The gif interface is a generic tunnelling
device for IPv4 and IPv6. It can tunnel IPv[46] traffic over IPv[46].
Therefore, there can be four possible configurations. The behavior of
gif is mainly based on RFC2893 IPv6-over-IPv4
configured tunnel. On NetBSD,
gif can also tunnel ISO traffic over IPv[46] using
EON encapsulation. Note that gif does not perform
GRE encapsulation; use
gre(4) for GRE encapsulation.
The gif interface can also tunnel Ethernet
traffic over IPv4 or IPv6 when combined with a
if_bridge(4) interface using EtherIP protocol. See
if_bridge(4) for detailed setup.
Each gif interface is created at runtime
using interface cloning. This is most easily done with the
“ifconfig
create” command or using the
ifconfig_⟨interface⟩
variable in
rc.conf(5).
To use gif, the administrator needs to
configure the protocol and addresses used for the outer header. This can be
done by using
ifconfig(8) tunnel, or
SIOCSIFPHYADDR ioctl. The administrator also needs
to configure the protocol and addresses for the inner header, with
ifconfig(8). Note that IPv6 link-local addresses (those that
start with fe80::) will be automatically configured
whenever possible. You may need to remove IPv6 link-local addresses manually
using
ifconfig(8), if you want to disable the use of IPv6 as the
inner header (for example, if you need a pure IPv4-over-IPv6 tunnel).
Finally, you must modify the routing table to route the packets through the
gif interface.
The gif interface uses the fixed length,
1280, to determine whether the outgoing IPv6 packets
are split. This means the MTU value configured on the interface will be
ignored when the outer protocol is IPv6. When the
NOCLAMP interface flag is set,
gif uses the same configured value as IPv4
communications. This behavior prevents potential issues when the path MTU is
smaller than the interface MTU. This section describes the reason why the
default behavior is different. The NOCLAMP interface
flag can be set using the following command:
ifconfig gif0
noclamp
and clear the flag using the following:
ifconfig gif0
-noclamp
where gif0 is the actual interface name.
A tunnel interface always has an implicit smaller MTU for the
inner protocol than the outer protocol because of the additional header.
Note that the interface MTU on a gif interface, the
default value is 1280, is used as MTU for the outer
protocol. This means that the MTU for the inner protocol varies depending on
the outer protocol header length. If an outgoing packet bigger than the
inner protocol MTU arrives at a gif interface for
encapsulation, it will be split into fragments. Specifically, if IPv4 is
used as the outer protocol, the inner is 20 octets smaller than the
interface MTU. In the case of the default interface MTU,
1280, inner packets bigger than
1260 will be fragmented. In the case of IPv6, the
inner is 40 octets smaller than the outer.
This fragmentation is not harmful though it can degrade the
performance. Note that while an increased MTU on gif
interface helps to mitigate this reduced performance issue, it can also
cause packet losses on the intermediate narrowest path between the two
communication endpoints in IPv6. IPv6 allows fragmentation only on the
sender, not on the routers in the communication path. A big outgoing packet
will be dropped on a router with a smaller MTU.
In normal IPv6 communication, an ICMPv6 Packet Too Big error will
be sent back to the sender, who can adjust the packet length and re-send it.
This process is performed in the upper protocols than L3, such as TCP, and
makes the packet length shorter so that packets go through the path without
fragmentation. This behavior is known as path MTU discovery.
When using a gif interface, the Packet Too
Big message is generated for the outer protocol. Since the
gif interface does not translate this error to the
inner protocol, the inner protocol sees it just as a packet loss with no
useful information to adjust the length of the next packets. In this
situation, path MTU discovery does not work, and communications of the inner
protocol become stalled.
In order to avoid this, a gif interface
silently splits a packet of over 1240 octets into fragments to make the
outer protocol packets equal or shorter than 1280 octets, even when the
interface MTU is configured as larger than 1280. Note that this occurs only
when the outer protocol is IPv6. 1280 is the
smallest MTU in IPv6 and guarantees no packet loss occurs on intermediate
routers.
As mentioned earlier, the performance is sub-optimal if the actual
path MTU is larger than 1280. A typical confusing
scenario is as follows. The gif interface can have
Ethernet, whose MTU is usually 1500, as the inner protocol. It is called an
EtherIP tunnel, and can be configured by adding the
gif interface as a member of
if_bridge(4) interface. The
if_bridge(4) interface forcibly changes the MTU of the
gif interface with those for the other member
interfaces, which are likely 1500. In this case, a situation in which the
MTU of the gif interface is 1500 but fragmentation
in 1280 octets always occurs.
The default behavior is most conservative to prevent confusing
packet loss. Depending on the network configuration, enabling the
NOCLAMP interface flag might be helpful for better
performance. It is crucial to ensure that the path MTU is equal to or larger
than the interface MTU when enabling this flag.
The gif device can be configured to be ECN
friendly, as described in
draft-ietf-ipsec-ecn-02.txt. This is turned off by
default, and can be turned on by the IFF_LINK1
interface flag.
Without IFF_LINK1,
gif will show normal behavior, as described in
RFC2893. This can be summarized as follows:
- Ingress
- Set outer TOS bit to
0.
- Egress
- Drop outer TOS bit.
With IFF_LINK1,
gif will copy ECN bits (0x02
and 0x01 on IPv4 TOS byte or IPv6 traffic class
byte) on egress and ingress, as follows:
- Ingress
- Copy TOS bits except for ECN CE (masked with
0xfe)
from inner to outer. Set ECN CE bit to 0.
- Egress
- Use inner TOS bits with some change. If outer ECN CE bit is
1, enable ECN CE bit on the inner.
Note that the ECN friendly behavior violates RFC2893. This should
be used in mutual agreement with the peer.
A malicious party may try to circumvent security filters by using
tunnelled packets. For better protection, gif
performs both martian and ingress filtering against the outer source address
on egress. Note that martian/ingress filters are in no way complete. You may
want to secure your node by using packet filters. Ingress filtering can
break tunnel operation in an asymmetrically routed network. It can be turned
off by IFF_LINK2 bit.
By default, gif tunnels may not be nested.
This behavior may be modified at runtime by setting the
sysctl(8) variable
net.link.gif.max_nesting to the desired level of
nesting.
gre(4),
if_bridge(4),
inet(4),
inet6(4),
ifconfig(8)
R. Gilligan and
E. Nordmark, “Transition
Mechanisms for IPv6 Hosts and Routers”,
RFC2893,
http://tools.ietf.org/html/rfc2893,
August 2000.
Sally Floyd,
David L. Black, and K. K.
Ramakrishnan, IPsec Interactions with ECN,
December 1999,
draft-ietf-ipsec-ecn-02.txt.
R. Housley and
S. Hollenbeck, EtherIP: Tunneling
Ethernet Frames in IP Datagrams,
RFC
3378, September 2002.
There are many tunnelling protocol specifications, all defined
differently from each other. The gif device may not
interoperate with peers which are based on different specifications, and are
picky about outer header fields. For example, you cannot usually use
gif to talk with IPsec devices that use IPsec tunnel
mode.
If the outer protocol is IPv4, gif does
not try to perform path MTU discovery for the encapsulated packet (DF bit is
set to 0).
If the outer protocol is IPv6, path MTU discovery for encapsulated
packets may affect communication over the interface. The first
bigger-than-pmtu packet may be lost. To avoid the problem, you may want to
set the interface MTU for gif to 1240 or smaller,
when the outer header is IPv6 and the inner header is IPv4.
The gif device does not translate ICMP
messages for the outer header into the inner header.
In the past, gif had a multi-destination
behavior, configurable via NOCLAMP flag. The
behavior is obsolete and is no longer supported. This flag is now used to
determine whether performing fragmentation when the outer protocol is
IPv6.