Fix grammar 'the administrator'
PR: 39093 Submitted by: Mike Makonnen <makonnen@packbell.net>
parent 72d78aeaeb
commit f7560bd3a7
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=100108
@ -64,44 +64,46 @@ variable in
|
|||||||
.Pp
|
.Pp
|
||||||
To use
|
To use
|
||||||
.Nm ,
|
.Nm ,
|
||||||
administrator needs to configure protocol and addresses used for the outer
|
the administrator needs to configure the protocol and addresses used for the outer
|
||||||
header.
|
header.
|
||||||
This can be done by using
|
This can be done by using
|
||||||
.Xr gifconfig 8 ,
|
.Xr gifconfig 8 ,
|
||||||
or
|
or
|
||||||
.Dv SIOCSIFPHYADDR
|
.Dv SIOCSIFPHYADDR
|
||||||
ioctl.
|
ioctl.
|
||||||
Also, administrator needs to configure protocol and addresses used for the
|
The administrator also needs to configure the protocol and addresses for the
|
||||||
inner header, by using
|
inner header, with
|
||||||
.Xr ifconfig 8 .
|
.Xr ifconfig 8 .
|
||||||
Note that IPv6 link-local address
|
Note that IPv6 link-local addresses
|
||||||
(those start with
|
(those that start with
|
||||||
.Li fe80:: )
|
.Li fe80:: )
|
||||||
will be automatically configured whenever possible.
|
will be automatically be configured whenever possible.
|
||||||
You may need to remove IPv6 link-local address manually using
|
You may need to remove IPv6 link-local addresses manually using
|
||||||
.Xr ifconfig 8 ,
|
.Xr ifconfig 8 ,
|
||||||
when you would like to disable the use of IPv6 as inner header
|
if you want to disable the use of IPv6 as the inner header
|
||||||
(like when you need pure IPv4-over-IPv6 tunnel).
|
(for example, if you need a pure IPv4-over-IPv6 tunnel).
|
||||||
Finally, use routing table to route the packets toward
|
Finally, you must modify the routing table to route the packets through the
|
||||||
.Nm
|
.Nm
|
||||||
interface.
|
interface.
|
||||||
.Pp
|
.Pp
|
||||||
|
The
|
||||||
.Nm
|
.Nm
|
||||||
can be configured to be ECN friendly.
|
pseudo-device can be configured to be ECN friendly.
|
||||||
This can be configured by
|
This can be configured by
|
||||||
.Dv IFF_LINK1 .
|
.Dv IFF_LINK1 .
|
||||||
.Ss ECN friendly behavior
|
.Ss ECN friendly behavior
|
||||||
|
The
|
||||||
.Nm
|
.Nm
|
||||||
can be configured to be ECN friendly, as described in
|
pseudo-device can be configured to be ECN friendly, as described in
|
||||||
.Dv draft-ietf-ipsec-ecn-02.txt .
|
.Dv draft-ietf-ipsec-ecn-02.txt .
|
||||||
This is turned off by default, and can be turned on by
|
This is turned off by default, and can be turned on by the
|
||||||
.Dv IFF_LINK1
|
.Dv IFF_LINK1
|
||||||
interface flag.
|
interface flag.
|
||||||
.Pp
|
.Pp
|
||||||
Without
|
Without
|
||||||
.Dv IFF_LINK1 ,
|
.Dv IFF_LINK1 ,
|
||||||
.Nm
|
.Nm
|
||||||
will show a normal behavior, like described in RFC2893.
|
will show normal behavior, as described in RFC2893.
|
||||||
This can be summarized as follows:
|
This can be summarized as follows:
|
||||||
.Bl -tag -width "Ingress" -offset indent
|
.Bl -tag -width "Ingress" -offset indent
|
||||||
.It Ingress
|
.It Ingress
|
||||||
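Review bot: The replacement line "will be automatically be configured whenever possible." has a doubled "be", so the grammar fix introduces a new error; it should read "will automatically be configured whenever possible." Separately, the paragraph kept just above ".Ss ECN friendly behavior" ("The .Nm pseudo-device can be configured to be ECN friendly. This can be configured by .Dv IFF_LINK1 .") says the same thing as the first sentences of the subsection that follows, so consider deleting it instead of rewording it.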
@ -139,15 +141,15 @@ enable ECN CE bit on the inner.
|
|||||||
Note that the ECN friendly behavior violates RFC2893.
|
Note that the ECN friendly behavior violates RFC2893.
|
||||||
This should be used in mutual agreement with the peer.
|
This should be used in mutual agreement with the peer.
|
||||||
.Ss Security
|
.Ss Security
|
||||||
Malicious party may try to circumvent security filters by using
|
A malicious party may try to circumvent security filters by using
|
||||||
tunnelled packets.
|
tunnelled packets.
|
||||||
For better protection,
|
For better protection,
|
||||||
.Nm
|
.Nm
|
||||||
performs martian filter and ingress filter against outer source address,
|
performs both martian and ingress filtering against the outer source address
|
||||||
on egress.
|
on egress.
|
||||||
Note that martian/ingress filters are no way complete.
|
Note that martian/ingress filters are in no way complete.
|
||||||
You may want to secure your node by using packet filters.
|
You may want to secure your node by using packet filters.
|
||||||
Ingress filter can be turned off by
|
Ingress filtering can be turned off by
|
||||||
.Dv IFF_LINK2
|
.Dv IFF_LINK2
|
||||||
bit.
|
bit.
|
||||||
.\"
|
.\"
|
||||||
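Review bot: In the Security subsection, "Ingress filtering can be turned off by" is still missing its article before ".Dv IFF_LINK2" / "bit."; the first hunk changed the matching ECN sentence to "can be turned on by the", so this one should read "can be turned off by the" and preferably say "interface flag" rather than "bit" for consistency. Since this paragraph already warns that the martian/ingress filters are in no way complete, it would also help to state that setting IFF_LINK2 removes the ingress check on the outer source address, so readers know packet filters are then the remaining control.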
@ -192,13 +194,13 @@ to 1.
|
|||||||
.Sh HISTORY
|
.Sh HISTORY
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
device first appeared in WIDE hydrangea IPv6 kit.
|
device first appeared in the WIDE hydrangea IPv6 kit.
|
||||||
.\"
|
.\"
|
||||||
.Sh BUGS
|
.Sh BUGS
|
||||||
There are many tunnelling protocol specifications,
|
There are many tunnelling protocol specifications, all
|
||||||
defined differently from each other.
|
defined differently from each other. The
|
||||||
.Nm
|
.Nm
|
||||||
may not interoperate with peers which are based on different specifications,
|
pseudo-device may not interoperate with peers which are based on different specifications,
|
||||||
and are picky about outer header fields.
|
and are picky about outer header fields.
|
||||||
For example, you cannot usually use
|
For example, you cannot usually use
|
||||||
.Nm
|
.Nm
|
||||||
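Review bot: In BUGS, the new line "defined differently from each other. The" starts a sentence in the middle of a source line, while every other sentence in the visible text begins on its own line; put "The" on a line of its own before ".Nm". The following line, "pseudo-device may not interoperate with peers which are based on different specifications," also runs well past 80 columns and should be wrapped after "peers" or "based on".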
@ -206,31 +208,32 @@ to talk with IPsec devices that use IPsec tunnel mode.
|
|||||||
.Pp
|
.Pp
|
||||||
The current code does not check if the ingress address
|
The current code does not check if the ingress address
|
||||||
(outer source address)
|
(outer source address)
|
||||||
configured to
|
configured in the
|
||||||
.Nm
|
.Nm
|
||||||
makes sense.
|
interface makes sense.
|
||||||
Make sure to configure an address which belongs to your node.
|
Make sure to specify an address which belongs to your node.
|
||||||
Otherwise, your node will not be able to receive packets from the peer,
|
Otherwise, your node will not be able to receive packets from the peer,
|
||||||
and your node will generate packets with a spoofed source address.
|
and it will generate packets with a spoofed source address.
|
||||||
.Pp
|
.Pp
|
||||||
If the outer protocol is IPv4,
|
If the outer protocol is IPv4,
|
||||||
.Nm
|
.Nm
|
||||||
does not try to perform path MTU discovery for the encapsulated packet
|
does not try to perform path MTU discovery for the encapsulated packet
|
||||||
(DF bit is set to 0).
|
(DF bit is set to 0).
|
||||||
.Pp
|
.Pp
|
||||||
If the outer protocol is IPv6, path MTU discovery for encapsulated packet
|
If the outer protocol is IPv6, path MTU discovery for encapsulated packets
|
||||||
may affect communication over the interface.
|
may affect communication over the interface.
|
||||||
The first bigger-than-pmtu packet may be lost.
|
The first bigger-than-pmtu packet may be lost.
|
||||||
To avoid the problem, you may want to set the interface MTU for
|
To avoid the problem, you may want to set the interface MTU for
|
||||||
.Nm
|
.Nm
|
||||||
to 1240 or smaller, when outer header is IPv6 and inner header is IPv4.
|
to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4.
|
||||||
.Pp
|
.Pp
|
||||||
|
The
|
||||||
.Nm
|
.Nm
|
||||||
does not translate ICMP messages for outer header into inner header.
|
pseudo-device does not translate ICMP messages for the outer header into the inner header.
|
||||||
.Pp
|
.Pp
|
||||||
In the past,
|
In the past,
|
||||||
.Nm
|
.Nm
|
||||||
had a multi-destination behavior, configurable via
|
had a multi-destination behavior, configurable via
|
||||||
.Dv IFF_LINK0
|
.Dv IFF_LINK0
|
||||||
flag.
|
flag.
|
||||||
The behavior was obsoleted and is no longer supported.
|
The behavior is obsolete and is no longer supported.
|
||||||
|
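Review bot: In the ingress-address paragraph, changing "and your node will generate packets with a spoofed source address." to "and it will generate ..." makes the pronoun ambiguous, because the nearest noun is now "the peer" on the previous line; keep "your node" so it stays clear which host emits the spoofed packets. The new line "pseudo-device does not translate ICMP messages for the outer header into the inner header." is also well over 80 columns and should be split across two source lines.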