The stf interface supports “6to4” IPv6 in IPv4 encapsulation. It can tunnel IPv6 traffic over IPv4, as
specified in RFC3056.
For ordinary nodes in 6to4 site, you do not need stf interface. The stf interface is necessary for site
border router (called “6to4 router” in the specification).
Each stf interface is created at runtime using interface cloning. This is most easily done with the
ifconfig(8) create command or using the cloned_interfaces variable in rc.conf(5).
Due to the way 6to4 protocol is specified, stf interface requires certain configuration to work properly.
Single (no more than 1) valid 6to4 address needs to be configured to the interface. “A valid 6to4
address” is an address which has the following properties. If any of the following properties are not
satisfied, stf raises runtime error on packet transmission. Read the specification for more details.
• matches 2002:xxyy:zzuu::/48 where xxyy:zzuu is a hexadecimal notation of an IPv4 address for the
node. IPv4 address can be taken from any of interfaces your node has. Since the specification
forbids the use of IPv4 private address, the address needs to be a global IPv4 address.
• Subnet identifier portion (48th to 63rd bit) and interface identifier portion (lower 64 bits) are
properly filled to avoid address collisions.
If you would like the node to behave as a relay router, the prefix length for the IPv6 interface address
needs to be 16 so that the node would consider any 6to4 destination as “on-link”. If you would like to
restrict 6to4 peers to be inside certain IPv4 prefix, you may want to configure IPv6 prefix length as “16
+ IPv4 prefix length”. stf interface will check the IPv4 source address on packets, if the IPv6 prefix
length is larger than 16.
stf can be configured to be ECN friendly. This can be configured by IFF_LINK1. See gif(4) for details.
Please note that 6to4 specification is written as “accept tunnelled packet from everyone” tunnelling
device. By enabling stf device, you are making it much easier for malicious parties to inject fabricated
IPv6 packet to your node. Also, malicious party can inject an IPv6 packet with fabricated source address
to make your node generate improper tunnelled packet. Administrators must take caution when enabling the
interface. To prevent possible attacks, stf interface filters out the following packets. Note that the
checks are no way complete:
• Packets with IPv4 unspecified address as outer IPv4 source/destination (0.0.0.0/8)
• Packets with loopback address as outer IPv4 source/destination (127.0.0.0/8)
• Packets with IPv4 multicast address as outer IPv4 source/destination (224.0.0.0/4)
• Packets with limited broadcast address as outer IPv4 source/destination (255.0.0.0/8)
• Packets with private address as outer IPv4 source/destination (10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16)
• Packets with subnet broadcast address as outer IPv4 source/destination. The check is made against
subnet broadcast addresses for all of the directly connected subnets.
• Packets that does not pass ingress filtering. Outer IPv4 source address must meet the IPv4 topology
on the routing table. Ingress filter can be turned off by IFF_LINK2 bit.
• The same set of rules are applied against the IPv4 address embedded into inner IPv6 address, if the
IPv6 address matches 6to4 prefix.
It is recommended to filter/audit incoming IPv4 packet with IP protocol number 41, as necessary. It is
also recommended to filter/audit encapsulated IPv6 packets as well. You may also want to run normal
ingress filter against inner IPv6 address to avoid spoofing.
By setting the IFF_LINK0 flag on the stf interface, it is possible to disable the input path, making the
direct attacks from the outside impossible. Note, however, there are other security risks exist. If you
wish to use the configuration, you must not advertise your 6to4 address to others.
Install Now
PNG Icons
Emojis