--- ifconfig.1m.orig 2009-07-07 14:04:24.110370000 -0400 +++ ifconfig.1m.new 2009-07-07 15:30:15.195888000 -0400 @@ -378,45 +378,53 @@ (specified without the interface option as in the previ- ous paragraph), the affected gateway routes are treated as though they had the RTF_BLACKHOLE flag set. All matching packets are discarded because the gateway is unreachable. encaplimit n Set the tunnel encapsulation limit for the interface to - n. This option applies to IPv4-in-IPv6 and IPv6-in-IPv6 - tunnels only. The tunnel encapsulation limit controls - how many more tunnels a packet may enter before it + n. This option applies to IPv4-in-IPv6 and IPv6-in-IPv6 + tunnels only, and it simply modifies the encaplimit link + property of the underlying IPv6 tunnel link (see + dladm(1M)). The tunnel encapsulation limit controls how + many more tunnels a packet may enter before it SunOS 5.11 Last change: 17 Feb 2009 6 System Administration Commands ifconfig(1M) leaves any tunnels, that is, the tunnel nesting level. + This option is obsolete in favor of the dladm(1M) encaplimit + link property. -encaplimit Disable generation of the tunnel encapsulation limit. This option applies only to IPv4-in-IPv6 and IPv6-in- - IPv6 tunnels. + IPv6 tunnels. This simply sets the encaplimit link + property of the underlying IPv6 tunnel link to 0 (see + dladm(1M)). + This option is obsolete in favor of the dladm(1M) encaplimit + link property. encr_auth_algs authentication algorithm For a tunnel, enable IPsec ESP with the authentication algorithm specified. It can be either a number or an algorithm name, including any or none, to indicate no algorithm preference. If an ESP encryption algorithm is specified but the authentication algorithm is not, the default value for the ESP authentication algorithm will be any. 
@@ -817,29 +825,35 @@ Set the subnet address for an interface. tdst tunnel_dest_address Set the destination address of a tunnel. The address should not be the same as the dest_address of the tun- nel, because no packets leave the system over such a tunnel. + This option is obsolete in favor of the dladm(1M) + create-iptun and modify-iptun subcommands. thoplimit n Set the hop limit for a tunnel interface. The hop limit value is used as the TTL in the IPv4 header for the IPv6-in-IPv4 and IPv4-in-IPv4 tunnels. For IPv6-in-IPv6 and IPv4-in-IPv6 tunnels, the hop limit value is used as - the hop limit in the IPv6 header. + the hop limit in the IPv6 header. This option simply + modifies the hoplimit link property of the underlying IP + tunnel link (see dladm(1M)). + This option is obsolete in favor of the dladm(1M) hoplimit + link property. token address/prefix_length Set the IPv6 token of an interface to be used for address autoconfiguration. example% ifconfig eri0 inet6 token ::1/64 @@ -867,20 +881,22 @@ Disable the use of a "trailer" link level encapsulation. tsrc tunnel_src_address Set the source address of a tunnel. This is the source address on an outer encapsulating IP header. It must be an address of another interface already configured using ifconfig. + This option is obsolete in favor of the dladm(1M) + create-iptun and modify-iptun subcommands. unplumb For a physical or IPMP interface, remove all associated logical IP interfaces and tear down any plumbing needed for IP to use the interface. For an IPMP IP interface, this command will fail if the group is not empty. For a logical interface, the logical interface is removed. An interface must be separately unplumbed for IPv4 and 
@@ -1013,21 +1029,23 @@ affect it, are described below. interface A string of one of the following forms: o name physical-unit, for example, eri0 or ce1 o name physical-unit:logical-unit, for example, eri0:1 - o ip.tunN or ip6.tunN, for tunnels + o ip.tunN, ip6.tunN, or ip.6to4tunN for implicit + IP tunnel links + If the interface name starts with a dash (-), it is interpreted as a set of options which specify a set of interfaces. In such a case, -a must be part of the options and any of the additional options below can be added in any order. If one of these interface names is given, the commands following it are applied to all of the interfaces that match. -a 
@@ -1729,208 +1747,103 @@ To configure boot-time defaults for the interface eri0, place the following entry in the /etc/hostname6.eri0 file: addif 2001:0db8:3c4d:55:a00:20ff:fe8e:f3ad/64 up - Configuring IPv6/IPv4 tunnels - An IPv6 over IPv4 tunnel interface can send and receive IPv6 - packets encapsulated in an IPv4 packet. Create tunnels at - both ends pointing to each other. IPv6 over IPv4 tunnels - require the tunnel source and tunnel destination IPv4 and - IPv6 addresses. Solaris 8 supports both automatic and con- - figured tunnels. For automatic tunnels, an IPv4-compatible - IPv6 address is used. The following demonstrates auto-tunnel - configuration: - - example% ifconfig ip.atun0 inet6 plumb - example% ifconfig ip.atun0 inet6 tsrc IPv4-address \ - ::IPv4 address/96 up - - - - - where IPv4-address is the IPv4 address of the interface - through which the tunnel traffic will flow, and IPv4- - address, ::, is the corresponding IPv4- - compatible IPv6 address. - + Configuring IP-over-IP Tunnel Interfaces - The following is an example of a configured tunnel: - - example% ifconfig ip.tun0 inet6 plumb tsrc my-ipv4-address \ - tdst peer-ipv4-address up - - - - - This creates a configured tunnel between my-ipv4-address and - peer-ipv4-address with corresponding link-local addresses. - For tunnels with global or site-local addresses, the logical - tunnel interfaces need to be configured in the following - form: + An IP tunnel is conceptually comprised of two parts: a virtual + link between two or more IP nodes, and an IP interface above this + link which allows the system to transmit and receive IP packets + encapsulated by the underlying link. + + The dladm(1M) command is used to configure tunnel links, and + ifconfig is used to configure IP interfaces over those tunnel + links. An IPv4-over-IPv4 tunnel is created by plumbing an IPv4 + interface over an IPv4 tunnel link. 
An IPv6-over-IPv4 tunnel is + created by plumbing an IPv6 interface over an IPv6 tunnel link, + etc. + + When IPv6 interfaces are plumbed over IP tunnel links, their IPv6 + addresses are automatically set. For IPv4 and IPv6 tunnels, + source and destination link-local addresses of the form + fe80:: are configured. For IPv4 tunnels, the + interface-id is the IPv4 tunnel source or destination address. + For IPv6 tunnels, the interface-id is the last 64-bits of the + IPv6 tunnel source or destination address. For example, for an + IPv4 tunnel between 10.1.2.3 and 10.4.5.6, the IPv6 link-local + source and destination addresses of the IPv6 interface would be + fe80::a01:203 and fe80::a04:506. For an IPv6 tunnel between + 2000::1234:abcd and 3000::5678:abcd, the IPv6 link-local source + and destination addresses of the interface would be + fe80::1234:abcd and fe80::5678:abcd. These default link-local + addresses may be overridden by specifying the addresses + explicitly as with any other point-to-point interface. + + For 6to4 tunnels, a 6to4 global address of the form + 2002:::1/16 is configured. The tsrc portion is the tunnel + source IPv4 address. The prefix length of the 6to4 interface is + automatically set to 16, as all 6to4 packets (destinations in the + 2002::/16 range) are forwarded to the 6to4 tunnel interface. For + example, for a 6to4 link with a tunnel source of 75.1.2.3, the + IPv6 interface would have an address of 2002:4b01:203::1/16. + + Additional IPv6 addresses may be added using the addif option or + by plumbing additional logical interfaces. + + For backward compatibility, the plumbing of tunnel IP interfaces + with special names will implicitly result in the creation of + tunnel links without invoking dladm create-iptun. These tunnel + names are: + + ip.tunN An IPv4 tunnel + ip6.tunN An IPv6 tunnel + ip.6to4tunN A 6to4 tunnel + + These tunnels are "implicit tunnels", denoted with the 'i' flag + in dladm show-iptun output. 
The tunnel links over which these + special IP interfaces are plumbed are automatically created, and + they're automatically deleted when the last reference is released + (i.e. the last IP interface is unplumbed). + + The tsrc, tdst, encaplim, and hoplimit options to ifconfig are + obsolete and maintained for backward compatibility. They are + equivalent to their dladm(1m) counterparts. SunOS 5.11 Last change: 17 Feb 2009 27 - - System Administration Commands ifconfig(1M) - example% ifconfig ip.tun0 inet6 addif my-v6-address peer-v6-address up - - - - - For example, - - example% ifconfig ip.tun0 inet6 plumb tsrc 109.146.85.57 \ - tdst 109.146.85.212 up - example% ifconfig ip.tun0 inet6 addif 2::45 2::46 up - - - - - To show all IPv6 interfaces that are up and configured: - - example% ifconfig -au6 - ip.tun0: flags=2200851 - mtu 1480 index 3 - inet tunnel src 109.146.85.57 tunnel dst 109.146.85.212 - tunnel security settings --> use 'ipsecconf -ln -i ip.tun1' - tunnel hop limit 60 - inet6 fe80::6d92:5539/10 --> fe80::6d92:55d4 - ip.tun0:1: flags=2200851 - mtu 1480 index 3 - inet6 2::45/128 --> 2::46 - - - - - In the output above, note the line that begins with "tunnel - security settings". The content of this line varies accord- - ing to whether and how you have set your security settings. - See "Display of Tunnel Security Settings," below. - - Configuring IPv4/IPv6 Tunnels - An IPv4 over IPv6 tunnel interface can send and receive IPv4 - packets encapsulated in an IPv6 packet. Create tunnels at - both ends pointing to each other. IPv4 over IPv6 tunnels - require the tunnel source and tunnel destination IPv6 and - IPv4 addresses. 
The following demonstrates auto-tunnel con- - figuration: - - example% ifconfig ip6.tun0 inet plumb tsrc my-ipv6-address \ - tdst peer-ipv6-address my-ipv4-address \ - peer-ipv4-address up - - - - - This creates a configured tunnel between my-ipv6-address and - peer-ipv6-address with my-ipv4-address and peer-ipv4-address - - - -SunOS 5.11 Last change: 17 Feb 2009 28 - - - - - - -System Administration Commands ifconfig(1M) - - - - as the endpoints of the point-to-point interface, for exam- - ple: - - example% ifconfig ip6.tun0 inet plumb tsrc fe80::1 tdst fe80::2 \ - 10.0.0.208 10.0.0.210 up - - - - - To show all IPv4 interfaces that are up and configured: - - example% ifconfig -au4 - lo0: flags=1000849 mtu 8232 index 1 - inet 127.0.0.1 netmask ff000000 - eri0: flags=1004843 mtu 1500 \ - index 2 - inet 172.17.128.208 netmask ffffff00 broadcast 172.17.128.255 - ip6.tun0: flags=10008d1 \ - mtu 1460 - index 3 - inet6 tunnel src fe80::1 tunnel dst fe80::2 - tunnel security settings --> use 'ipsecconf -ln -i ip.tun1' - tunnel hop limit 60 tunnel encapsulation limit 4 - inet 10.0.0.208 --> 10.0.0.210 netmask ff000000 - - - - - In the output above, note the line that begins with "tunnel - security settings". The content of this line varies accord- - ing to whether and how you have set your security settings. - See "Display of Tunnel Security Settings," below. - Display of Tunnel Security Settings - The ifconfig output for tunneled interfaces indicates secu- - rity settings, if present, for a tunnel. The content of the - line showing your settings differs depending on how you have - made your settings: - - o If you set your security policy using the ifconfig - -auth_algs, -encr_algs, and -encr_auth_algs options - and do not use ipsecconf(1M), ifconfig displays - your settings for each of these options. 
- - o If you set your security policy using ipsecconf(1M) - with the tunnel keyword (the preferred method), - ifconfig displays: - - tunnel security settings --> use 'ipsecconf -ln -i ip.tun1' - - - ...in effect, hiding your settings from those - - - -SunOS 5.11 Last change: 17 Feb 2009 29 - - - - - - -System Administration Commands ifconfig(1M) + The ifconfig output for IP tunnel interfaces indicates if IPsec + policy is configured for the underlying IP tunnel link. For + example, a line of the following form will be displayed if IPsec + poliy is present: + tunnel security settings --> use 'ipsecconf -ln -i ip.tun1' - without privileges to view them. - - If you do net set security policy, using either - ifconfig or ipsecconf, there is no tunnel security - setting displayed. + If you do net set security policy, using either ifconfig or + ipsecconf, there is no tunnel security setting displayed. EXAMPLES Example 1 Using the ifconfig Command If your workstation is not attached to an Ethernet, the net- work interface, for example, eri0, should be marked "down" as follows: 
@@ -1981,102 +1894,78 @@ System Administration Commands ifconfig(1M) Example 5 Configuring an IP-in-IP Tunnel - To configure an IP-in-IP tunnel, first plumb it with the - following command: - - - example% ifconfig ip.tun0 plumb - - + To configure an IP-in-IP tunnel, first create an IP tunnel link + (tunsrc and tundst are hostnames with corresponding IPv4 entries + in /etc/hosts): - Then configure it as a point-to-point interface, supplying - the tunnel source and the tunnel destination: + example% dladm create-iptun -T ipv4 -s tunsrc -d tundst tun0 - example% ifconfig ip.tun0 myaddr mydestaddr tsrc another_myaddr \ - tdst a_dest_addr up + Then plumb a point-to-point interface, supplying the source and + destination addresses (mysrc and thedst are hostnames with + corresponding IPv4 entries in /etc/hosts): + example% ifconfig tun0 plumb mysrc thedst up Use ipsecconf(1M), as described above, to configure tunnel security properties. + Configuring IPv6 tunnels is done by using a tunnel type of ipv6 + with create-iptun. IPv6 interfaces can also be plumbed over + either type of tunnel. - Example 6 Configuring 6to4 Tunnels - - - To configure 6to4 tunnels, use the following commands: - - example% ifconfig ip.6to4tun0 inet6 plumb - example% ifconfig ip.6to4tun0 inet6 tsrc IPv4-address 6to4-address/64 up + Example 6 Configuring 6to4 Tunnels + To configure 6to4 tunnels, first create a 6to4 tunnel link + (myv4addr is a hostname with a corresponding IPv4 entry in + /etc/hosts): - IPv4-address denotes the address of the encapsulating inter- - face. 6to4-address denotes the address of the local IPv6 - address of form 2002:IPv4-address:SUBNET-ID:HOSTID. + example% dladm create-iptun -T 6to4 -s myv4addr my6to4tun0 + Then an IPv6 interface is plumbed over this link: - The long form should be used to resolve any potential con- - flicts that might arise if the system administrator utilizes - an addressing plan where the values for SUBNET-ID or HOSTID - are reserved for something else. 
+ example% ifconfig my6to4tun0 inet6 plumb up + The IPv6 address of the interface is automatically set as + described above. SunOS 5.11 Last change: 17 Feb 2009 31 System Administration Commands ifconfig(1M) - After the interface is plumbed, a 6to4 tunnel can be config- - ured as follows: - - - example% ifconfig ip.6to4tun0 inet6 tsrc IPv4-address up - - - - - This short form sets the address. It uses the convention: - - - 2002:IPv4-address::1 - - - - The SUBNET-ID is 0, and the HOSTID is 1. - - Example 7 Configuring IP Forwarding on an Interface To enable IP forwarding on a single interface, use the fol- lowing command: example% ifconfig eri0 router
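Review bot: in the -encaplimit entry of the @@ -378 hunk, the added sentence equates "Disable generation of the tunnel encapsulation limit" with setting the encaplimit link property to 0, while the encaplimit n entry just above describes the value as "how many more tunnels a packet may enter". A reader can take 0 to mean "no further nesting allowed" rather than "no limit generated". Suggest stating explicitly what 0 means for the link property, or pointing to where dladm(1M) defines it. The word "simply" in both added sentences can be dropped.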
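Review bot: in the tdst entry (@@ -817) and the tsrc entry (@@ -867), the obsolescence sentence names the create-iptun and modify-iptun subcommands but not the options that replace tdst and tsrc. Example 5 later in this patch uses "dladm create-iptun -T ipv4 -s tunsrc -d tundst tun0", so naming -s and -d here would let a reader migrate without searching dladm(1M). For thoplimit, the added text says the option modifies the hoplimit link property but does not say whether a value set through ifconfig persists; one sentence on that would help.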
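Review bot: in the interface name list of the @@ -1013 hunk, the new item "ip.tunN, ip6.tunN, or ip.6to4tunN for implicit IP tunnel links" covers only the implicit names, and nothing in the list says how an interface over an explicitly created tunnel link is named. Examples 5 and 6 in this patch use tun0 and my6to4tun0, so suggest adding an item or a sentence saying that the name of a link created with dladm create-iptun is also a valid interface name.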
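Review bot: in the new "Configuring IP-over-IP Tunnel Interfaces" text of the @@ -1729 hunk, "An IPv6-over-IPv4 tunnel is created by plumbing an IPv6 interface over an IPv6 tunnel link" breaks the pattern set by the preceding sentence and should read "over an IPv4 tunnel link". The closing paragraph lists the obsolete options as "tsrc, tdst, encaplim, and hoplimit", but the option entries earlier in this patch are encaplimit and thoplimit, and "dladm(1m)" should be "dladm(1M)" as elsewhere. Typos to fix in the same pass: "IPsec poliy is present" and "If you do net set security policy".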
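Review bot: in Example 5 of the @@ -1981 hunk, the retained context line "Use ipsecconf(1M), as described above, to configure tunnel security properties" is left without a referent, because the @@ -1729 hunk deletes the bullets that described setting policy with ipsecconf and the tunnel keyword and keeps only the sample output line. Suggest rewording to drop "as described above", or keeping one sentence on ipsecconf in the tunnel section. The added sentence "Configuring IPv6 tunnels is done by using a tunnel type of ipv6 with create-iptun" would also be clearer with its own command line, as the ipv4 and 6to4 cases have.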