GIF(4)							   BSD Kernel Interfaces Manual 						    GIF(4)

NAME

     gif -- generic tunnel interface

SYNOPSIS

     pseudo-device gif

DESCRIPTION

     The gif interface is a generic tunneling pseudo device for IPv4 and IPv6.	It can tunnel IPv[46] traffic over IPv[46].  Therefore, there can
     be four possible configurations.  The behavior of gif is mainly based on RFC 2893 IPv6-over-IPv4 configured tunnel.  gif can also tunnel ISO
     traffic over IPv[46] using EON encapsulation.

     To use gif, the administrator must first create the interface and then configure protocol and addresses used for the outer header.  This can
     be done by using ifconfig(8) create and tunnel subcommands, or SIOCIFCREATE and SIOCSIFPHYADDR ioctls.  Also, administrator needs to config-
     ure protocol and addresses used for the inner header, by using ifconfig(8).  Note that IPv6 link-local address (those start with fe80::) will
     be automatically configured whenever possible.  You may need to remove IPv6 link-local address manually using ifconfig(8), when you would
     like to disable the use of IPv6 as inner header (like when you need pure IPv4-over-IPv6 tunnel).  Finally, use routing table to route the
     packets toward gif interface.

     gif can be configured to be ECN friendly.	This can be configured by IFF_LINK1.

   ECN friendly behavior
     gif can be configured to be ECN friendly, as described in draft-ietf-ipsec-ecn-02.txt.  This is turned off by default, and can be turned on
     by IFF_LINK1 interface flag.

     Without IFF_LINK1, gif will show a normal behavior, like described in RFC 2893.  This can be summarized as follows:

	   Ingress  Set outer TOS bit to 0.

	   Egress   Drop outer TOS bit.

     With IFF_LINK1, gif will copy ECN bits (0x02 and 0x01 on IPv4 TOS byte or IPv6 traffic class byte) on egress and ingress, as follows:

	   Ingress  Copy TOS bits except for ECN CE (masked with 0xfe) from inner to outer.  set ECN CE bit to 0.

	   Egress   Use inner TOS bits with some change.  If outer ECN CE bit is 1, enable ECN CE bit on the inner.

     Note that the ECN friendly behavior violates RFC 2893.  This should be used in mutual agreement with the peer.

   Packet format
     Every inner packet is encapsulated in an outer packet.  The inner packet may be IPv4, IPv6, or ISO CLNP.  The outer packet may be IPv4 or
     IPv6, and has all the usual IP headers, including a protocol field that identifies the type of inner packet.

     When the inner packet is IPv4, the protocol field of the outer packet is 4 (IPPROTO_IPV4).  When the inner packet is IPv6, the protocol field
     of the outer packet is 41 (IPPROTO_IPV6).	When the inner packet is ISO CNLP, the protocol field of the outer packet is 80 (IPPROTO_EON).

   Security
     Malicious party may try to circumvent security filters by using tunneled packets.	For better protection, gif performs martian filter and
     ingress filter against outer source address, on egress.  Note that martian/ingress filters are no way complete.  You may want to secure your
     node by using packet filters.  Ingress filter can be turned off by IFF_LINK2 bit.

EXAMPLES

     Configuration example:

     Host X--NetBSD A  ----------------tunnel---------- cisco D------Host E
							   |
		 					  /
		  +-----Router B--------Router C---------+

     On NetBSD system A (NetBSD):

	# route add default B
	# ifconfig gifN create
	# ifconfig gifN A netmask 0xffffffff tunnel A D up
	# route add E 0
	# route change E -ifp gif0

     On Host D (Cisco):

	Interface TunnelX
	 ip unnumbered D   ! e.g. address from Ethernet interface
	 tunnel source D   ! e.g. address from Ethernet interface
	 tunnel destination A
	ip route C <some interface and mask>
	ip route A mask C
	ip route X mask tunnelX

     or on Host D (NetBSD):

	# route add default C
	# ifconfig gifN D A

     If all goes well, you should see packets flowing.

     If you want to reach Host A over the tunnel (from the Cisco D), then you have to have an alias on Host A for e.g. the Ethernet interface
     like: ifconfig <etherif> alias Y and on the cisco ip route Y mask tunnelX.

SEE ALSO

     etherip(4), inet(4), inet6(4), ifconfig(8)

     C. Perkins, "IP Encapsulation within IP", RFC 2003, ftp://ftp.isi.edu/in-notes/rfc2003.txt, October 1996.

     R. Gilligan and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 2893, ftp://ftp.isi.edu/in-notes/rfc2893.txt, August
     2000.

     Sally Floyd, David L. Black, and K. K. Ramakrishnan, IPsec Interactions with ECN, http://datatracker.ietf.org/internet-drafts/draft-ietf-
     ipsec-ecn/, December 1999.

     F. Baker and P. Savola, "Ingress Filtering for Multihomed Networks", RFC 3704, ftp://ftp.isi.edu/in-notes/rfc3704.txt, March 2004.

STANDARDS

     IPv4 over IPv4 encapsulation is compatible with RFC 2003.	IPv6 over IPv4 encapsulation is compatible with RFC 2893.

HISTORY

     The gif device first appeared in WIDE hydrangea IPv6 kit.

BUGS

     There are many tunneling protocol specifications, defined differently from each other.  gif may not interoperate with peers which are based
     on different specifications, and are picky about outer header fields.  For example, you cannot usually use gif to talk with IPsec devices
     that use IPsec tunnel mode.

     The current code does not check if the ingress address (outer source address) configured to gif makes sense.  Make sure to configure an
     address which belongs to your node.  Otherwise, your node will not be able to receive packets from the peer, and your node will generate
     packets with a spoofed source address.

     If the outer protocol is IPv6, path MTU discovery for encapsulated packet may affect communication over the interface.

     In the past, gif had a multi-destination behavior, configurable via IFF_LINK0 flag.  The behavior was obsoleted and is no longer supported.

BSD
								 January 15, 2009							       BSD