To use
gif,
the administrator must first create the interface
and then configure protocol and addresses used for the outer
header.
This can be done by using
ifconfig(8)
create
and
tunnel
subcommands, or
SIOCIFCREATE
and
SIOCSIFPHYADDR
ioctls.
Also, administrator needs to configure protocol and addresses used for the
inner header, by using
ifconfig(8).
Note that IPv6 link-local address
(those start with fe80::
)
will be automatically configured whenever possible.
You may need to remove IPv6 link-local address manually using
ifconfig(8),
when you would like to disable the use of IPv6 as inner header
(like when you need pure IPv4-over-IPv6 tunnel).
Finally, use routing table to route the packets toward
gif
interface.
gif
can be configured to be ECN friendly.
This can be configured by
IFF_LINK1
.
draft-ietf-ipsec-ecn-02.txt
.
This is turned off by default, and can be turned on by
IFF_LINK1
interface flag.
Without
IFF_LINK1
,
gif
will show a normal behavior, like described in RFC 2893.
This can be summarized as follows:
0
.
With
IFF_LINK1
,
gif
will copy ECN bits
(
0x02
and
0x01
on IPv4 TOS byte or IPv6 traffic class byte)
on egress and ingress, as follows:
0xfe
)
from
inner to outer.
set ECN CE bit to
0
.
1
,
enable ECN CE bit on the inner.
Note that the ECN friendly behavior violates RFC 2893. This should be used in mutual agreement with the peer.
When the inner packet is IPv4, the protocol field of the outer packet
is 4
(
IPPROTO_IPV4
).
When the inner packet is IPv6, the protocol field of the outer packet
is 41
(
IPPROTO_IPV6
).
When the inner packet is ISO CNLP, the protocol field of the outer packet
is 80
(
IPPROTO_EON
).
IFF_LINK2
bit.
Host X--NetBSD A ----------------tunnel---------- cisco D------Host E
\ |
\ /
+-----Router B--------Router C---------+
On
NetBSD
system A
NetBSD():
# route add default B
# ifconfig gifN create
# ifconfig gifN A netmask 0xffffffff tunnel A D up
# route add E 0
# route change E -ifp gif0
On Host D (Cisco):
Interface TunnelX
ip unnumbered D ! e.g. address from Ethernet interface
tunnel source D ! e.g. address from Ethernet interface
tunnel destination A
ip route C
or on Host D
NetBSD():
# route add default C
# ifconfig gifN D A
If all goes well, you should see packets flowing.
If you want to reach Host A over the tunnel (from the Cisco D), then
you have to have an alias on Host A for e.g. the Ethernet interface like:
ifconfig
The current code does not check if the ingress address (outer source address) configured to gif makes sense. Make sure to configure an address which belongs to your node. Otherwise, your node will not be able to receive packets from the peer, and your node will generate packets with a spoofed source address.
If the outer protocol is IPv6, path MTU discovery for encapsulated packet may affect communication over the interface.
In the past,
gif
had a multi-destination behavior, configurable via
IFF_LINK0
flag.
The behavior was obsoleted and is no longer supported.