Fix grammar 'the administrator'
PR: 39093
Submitted by: Mike Makonnen <makonnen@packbell.net>
parent 71010f6257
commit 3a2f2e6f8f
@ -64,44 +64,46 @@ variable in
|
||||
.Pp
|
||||
To use
|
||||
.Nm ,
|
||||
administrator needs to configure protocol and addresses used for the outer
|
||||
the administrator needs to configure the protocol and addresses used for the outer
|
||||
header.
|
||||
This can be done by using
|
||||
.Xr gifconfig 8 ,
|
||||
or
|
||||
.Dv SIOCSIFPHYADDR
|
||||
ioctl.
|
||||
Also, administrator needs to configure protocol and addresses used for the
|
||||
inner header, by using
|
||||
The administrator also needs to configure the protocol and addresses for the
|
||||
inner header, with
|
||||
.Xr ifconfig 8 .
|
||||
Note that IPv6 link-local address
|
||||
(those start with
|
||||
Note that IPv6 link-local addresses
|
||||
(those that start with
|
||||
.Li fe80:: )
|
||||
will be automatically configured whenever possible.
|
||||
You may need to remove IPv6 link-local address manually using
|
||||
will be automatically be configured whenever possible.
|
||||
You may need to remove IPv6 link-local addresses manually using
|
||||
.Xr ifconfig 8 ,
|
||||
when you would like to disable the use of IPv6 as inner header
|
||||
(like when you need pure IPv4-over-IPv6 tunnel).
|
||||
Finally, use routing table to route the packets toward
|
||||
if you want to disable the use of IPv6 as the inner header
|
||||
(for example, if you need a pure IPv4-over-IPv6 tunnel).
|
||||
Finally, you must modify the routing table to route the packets through the
|
||||
.Nm
|
||||
interface.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
can be configured to be ECN friendly.
|
||||
pseudo-device can be configured to be ECN friendly.
|
||||
This can be configured by
|
||||
.Dv IFF_LINK1 .
|
||||
.Ss ECN friendly behavior
|
||||
The
|
||||
.Nm
|
||||
can be configured to be ECN friendly, as described in
|
||||
pseudo-device can be configured to be ECN friendly, as described in
|
||||
.Dv draft-ietf-ipsec-ecn-02.txt .
|
||||
This is turned off by default, and can be turned on by
|
||||
This is turned off by default, and can be turned on by the
|
||||
.Dv IFF_LINK1
|
||||
interface flag.
|
||||
.Pp
|
||||
Without
|
||||
.Dv IFF_LINK1 ,
|
||||
.Nm
|
||||
will show a normal behavior, like described in RFC2893.
|
||||
will show normal behavior, as described in RFC2893.
|
||||
This can be summarized as follows:
|
||||
.Bl -tag -width "Ingress" -offset indent
|
||||
.It Ingress
|
||||
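Review bot: The replacement for the link-local sentence introduces a doubled verb: the new line reads "will be automatically be configured whenever possible." where the old line read "will be automatically configured whenever possible." Drop the second "be" so that only the singular-to-plural change ("addresses") remains in that sentence. The new line "the administrator needs to configure the protocol and addresses used for the outer" also runs past 80 columns and could be wrapped after "addresses".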
@ -139,15 +141,15 @@ enable ECN CE bit on the inner.
|
||||
Note that the ECN friendly behavior violates RFC2893.
|
||||
This should be used in mutual agreement with the peer.
|
||||
.Ss Security
|
||||
Malicious party may try to circumvent security filters by using
|
||||
A malicious party may try to circumvent security filters by using
|
||||
tunnelled packets.
|
||||
For better protection,
|
||||
.Nm
|
||||
performs martian filter and ingress filter against outer source address,
|
||||
performs both martian and ingress filtering against the outer source address
|
||||
on egress.
|
||||
Note that martian/ingress filters are no way complete.
|
||||
Note that martian/ingress filters are in no way complete.
|
||||
You may want to secure your node by using packet filters.
|
||||
Ingress filter can be turned off by
|
||||
Ingress filtering can be turned off by
|
||||
.Dv IFF_LINK2
|
||||
bit.
|
||||
.\"
|
||||
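Review bot: In the Security subsection the last changed sentence still lacks an article and is inconsistent with the wording this same patch uses for IFF_LINK1. It now reads "Ingress filtering can be turned off by" followed by ".Dv IFF_LINK2" and "bit.", while the ECN subsection was changed to "can be turned on by the" followed by ".Dv IFF_LINK1" and "interface flag." Suggest "Ingress filtering can be turned off by the" and "interface flag." here as well, so that the one knob that weakens the source-address checks is named the same way as the other link flag.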
@ -192,13 +194,13 @@ to 1.
|
||||
.Sh HISTORY
|
||||
The
|
||||
.Nm
|
||||
device first appeared in WIDE hydrangea IPv6 kit.
|
||||
device first appeared in the WIDE hydrangea IPv6 kit.
|
||||
.\"
|
||||
.Sh BUGS
|
||||
There are many tunnelling protocol specifications,
|
||||
defined differently from each other.
|
||||
There are many tunnelling protocol specifications, all
|
||||
defined differently from each other. The
|
||||
.Nm
|
||||
may not interoperate with peers which are based on different specifications,
|
||||
pseudo-device may not interoperate with peers which are based on different specifications,
|
||||
and are picky about outer header fields.
|
||||
For example, you cannot usually use
|
||||
.Nm
|
||||
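Review bot: In the BUGS hunk the new line "defined differently from each other. The" starts a sentence in the middle of a source line; mdoc sources put each new sentence on its own line so that sentence spacing is rendered correctly. Move "The" to its own line ahead of ".Nm". The following new line, "pseudo-device may not interoperate with peers which are based on different specifications,", is also longer than 80 columns and should be wrapped, for example after "peers".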
@ -206,31 +208,32 @@ to talk with IPsec devices that use IPsec tunnel mode.
|
||||
.Pp
|
||||
The current code does not check if the ingress address
|
||||
(outer source address)
|
||||
configured to
|
||||
configured in the
|
||||
.Nm
|
||||
makes sense.
|
||||
Make sure to configure an address which belongs to your node.
|
||||
interface makes sense.
|
||||
Make sure to specify an address which belongs to your node.
|
||||
Otherwise, your node will not be able to receive packets from the peer,
|
||||
and your node will generate packets with a spoofed source address.
|
||||
and it will generate packets with a spoofed source address.
|
||||
.Pp
|
||||
If the outer protocol is IPv4,
|
||||
.Nm
|
||||
does not try to perform path MTU discovery for the encapsulated packet
|
||||
(DF bit is set to 0).
|
||||
.Pp
|
||||
If the outer protocol is IPv6, path MTU discovery for encapsulated packet
|
||||
If the outer protocol is IPv6, path MTU discovery for encapsulated packets
|
||||
may affect communication over the interface.
|
||||
The first bigger-than-pmtu packet may be lost.
|
||||
To avoid the problem, you may want to set the interface MTU for
|
||||
.Nm
|
||||
to 1240 or smaller, when outer header is IPv6 and inner header is IPv4.
|
||||
to 1240 or smaller, when the outer header is IPv6 and the inner header is IPv4.
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
does not translate ICMP messages for outer header into inner header.
|
||||
pseudo-device does not translate ICMP messages for the outer header into the inner header.
|
||||
.Pp
|
||||
In the past,
|
||||
.Nm
|
||||
had a multi-destination behavior, configurable via
|
||||
.Dv IFF_LINK0
|
||||
flag.
|
||||
The behavior was obsoleted and is no longer supported.
|
||||
The behavior is obsolete and is no longer supported.
|
||||
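Review bot: The new line "pseudo-device does not translate ICMP messages for the outer header into the inner header." is about 90 characters wide, well past the 80-column limit the rest of the file keeps; break it after "outer header". The spoofed-source paragraph reads correctly after the change ("and it will generate packets with a spoofed source address."), but "configured in the" followed by ".Nm" and "interface makes sense." leaves "makes sense" undefined; since the next sentence already says the address must belong to the node, consider saying that directly in the first sentence.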