Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
GIF(4)			    Kernel Interfaces Manual			GIF(4)

NAME
       gif -- generic tunnel interface

SYNOPSIS
       device gif

DESCRIPTION
       The gif interface is a generic tunnelling device	for IPv4 and IPv6.  It
       can  tunnel IPv[46] traffic over	IPv[46].  Therefore, there can be four
       possible	configurations.	 The  behavior	of  gif	 is  mainly  based  on
       RFC2893 IPv6-over-IPv4 configured tunnel.  On NetBSD, gif can also tun-
       nel  ISO	 traffic  over IPv[46] using EON encapsulation.	 Note that gif
       does not	perform	GRE encapsulation; use gre(4) for GRE encapsulation.

       The gif interface can also tunnel Ethernet traffic over	IPv4  or  IPv6
       when  combined  with  a	if_bridge(4) interface using EtherIP protocol.
       See if_bridge(4)	for detailed setup.

       Each gif	interface is created at	runtime	using interface	cloning.  This
       is most easily done with	the "ifconfig create"  command	or  using  the
       ifconfig_<interface> variable in	rc.conf(5).

       To  use	gif, the administrator needs to	configure the protocol and ad-
       dresses used  for  the  outer  header.	This  can  be  done  by	 using
       ifconfig(8)  tunnel,  or	 SIOCSIFPHYADDR	ioctl.	The administrator also
       needs to	configure the protocol and addresses  for  the	inner  header,
       with  ifconfig(8).   Note  that	IPv6  link-local addresses (those that
       start with fe80::) will be automatically	configured whenever  possible.
       You  may	 need  to  remove  IPv6	 link-local  addresses	manually using
       ifconfig(8), if you want	to disable the use of IPv6 as the inner	header
       (for example, if	you need a pure	IPv4-over-IPv6 tunnel).	 Finally,  you
       must  modify the	routing	table to route the packets through the gif in-
       terface.

   MTU Configuration and Path MTU Discovery
       The gif interface uses the fixed	length,	1280, to determine whether the
       outgoing	IPv6 packets are split.	 This means the	MTU  value  configured
       on the interface	will be	ignored	when the outer protocol	is IPv6.  When
       the  NOCLAMP  interface flag is set, gif	uses the same configured value
       as IPv4 communications.	This behavior prevents potential  issues  when
       the path	MTU is smaller than the	interface MTU.	This section describes
       the  reason  why	the default behavior is	different.  The	NOCLAMP	inter-
       face flag can be	set using the following	command:

	     ifconfig gif0 noclamp

       and clear the flag using	the following:

	     ifconfig gif0 -noclamp

       where gif0 is the actual	interface name.

       A tunnel	interface always has an	implicit smaller  MTU  for  the	 inner
       protocol	 than  the  outer  protocol  because of	the additional header.
       Note that the interface MTU on a	gif interface, the  default  value  is
       1280,  is  used as MTU for the outer protocol.  This means that the MTU
       for the inner protocol varies depending on the  outer  protocol	header
       length.	 If  an	outgoing packet	bigger than the	inner protocol MTU ar-
       rives at	a gif interface	for encapsulation, it will be split into frag-
       ments.  Specifically, if	IPv4 is	used as	the outer protocol, the	 inner
       is  20  octets  smaller than the	interface MTU.	In the case of the de-
       fault interface MTU, 1280, inner	packets	bigger than 1260 will be frag-
       mented.	In the case of IPv6, the inner is 40 octets smaller  than  the
       outer.

       This  fragmentation  is	not  harmful though it can degrade the perfor-
       mance.  Note that while an increased MTU	on gif interface helps to mit-
       igate this reduced performance issue, it	can also cause	packet	losses
       on  the	intermediate narrowest path between the	two communication end-
       points in IPv6.	IPv6 allows fragmentation only on the sender,  not  on
       the  routers  in	the communication path.	 A big outgoing	packet will be
       dropped on a router with	a smaller MTU.

       In normal IPv6 communication, an	ICMPv6 Packet Too Big  error  will  be
       sent  back  to the sender, who can adjust the packet length and re-send
       it.  This process is performed in the upper protocols than L3, such  as
       TCP, and	makes the packet length	shorter	so that	packets	go through the
       path without fragmentation.  This behavior is known as path MTU discov-
       ery.

       When using a gif	interface, the Packet Too Big message is generated for
       the  outer  protocol.   Since the gif interface does not	translate this
       error to	the inner protocol, the	inner  protocol	 sees  it  just	 as  a
       packet loss with	no useful information to adjust	the length of the next
       packets.	 In this situation, path MTU discovery does not	work, and com-
       munications of the inner	protocol become	stalled.

       In  order  to  avoid  this, a gif interface silently splits a packet of
       over 1240 octets	into fragments to  make	 the  outer  protocol  packets
       equal  or shorter than 1280 octets, even	when the interface MTU is con-
       figured as larger than 1280.  Note that this occurs only	when the outer
       protocol	is IPv6.  1280 is the smallest MTU in IPv6 and	guarantees  no
       packet loss occurs on intermediate routers.

       As mentioned earlier, the performance is	sub-optimal if the actual path
       MTU  is	larger than 1280.  A typical confusing scenario	is as follows.
       The gif interface can have Ethernet, whose MTU is usually 1500, as  the
       inner  protocol.	 It is called an EtherIP tunnel, and can be configured
       by adding the gif interface as a	member of if_bridge(4) interface.  The
       if_bridge(4) interface forcibly changes the MTU of  the	gif  interface
       with  those for the other member	interfaces, which are likely 1500.  In
       this case, a situation in which the MTU of the gif  interface  is  1500
       but fragmentation in 1280 octets	always occurs.

       The  default  behavior is most conservative to prevent confusing	packet
       loss.  Depending	on the network configuration, enabling the NOCLAMP in-
       terface flag might be helpful for better	performance.  It is crucial to
       ensure that the path MTU	is equal to or larger than the	interface  MTU
       when enabling this flag.

   ECN friendly	behavior
       The  gif	 device	 can be	configured to be ECN friendly, as described in
       draft-ietf-ipsec-ecn-02.txt.  This is turned off	by default, and	can be
       turned on by the	IFF_LINK1 interface flag.

       Without IFF_LINK1, gif will  show  normal  behavior,  as	 described  in
       RFC2893.	 This can be summarized	as follows:

	     Ingress  Set outer	TOS bit	to 0.

	     Egress   Drop outer TOS bit.

       With  IFF_LINK1,	gif will copy ECN bits (0x02 and 0x01 on IPv4 TOS byte
       or IPv6 traffic class byte) on egress and ingress, as follows:

	     Ingress  Copy TOS bits except for ECN CE (masked with 0xfe)  from
		      inner to outer.  Set ECN CE bit to 0.

	     Egress   Use  inner  TOS  bits with some change.  If outer	ECN CE
		      bit is 1,	enable ECN CE bit on the inner.

       Note that the ECN friendly behavior violates RFC2893.  This  should  be
       used in mutual agreement	with the peer.

   Security
       A  malicious party may try to circumvent	security filters by using tun-
       nelled packets.	For better protection, gif performs both  martian  and
       ingress	filtering  against  the	 outer source address on egress.  Note
       that martian/ingress filters are	in no way complete.  You may  want  to
       secure  your node by using packet filters.  Ingress filtering can break
       tunnel operation	in an asymmetrically routed network.  It can be	turned
       off by IFF_LINK2	bit.

   Miscellaneous
       By default, gif tunnels may not be nested.  This	behavior may be	 modi-
       fied	at    runtime	 by    setting	  the	 sysctl(8)    variable
       net.link.gif.max_nesting	to the desired level of	nesting.

SEE ALSO
       gre(4), if_bridge(4), inet(4), inet6(4),	ifconfig(8)

       R. Gilligan and E. Nordmark, "Transition	Mechanisms for IPv6 Hosts  and
       Routers", RFC2893, http://tools.ietf.org/html/rfc2893, August 2000.

       Sally Floyd, David L. Black, and	K. K. Ramakrishnan, IPsec Interactions
       with ECN, December 1999,	draft-ietf-ipsec-ecn-02.txt.

       R.  Housley and S. Hollenbeck, EtherIP: Tunneling Ethernet Frames in IP
       Datagrams, RFC 3378, September 2002.

HISTORY
       The gif device first appeared in	the WIDE hydrangea IPv6	kit.

BUGS
       There are many tunnelling protocol specifications, all defined  differ-
       ently  from each	other.	The gif	device may not interoperate with peers
       which are based on different specifications, and	are picky about	 outer
       header  fields.	 For  example, you cannot usually use gif to talk with
       IPsec devices that use IPsec tunnel mode.

       If the outer protocol is	IPv4, gif does not try	to  perform  path  MTU
       discovery for the encapsulated packet (DF bit is	set to 0).

       If  the	outer  protocol	 is  IPv6, path	MTU discovery for encapsulated
       packets may affect communication	over the interface.  The first bigger-
       than-pmtu packet	may be lost.  To avoid the problem, you	 may  want  to
       set the interface MTU for gif to	1240 or	smaller, when the outer	header
       is IPv6 and the inner header is IPv4.

       The  gif	 device	 does not translate ICMP messages for the outer	header
       into the	inner header.

       In the past, gif	had a  multi-destination  behavior,  configurable  via
       NOCLAMP	flag.	The  behavior  is obsolete and is no longer supported.
       This flag is now	used to	 determine  whether  performing	 fragmentation
       when the	outer protocol is IPv6.

FreeBSD	15.0			August 27, 2025				GIF(4)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=gif&sektion=4&manpath=FreeBSD+15.0-RELEASE+and+Ports>

home | help