Provided by: freebsd-manpages_7.2-1_all bug

NAME

     stf - 6to4 tunnel interface

SYNOPSIS

     device stf

DESCRIPTION

     The stf interface supports “6to4” IPv6 in IPv4 encapsulation.  It can
     tunnel IPv6 traffic over IPv4, as specified in RFC3056.

     For ordinary nodes in 6to4 site, you do not need stf interface.  The stf
     interface is necessary for site border router (called “6to4 router” in
     the specification).

     Each stf interface is created at runtime using interface cloning.  This
     is most easily done with the ifconfig(8) create command or using the
     cloned_interfaces variable in rc.conf(5).

     Due to the way 6to4 protocol is specified, stf interface requires certain
     configuration to work properly.  Single (no more than 1) valid 6to4
     address needs to be configured to the interface.  “A valid 6to4 address”
     is an address which has the following properties.  If any of the
     following properties are not satisfied, stf raises runtime error on
     packet transmission.  Read the specification for more details.

     ·   matches 2002:xxyy:zzuu::/48 where xxyy:zzuu is a hexadecimal notation
         of an IPv4 address for the node.  IPv4 address can be taken from any
         of interfaces your node has.  Since the specification forbids the use
         of IPv4 private address, the address needs to be a global IPv4
         address.

     ·   Subnet identifier portion (48th to 63rd bit) and interface identifier
         portion (lower 64 bits) are properly filled to avoid address
         collisions.

     If you would like the node to behave as a relay router, the prefix length
     for the IPv6 interface address needs to be 16 so that the node would
     consider any 6to4 destination as “on-link”.  If you would like to
     restrict 6to4 peers to be inside certain IPv4 prefix, you may want to
     configure IPv6 prefix length as “16 + IPv4 prefix length”.  stf interface
     will check the IPv4 source address on packets, if the IPv6 prefix length
     is larger than 16.

     stf can be configured to be ECN friendly.  This can be configured by
     IFF_LINK1.  See gif(4) for details.

     Please note that 6to4 specification is written as “accept tunnelled
     packet from everyone” tunnelling device.  By enabling stf device, you are
     making it much easier for malicious parties to inject fabricated IPv6
     packet to your node.  Also, malicious party can inject an IPv6 packet
     with fabricated source address to make your node generate improper
     tunnelled packet.  Administrators must take caution when enabling the
     interface.  To prevent possible attacks, stf interface filters out the
     following packets.  Note that the checks are no way complete:

     ·   Packets with IPv4 unspecified address as outer IPv4
         source/destination (0.0.0.0/8)

     ·   Packets with loopback address as outer IPv4 source/destination
         (127.0.0.0/8)

     ·   Packets with IPv4 multicast address as outer IPv4 source/destination
         (224.0.0.0/4)

     ·   Packets with limited broadcast address as outer IPv4
         source/destination (255.0.0.0/8)

     ·   Packets with private address as outer IPv4 source/destination
         (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

     ·   Packets with subnet broadcast address as outer IPv4
         source/destination.  The check is made against subnet broadcast
         addresses for all of the directly connected subnets.

     ·   Packets that does not pass ingress filtering.  Outer IPv4 source
         address must meet the IPv4 topology on the routing table.  Ingress
         filter can be turned off by IFF_LINK2 bit.

     ·   The same set of rules are applied against the IPv4 address embedded
         into inner IPv6 address, if the IPv6 address matches 6to4 prefix.

     It is recommended to filter/audit incoming IPv4 packet with IP protocol
     number 41, as necessary.  It is also recommended to filter/audit
     encapsulated IPv6 packets as well.  You may also want to run normal
     ingress filter against inner IPv6 address to avoid spoofing.

     By setting the IFF_LINK0 flag on the stf interface, it is possible to
     disable the input path, making the direct attacks from the outside
     impossible.  Note, however, there are other security risks exist.  If you
     wish to use the configuration, you must not advertise your 6to4 address
     to others.

EXAMPLES

     Note that 8504:0506 is equal to 133.4.5.6, written in hexadecimals.

     # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
     # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \
             prefixlen 16 alias

     The following configuration accepts packets from IPv4 source 9.1.0.0/16
     only.  It emits 6to4 packet only for IPv6 destination 2002:0901::/32
     (IPv4 destination will match 9.1.0.0/16).

     # ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
     # ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \
             prefixlen 32 alias

     The following configuration uses the stf interface as an output-only
     device.  You need to have alternative IPv6 connectivity (other than 6to4)
     to use this configuration.  For outbound traffic, you can reach other
     6to4 networks efficiently via stf.  For inbound traffic, you will not
     receive any 6to4-tunneled packets (less security drawbacks).  Be careful
     not to advertise your 6to4 prefix to others (2002:8504:0506::/48), and
     not to use your 6to4 prefix as a source.

     # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
     # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \
             prefixlen 16 alias deprecated link0
     # route add -inet6 2002:: -prefixlen 16 ::1
     # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0

SEE ALSO

     gif(4), inet(4), inet6(4)

     http://www.6bone.net/6bone_6to4.html

     Brian Carpenter and Keith Moore, Connection of IPv6 Domains via IPv4
     Clouds, RFC, 3056, February 2001.

     Jun-ichiro itojun Hagino, Possible abuse against IPv6 transition
     technologies, draft-itojun-ipv6-transition-abuse-01.txt, July 2000, work
     in progress.

HISTORY

     The stf device first appeared in WIDE/KAME IPv6 stack.

BUGS

     No more than one stf interface is allowed for a node, and no more than
     one IPv6 interface address is allowed for an stf interface.  It is to
     avoid source address selection conflicts between IPv6 layer and IPv4
     layer, and to cope with ingress filtering rule on the other side.  This
     is a feature to make stf work right for all occasions.