stf(4)

NAME

stf - 6to4 tunnel interface

SYNOPSIS

device stf

DESCRIPTION

The stf interface supports ``6to4'' IPv6 in IPv4 encapsula

tion. It can
tunnel IPv6 traffic over IPv4, as specified in RFC3056.

For ordinary nodes in 6to4 site, you do not need stf inter

face. The stf
interface is necessary for site border router (called ``6to4

router'' in
the specification).

Each stf interface is created at runtime using interface

cloning. This
is most easily done with the ifconfig(8) create command or

using the
cloned_interfaces variable in rc.conf(5).

Due to the way 6to4 protocol is specified, stf interface re

quires certain
configuration to work properly. Single (no more than 1)

valid 6to4
address needs to be configured to the interface. ``A valid

6to4
address'' is an address which has the following properties.

If any of
the following properties are not satisfied, stf raises run

time error on
packet transmission. Read the specification for more de

tails.

+o matches 2002:xxyy:zzuu::/48 where xxyy:zzuu is a hex

adecimal notation

of an IPv4 address for the node. IPv4 address can be

taken from any
of interfaces your node has. Since the specification

forbids the use
of IPv4 private address, the address needs to be a glob

al IPv4
address.

+o Subnet identifier portion (48th to 63rd bit) and inter

face identifier

portion (lower 64 bits) are properly filled to avoid ad

dress collisions.

If you would like the node to behave as a relay router, the

prefix length
for the IPv6 interface address needs to be 16 so that the

node would consider any 6to4 destination as ``on-link''. If you would

like to restrict
6to4 peers to be inside certain IPv4 prefix, you may want to

configure
IPv6 prefix length as ``16 + IPv4 prefix length''. stf in

terface will
check the IPv4 source address on packets, if the IPv6 prefix

length is
larger than 16.

stf can be configured to be ECN friendly. This can be con

figured by
IFF_LINK1. See gif(4) for details.

Please note that 6to4 specification is written as ``accept

tunnelled
packet from everyone'' tunnelling device. By enabling stf

device, you
are making it much easier for malicious parties to inject

fabricated IPv6
packet to your node. Also, malicious party can inject an

IPv6 packet
with fabricated source address to make your node generate

improper tunnelled packet. Administrators must take caution when en

abling the interface. To prevent possible attacks, stf interface filters

out the following packets. Note that the checks are no way complete:

+o Packets with IPv4 unspecified address as outer IPv4

source/destina

tion (0.0.0.0/8)

+o Packets with loopback address as outer IPv4 source/des

tination

(127.0.0.0/8)

+o Packets with IPv4 multicast address as outer IPv4

source/destination

(224.0.0.0/4)

+o Packets with limited broadcast address as outer IPv4

source/destina

tion (255.0.0.0/8)

+o Packets with private address as outer IPv4 source/desti

nation

(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

+o Packets with subnet broadcast address as outer IPv4

source/destina

tion. The check is made against subnet broadcast ad

dresses for all
of the directly connected subnets.

+o Packets that does not pass ingress filtering. Outer

IPv4 source

address must meet the IPv4 topology on the routing

table. Ingress
filter can be turned off by IFF_LINK2 bit.

+o The same set of rules are applied against the IPv4 ad

dress embedded

into inner IPv6 address, if the IPv6 address matches

6to4 prefix.

It is recommended to filter/audit incoming IPv4 packet with

IP protocol
number 41, as necessary. It is also recommended to fil

ter/audit encapsulated IPv6 packets as well. You may also want to run normal

ingress filter against inner IPv6 address to avoid spoofing.

By setting the IFF_LINK0 flag on the stf interface, it is

possible to
disable the input path, making the direct attacks from the

outside impossible. Note, however, there are other security risks exist.

If you wish
to use the configuration, you must not advertise your 6to4

address to
others.

EXAMPLES

Note that 8504:0506 is equal to 133.4.5.6, written in hex

adecimals.

# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86

prefixlen 16 alias

The following configuration accepts packets from IPv4 source

9.1.0.0/16
only. It emits 6to4 packet only for IPv6 destination

2002:0901::/32
(IPv4 destination will match 9.1.0.0/16).

# ifconfig ne0 inet 9.1.2.3 netmask 0xffff0000
# ifconfig stf0 inet6 2002:0901:0203:0000:a00:5aff:fe38:6f86

prefixlen 32 alias

The following configuration uses the stf interface as an

output-only
device. You need to have alternative IPv6 connectivity

(other than 6to4)
to use this configuration. For outbound traffic, you can

reach other
6to4 networks efficiently via stf. For inbound traffic, you

will not
receive any 6to4-tunneled packets (less security drawbacks).

Be careful
not to advertise your 6to4 prefix to others

(2002:8504:0506::/48), and
not to use your 6to4 prefix as a source.

# ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
# ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86

prefixlen 16 alias deprecated link0
# route add -inet6 2002:: -prefixlen 16 ::1
# route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0

SEE ALSO

gif(4), inet(4), inet6(4)

http://www.6bone.net/6bone_6to4.html

Brian Carpenter and Keith Moore, Connection of IPv6 Domains

via IPv4
Clouds, RFC, 3056, February 2001.

Jun-ichiro itojun Hagino, Possible abuse against IPv6

transition
technologies, draft-itojun-ipv6-transition-abuse-01.txt, Ju

ly 2000, work
in progress.

HISTORY

The stf device first appeared in WIDE/KAME IPv6 stack.

BUGS

No more than one stf interface is allowed for a node, and no

more than
one IPv6 interface address is allowed for an stf interface.

It is to
avoid source address selection conflicts between IPv6 layer

and IPv4
layer, and to cope with ingress filtering rule on the other

side. This
is a feature to make stf work right for all occasions.

BSD April 27, 2001

BSD