freebsd-nq/share/man/man4/inet6.4
Hajimu UMEMOTO 3384154590 Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different
    from RFC2407/IANA assignment because of binary compatibility
    issue.  It should be fixed under 5-CURRENT.
  - ip6po_m member of struct ip6_pktopts is no longer used.  But, it
    is still there because of binary compatibility issue.  It should
    be removed under 5-CURRENT.

Reviewed by:	itojun
Obtained from:	KAME
MFC after:	3 weeks
2001-06-11 12:39:29 +00:00

539 lines
15 KiB
Groff

.\" $FreeBSD$
.\" $KAME: inet6.4,v 1.21 2001/04/05 01:00:18 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd January 29, 1999
.Dt INET6 4
.Os
.Sh NAME
.Nm inet6
.Nd Internet protocol version 6 family
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <netinet/in.h>
.Sh DESCRIPTION
The
.Nm
family is an updated version of
.Xr inet 4
family.
While
.Xr inet 4
implements Internet Protocol version 4,
.Nm
implements Internet Protocol version 6.
.Pp
.Nm
is a collection of protocols layered atop the
.Em Internet Protocol version 6
.Pq Tn IPv6
transport layer, and utilizing the IPv6 address format.
The
.Nm
family provides protocol support for the
.Dv SOCK_STREAM , SOCK_DGRAM ,
and
.Dv SOCK_RAW
socket types; the
.Dv SOCK_RAW
interface provides access to the
.Tn IPv6
protocol.
.Sh ADDRESSING
IPv6 addresses are 16 byte quantities, stored in network standard byteorder.
The include file
.Aq Pa netinet/in.h
defines this address
as a discriminated union.
.Pp
Sockets bound to the
.Nm
family utilize the following addressing structure:
.Bd -literal -offset indent
struct sockaddr_in6 {
u_int8_t sin6_len;
u_int8_t sin6_family;
u_int16_t sin6_port;
u_int32_t sin6_flowinfo;
struct in6_addr sin6_addr;
u_int32_t sin6_scope_id;
};
.Ed
.Pp
Sockets may be created with the local address
.Dq Dv ::
.Po
which is equal to IPv6 address
.Dv 0:0:0:0:0:0:0:0
.Pc
to effect
.Dq wildcard
matching on incoming messages.
.Pp
The IPv6 specification defines scoped addresses,
like link-local or site-local addresses.
A scoped address is ambiguous to the kernel,
if it is specified without a scope identifier.
To manipulate scoped addresses properly from the userland,
programs must use the advanced API defined in RFC2292.
A compact description of the advanced API is available in
.Xr ip6 4 .
If a scoped address is specified without an explicit scope,
the kernel may raise an error.
Note that scoped addresses are not for daily use at this moment,
both from a specification and an implementation point of view.
.Pp
The KAME implementation supports an extended numeric IPv6 address notation
for link-local addresses,
like
.Dq Li fe80::1%de0
to specify
.Do
.Li fe80::1
on
.Li de0
interface
.Dc .
This notation is supported by
.Xr getaddrinfo 3
and
.Xr getnameinfo 3 .
Some of normal userland programs, such as
.Xr telnet 1
or
.Xr ftp 1 ,
are able to use this notation.
With special programs
like
.Xr ping6 8 ,
you can specify the outgoing interface by an extra command line option
to disambiguate scoped addresses.
.Pp
Scoped addresses are handled specially in the kernel.
In kernel structures like routing tables or interface structures,
a scoped address will have its interface index embedded into the address.
Therefore,
the address in some kernel structures is not the same as that on the wire.
The embedded index will become visible through a
.Dv PF_ROUTE
socket, kernel memory accesses via
.Xr kvm 3
and on some other occasions.
HOWEVER, users should never use the embedded form.
For details please consult
.Pa IMPLEMENTATION
supplied with KAME kit.
.Sh PROTOCOLS
The
.Nm
family is comprised of the
.Tn IPv6
network protocol, Internet Control
Message Protocol version 6
.Pq Tn ICMPv6 ,
Transmission Control Protocol
.Pq Tn TCP ,
and User Datagram Protocol
.Pq Tn UDP .
.Tn TCP
is used to support the
.Dv SOCK_STREAM
abstraction while
.Tn UDP
is used to support the
.Dv SOCK_DGRAM
abstraction.
Note that
.Tn TCP
and
.Tn UDP
are common to
.Xr inet 4
and
.Nm .
A raw interface to
.Tn IPv6
is available
by creating an Internet socket of type
.Dv SOCK_RAW .
The
.Tn ICMPv6
message protocol is accessible from a raw socket.
.\" .Pp
.\" The 128-bit IPv6 address contains both network and host parts.
.\" However, direct examination of addresses is discouraged.
.\" For those programs which absolutely need to break addresses
.\" into their component parts, the following
.\" .Xr ioctl 2
.\" commands are provided for a datagram socket in the
.\" .Nm
.\" domain; they have the same form as the
.\" .Dv SIOCIFADDR
.\" command (see
.\" .Xr intro 4 ) .
.\" .Pp
.\" .Bl -tag -width SIOCSIFNETMASK
.\" .It Dv SIOCSIFNETMASK
.\" Set interface network mask.
.\" The network mask defines the network part of the address;
.\" if it contains more of the address than the address type would indicate,
.\" then subnets are in use.
.\" .It Dv SIOCGIFNETMASK
.\" Get interface network mask.
.\" .El
.\" .Sh ROUTING
.\" The current implementation of Internet protocols includes some routing-table
.\" adaptations to provide enhanced caching of certain end-to-end
.\" information necessary for Transaction TCP and Path MTU Discovery. The
.\" following changes are the most significant:
.\" .Bl -enum
.\" .It
.\" All IP routes, except those with the
.\" .Dv RTF_CLONING
.\" flag and those to multicast destinations, have the
.\" .Dv RTF_PRCLONING
.\" flag forcibly enabled (they are thus said to be
.\" .Dq "protocol cloning" ).
.\" .It
.\" When the last reference to an IP route is dropped, the route is
.\" examined to determine if it was created by cloning such a route. If
.\" this is the case, the
.\" .Dv RTF_PROTO3
.\" flag is turned on, and the expiration timer is initialized to go off
.\" in net.inet.ip.rtexpire seconds. If such a route is re-referenced,
.\" the flag and expiration timer are reset.
.\" .It
.\" A kernel timeout runs once every ten minutes, or sooner if there are
.\" soon-to-expire routes in the kernel routing table, and deletes the
.\" expired routes.
.\" .El
.\" .Pp
.\" A dynamic process is in place to modify the value of
.\" net.inet.ip.rtexpire if the number of cached routes grows too large.
.\" If after an expiration run there are still more than
.\" net.inet.ip.rtmaxcache unreferenced routes remaining, the rtexpire
.\" value is multiplied by 3/4, and any routes which have longer
.\" expiration times have those times adjusted. This process is damped
.\" somewhat by specification of a minimum rtexpire value
.\" (net.inet.ip.rtminexpire), and by restricting the reduction to once in
.\" a ten-minute period.
.\" .Pp
.\" If some external process deletes the original route from which a
.\" protocol-cloned route was generated, the ``child route'' is deleted.
.\" (This is actually a generic mechanism in the routing code support for
.\" protocol-requested cloning.)
.\" .Pp
.\" No attempt is made to manage routes which were not created by protocol
.\" cloning; these are assumed to be static, under the management of an
.\" external routing process, or under the management of a link layer
.\" (e.g.,
.\" .Tn ARP
.\" for Ethernets).
.\" .Pp
.\" Only certain types of network activity will result in the cloning of a
.\" route using this mechanism. Specifically, those protocols (such as
.\" .Tn TCP
.\" and
.\" .Tn UDP )
.\" which themselves cache a long-lasting reference to route for a destination
.\" will trigger the mechanism; whereas raw
.\" .Tn IP
.\" packets, whether locally-generated or forwarded, will not.
.Ss MIB Variables
A number of variables are implemented in the net.inet6 branch of the
.Xr sysctl 3
MIB.
In addition to the variables supported by the transport protocols
(for which the respective manual pages may be consulted),
the following general variables are defined:
.Bl -tag -width IPV6CTL_MAXFRAGPACKETS
.It Dv IPV6CTL_FORWARDING
.Pq ip6.forwarding
Boolean: enable/disable forwarding of
.Tn IPv6
packets.
Also, identify if the node is acting as a router.
Defaults to off.
.It Dv IPV6CTL_SENDREDIRECTS
.Pq ip6.redirect
Boolean: enable/disable sending of
.Tn ICMPv6
redirects in response to unforwardable
.Tn IPv6
packets.
This option is ignored unless the node is routing
.Tn IPv6
packets,
and should normally be enabled on all systems.
Defaults to on.
.It Dv IPV6CTL_DEFHLIM
.Pq ip6.hlim
Integer: default hop limit value to use for outgoing
.Tn IPv6
packets.
This value applies to all the transport protocols on top of
.Tn IPv6 .
There are APIs to override the value.
.It Dv IPV6CTL_MAXFRAGPACKETS
.Pq ip6.maxfragpackets
Integer: default maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Dv IPV6CTL_ACCEPT_RTADV
.Pq ip6.accept_rtadv
Boolean: enable/disable receiving of
.Tn ICMPv6
router advertisement packets,
and autoconfiguration of address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
Defaults to off.
.It Dv IPV6CTL_KEEPFAITH
.Pq ip6.keepfaith
Boolean: enable/disable
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer
.Xr faith 4
and
.Xr faithd 8
for detail.
Defaults to off.
.It Dv IPV6CTL_LOG_INTERVAL
.Pq ip6.log_interval
Integer: default interval between
.Tn IPv6
packet forwarding engine log output
.Pq in seconds .
.It Dv IPV6CTL_HDRNESTLIMIT
.Pq ip6.hdrnestlimit
Integer: default number of the maximum
.Tn IPv6
extension headers
permitted on incoming
.Tn IPv6
packets.
If set to 0, the node will accept as many extension headers as possible.
.It Dv IPV6CTL_DAD_COUNT
.Pq ip6.dad_count
Integer: default number of
.Tn IPv6
DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when
.Tn IPv6
interface addresses are configured.
.It Dv IPV6CTL_AUTO_FLOWLABEL
.Pq ip6.auto_flowlabel
Boolean: enable/disable automatic filling of
.Tn IPv6
flowlabel field, for outstanding connected transport protocol packets.
The field might be used by intermediate routers to identify packet flows.
Defaults to on.
.It Dv IPV6CTL_DEFMCASTHLIM
.Pq ip6.defmcasthlim
Integer: default hop limit value for an
.Tn IPv6
multicast packet sourced by the node.
This value applies to all the transport protocols on top of
.Tn IPv6 .
There are APIs to override the value as documented in
.Xr ip6 4 .
.It Dv IPV6CTL_GIF_HLIM
.Pq ip6.gifhlim
Integer: default maximum hop limit value for an
.Tn IPv6
packet generated by
.Xr gif 4
tunnel interface.
.It Dv IPV6CTL_KAME_VERSION
.Pq ip6.kame_version
String: identifies the version of KAME
.Tn IPv6
stack implemented in the kernel.
.It Dv IPV6CTL_USE_DEPRECATED
.Pq ip6.use_deprecated
Boolean: enable/disable use of deprecated address,
specified in RFC2462 5.5.4.
Defaults to on.
.It Dv IPV6CTL_RR_PRUNE
.Pq ip6.rr_prune
Integer: default interval between
.Tn IPv6
router renumbering prefix babysitting, in seconds.
.It Dv IPV6CTL_MAPPED_ADDR
.Pq ip6.mapped_addr
Boolean: enable/disable use of
.Tn IPv4
mapped address on
.Dv AF_INET6
sockets.
Defaults to on.
.It Dv IPV6CTL_RTEXPIRE
.Pq ip6.rtexpire
Integer: lifetime in seconds of protocol-cloned
.Tn IP
routes after the last reference drops (default one hour).
.\"This value varies dynamically as described above.
.It Dv IPV6CTL_RTMINEXPIRE
.Pq ip6.rtminexpire
Integer: minimum value of ip.rtexpire (default ten seconds).
.\"This value has no effect on user modifications, but restricts the dynamic
.\"adaptation described above.
.It Dv IPV6CTL_RTMAXCACHE
.Pq ip6.rtmaxcache
Integer: trigger level of cached, unreferenced, protocol-cloned routes
which initiates dynamic adaptation (default 128).
.El
.Ss Interaction between IPv4/v6 sockets
The behavior of
.Dv AF_INET6
TCP/UDP socket is documented in RFC2553.
Basically, it says this:
.Bl -bullet -compact
.It
A specific bind on an
.Dv AF_INET6
socket
.Po
.Xr bind 2
with an address specified
.Pc
should accept IPv6 traffic to that address only.
.It
If you perform a wildcard bind
on an
.Dv AF_INET6
socket
.Po
.Xr bind 2
to IPv6 address
.Li ::
.Pc ,
and there is no wildcard bind
.Dv AF_INET
socket on that TCP/UDP port, IPv6 traffic as well as IPv4 traffic
should be routed to that
.Dv AF_INET6
socket.
IPv4 traffic should be seen as if it came from an IPv6 address like
.Li ::ffff:10.1.1.1 .
This is called an IPv4 mapped address.
.It
If there are both a wildcard bind
.Dv AF_INET
socket and a wildcard bind
.Dv AF_INET6
socket on one TCP/UDP port, they should behave separately.
IPv4 traffic should be routed to the
.Dv AF_INET
socket and IPv6 should be routed to the
.Dv AF_INET6
socket.
.El
.Pp
However, RFC2553 does not define the ordering constraint between calls to
.Xr bind 2 ,
nor how IPv4 TCP/UDP port numbers and IPv6 TCP/UDP port numbers
relate to each other
.Po
should they be integrated or separated
.Pc .
Implemented behavior is very different from kernel to kernel.
Therefore, it is unwise to rely too much upon the behavior of
.Dv AF_INET6
wildcard bind sockets.
It is recommended to listen to two sockets, one for
.Dv AF_INET
and another for
.Dv AF_INET6 ,
when you would like to accept both IPv4 and IPv6 traffic.
.Pp
It should also be noted that
malicious parties can take advantage of the complexity presented above,
and are able to bypass access control,
if the target node routes IPv4 traffic to
.Dv AF_INET6
socket.
Users are advised to take care handling connections
from IPv4 mapped address to
.Dv AF_INET6
sockets.
.\".Pp
.\"Because of the above, by default,
.\"KAME/NetBSD and KAME/OpenBSD
.\"does not route IPv4 traffic to
.\".Dv AF_INET6
.\"sockets.
.\"Listen to two sockets if you want to accept both IPv4 and IPv6 traffic.
.\"On KAME/NetBSD, IPv4 traffic may be routed with certain
.\"per-socket/per-node configuration, however, it is not recommended.
.\"Consult
.\".Xr ip6 4
.\"for details.
.Sh SEE ALSO
.Xr ioctl 2 ,
.Xr socket 2 ,
.Xr sysctl 3 ,
.Xr icmp6 4 ,
.Xr intro 4 ,
.Xr ip6 4 ,
.Xr tcp 4 ,
.Xr ttcp 4 ,
.Xr udp 4
.Sh STANDARDS
.Rs
.%A Tatsuya Jinmei
.%A Atsushi Onoe
.%T "An Extension of Format for IPv6 Scoped Addresses"
.%R internet draft
.%D June 2000
.%N draft-ietf-ipngwg-scopedaddr-format-02.txt
.%O work in progress material
.Re
.Sh HISTORY
The
.Nm
protocol interfaces are defined in RFC2553 and RFC2292.
The implementation described herein appeared in the WIDE/KAME project.
.Sh BUGS
The IPv6 support is subject to change as the Internet protocols develop.
Users should not depend on details of the current implementation,
but rather the services exported.
.Pp
Users are suggested to implement
.Dq version independent
code as much as possible, as you will need to support both
.Xr inet 4
and
.Nm .