3384154590
This work was based on kame-20010528-freebsd43-snap.tgz and some critical problem after the snap was out were fixed. There are many many changes since last KAME merge. TODO: - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of binary compatibility issue. It should be fixed under 5-CURRENT. - ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of binary compatibility issue. It should be removed under 5-CURRENT. Reviewed by: itojun Obtained from: KAME MFC after: 3 weeks
539 lines
15 KiB
Groff
539 lines
15 KiB
Groff
.\" $FreeBSD$
|
|
.\" $KAME: inet6.4,v 1.21 2001/04/05 01:00:18 itojun Exp $
|
|
.\"
|
|
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd January 29, 1999
|
|
.Dt INET6 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm inet6
|
|
.Nd Internet protocol version 6 family
|
|
.Sh SYNOPSIS
|
|
.Fd #include <sys/types.h>
|
|
.Fd #include <netinet/in.h>
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
family is an updated version of
|
|
.Xr inet 4
|
|
family.
|
|
While
|
|
.Xr inet 4
|
|
implements Internet Protocol version 4,
|
|
.Nm
|
|
implements Internet Protocol version 6.
|
|
.Pp
|
|
.Nm
|
|
is a collection of protocols layered atop the
|
|
.Em Internet Protocol version 6
|
|
.Pq Tn IPv6
|
|
transport layer, and utilizing the IPv6 address format.
|
|
The
|
|
.Nm
|
|
family provides protocol support for the
|
|
.Dv SOCK_STREAM , SOCK_DGRAM ,
|
|
and
|
|
.Dv SOCK_RAW
|
|
socket types; the
|
|
.Dv SOCK_RAW
|
|
interface provides access to the
|
|
.Tn IPv6
|
|
protocol.
|
|
.Sh ADDRESSING
|
|
IPv6 addresses are 16 byte quantities, stored in network standard byteorder.
|
|
The include file
|
|
.Aq Pa netinet/in.h
|
|
defines this address
|
|
as a discriminated union.
|
|
.Pp
|
|
Sockets bound to the
|
|
.Nm
|
|
family utilize the following addressing structure:
|
|
.Bd -literal -offset indent
|
|
struct sockaddr_in6 {
|
|
u_int8_t sin6_len;
|
|
u_int8_t sin6_family;
|
|
u_int16_t sin6_port;
|
|
u_int32_t sin6_flowinfo;
|
|
struct in6_addr sin6_addr;
|
|
u_int32_t sin6_scope_id;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Sockets may be created with the local address
|
|
.Dq Dv ::
|
|
.Po
|
|
which is equal to IPv6 address
|
|
.Dv 0:0:0:0:0:0:0:0
|
|
.Pc
|
|
to effect
|
|
.Dq wildcard
|
|
matching on incoming messages.
|
|
.Pp
|
|
The IPv6 specification defines scoped addresses,
|
|
like link-local or site-local addresses.
|
|
A scoped address is ambiguous to the kernel,
|
|
if it is specified without a scope identifier.
|
|
To manipulate scoped addresses properly from the userland,
|
|
programs must use the advanced API defined in RFC2292.
|
|
A compact description of the advanced API is available in
|
|
.Xr ip6 4 .
|
|
If a scoped address is specified without an explicit scope,
|
|
the kernel may raise an error.
|
|
Note that scoped addresses are not for daily use at this moment,
|
|
both from a specification and an implementation point of view.
|
|
.Pp
|
|
The KAME implementation supports an extended numeric IPv6 address notation
|
|
for link-local addresses,
|
|
like
|
|
.Dq Li fe80::1%de0
|
|
to specify
|
|
.Do
|
|
.Li fe80::1
|
|
on
|
|
.Li de0
|
|
interface
|
|
.Dc .
|
|
This notation is supported by
|
|
.Xr getaddrinfo 3
|
|
and
|
|
.Xr getnameinfo 3 .
|
|
Some of normal userland programs, such as
|
|
.Xr telnet 1
|
|
or
|
|
.Xr ftp 1 ,
|
|
are able to use this notation.
|
|
With special programs
|
|
like
|
|
.Xr ping6 8 ,
|
|
you can specify the outgoing interface by an extra command line option
|
|
to disambiguate scoped addresses.
|
|
.Pp
|
|
Scoped addresses are handled specially in the kernel.
|
|
In kernel structures like routing tables or interface structures,
|
|
a scoped address will have its interface index embedded into the address.
|
|
Therefore,
|
|
the address in some kernel structures is not the same as that on the wire.
|
|
The embedded index will become visible through a
|
|
.Dv PF_ROUTE
|
|
socket, kernel memory accesses via
|
|
.Xr kvm 3
|
|
and on some other occasions.
|
|
HOWEVER, users should never use the embedded form.
|
|
For details please consult
|
|
.Pa IMPLEMENTATION
|
|
supplied with KAME kit.
|
|
.Sh PROTOCOLS
|
|
The
|
|
.Nm
|
|
family is comprised of the
|
|
.Tn IPv6
|
|
network protocol, Internet Control
|
|
Message Protocol version 6
|
|
.Pq Tn ICMPv6 ,
|
|
Transmission Control Protocol
|
|
.Pq Tn TCP ,
|
|
and User Datagram Protocol
|
|
.Pq Tn UDP .
|
|
.Tn TCP
|
|
is used to support the
|
|
.Dv SOCK_STREAM
|
|
abstraction while
|
|
.Tn UDP
|
|
is used to support the
|
|
.Dv SOCK_DGRAM
|
|
abstraction.
|
|
Note that
|
|
.Tn TCP
|
|
and
|
|
.Tn UDP
|
|
are common to
|
|
.Xr inet 4
|
|
and
|
|
.Nm .
|
|
A raw interface to
|
|
.Tn IPv6
|
|
is available
|
|
by creating an Internet socket of type
|
|
.Dv SOCK_RAW .
|
|
The
|
|
.Tn ICMPv6
|
|
message protocol is accessible from a raw socket.
|
|
.\" .Pp
|
|
.\" The 128-bit IPv6 address contains both network and host parts.
|
|
.\" However, direct examination of addresses is discouraged.
|
|
.\" For those programs which absolutely need to break addresses
|
|
.\" into their component parts, the following
|
|
.\" .Xr ioctl 2
|
|
.\" commands are provided for a datagram socket in the
|
|
.\" .Nm
|
|
.\" domain; they have the same form as the
|
|
.\" .Dv SIOCIFADDR
|
|
.\" command (see
|
|
.\" .Xr intro 4 ) .
|
|
.\" .Pp
|
|
.\" .Bl -tag -width SIOCSIFNETMASK
|
|
.\" .It Dv SIOCSIFNETMASK
|
|
.\" Set interface network mask.
|
|
.\" The network mask defines the network part of the address;
|
|
.\" if it contains more of the address than the address type would indicate,
|
|
.\" then subnets are in use.
|
|
.\" .It Dv SIOCGIFNETMASK
|
|
.\" Get interface network mask.
|
|
.\" .El
|
|
.\" .Sh ROUTING
|
|
.\" The current implementation of Internet protocols includes some routing-table
|
|
.\" adaptations to provide enhanced caching of certain end-to-end
|
|
.\" information necessary for Transaction TCP and Path MTU Discovery. The
|
|
.\" following changes are the most significant:
|
|
.\" .Bl -enum
|
|
.\" .It
|
|
.\" All IP routes, except those with the
|
|
.\" .Dv RTF_CLONING
|
|
.\" flag and those to multicast destinations, have the
|
|
.\" .Dv RTF_PRCLONING
|
|
.\" flag forcibly enabled (they are thus said to be
|
|
.\" .Dq "protocol cloning" ).
|
|
.\" .It
|
|
.\" When the last reference to an IP route is dropped, the route is
|
|
.\" examined to determine if it was created by cloning such a route. If
|
|
.\" this is the case, the
|
|
.\" .Dv RTF_PROTO3
|
|
.\" flag is turned on, and the expiration timer is initialized to go off
|
|
.\" in net.inet.ip.rtexpire seconds. If such a route is re-referenced,
|
|
.\" the flag and expiration timer are reset.
|
|
.\" .It
|
|
.\" A kernel timeout runs once every ten minutes, or sooner if there are
|
|
.\" soon-to-expire routes in the kernel routing table, and deletes the
|
|
.\" expired routes.
|
|
.\" .El
|
|
.\" .Pp
|
|
.\" A dynamic process is in place to modify the value of
|
|
.\" net.inet.ip.rtexpire if the number of cached routes grows too large.
|
|
.\" If after an expiration run there are still more than
|
|
.\" net.inet.ip.rtmaxcache unreferenced routes remaining, the rtexpire
|
|
.\" value is multiplied by 3/4, and any routes which have longer
|
|
.\" expiration times have those times adjusted. This process is damped
|
|
.\" somewhat by specification of a minimum rtexpire value
|
|
.\" (net.inet.ip.rtminexpire), and by restricting the reduction to once in
|
|
.\" a ten-minute period.
|
|
.\" .Pp
|
|
.\" If some external process deletes the original route from which a
|
|
.\" protocol-cloned route was generated, the ``child route'' is deleted.
|
|
.\" (This is actually a generic mechanism in the routing code support for
|
|
.\" protocol-requested cloning.)
|
|
.\" .Pp
|
|
.\" No attempt is made to manage routes which were not created by protocol
|
|
.\" cloning; these are assumed to be static, under the management of an
|
|
.\" external routing process, or under the management of a link layer
|
|
.\" (e.g.,
|
|
.\" .Tn ARP
|
|
.\" for Ethernets).
|
|
.\" .Pp
|
|
.\" Only certain types of network activity will result in the cloning of a
|
|
.\" route using this mechanism. Specifically, those protocols (such as
|
|
.\" .Tn TCP
|
|
.\" and
|
|
.\" .Tn UDP )
|
|
.\" which themselves cache a long-lasting reference to route for a destination
|
|
.\" will trigger the mechanism; whereas raw
|
|
.\" .Tn IP
|
|
.\" packets, whether locally-generated or forwarded, will not.
|
|
.Ss MIB Variables
|
|
A number of variables are implemented in the net.inet6 branch of the
|
|
.Xr sysctl 3
|
|
MIB.
|
|
In addition to the variables supported by the transport protocols
|
|
(for which the respective manual pages may be consulted),
|
|
the following general variables are defined:
|
|
.Bl -tag -width IPV6CTL_MAXFRAGPACKETS
|
|
.It Dv IPV6CTL_FORWARDING
|
|
.Pq ip6.forwarding
|
|
Boolean: enable/disable forwarding of
|
|
.Tn IPv6
|
|
packets.
|
|
Also, identify if the node is acting as a router.
|
|
Defaults to off.
|
|
.It Dv IPV6CTL_SENDREDIRECTS
|
|
.Pq ip6.redirect
|
|
Boolean: enable/disable sending of
|
|
.Tn ICMPv6
|
|
redirects in response to unforwardable
|
|
.Tn IPv6
|
|
packets.
|
|
This option is ignored unless the node is routing
|
|
.Tn IPv6
|
|
packets,
|
|
and should normally be enabled on all systems.
|
|
Defaults to on.
|
|
.It Dv IPV6CTL_DEFHLIM
|
|
.Pq ip6.hlim
|
|
Integer: default hop limit value to use for outgoing
|
|
.Tn IPv6
|
|
packets.
|
|
This value applies to all the transport protocols on top of
|
|
.Tn IPv6 .
|
|
There are APIs to override the value.
|
|
.It Dv IPV6CTL_MAXFRAGPACKETS
|
|
.Pq ip6.maxfragpackets
|
|
Integer: default maximum number of fragmented packets the node will accept.
|
|
0 means that the node will not accept any fragmented packets.
|
|
-1 means that the node will accept as many fragmented packets as it receives.
|
|
The flag is provided basically for avoiding possible DoS attacks.
|
|
.It Dv IPV6CTL_ACCEPT_RTADV
|
|
.Pq ip6.accept_rtadv
|
|
Boolean: enable/disable receiving of
|
|
.Tn ICMPv6
|
|
router advertisement packets,
|
|
and autoconfiguration of address prefixes and default routers.
|
|
The node must be a host
|
|
.Pq not a router
|
|
for the option to be meaningful.
|
|
Defaults to off.
|
|
.It Dv IPV6CTL_KEEPFAITH
|
|
.Pq ip6.keepfaith
|
|
Boolean: enable/disable
|
|
.Dq FAITH
|
|
TCP relay IPv6-to-IPv4 translator code in the kernel.
|
|
Refer
|
|
.Xr faith 4
|
|
and
|
|
.Xr faithd 8
|
|
for detail.
|
|
Defaults to off.
|
|
.It Dv IPV6CTL_LOG_INTERVAL
|
|
.Pq ip6.log_interval
|
|
Integer: default interval between
|
|
.Tn IPv6
|
|
packet forwarding engine log output
|
|
.Pq in seconds .
|
|
.It Dv IPV6CTL_HDRNESTLIMIT
|
|
.Pq ip6.hdrnestlimit
|
|
Integer: default number of the maximum
|
|
.Tn IPv6
|
|
extension headers
|
|
permitted on incoming
|
|
.Tn IPv6
|
|
packets.
|
|
If set to 0, the node will accept as many extension headers as possible.
|
|
.It Dv IPV6CTL_DAD_COUNT
|
|
.Pq ip6.dad_count
|
|
Integer: default number of
|
|
.Tn IPv6
|
|
DAD
|
|
.Pq duplicated address detection
|
|
probe packets.
|
|
The packets will be generated when
|
|
.Tn IPv6
|
|
interface addresses are configured.
|
|
.It Dv IPV6CTL_AUTO_FLOWLABEL
|
|
.Pq ip6.auto_flowlabel
|
|
Boolean: enable/disable automatic filling of
|
|
.Tn IPv6
|
|
flowlabel field, for outstanding connected transport protocol packets.
|
|
The field might be used by intermediate routers to identify packet flows.
|
|
Defaults to on.
|
|
.It Dv IPV6CTL_DEFMCASTHLIM
|
|
.Pq ip6.defmcasthlim
|
|
Integer: default hop limit value for an
|
|
.Tn IPv6
|
|
multicast packet sourced by the node.
|
|
This value applies to all the transport protocols on top of
|
|
.Tn IPv6 .
|
|
There are APIs to override the value as documented in
|
|
.Xr ip6 4 .
|
|
.It Dv IPV6CTL_GIF_HLIM
|
|
.Pq ip6.gifhlim
|
|
Integer: default maximum hop limit value for an
|
|
.Tn IPv6
|
|
packet generated by
|
|
.Xr gif 4
|
|
tunnel interface.
|
|
.It Dv IPV6CTL_KAME_VERSION
|
|
.Pq ip6.kame_version
|
|
String: identifies the version of KAME
|
|
.Tn IPv6
|
|
stack implemented in the kernel.
|
|
.It Dv IPV6CTL_USE_DEPRECATED
|
|
.Pq ip6.use_deprecated
|
|
Boolean: enable/disable use of deprecated address,
|
|
specified in RFC2462 5.5.4.
|
|
Defaults to on.
|
|
.It Dv IPV6CTL_RR_PRUNE
|
|
.Pq ip6.rr_prune
|
|
Integer: default interval between
|
|
.Tn IPv6
|
|
router renumbering prefix babysitting, in seconds.
|
|
.It Dv IPV6CTL_MAPPED_ADDR
|
|
.Pq ip6.mapped_addr
|
|
Boolean: enable/disable use of
|
|
.Tn IPv4
|
|
mapped address on
|
|
.Dv AF_INET6
|
|
sockets.
|
|
Defaults to on.
|
|
.It Dv IPV6CTL_RTEXPIRE
|
|
.Pq ip6.rtexpire
|
|
Integer: lifetime in seconds of protocol-cloned
|
|
.Tn IP
|
|
routes after the last reference drops (default one hour).
|
|
.\"This value varies dynamically as described above.
|
|
.It Dv IPV6CTL_RTMINEXPIRE
|
|
.Pq ip6.rtminexpire
|
|
Integer: minimum value of ip.rtexpire (default ten seconds).
|
|
.\"This value has no effect on user modifications, but restricts the dynamic
|
|
.\"adaptation described above.
|
|
.It Dv IPV6CTL_RTMAXCACHE
|
|
.Pq ip6.rtmaxcache
|
|
Integer: trigger level of cached, unreferenced, protocol-cloned routes
|
|
which initiates dynamic adaptation (default 128).
|
|
.El
|
|
.Ss Interaction between IPv4/v6 sockets
|
|
The behavior of
|
|
.Dv AF_INET6
|
|
TCP/UDP socket is documented in RFC2553.
|
|
Basically, it says this:
|
|
.Bl -bullet -compact
|
|
.It
|
|
A specific bind on an
|
|
.Dv AF_INET6
|
|
socket
|
|
.Po
|
|
.Xr bind 2
|
|
with an address specified
|
|
.Pc
|
|
should accept IPv6 traffic to that address only.
|
|
.It
|
|
If you perform a wildcard bind
|
|
on an
|
|
.Dv AF_INET6
|
|
socket
|
|
.Po
|
|
.Xr bind 2
|
|
to IPv6 address
|
|
.Li ::
|
|
.Pc ,
|
|
and there is no wildcard bind
|
|
.Dv AF_INET
|
|
socket on that TCP/UDP port, IPv6 traffic as well as IPv4 traffic
|
|
should be routed to that
|
|
.Dv AF_INET6
|
|
socket.
|
|
IPv4 traffic should be seen as if it came from an IPv6 address like
|
|
.Li ::ffff:10.1.1.1 .
|
|
This is called an IPv4 mapped address.
|
|
.It
|
|
If there are both a wildcard bind
|
|
.Dv AF_INET
|
|
socket and a wildcard bind
|
|
.Dv AF_INET6
|
|
socket on one TCP/UDP port, they should behave separately.
|
|
IPv4 traffic should be routed to the
|
|
.Dv AF_INET
|
|
socket and IPv6 should be routed to the
|
|
.Dv AF_INET6
|
|
socket.
|
|
.El
|
|
.Pp
|
|
However, RFC2553 does not define the ordering constraint between calls to
|
|
.Xr bind 2 ,
|
|
nor how IPv4 TCP/UDP port numbers and IPv6 TCP/UDP port numbers
|
|
relate to each other
|
|
.Po
|
|
should they be integrated or separated
|
|
.Pc .
|
|
Implemented behavior is very different from kernel to kernel.
|
|
Therefore, it is unwise to rely too much upon the behavior of
|
|
.Dv AF_INET6
|
|
wildcard bind sockets.
|
|
It is recommended to listen to two sockets, one for
|
|
.Dv AF_INET
|
|
and another for
|
|
.Dv AF_INET6 ,
|
|
when you would like to accept both IPv4 and IPv6 traffic.
|
|
.Pp
|
|
It should also be noted that
|
|
malicious parties can take advantage of the complexity presented above,
|
|
and are able to bypass access control,
|
|
if the target node routes IPv4 traffic to
|
|
.Dv AF_INET6
|
|
socket.
|
|
Users are advised to take care handling connections
|
|
from IPv4 mapped address to
|
|
.Dv AF_INET6
|
|
sockets.
|
|
.\".Pp
|
|
.\"Because of the above, by default,
|
|
.\"KAME/NetBSD and KAME/OpenBSD
|
|
.\"does not route IPv4 traffic to
|
|
.\".Dv AF_INET6
|
|
.\"sockets.
|
|
.\"Listen to two sockets if you want to accept both IPv4 and IPv6 traffic.
|
|
.\"On KAME/NetBSD, IPv4 traffic may be routed with certain
|
|
.\"per-socket/per-node configuration, however, it is not recommended.
|
|
.\"Consult
|
|
.\".Xr ip6 4
|
|
.\"for details.
|
|
.Sh SEE ALSO
|
|
.Xr ioctl 2 ,
|
|
.Xr socket 2 ,
|
|
.Xr sysctl 3 ,
|
|
.Xr icmp6 4 ,
|
|
.Xr intro 4 ,
|
|
.Xr ip6 4 ,
|
|
.Xr tcp 4 ,
|
|
.Xr ttcp 4 ,
|
|
.Xr udp 4
|
|
.Sh STANDARDS
|
|
.Rs
|
|
.%A Tatsuya Jinmei
|
|
.%A Atsushi Onoe
|
|
.%T "An Extension of Format for IPv6 Scoped Addresses"
|
|
.%R internet draft
|
|
.%D June 2000
|
|
.%N draft-ietf-ipngwg-scopedaddr-format-02.txt
|
|
.%O work in progress material
|
|
.Re
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
protocol interfaces are defined in RFC2553 and RFC2292.
|
|
The implementation described herein appeared in the WIDE/KAME project.
|
|
.Sh BUGS
|
|
The IPv6 support is subject to change as the Internet protocols develop.
|
|
Users should not depend on details of the current implementation,
|
|
but rather the services exported.
|
|
.Pp
|
|
Users are suggested to implement
|
|
.Dq version independent
|
|
code as much as possible, as you will need to support both
|
|
.Xr inet 4
|
|
and
|
|
.Nm .
|