 6to4 tunnel interface
For ordinary nodes in 6to4 site, you do not need interface. The interface is necessary for site border router (called ``6to4 router'' in the specification).
Each interface is created at runtime using interface cloning. This is most easily done with the ifconfig(8) create command or using the cloned_interfaces variable in rc.conf5.
Due to the way 6to4 protocol is specified, interface requires certain configuration to work properly. Single (no more than 1) valid 6to4 address needs to be configured to the interface. ``A valid 6to4 address'' is an address which has the following properties. If any of the following properties are not satisfied, raises runtime error on packet transmission. Read the specification for more details.
If you would like the node to behave as a relay router, the prefix length for the IPv6 interface address needs to be 16 so that the node would consider any 6to4 destination as ``on-link'' If you would like to restrict 6to4 peers to be inside certain IPv4 prefix, you may want to configure IPv6 prefix length as ``16 + IPv4 prefix length'' interface will check the IPv4 source address on packets, if the IPv6 prefix length is larger than 16.
can be configured to be ECN friendly. This can be configured by IFF_LINK1 See gif(4) for details.
Please note that 6to4 specification is written as ``accept tunnelled packet from everyone'' tunnelling device. By enabling device, you are making it much easier for malicious parties to inject fabricated IPv6 packet to your node. Also, malicious party can inject an IPv6 packet with fabricated source address to make your node generate improper tunnelled packet. Administrators must take caution when enabling the interface. To prevent possible attacks, interface filters out the following packets. Note that the checks are no way complete:
It is recommended to filter/audit incoming IPv4 packet with IP protocol number 41, as necessary. It is also recommended to filter/audit encapsulated IPv6 packets as well. You may also want to run normal ingress filter against inner IPv6 address to avoid spoofing.
By setting the IFF_LINK0 flag on the interface, it is possible to disable the input path, making the direct attacks from the outside impossible. Note, however, there are other security risks exist. If you wish to use the configuration, you must not advertise your 6to4 address to others.
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ prefixlen 16 alias
The following configuration accepts packets from IPv4 source 9.1.0.0/16 only. It emits 6to4 packet only for IPv6 destination 2002:0901::/32 (IPv4 destination will match 9.1.0.0/16 )
# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 # ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \ prefixlen 32 alias
The following configuration uses the interface as an output-only device. You need to have alternative IPv6 connectivity (other than 6to4) to use this configuration. For outbound traffic, you can reach other 6to4 networks efficiently via stf For inbound traffic, you will not receive any 6to4-tunneled packets (less security drawbacks). Be careful not to advertise your 6to4 prefix to others (2002:8504:0506::/48 ) and not to use your 6to4 prefix as a source.
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ prefixlen 16 alias deprecated link0 # route add -inet6 2002:: -prefixlen 16 ::1 # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0
http://www.6bone.net/6bone_6to4.html
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |