STREAMS Modules tun(7M)
NAME
tun, 6to4, 6to4tun, atun - tunneling STREAMS module
SYNOPSIS
strmod/tun
strmod/atun
strmod/6to4tun
DESCRIPTION
tun, atun and 6to4tun are STREAMS modules that implement an
IP-in-IP tunneling mechanism. IPv6-in-IPv4, IPv4-in-IPv4,
IPv4-in-IPv6 and IPv6-in-IPv6 tunnels are supported.
Tunnels are configured as point-to-point interfaces.
IPv4-in-IPv4 tunnels allow IPv4 packets to be encapsulated
within IPv4 packets. IPv6-in-IPv4 tunnels allow IPv6 packets
to be encapsulated within IPv4 packets. IPv4-in-IPv6 tunnels
allow IPv4 packets to be encapsulated within IPv6 packets.
IPv6-in-IPv6 tunnels allow IPv6 packets to be encapsulated
within IPv6 packets. Both the tunnel source and the tunnel
destination are required to configure these types of tunnels.
Configured tunnels support encapsulated multicast packets. See
ifconfig(1M) for examples of these tunnel configurations.
The atun module is used to configure automatic tunnels. It
supports IPv6 packets encapsulated within IPv4 packets. An
IPv4 address is required for the tunnel source of these
interfaces and the IPv4 compatible IPv6 source address
must match this address. IPv6 packets using this interface
must have IPv4 compatible source and destination
addresses. Automatic tunnels are not point-to-point, and
they do not allow multicast packets to be sent. If the
destination of an automatic tunnel is a router, the packets
will not be forwarded.
The 6to4tun module is used to configure 6to4 tunnels as
described in RFC 3056. It implements automatic tunneling of
IPv6 within IPv4. This IPv6 transition mechanism allows
isolated IPv6 networks or nodes attached to an IPv4 network to
communicate with other IPv6 networks with little
configuration. See ifconfig(1M) for an example of how to
configure a 6to4 tunnel.
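The address rule stated for atun above (the IPv4 compatible IPv6 source must match the tunnel's IPv4 source) can be checked as follows. This is an added example, not code from the tun module; it also covers the 6to4 form 2002:V4ADDR::/48 from RFC 3056, and the function names and the sample addresses in its callers are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

enum embed_kind { EMBED_NONE, EMBED_V4COMPAT, EMBED_6TO4 };

/* Extract the IPv4 address embedded in an IPv6 address, if there is one. */
static enum embed_kind embedded_v4(const struct in6_addr *a6, struct in_addr *out)
{
    static const uint8_t zero12[12] = {0};
    const uint8_t *b = a6->s6_addr;

    if (b[0] == 0x20 && b[1] == 0x02) {        /* 6to4: 2002:V4ADDR::/48 */
        memcpy(&out->s_addr, b + 2, 4);
        return EMBED_6TO4;
    }
    if (memcmp(b, zero12, 12) == 0) {          /* IPv4 compatible: ::a.b.c.d */
        memcpy(&out->s_addr, b + 12, 4);
        if (ntohl(out->s_addr) > 1)            /* :: and ::1 do not qualify */
            return EMBED_V4COMPAT;
    }
    return EMBED_NONE;                         /* native, mapped, or other */
}

/* 1: inner IPv6 source embeds exactly the tunnel source (tsrc).
 * 0: no embedded IPv4 address, or it differs from tsrc.
 * -1: one of the strings is not a valid address. */
int inner_src_matches_tsrc(const char *inner_src6, const char *tsrc4)
{
    struct in6_addr a6;
    struct in_addr tsrc, emb;

    if (inet_pton(AF_INET6, inner_src6, &a6) != 1 ||
        inet_pton(AF_INET, tsrc4, &tsrc) != 1)
        return -1;
    if (embedded_v4(&a6, &emb) == EMBED_NONE)
        return 0;
    return emb.s_addr == tsrc.s_addr;          /* both in network byte order */
}
```
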
o Network startup scripts look at /etc/hostname.ip.*,
/etc/hostname6.ip.*, /etc/hostname.ip6.* and
/etc/hostname6.ip6.* to find the available tunneling
interfaces.
o The same tunnel source address (tsrc) and destination
address (tdst) are used for all instances (luns) of a
specific interface.
o Tunnels do not support snooping. Instead, a filter
made up of the combination of addresses can be used
on the physical interface to capture relevant packets.
o If there is a tunnel set up between two multicast
routers, then multicast routing should be configured
to use the tunnel, rather than a special multicast
routing virtual interface.
APPLICATION PROGRAMMING INTERFACE
The tunnel module is architected to be plumbed between two
instances of IP.
IOCTLS
The following ioctl() calls may be used to configure a
tunneling interface. The ioctl()s are defined in
. This structure is defined in .
/* currently tunnels only support IPv4 or IPv6 */
enum ifta_proto {
    IFTAP_INVALID,
    IFTAP_IPV4,
    IFTAP_IPV6
};
#define IFTUN_SECINFOLEN 8
#define IFTUN_VERSION 1
/* tunnel configuration structure */
struct iftun_req {
    char ifta_lifr_name[LIFNAMSIZ];         /* if name */
    struct sockaddr_storage ifta_saddr;     /* source address */
    struct sockaddr_storage ifta_daddr;     /* destination address */
    uint_t ifta_flags;                      /* See below */
    /* IP version information is read only */
    enum ifta_proto ifta_upper;             /* IP version above tunnel */
    enum ifta_proto ifta_lower;             /* IP version below tunnel */
    uint_t ifta_vers;                       /* Version number */
    uint32_t ifta_secinfo[IFTUN_SECINFOLEN]; /* Security prefs. */
    int16_t ifta_encap_lim;                 /* Encapsulation limit */
    uint8_t ifta_hop_limit;                 /* Hop limit */
};
/* These flags are set to indicate which members are valid */
#define IFTUN_SRC      0x01
#define IFTUN_DST      0x02
#define IFTUN_SECURITY 0x04
#define IFTUN_ENCAP    0x08
#define IFTUN_HOPLIMIT 0x10
The ifta_vers field indicates what IPsec request structure
is overlaid on top of ifta_secinfo. The current value of
IFTUN_VERSION implies an overlay of ipsec_req_t. See
ipsec(7P).
SIOCSTUNPARAM Set tunnel parameters. This ioctl() allows
the tunnel's source or destination address
or hop limit or encapsulation limit to be
set. The IFTUN_SRC bit set in ifta_flags
indicates that the tunnel should be bound to
the source address supplied in ifta_saddr.
The source must be a valid configured
interface IP address. The IFTUN_DST bit set
in ifta_flags indicates that the tunnel
should be bound to the destination address
supplied in ifta_daddr. The destination
address must be reachable. The IFTUN_ENCAP
bit set in ifta_flags indicates that the
tunnel's encapsulation limit should be set
to the value supplied in ifta_encap_lim.
The encapsulation limit is valid only for
IPv4-in-IPv6 and IPv6-in-IPv6 tunnels.
Valid encapsulation limit values are 0
through 255. Negative values indicate that
no encapsulation limit is desired. The
IFTUN_HOPLIMIT bit set in ifta_flags
indicates that the tunnel's hop limit should
be set to the value supplied in
ifta_hop_limit. In the case of IPv4-in-IPv4
and IPv6-in-IPv4 tunnels, the hop
limit is placed in the IPv4 header's TTL
field. In the case of IPv4-in-IPv6 and
IPv6-in-IPv6 tunnels, the hop limit is
placed in the IPv6 header's hop limit
field.
SIOCGTUNPARAM Get tunnel parameters. Valid fields are
indicated by the returned value of the
ifta_flags bitmask. The version of IP
plumbed above or below the tunnel may be
determined by inspecting ifta_upper and
ifta_lower and comparing the members against
the mutually exclusive defined values
IFTAP_INVALID, IFTAP_IPV4, and IFTAP_IPV6.
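The get-then-set flow implied by the two ioctls, with the limit rules above enforced before the request is issued. This is an added example, not code from the tun module: tun_build_limits() is a hypothetical helper, the structure is a local copy of the listing above so the file builds without Solaris headers, and LIFNAMSIZ 32 is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Local copy of the page's listing so this builds off Solaris; LIFNAMSIZ 32
 * is an assumption. On Solaris take all of this from the system headers. */
#define LIFNAMSIZ 32
#define IFTUN_SECINFOLEN 8
enum ifta_proto { IFTAP_INVALID, IFTAP_IPV4, IFTAP_IPV6 };
struct iftun_req {
    char ifta_lifr_name[LIFNAMSIZ];
    struct sockaddr_storage ifta_saddr, ifta_daddr;
    unsigned int ifta_flags;
    enum ifta_proto ifta_upper, ifta_lower;
    unsigned int ifta_vers;
    uint32_t ifta_secinfo[IFTUN_SECINFOLEN];
    int16_t ifta_encap_lim;
    uint8_t ifta_hop_limit;
};
#define IFTUN_ENCAP    0x08
#define IFTUN_HOPLIMIT 0x10

/* Fill *set for SIOCSTUNPARAM from the state SIOCGTUNPARAM returned in *cur.
 * encap_lim < 0 requests "no encapsulation limit"; hop_limit < 0 leaves the
 * hop limit untouched. Returns 0 or an errno value; *set is written on 0 only. */
int tun_build_limits(const struct iftun_req *cur, int encap_lim, int hop_limit,
                     struct iftun_req *set)
{
    if (cur->ifta_lower == IFTAP_INVALID)
        return EINVAL;                     /* nothing plumbed below the tunnel */
    if (encap_lim > 255 || hop_limit > 255)
        return ERANGE;                     /* both limits are 0 through 255 */
    if (cur->ifta_lower != IFTAP_IPV6 && encap_lim >= 0)
        return ENOTSUP;                    /* limit exists for *-in-IPv6 only */
    memset(set, 0, sizeof(*set));
    memcpy(set->ifta_lifr_name, cur->ifta_lifr_name, LIFNAMSIZ);
    if (cur->ifta_lower == IFTAP_IPV6) {
        set->ifta_encap_lim = (int16_t)(encap_lim < 0 ? -1 : encap_lim);
        set->ifta_flags |= IFTUN_ENCAP;    /* mark ifta_encap_lim as valid */
    }
    if (hop_limit >= 0) {
        set->ifta_hop_limit = (uint8_t)hop_limit;
        set->ifta_flags |= IFTUN_HOPLIMIT; /* mark ifta_hop_limit as valid */
    }
    return 0;
}
```

Only the members whose valid bit is set in ifta_flags are meant to be acted on, so the source and destination addresses are left zeroed here and their bits stay clear.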
Tunnels and DLPI
The tunnel module is a DLPI style 2 service provider. All
M_PROTO and M_PCPROTO type messages are interpreted as
DLPI primitives. Valid DLPI primitives are defined in
. Refer to dlpi(7P) for more information. An
explicit DL_ATTACH_REQ message by the user is required to
associate the opened stream with a particular device (ppa).
The ppa indicates the corresponding device instance (unit)
number. The device is initialized on first attach and
deinitialized (stopped) on last detach.
The values returned by the module in the DL_INFO_ACK
primitive in response to the DL_INFO_REQ from the user are as
follows:
o The maximum SDU is usually 4196 ("ip_max_mtu -
size of IP header").
o The minimum SDU is 1.
o The dlsap address length is 0 for configured
tunnels and non-zero for automatic tunnels.
o The MAC type is DL_OTHER.
o The sap length value is 0.
o The service mode is DL_CLDLS.
o No optional quality of service (QOS) support is
included at present so the QOS fields are 0.
o The provider style is DL_STYLE2.
o The version is DL_VERSION_2.
o The broadcast address value is 0.
Once in the DL_ATTACHED state, the user must send a
DL_BIND_REQ to associate a particular SAP (Service Access
Pointer) with the stream. The tunneling module interprets
the sap field within the DL_BIND_REQ as an IP "type";
therefore, the valid value for the sap field is IP_DL_SAP.
Once in the DL_BOUND state, the user may transmit packets
through the tunnel by sending DL_UNITDATA_REQ messages to
the tunnel module. Configured tunnels will encapsulate the
packet with the appropriate IP header using the source and
destination specified by tsrc and tdst parameters of
ifconfig(1M). The tunnel module will decapsulate received
packets and route them to the first open and bound stream
having a sap, tsrc and tdst which match the configured
information. Packets are routed to exactly one open
stream and not duplicated.
The module does not support additional primitives.
DL_ERROR_ACK with the dl_errno set to DL_UNSUPPORTED will be
returned in the case that an unsupported DLPI primitive is
encountered.
SECURITY
A tunnel creates what appears to be a physical interface to
IP. It can be "trusted" as a physical link only so far as
the underlying security protocols, if used, can be trusted.
If the security associations (see ipsec(7P)) are securely set
up, then the tunnel can be trusted in that packets that come
off the tunnel came from the peer specified in the tunnel
destination. If this trust exists, per-interface IP
forwarding can be used to create a Virtual Private Network
("VPN"). See ip(7P).
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE        ATTRIBUTE VALUE
Availability          SUNWcsr
Interface Stability   Evolving
SEE ALSO
ifconfig(1M), attributes(5), ip(7P), ipsec(7P)
System Administration Guide: IP Services
Gilligan, R. and Nordmark, E., RFC 1933, Transition
Mechanisms for IPv6 Hosts and Routers, The Internet Society, 1996.
Conta, A. and Deering, S., RFC 2473, Generic Packet
Tunneling in IPv6 Specification, The Internet Society, 1998.
Carpenter, B. and Moore, K., RFC 3056, Connection of IPv6
Domains via IPv4 Clouds, The Internet Society, 2001.
SunOS 5.11 Last change: 19 Aug 2004 6