The
gif interface is a generic tunneling pseudo device for IPv4 and IPv6. It can tunnel IPv[46] traffic over IPv[46]. Therefore, there can be four possible configurations. The behavior of
gif is mainly based on RFC 2893 IPv6-over-IPv4 configured tunnel.
gif can also tunnel ISO traffic over IPv[46] using EON encapsulation.
To use
gif, the administrator must first create the interface and then configure protocol and addresses used for the outer header. This can be done by using
ifconfig(8) create and
tunnel subcommands, or
SIOCIFCREATE and
SIOCSIFPHYADDR ioctls. Also, administrator needs to configure protocol and addresses used for the inner header, by using
ifconfig(8). Note that IPv6 link-local address (those start with
fe80::) will be automatically configured whenever possible. You may need to remove IPv6 link-local address manually using
ifconfig(8), when you would like to disable the use of IPv6 as inner header (like when you need pure IPv4-over-IPv6 tunnel). Finally, use routing table to route the packets toward
gif interface.
gif can be configured to be ECN friendly. This can be configured by
IFF_LINK1.
ECN friendly behavior
gif can be configured to be ECN friendly, as described in
draft-ietf-ipsec-ecn-02.txt. This is turned off by default, and can be turned on by
IFF_LINK1 interface flag.
Without
IFF_LINK1,
gif will show a normal behavior, like described in RFC 2893. This can be summarized as follows:
Ingress
Set outer TOS bit to 0.
Egress
Drop outer TOS bit.
With
IFF_LINK1,
gif will copy ECN bits (
0x02 and
0x01 on IPv4 TOS byte or IPv6 traffic class byte) on egress and ingress, as follows:
Ingress
Copy TOS bits except for ECN CE (masked with 0xfe) from inner to outer. set ECN CE bit to 0.
Egress
Use inner TOS bits with some change. If outer ECN CE bit is 1, enable ECN CE bit on the inner.
Note that the ECN friendly behavior violates RFC 2893. This should be used in mutual agreement with the peer.
Packet format
Every inner packet is encapsulated in an outer packet. The inner packet may be IPv4, IPv6, or ISO CLNP. The outer packet may be IPv4 or IPv6, and has all the usual IP headers, including a protocol field that identifies the type of inner packet.
When the inner packet is IPv4, the protocol field of the outer packet is 4 (
IPPROTO_IPV4). When the inner packet is IPv6, the protocol field of the outer packet is 41 (
IPPROTO_IPV6). When the inner packet is ISO CNLP, the protocol field of the outer packet is 80 (
IPPROTO_EON).
Security
Malicious party may try to circumvent security filters by using tunneled packets. For better protection, gif performs martian filter and ingress filter against outer source address, on egress. Note that martian/ingress filters are no way complete. You may want to secure your node by using packet filters. Ingress filter can be turned off by IFF_LINK2 bit.