GIF(4)                      Kernel Interfaces Manual                     GIF(4)

NAME
       gif -- generic tunnel interface

SYNOPSIS
       device gif

DESCRIPTION
       The gif interface is a generic tunnelling device for IPv4 and IPv6.  It
       can tunnel IPv[46] traffic over IPv[46].  Therefore, there can be four
       possible configurations.  The behavior of gif is mainly based on
       RFC2893 IPv6-over-IPv4 configured tunnel.  On NetBSD, gif can also
       tunnel ISO traffic over IPv[46] using EON encapsulation.  Note that gif
       does not perform GRE encapsulation; use gre(4) for GRE encapsulation.

       Each gif interface is created at runtime using interface cloning.  This
       is most easily done with the "ifconfig create" command or using the
       ifconfig_<interface> variable in rc.conf(5).

       To use gif, the administrator needs to configure the protocol and
       addresses used for the outer header.  This can be done by using
       ifconfig(8) tunnel, or SIOCSIFPHYADDR ioctl.  The administrator also
       needs to configure the protocol and addresses for the inner header,
       with ifconfig(8).  Note that IPv6 link-local addresses (those that
       start with fe80::) will be automatically configured whenever possible.
       You may need to remove IPv6 link-local addresses manually using
       ifconfig(8), if you want to disable the use of IPv6 as the inner header
       (for example, if you need a pure IPv4-over-IPv6 tunnel).  Finally, you
       must modify the routing table to route the packets through the gif
       interface.

       The gif device can be configured to be ECN friendly.  This can be
       configured by IFF_LINK1.

   ECN friendly behavior
       The gif device can be configured to be ECN friendly, as described in
       draft-ietf-ipsec-ecn-02.txt.  This is turned off by default, and can be
       turned on by the IFF_LINK1 interface flag.

       Without IFF_LINK1, gif will show normal behavior, as described in
       RFC2893.  This can be summarized as follows:

             Ingress  Set outer TOS bit to 0.

             Egress   Drop outer TOS bit.

       With IFF_LINK1, gif will copy ECN bits (0x02 and 0x01 on IPv4 TOS byte
       or IPv6 traffic class byte) on egress and ingress, as follows:

             Ingress  Copy TOS bits except for ECN CE (masked with 0xfe) from
                      inner to outer.  Set ECN CE bit to 0.

             Egress   Use inner TOS bits with some change.  If outer ECN CE
                      bit is 1, enable ECN CE bit on the inner.

       Note that the ECN friendly behavior violates RFC2893.  This should be
       used in mutual agreement with the peer.
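
       The two modes above, modelled on a single TOS byte.  This is an added
       example, not the FreeBSD kernel source; the function names are
       hypothetical, and the only "change" applied on egress is the CE
       propagation this page spells out.

```c
#include <stdint.h>
#include <stdio.h>

#define ECN_CE_BIT 0x01	/* CE bit position as given on this page */

/* Encapsulation ("Ingress"): derive the outer TOS from the inner TOS. */
static uint8_t
gif_tos_ingress(int link1, uint8_t inner_tos)
{
	if (!link1)
		return (0);			/* RFC2893: outer TOS is 0 */
	return (inner_tos & 0xfe);		/* copy all bits, CE cleared */
}

/* Decapsulation ("Egress"): derive the inner TOS that is delivered. */
static uint8_t
gif_tos_egress(int link1, uint8_t outer_tos, uint8_t inner_tos)
{
	if (!link1)
		return (inner_tos);		/* outer TOS is dropped */
	if (outer_tos & ECN_CE_BIT)
		inner_tos |= ECN_CE_BIT;	/* carry the mark inward */
	return (inner_tos);
}

/* One trip through the tunnel; a router on the path may mark the outer CE. */
static uint8_t
gif_tos_roundtrip(int link1, uint8_t inner_tos, int congested)
{
	uint8_t outer = gif_tos_ingress(link1, inner_tos);

	if (congested)
		outer |= ECN_CE_BIT;
	return (gif_tos_egress(link1, outer, inner_tos));
}

int
main(void)
{
	const uint8_t inner = 0x02;	/* constructed sample: ECT set, CE clear */

	for (int link1 = 0; link1 <= 1; link1++)
		for (int congested = 0; congested <= 1; congested++)
			printf("LINK1=%d congested=%d inner 0x%02x -> 0x%02x\n",
			    link1, congested, inner,
			    gif_tos_roundtrip(link1, inner, congested));
	return (0);
}
```

       Without IFF_LINK1 a congestion mark set on the outer header never
       reaches the inner packet; with IFF_LINK1 it does.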

   Security
       A malicious party may try to circumvent security filters by using
       tunnelled packets.  For better protection, gif performs both martian
       and ingress filtering against the outer source address on egress.  Note
       that martian/ingress filters are in no way complete.  You may want to
       secure your node by using packet filters.  Ingress filtering can break
       tunnel operation in an asymmetrically routed network.  It can be turned
       off by IFF_LINK2 bit.

   Miscellaneous
       By default, gif tunnels may not be nested.  This behavior may be
       modified at runtime by setting the sysctl(8) variable
       net.link.gif.max_nesting to the desired level of nesting.

SEE ALSO
       gre(4), inet(4), inet6(4), ifconfig(8)

       R. Gilligan and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and
       Routers", RFC2893, http://tools.ietf.org/html/rfc2893, August 2000.

       Sally Floyd, David L. Black, and K. K. Ramakrishnan, IPsec Interactions
       with ECN, December 1999, draft-ietf-ipsec-ecn-02.txt.

HISTORY
       The gif device first appeared in the WIDE hydrangea IPv6 kit.

BUGS
       There are many tunnelling protocol specifications, all defined
       differently from each other.  The gif device may not interoperate with
       peers which are based on different specifications, and are picky about
       outer header fields.  For example, you cannot usually use gif to talk
       with IPsec devices that use IPsec tunnel mode.

       If the outer protocol is IPv4, gif does not try to perform path MTU
       discovery for the encapsulated packet (DF bit is set to 0).

       If the outer protocol is IPv6, path MTU discovery for encapsulated
       packets may affect communication over the interface.  The first
       bigger-than-pmtu packet may be lost.  To avoid the problem, you may
       want to set the interface MTU for gif to 1240 or smaller, when the
       outer header is IPv6 and the inner header is IPv4.

       The gif device does not translate ICMP messages for the outer header
       into the inner header.

       In the past, gif had a multi-destination behavior, configurable via
       IFF_LINK0 flag.  The behavior is obsolete and is no longer supported.

FreeBSD 13.2                    October 21, 2018                         GIF(4)
