Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
STF(4)			 BSD Kernel Interfaces Manual			STF(4)

     stf -- 6to4 tunnel	interface

     device stf

     The stf interface supports	"6to4" IPv6 in IPv4 encapsulation.  It can
     tunnel IPv6 traffic over IPv4, as specified in RFC3056.

     For ordinary nodes	in 6to4	site, you do not need stf interface.  The stf
     interface is necessary for	site border router (called "6to4 router" in
     the specification).

     Each stf interface	is created at runtime using interface cloning.	This
     is	most easily done with the ifconfig(8) create command or	using the
     cloned_interfaces variable	in rc.conf(5).

     Due to the	way 6to4 protocol is specified,	stf interface requires certain
     configuration to work properly.  Single (no more than 1) valid 6to4 ad-
     dress needs to be configured to the interface.  "A	valid 6to4 address" is
     an	address	which has the following	properties.  If	any of the following
     properties	are not	satisfied, stf raises runtime error on packet trans-
     mission.  Read the	specification for more details.

     o	 matches 2002:xxyy:zzuu::/48 where xxyy:zzuu is	a hexadecimal notation
	 of an IPv4 address for	the node.  IPv4	address	can be taken from any
	 of interfaces your node has.  Since the specification forbids the use
	 of IPv4 private address, the address needs to be a global IPv4	ad-

     o	 Subnet	identifier portion (48th to 63rd bit) and interface identifier
	 portion (lower	64 bits) are properly filled to	avoid address colli-

     If	you would like the node	to behave as a relay router, the prefix	length
     for the IPv6 interface address needs to be	16 so that the node would con-
     sider any 6to4 destination	as "on-link".  If you would like to restrict
     6to4 peers	to be inside certain IPv4 prefix, you may want to configure
     IPv6 prefix length	as "16 + IPv4 prefix length".  stf interface will
     check the IPv4 source address on packets, if the IPv6 prefix length is
     larger than 16.

     stf can be	configured to be ECN friendly.	This can be configured by
     IFF_LINK1.	 See gif(4) for	details.

     Please note that 6to4 specification is written as "accept tunnelled
     packet from everyone" tunnelling device.  By enabling stf device, you are
     making it much easier for malicious parties to inject fabricated IPv6
     packet to your node.  Also, malicious party can inject an IPv6 packet
     with fabricated source address to make your node generate improper	tun-
     nelled packet.  Administrators must take caution when enabling the	inter-
     face.  To prevent possible	attacks, stf interface filters out the follow-
     ing packets.  Note	that the checks	are no way complete:

     o	 Packets with IPv4 unspecified address as outer	IPv4 source/destina-
	 tion (

     o	 Packets with loopback address as outer	IPv4 source/destination

     o	 Packets with IPv4 multicast address as	outer IPv4 source/destination

     o	 Packets with limited broadcast	address	as outer IPv4 source/destina-
	 tion (

     o	 Packets with private address as outer IPv4 source/destination

     o	 Packets with subnet broadcast address as outer	IPv4 source/destina-
	 tion.	The check is made against subnet broadcast addresses for all
	 of the	directly connected subnets.

     o	 Packets that does not pass ingress filtering.	Outer IPv4 source ad-
	 dress must meet the IPv4 topology on the routing table.  Ingress fil-
	 ter can be turned off by IFF_LINK2 bit.

     o	 The same set of rules are applied against the IPv4 address embedded
	 into inner IPv6 address, if the IPv6 address matches 6to4 prefix.

     It	is recommended to filter/audit incoming	IPv4 packet with IP protocol
     number 41,	as necessary.  It is also recommended to filter/audit encapsu-
     lated IPv6	packets	as well.  You may also want to run normal ingress fil-
     ter against inner IPv6 address to avoid spoofing.

     By	setting	the IFF_LINK0 flag on the stf interface, it is possible	to
     disable the input path, making the	direct attacks from the	outside	impos-
     sible.  Note, however, there are other security risks exist.  If you wish
     to	use the	configuration, you must	not advertise your 6to4	address	to

     The following sysctl(8) variables can be used to control the behavior of
     the stf.  The default value is shown next to each variable. 0
	     The RFC3056 requires the use of globally unique 32-bit IPv4 ad-
	     dresses.  This sysctl variable controls the behaviour of this re-
	     quirement.	 When it set to	not 0, stf allows the use of private
	     IPv4 addresses described in the RFC1918.  This may	be useful for
	     an	Intranet environment or	when some mechanisms of	network	ad-
	     dress translation (NAT) are used.

     Note that 8504:0506 is equal to,	written	in hexadecimals.

     # ifconfig	ne0 inet netmask 0xffffff00
     # ifconfig	stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \
	     prefixlen 16 alias

     The following configuration accepts packets from IPv4 source
     only.  It emits 6to4 packet only for IPv6 destination 2002:0901::/32
     (IPv4 destination will match

     # ifconfig	ne0 inet netmask 0xffff0000
     # ifconfig	stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86 \
	     prefixlen 32 alias

     The following configuration uses the stf interface	as an output-only de-
     vice.  You	need to	have alternative IPv6 connectivity (other than 6to4)
     to	use this configuration.	 For outbound traffic, you can reach other
     6to4 networks efficiently via stf.	 For inbound traffic, you will not re-
     ceive any 6to4-tunneled packets (less security drawbacks).	 Be careful
     not to advertise your 6to4	prefix to others (2002:8504:0506::/48),	and
     not to use	your 6to4 prefix as a source.

     # ifconfig	ne0 inet netmask 0xffffff00
     # ifconfig	stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \
	     prefixlen 16 alias	deprecated link0
     # route add -inet6	2002:: -prefixlen 16 ::1
     # route change -inet6 2002:: -prefixlen 16	::1 -ifp stf0

     gif(4), inet(4), inet6(4)

     Brian Carpenter and Keith Moore, Connection of IPv6 Domains via IPv4
     Clouds, RFC, 3056,	February 2001.

     Jun-ichiro	itojun Hagino, Possible	abuse against IPv6 transition
     technologies, draft-itojun-ipv6-transition-abuse-01.txt, July 2000, work
     in	progress.

     The stf device first appeared in WIDE/KAME	IPv6 stack.

     No	more than one stf interface is allowed for a node, and no more than
     one IPv6 interface	address	is allowed for an stf interface.  It is	to
     avoid source address selection conflicts between IPv6 layer and IPv4
     layer, and	to cope	with ingress filtering rule on the other side.	This
     is	a feature to make stf work right for all occasions.

BSD			       December	28, 2012			   BSD


Want to link to this manual page? Use this URL:

home | help