STF(4) | Device Drivers Manual | STF(4) |
stf
— 6to4 tunnel
interface
device stf
The stf
interface supports
“6to4” IPv6 in IPv4 encapsulation. It can tunnel IPv6 traffic
over IPv4, as specified in RFC3056
.
For ordinary nodes in 6to4 site, you do not need
stf
interface. The stf
interface is necessary for site border router (called “6to4
router” in the specification).
Each stf
interface is created at runtime
using interface cloning. This is most easily done with the
ifconfig(8) create
command or
using the cloned_interfaces variable in
rc.conf(5).
Due to the way 6to4 protocol is specified,
stf
interface requires certain configuration to work
properly. Single (no more than 1) valid 6to4 address needs to be configured
to the interface. “A valid 6to4 address” is an address which
has the following properties. If any of the following properties are not
satisfied, stf
raises runtime error on packet
transmission. Read the specification for more details.
2002:xxyy:zzuu::/48
where
xxyy:zzuu
is a hexadecimal notation of an IPv4
address for the node. IPv4 address can be taken from any of interfaces
your node has. Since the specification forbids the use of IPv4 private
address, the address needs to be a global IPv4 address.If you would like the node to behave as a relay router, the prefix
length for the IPv6 interface address needs to be 16 so that the node would
consider any 6to4 destination as “on-link”. If you would like
to restrict 6to4 peers to be inside certain IPv4 prefix, you may want to
configure IPv6 prefix length as “16 + IPv4 prefix length”.
stf
interface will check the IPv4 source address on
packets, if the IPv6 prefix length is larger than 16.
stf
can be configured to be ECN friendly.
This can be configured by IFF_LINK1
. See
gif(4) for details.
Please note that 6to4 specification is written as “accept
tunnelled packet from everyone” tunnelling device. By enabling
stf
device, you are making it much easier for
malicious parties to inject fabricated IPv6 packet to your node. Also,
malicious party can inject an IPv6 packet with fabricated source address to
make your node generate improper tunnelled packet. Administrators must take
caution when enabling the interface. To prevent possible attacks,
stf
interface filters out the following packets.
Note that the checks are no way complete:
0.0.0.0/8
)127.0.0.0/8
)224.0.0.0/4
)255.0.0.0/8
)10.0.0.0/8
,
172.16.0.0/12
,
192.168.0.0/16
)IFF_LINK2
bit.It is recommended to filter/audit incoming IPv4 packet with IP protocol number 41, as necessary. It is also recommended to filter/audit encapsulated IPv6 packets as well. You may also want to run normal ingress filter against inner IPv6 address to avoid spoofing.
By setting the IFF_LINK0
flag on the
stf
interface, it is possible to disable the input
path, making the direct attacks from the outside impossible. Note, however,
there are other security risks exist. If you wish to use the configuration,
you must not advertise your 6to4 address to others.
The following sysctl(8) variables can be used to
control the behavior of the stf
. The default value
is shown next to each variable.
stf
allows the use of private IPv4
addresses described in the RFC1918. This may be useful for an Intranet
environment or when some mechanisms of network address translation (NAT)
are used.Note that 8504:0506
is equal to
133.4.5.6
, written in hexadecimals.
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ prefixlen 16 alias
The following configuration accepts packets from IPv4 source
9.1.0.0/16
only. It emits 6to4 packet only for IPv6
destination 2002:0901::/32 (IPv4 destination will match
9.1.0.0/16
).
# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000 # ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \ prefixlen 32 alias
The following configuration uses the stf
interface as an output-only device. You need to have alternative IPv6
connectivity (other than 6to4) to use this configuration. For outbound
traffic, you can reach other 6to4 networks efficiently via
stf
. For inbound traffic, you will not receive any
6to4-tunneled packets (less security drawbacks). Be careful not to advertise
your 6to4 prefix to others (2002:8504:0506::/48
),
and not to use your 6to4 prefix as a source.
# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00 # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \ prefixlen 16 alias deprecated link0 # route add -inet6 2002:: -prefixlen 16 ::1 # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0
http://www.ipv6day.org/action.php?n=En.IPv6day
Brian Carpenter and Keith Moore, Connection of IPv6 Domains via IPv4 Clouds, RFC, 3056, February 2001.
Jun-ichiro itojun Hagino, Possible abuse against IPv6 transition technologies, draft-itojun-ipv6-transition-abuse-01.txt, July 2000, work in progress.
The stf
device first appeared in WIDE/KAME
IPv6 stack.
No more than one stf
interface is allowed
for a node, and no more than one IPv6 interface address is allowed for an
stf
interface. It is to avoid source address
selection conflicts between IPv6 layer and IPv4 layer, and to cope with
ingress filtering rule on the other side. This is a feature to make
stf
work right for all occasions.
December 28, 2012 | Debian |