path: root/documentation/content/en/books/developers-handbook/ipv6/_index.po
Diffstat (limited to 'documentation/content/en/books/developers-handbook/ipv6/_index.po')
-rw-r--r-- documentation/content/en/books/developers-handbook/ipv6/_index.po | 2135
1 files changed, 2135 insertions, 0 deletions
diff --git a/documentation/content/en/books/developers-handbook/ipv6/_index.po b/documentation/content/en/books/developers-handbook/ipv6/_index.po
new file mode 100644
index 0000000000..aa7d2bd4aa
--- /dev/null
+++ b/documentation/content/en/books/developers-handbook/ipv6/_index.po
@@ -0,0 +1,2135 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR The FreeBSD Project
+# This file is distributed under the same license as the FreeBSD Documentation package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: FreeBSD Documentation VERSION\n"
+"POT-Creation-Date: 2025-05-01 19:56-0300\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. type: Title =
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:1
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:16
+#, no-wrap
+msgid "IPv6 Internals"
+msgstr ""
+
+#. type: YAML Front Matter: title
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:1
+#, no-wrap
+msgid "Chapter 8. IPv6 Internals"
+msgstr ""
+
+#. type: Title ==
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:54
+#, no-wrap
+msgid "IPv6/IPsec Implementation"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:58
+msgid ""
+"This section should explain IPv6 and IPsec related implementation "
+"internals. These functionalities are derived from http://www.kame.net/[KAME "
+"project]"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:60
+#, no-wrap
+msgid "IPv6"
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:62
+#, no-wrap
+msgid "Conformance"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:66
+msgid ""
+"The IPv6 related functions conforms, or tries to conform to the latest set "
+"of IPv6 specifications. For future reference we list some of the relevant "
+"documents below (_NOTE_: this is not a complete list - this is too hard to "
+"maintain...)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:68
+msgid ""
+"For details please refer to specific chapter in the document, RFCs, manual "
+"pages, or comments in the source code."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:72
+msgid ""
+"Conformance tests have been performed on the KAME STABLE kit at TAHI "
+"project. Results can be viewed at http://www.tahi.org/report/KAME/[http://"
+"www.tahi.org/report/KAME/]. We also attended University of New Hampshire "
+"IOL tests (http://www.iol.unh.edu/[http://www.iol.unh.edu/]) in the past, "
+"with our past snapshots."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:74
+msgid "RFC1639: FTP Operation Over Big Address Records (FOOBAR)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:76
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:113
+msgid ""
+"RFC2428 is preferred over RFC1639. FTP clients will first try RFC2428, then "
+"RFC1639 if failed."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:78
+msgid "RFC1886: DNS Extensions to support IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:79
+msgid "RFC1933: Transition Mechanisms for IPv6 Hosts and Routers"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:81
+msgid "IPv4 compatible address is not supported."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:82
+msgid "automatic tunneling (described in 4.3 of this RFC) is not supported."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:84
+msgid ""
+"man:gif[4] interface implements IPv[46]-over-IPv[46] tunnel in a generic "
+"way, and it covers \"configured tunnel\" described in the spec. See "
+"crossref:ipv6[gif,23.5.1.5] in this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:86
+msgid "RFC1981: Path MTU Discovery for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:87
+msgid "RFC2080: RIPng for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:89
+msgid "usr.sbin/route6d support this."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:91
+msgid "RFC2292: Advanced Sockets API for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:93
+msgid ""
+"For supported library functions/kernel APIs, see [.filename]#sys/netinet6/"
+"ADVAPI#."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:95
+msgid "RFC2362: Protocol Independent Multicast-Sparse Mode (PIM-SM)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:97
+msgid ""
+"RFC2362 defines packet formats for PIM-SM. [.filename]#draft-ietf-pim-"
+"ipv6-01.txt# is written based on this."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:99
+msgid "RFC2373: IPv6 Addressing Architecture"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:101
+msgid ""
+"supports node required addresses, and conforms to the scope requirement."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:103
+msgid "RFC2374: An IPv6 Aggregatable Global Unicast Address Format"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:105
+msgid "supports 64-bit length of Interface ID."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:107
+msgid "RFC2375: IPv6 Multicast Address Assignments"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:109
+msgid "Userland applications use the well-known addresses assigned in the RFC."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:111
+msgid "RFC2428: FTP Extensions for IPv6 and NATs"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:115
+msgid "RFC2460: IPv6 specification"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:116
+msgid "RFC2461: Neighbor discovery for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:118
+msgid ""
+"See crossref:ipv6[neighbor-discovery,23.5.1.2] in this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:120
+msgid "RFC2462: IPv6 Stateless Address Autoconfiguration"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:122
+msgid "See crossref:ipv6[ipv6-pnp,23.5.1.4] in this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:124
+msgid "RFC2463: ICMPv6 for IPv6 specification"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:126
+msgid "See crossref:ipv6[icmpv6,23.5.1.9] in this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:128
+msgid "RFC2464: Transmission of IPv6 Packets over Ethernet Networks"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:129
+msgid "RFC2465: MIB for IPv6: Textual Conventions and General Group"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:131
+msgid ""
+"Necessary statistics are gathered by the kernel. Actual IPv6 MIB support is "
+"provided as a patchkit for ucd-snmp."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:133
+msgid "RFC2466: MIB for IPv6: ICMPv6 group"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:135
+msgid ""
+"Necessary statistics are gathered by the kernel. Actual IPv6 MIB support is "
+"provided as patchkit for ucd-snmp."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:137
+msgid "RFC2467: Transmission of IPv6 Packets over FDDI Networks"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:138
+msgid "RFC2497: Transmission of IPv6 packet over ARCnet Networks"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:139
+msgid "RFC2553: Basic Socket Interface Extensions for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:142
+msgid ""
+"IPv4 mapped address (3.7) and special behavior of IPv6 wildcard bind socket "
+"(3.8) are supported. See crossref:ipv6[ipv6-wildcard-socket,23.5.1.12] in "
+"this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:144
+msgid "RFC2675: IPv6 Jumbograms"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:146
+msgid "See crossref:ipv6[ipv6-jumbo,23.5.1.7] in this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:148
+msgid "RFC2710: Multicast Listener Discovery for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:149
+msgid "RFC2711: IPv6 router alert option"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:150
+msgid ""
+"[.filename]#draft-ietf-ipngwg-router-renum-08#: Router renumbering for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:151
+msgid ""
+"[.filename]#draft-ietf-ipngwg-icmp-namelookups-02#: IPv6 Name Lookups "
+"Through ICMP"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:152
+msgid ""
+"[.filename]#draft-ietf-ipngwg-icmp-name-lookups-03#: IPv6 Name Lookups "
+"Through ICMP"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:153
+msgid "[.filename]#draft-ietf-pim-ipv6-01.txt#: PIM for IPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:155
+msgid ""
+"man:pim6dd[8] implements dense mode. man:pim6sd[8] implements sparse mode."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:157
+msgid ""
+"[.filename]#draft-itojun-ipv6-tcp-to-anycast-00#: Disconnecting TCP "
+"connection toward IPv6 anycast address"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:158
+msgid "[.filename]#draft-yamamoto-wideipv6-comm-model-00#"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:160
+msgid "See crossref:ipv6[ipv6-sas,23.5.1.6] in this document for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:162
+msgid ""
+"[.filename]#draft-ietf-ipngwg-scopedaddr-format-00.txt#: An Extension of "
+"Format for IPv6 Scoped Addresses"
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:164
+#, no-wrap
+msgid "Neighbor Discovery"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:169
+msgid ""
+"Neighbor Discovery is fairly stable. Currently Address Resolution, "
+"Duplicated Address Detection, and Neighbor Unreachability Detection are "
+"supported. In the near future we will be adding Proxy Neighbor "
+"Advertisement support in the kernel and Unsolicited Neighbor Advertisement "
+"transmission command as admin tool."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:174
+msgid ""
+"If DAD fails, the address will be marked \"duplicated\" and message will be "
+"generated to syslog (and usually to console). The \"duplicated\" mark can "
+"be checked with man:ifconfig[8]. It is administrators' responsibility to "
+"check for and recover from DAD failures. The behavior should be improved in "
+"the near future."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:178
+msgid ""
+"Some of the network driver loops multicast packets back to itself, even if "
+"instructed not to do so (especially in promiscuous mode). In such cases DAD "
+"may fail, because DAD engine sees inbound NS packet (actually from the node "
+"itself) and considers it as a sign of duplicate. You may want to look at "
+"#if condition marked \"heuristics\" in sys/netinet6/"
+"nd6_nbr.c:nd6_dad_timer() as workaround (note that the code fragment in "
+"\"heuristics\" section is not spec conformant)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:180
+msgid ""
+"Neighbor Discovery specification (RFC2461) does not talk about neighbor "
+"cache handling in the following cases:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:182
+msgid ""
+"when there was no neighbor cache entry, node received unsolicited RS/NS/NA/"
+"redirect packet without link-layer address"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:183
+msgid ""
+"neighbor cache handling on medium without link-layer address (we need a "
+"neighbor cache entry for IsRouter bit)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:186
+msgid ""
+"For first case, we implemented workaround based on discussions on IETF "
+"ipngwg mailing list. For more details, see the comments in the source code "
+"and email thread started from (IPng 7155), dated Feb 6 1999."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:189
+msgid ""
+"IPv6 on-link determination rule (RFC2461) is quite different from "
+"assumptions in BSD network code. At this moment, no on-link determination "
+"rule is supported where default router list is empty (RFC2461, section 5.2, "
+"last sentence in 2nd paragraph - note that the spec misuse the word \"host\" "
+"and \"node\" in several places in the section)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:194
+msgid ""
+"To avoid possible DoS attacks and infinite loops, only 10 options on ND "
+"packet is accepted now. Therefore, if you have 20 prefix options attached "
+"to RA, only the first 10 prefixes will be recognized. If this troubles you, "
+"please ask it on FREEBSD-CURRENT mailing list and/or modify nd6_maxndopt in "
+"[.filename]#sys/netinet6/nd6.c#. If there are high demands we may provide "
+"sysctl knob for the variable."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:196
+#, no-wrap
+msgid "Scope Index"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:201
+msgid ""
+"IPv6 uses scoped addresses. Therefore, it is very important to specify "
+"scope index (interface index for link-local address, or site index for site-"
+"local address) with an IPv6 address. Without scope index, scoped IPv6 "
+"address is ambiguous to the kernel, and kernel will not be able to determine "
+"the outbound interface for a packet."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:206
+msgid ""
+"Ordinary userland applications should use advanced API (RFC2292) to specify "
+"scope index, or interface index. For similar purpose, sin6_scope_id member "
+"in sockaddr_in6 structure is defined in RFC2553. However, the semantics for "
+"sin6_scope_id is rather vague. If you care about portability of your "
+"application, we suggest you to use advanced API rather than sin6_scope_id."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:209
+msgid ""
+"In the kernel, an interface index for link-local scoped address is embedded "
+"into 2nd 16bit-word (3rd and 4th byte) in IPv6 address. For example, you "
+"may see something like:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:213
+#, no-wrap
+msgid "\tfe80:1::200:f8ff:fe01:6317\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:218
+msgid ""
+"in the routing table and interface address structure (struct in6_ifaddr). "
+"The address above is a link-local unicast address which belongs to a network "
+"interface whose interface identifier is 1. The embedded index enables us to "
+"identify IPv6 link local addresses over multiple interfaces effectively and "
+"with only a little code change."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:223
+msgid ""
+"Routing daemons and configuration programs, like man:route6d[8] and "
+"man:ifconfig[8], will need to manipulate the \"embedded\" scope index. "
+"These programs use routing sockets and ioctls (like SIOCGIFADDR_IN6) and the "
+"kernel API will return IPv6 addresses with 2nd 16bit-word filled in. The "
+"APIs are for manipulating kernel internal structure. Programs that use "
+"these APIs have to be prepared about differences in kernels anyway."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:230
+msgid ""
+"When you specify scoped address to the command line, NEVER write the "
+"embedded form (such as ff02:1::1 or fe80:2::fedc). This is not supposed to "
+"work. Always use standard form, like ff02::1 or fe80::fedc, with command "
+"line option for specifying interface (like `ping -6 -I ne0 ff02::1`). In "
+"general, if a command does not have command line option to specify outgoing "
+"interface, that command is not ready to accept scoped address. This may "
+"seem to be opposite from IPv6's premise to support \"dentist office\" "
+"situation. We believe that specifications need some improvements for this."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:234
+msgid ""
+"Some of the userland tools support extended numeric IPv6 syntax, as "
+"documented in [.filename]#draft-ietf-ipngwg-scopedaddr-format-00.txt#. You "
+"can specify outgoing link, by using name of the outgoing interface like "
+"\"fe80::1%ne0\". This way you will be able to specify link-local scoped "
+"address without much trouble."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:237
+msgid ""
+"To use this extension in your program, you will need to use "
+"man:getaddrinfo[3], and man:getnameinfo[3] with NI_WITHSCOPEID. The "
+"implementation currently assumes 1-to-1 relationship between a link and an "
+"interface, which is stronger than what specs say."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:239
+#, no-wrap
+msgid "Plug and Play"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:245
+msgid ""
+"Most of the IPv6 stateless address autoconfiguration is implemented in the "
+"kernel. Neighbor Discovery functions are implemented in the kernel as a "
+"whole. Router Advertisement (RA) input for hosts is implemented in the "
+"kernel. Router Solicitation (RS) output for endhosts, RS input for routers, "
+"and RA output for routers are implemented in the userland."
+msgstr ""
+
+#. type: Title =====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:246
+#, no-wrap
+msgid "Assignment of link-local, and special addresses"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:251
+msgid ""
+"IPv6 link-local address is generated from IEEE802 address (Ethernet MAC "
+"address). Each of interface is assigned an IPv6 link-local address "
+"automatically, when the interface becomes up (IFF_UP). Also, direct route "
+"for the link-local address is added to routing table."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:253
+msgid "Here is an output of netstat command:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:260
+#, no-wrap
+msgid ""
+"Internet6:\n"
+"Destination Gateway Flags Netif Expire\n"
+"fe80:1::%ed0/64 link#1 UC ed0\n"
+"fe80:2::%ep0/64 link#2 UC ep0\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:265
+msgid ""
+"Interfaces that has no IEEE802 address (pseudo interfaces like tunnel "
+"interfaces, or ppp interfaces) will borrow IEEE802 address from other "
+"interfaces, such as Ethernet interfaces, whenever possible. If there is no "
+"IEEE802 hardware attached, a last resort pseudo-random value, MD5(hostname), "
+"will be used as source of link-local address. If it is not suitable for "
+"your usage, you will need to configure the link-local address manually."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:268
+msgid ""
+"If an interface is not capable of handling IPv6 (such as lack of multicast "
+"support), link-local address will not be assigned to that interface. See "
+"section 2 for details."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:272
+msgid ""
+"Each interface joins the solicited multicast address and the link-local all-"
+"nodes multicast addresses (e.g., fe80::1:ff01:6317 and ff02::1, "
+"respectively, on the link the interface is attached). In addition to a link-"
+"local address, the loopback address (::1) will be assigned to the loopback "
+"interface. Also, ::1/128 and ff01::/32 are automatically added to routing "
+"table, and loopback interface joins node-local multicast group ff01::1."
+msgstr ""
+
+#. type: Title =====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:273
+#, no-wrap
+msgid "Stateless address autoconfiguration on Hosts"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:277
+msgid ""
+"In IPv6 specification, nodes are separated into two categories: _routers_ "
+"and _hosts_. Routers forward packets addressed to others, hosts does not "
+"forward the packets. net.inet6.ip6.forwarding defines whether this node is "
+"router or host (router if it is 1, host if it is 0)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:286
+msgid ""
+"When a host hears Router Advertisement from the router, a host may "
+"autoconfigure itself by stateless address autoconfiguration. This behavior "
+"can be controlled by net.inet6.ip6.accept_rtadv (host autoconfigures itself "
+"if it is set to 1). By autoconfiguration, network address prefix for the "
+"receiving interface (usually global address prefix) is added. Default route "
+"is also configured. Routers periodically generate Router Advertisement "
+"packets. To request an adjacent router to generate RA packet, a host can "
+"transmit Router Solicitation. To generate a RS packet at any time, use the "
+"_rtsol_ command. man:rtsold[8] daemon is also available. man:rtsold[8] "
+"generates Router Solicitation whenever necessary, and it works great for "
+"nomadic usage (notebooks/laptops). If one wishes to ignore Router "
+"Advertisements, use sysctl to set net.inet6.ip6.accept_rtadv to 0."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:288
+msgid ""
+"To generate Router Advertisement from a router, use the man:rtadvd[8] daemon."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:290
+msgid ""
+"Note that, IPv6 specification assumes the following items, and nonconforming "
+"cases are left unspecified:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:292
+msgid "Only hosts will listen to router advertisements"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:293
+msgid "Hosts have single network interface (except loopback)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:296
+msgid ""
+"Therefore, this is unwise to enable net.inet6.ip6.accept_rtadv on routers, "
+"or multi-interface host. A misconfigured node can behave strange "
+"(nonconforming configuration allowed for those who would like to do some "
+"experiments)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:298
+msgid "To summarize the sysctl knob:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:312
+#, no-wrap
+msgid ""
+"\taccept_rtadv\tforwarding\trole of the node\n"
+"\t---\t\t---\t\t---\n"
+"\t0\t\t0\t\thost (to be manually configured)\n"
+"\t0\t\t1\t\trouter\n"
+"\t1\t\t0\t\tautoconfigured host\n"
+"\t\t\t\t\t(spec assumes that host has single\n"
+"\t\t\t\t\tinterface only, autoconfigured host\n"
+"\t\t\t\t\twith multiple interface is\n"
+"\t\t\t\t\tout-of-scope)\n"
+"\t1\t\t1\t\tinvalid, or experimental\n"
+"\t\t\t\t\t(out-of-scope of spec)\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:317
+msgid ""
+"RFC2462 has validation rule against incoming RA prefix information option, "
+"in 5.5.3 (e). This is to protect hosts from malicious (or misconfigured) "
+"routers that advertise very short prefix lifetime. There was an update from "
+"Jim Bound to ipngwg mailing list (look for \"(ipng 6712)\" in the archive) "
+"and it is implemented Jim's update."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:319
+msgid ""
+"See crossref:ipv6[neighbor-discovery,23.5.1.2] in the document for "
+"relationship between DAD and autoconfiguration."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:321
+#, no-wrap
+msgid "Generic Tunnel Interface"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:325
+msgid ""
+"GIF (Generic InterFace) is a pseudo interface for configured tunnel. "
+"Details are described in man:gif[4]. Currently"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:327
+msgid "v6 in v6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:328
+msgid "v6 in v4"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:329
+msgid "v4 in v6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:330
+msgid "v4 in v4"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:335
+msgid ""
+"are available. Use man:gifconfig[8] to assign physical (outer) source and "
+"destination address to gif interfaces. Configuration that uses same address "
+"family for inner and outer IP header (v4 in v4, or v6 in v6) is dangerous. "
+"It is very easy to configure interfaces and routing tables to perform "
+"infinite level of tunneling. _Please be warned_."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:338
+msgid ""
+"gif can be configured to be ECN-friendly. See crossref:ipv6[ipsec-"
+"ecn,23.5.4.5] for ECN-friendliness of tunnels, and man:gif[4] for how to "
+"configure."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:341
+msgid ""
+"If you would like to configure an IPv4-in-IPv6 tunnel with gif interface, "
+"read man:gif[4] carefully. You will need to remove IPv6 link-local address "
+"automatically assigned to the gif interface."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:343
+#, no-wrap
+msgid "Source Address Selection"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:347
+msgid ""
+"Current source selection rule is scope oriented (there are some exceptions - "
+"see below). For a given destination, a source IPv6 address is selected by "
+"the following rule:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:349
+msgid ""
+"If the source address is explicitly specified by the user (e.g., via the "
+"advanced API), the specified address is used."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:350
+msgid ""
+"If there is an address assigned to the outgoing interface (which is usually "
+"determined by looking up the routing table) that has the same scope as the "
+"destination address, the address is used."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:352
+msgid "This is the most typical case."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:353
+msgid ""
+"If there is no address that satisfies the above condition, choose a global "
+"address assigned to one of the interfaces on the sending node."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:354
+msgid ""
+"If there is no address that satisfies the above condition, and destination "
+"address is site local scope, choose a site local address assigned to one of "
+"the interfaces on the sending node."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:355
+msgid ""
+"If there is no address that satisfies the above condition, choose the "
+"address associated with the routing table entry for the destination. This is "
+"the last resort, which may cause scope violation."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:361
+msgid ""
+"For instance, ::1 is selected for ff01::1, fe80:1::200:f8ff:fe01:6317 for "
+"fe80:1::2a0:24ff:feab:839b (note that embedded interface index - described "
+"in crossref:ipv6[ipv6-scope-index,23.5.1.3] - helps us choose the right "
+"source address. Those embedded indices will not be on the wire). If the "
+"outgoing interface has multiple address for the scope, a source is selected "
+"longest match basis (rule 3). Suppose 2001:0DB8:808:1:200:f8ff:fe01:6317 "
+"and 2001:0DB8:9:124:200:f8ff:fe01:6317 are given to the outgoing interface. "
+"2001:0DB8:808:1:200:f8ff:fe01:6317 is chosen as the source for the "
+"destination 2001:0DB8:800::1."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:368
+msgid ""
+"Note that the above rule is not documented in the IPv6 spec. It is "
+"considered \"up to implementation\" item. There are some cases where we do "
+"not use the above rule. One example is connected TCP session, and we use "
+"the address kept in tcb as the source. Another example is source address "
+"for Neighbor Advertisement. Under the spec (RFC2461 7.2.2) NA's source "
+"should be the target address of the corresponding NS's target. In this case "
+"we follow the spec rather than the above longest-match rule."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:374
+msgid ""
+"For new connections (when rule 1 does not apply), deprecated addresses "
+"(addresses with preferred lifetime = 0) will not be chosen as source address "
+"if other choices are available. If no other choices are available, "
+"deprecated address will be used as a last resort. If there are multiple "
+"choice of deprecated addresses, the above scope rule will be used to choose "
+"from those deprecated addresses. If you would like to prohibit the use of "
+"deprecated address for some reason, configure net.inet6.ip6.use_deprecated "
+"to 0. The issue related to deprecated address is described in RFC2462 5.5.4 "
+"(NOTE: there is some debate underway in IETF ipngwg on how to use "
+"\"deprecated\" address)."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:376
+#, no-wrap
+msgid "Jumbo Payload"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:380
+msgid ""
+"The Jumbo Payload hop-by-hop option is implemented and can be used to send "
+"IPv6 packets with payloads longer than 65,535 octets. But currently no "
+"physical interface whose MTU is more than 65,535 is supported, so such "
+"payloads can be seen only on the loopback interface (i.e., lo0)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:382
+msgid ""
+"If you want to try jumbo payloads, you first have to reconfigure the kernel "
+"so that the MTU of the loopback interface is more than 65,535 bytes; add the "
+"following to the kernel configuration file:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:384
+msgid "`options \"LARGE_LOMTU\" #To test jumbo payload`"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:386
+msgid "and recompile the new kernel."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:390
+msgid ""
+"Then you can test jumbo payloads by the man:ping[8] command with -6, -b and "
+"-s options. The -b option must be specified to enlarge the size of the "
+"socket buffer and the -s option specifies the length of the packet, which "
+"should be more than 65,535. For example, type as follows:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:394
+#, no-wrap
+msgid "% ping -6 -b 70000 -s 68000 ::1\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:399
+msgid ""
+"The IPv6 specification requires that the Jumbo Payload option must not be "
+"used in a packet that carries a fragment header. If this condition is "
+"broken, an ICMPv6 Parameter Problem message must be sent to the sender. "
+"specification is followed, but you cannot usually see an ICMPv6 error caused "
+"by this requirement."
+msgstr ""
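Review bot: The third sentence of the msgid above, "specification is followed, but you cannot usually see an ICMPv6 error caused by this requirement.", starts in lower case with no subject, so the words that preceded "specification" are missing from the source string at _index.adoc:399. Restore them in the .adoc before this string goes to translators; as extracted, a translator cannot tell what is being said to follow the specification.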
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:403
+msgid ""
+"When an IPv6 packet is received, the frame length is checked and compared to "
+"the length specified in the payload length field of the IPv6 header or in "
+"the value of the Jumbo Payload option, if any. If the former is shorter "
+"than the latter, the packet is discarded and statistics are incremented. "
+"You can see the statistics as output of man:netstat[8] command with `-s -p "
+"ip6' option:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:410
+#, no-wrap
+msgid ""
+"% netstat -s -p ip6\n"
+"\t ip6:\n"
+"\t\t(snip)\n"
+"\t\t1 with data size < data length\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:414
+msgid ""
+"So, kernel does not send an ICMPv6 error unless the erroneous packet is an "
+"actual Jumbo Payload, that is, its packet size is more than 65,535 bytes. "
+"As described above, currently no physical interface with such a huge MTU is "
+"supported, so it rarely returns an ICMPv6 error."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:417
+msgid ""
+"TCP/UDP over jumbogram is not supported at this moment. This is because we "
+"have no medium (other than loopback) to test this. Contact us if you need "
+"this."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:420
+msgid ""
+"IPsec does not work on jumbograms. This is due to some specification twists "
+"in supporting AH with jumbograms (AH header size influences payload length, "
+"and this makes it real hard to authenticate inbound packet with jumbo "
+"payload option as well as AH)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:424
+msgid ""
+"There are fundamental issues in *BSD support for jumbograms. We would like "
+"to address those, but we need more time to finalize these. To name a few:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:428
+msgid ""
+"mbuf pkthdr.len field is typed as \"int\" in 4.4BSD, so it will not hold "
+"jumbogram with len > 2G on 32bit architecture CPUs. If we would like to "
+"support jumbogram properly, the field must be expanded to hold 4G + IPv6 "
+"header + link-layer header. Therefore, it must be expanded to at least "
+"int64_t (u_int32_t is NOT enough)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:430
+msgid ""
+"We mistakingly use \"int\" to hold packet length in many places. We need to "
+"convert them into larger integral type. It needs a great care, as we may "
+"experience overflow during packet length computation."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:431
+msgid ""
+"We mistakingly check for ip6_plen field of IPv6 header for packet payload "
+"length in various places. We should be checking mbuf pkthdr.len instead. "
+"ip6_input() will perform sanity check on jumbo payload option on input, and "
+"we can safely use mbuf pkthdr.len afterwards."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:432
+msgid "TCP code needs a careful update in bunch of places, of course."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:433
+#, no-wrap
+msgid "Loop Prevention in Header Processing"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:444
+msgid ""
+"IPv6 specification allows arbitrary number of extension headers to be placed "
+"onto packets. If we implement IPv6 packet processing code in the way BSD "
+"IPv4 code is implemented, kernel stack may overflow due to long function "
+"call chain. sys/netinet6 code is carefully designed to avoid kernel stack "
+"overflow, so sys/netinet6 code defines its own protocol switch structure, as "
+"\"struct ip6protosw\" (see [.filename]#netinet6/ip6protosw.h#). There is no "
+"such update to IPv4 part (sys/netinet) for compatibility, but small change "
+"is added to its pr_input() prototype. So \"struct ipprotosw\" is also "
+"defined. As a result, if you receive IPsec-over-IPv4 packet with massive "
+"number of IPsec headers, kernel stack may blow up. IPsec-over-IPv6 is "
+"okay. (Of-course, for those all IPsec headers to be processed, each such "
+"IPsec header must pass each IPsec check. So an anonymous attacker will not "
+"be able to do such an attack.)"
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:446
+#, no-wrap
+msgid "ICMPv6"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:450
+msgid ""
+"After RFC2463 was published, IETF ipngwg has decided to disallow ICMPv6 "
+"error packet against ICMPv6 redirect, to prevent ICMPv6 storm on a network "
+"medium. This is already implemented into the kernel."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:451
+#, no-wrap
+msgid "Applications"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:454
+msgid ""
+"For userland programming, we support IPv6 socket API as specified in "
+"RFC2553, RFC2292 and upcoming Internet drafts."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:459
+msgid ""
+"TCP/UDP over IPv6 is available and quite stable. You can enjoy "
+"man:telnet[1], man:ftp[1], man:rlogin[1], man:rsh[1], man:ssh[1], etc. "
+"These applications are protocol independent. That is, they automatically "
+"chooses IPv4 or IPv6 according to DNS."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:460
+#, no-wrap
+msgid "Kernel Internals"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:463
+msgid ""
+"While ip_forward() calls ip_output(), ip6_forward() directly calls "
+"if_output() since routers must not divide IPv6 packets into fragments."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:467
+msgid ""
+"ICMPv6 should contain the original packet as long as possible up to 1280. "
+"UDP6/IP6 port unreach, for instance, should contain all extension headers "
+"and the *unchanged* UDP6 and IP6 headers. So, all IP6 functions except TCP "
+"never convert network byte order into host byte order, to save the original "
+"packet."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:471
+msgid ""
+"tcp_input(), udp6_input() and icmp6_input() can not assume that IP6 header "
+"is preceding the transport headers due to extension headers. So, "
+"in6_cksum() was implemented to handle packets whose IP6 header and transport "
+"header is not continuous. TCP/IP6 nor UDP6/IP6 header structures do not "
+"exist for checksum calculation."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:474
+msgid ""
+"To process IP6 header, extension headers and transport headers easily, "
+"network drivers are now required to store packets in one internal mbuf or "
+"one or more external mbufs. A typical old driver prepares two internal "
+"mbufs for 96 - 204 bytes data, however, now such packet data is stored in "
+"one external mbuf."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:478
+msgid ""
+"`netstat -s -p ip6` tells you whether or not your driver conforms such "
+"requirement. In the following example, \"cce0\" violates the requirement. "
+"(For more information, refer to Section 2.)"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:488
+#, no-wrap
+msgid ""
+"Mbuf statistics:\n"
+" 317 one mbuf\n"
+" two or more mbuf::\n"
+" lo0 = 8\n"
+"\t\t\tcce0 = 10\n"
+" 3282 one ext mbuf\n"
+" 0 two or more ext mbuf\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:493
+msgid ""
+"Each input function calls IP6_EXTHDR_CHECK in the beginning to check if the "
+"region between IP6 and its header is continuous. IP6_EXTHDR_CHECK calls "
+"m_pullup() only if the mbuf has M_LOOP flag, that is, the packet comes from "
+"the loopback interface. m_pullup() is never called for packets coming from "
+"physical network interfaces."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:495
+msgid "Both IP and IP6 reassemble functions never call m_pullup()."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:497
+#, no-wrap
+msgid "IPv4 Mapped Address and IPv6 Wildcard Socket"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:501
+msgid ""
+"RFC2553 describes IPv4 mapped address (3.7) and special behavior of IPv6 "
+"wildcard bind socket (3.8). The spec allows you to:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:503
+msgid "Accept IPv4 connections by AF_INET6 wildcard bind socket."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:504
+msgid ""
+"Transmit IPv4 packet over AF_INET6 socket by using special form of the "
+"address like ::ffff:10.1.1.1."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:507
+msgid ""
+"but the spec itself is very complicated and does not specify how the socket "
+"layer should behave. Here we call the former one \"listening side\" and the "
+"latter one \"initiating side\", for reference purposes."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:509
+msgid ""
+"You can perform wildcard bind on both of the address families, on the same "
+"port."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:511
+msgid "The following table show the behavior of FreeBSD 4.x."
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:520
+#, no-wrap
+msgid ""
+"listening side initiating side\n"
+" (AF_INET6 wildcard (connection to ::ffff:10.1.1.1)\n"
+" socket gets IPv4 conn.)\n"
+" --- ---\n"
+"FreeBSD 4.x configurable supported\n"
+" default: enabled\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:523
+msgid ""
+"The following sections will give you more details, and how you can configure "
+"the behavior."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:525
+msgid "Comments on listening side:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:532
+msgid ""
+"It looks that RFC2553 talks too little on wildcard bind issue, especially on "
+"the port space issue, failure mode and relationship between AF_INET/INET6 "
+"wildcard bind. There can be several separate interpretation for this RFC "
+"which conform to it but behaves differently. So, to implement portable "
+"application you should assume nothing about the behavior in the kernel. "
+"Using man:getaddrinfo[3] is the safest way. Port number space and wildcard "
+"bind issues were discussed in detail on ipv6imp mailing list, in mid March "
+"1999 and it looks that there is no concrete consensus (means, up to "
+"implementers). You may want to check the mailing list archives."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:534
+msgid ""
+"If a server application would like to accept IPv4 and IPv6 connections, "
+"there will be two alternatives."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:539
+msgid ""
+"One is using AF_INET and AF_INET6 socket (you will need two sockets). Use "
+"man:getaddrinfo[3] with AI_PASSIVE into ai_flags, and man:socket[2] and "
+"man:bind[2] to all the addresses returned. By opening multiple sockets, you "
+"can accept connections onto the socket with proper address family. IPv4 "
+"connections will be accepted by AF_INET socket, and IPv6 connections will be "
+"accepted by AF_INET6 socket."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:545
+msgid ""
+"Another way is using one AF_INET6 wildcard bind socket. Use "
+"man:getaddrinfo[3] with AI_PASSIVE into ai_flags and with AF_INET6 into "
+"ai_family, and set the 1st argument hostname to NULL. And man:socket[2] and "
+"man:bind[2] to the address returned. (should be IPv6 unspecified addr). "
+"You can accept either of IPv4 and IPv6 packet via this one socket."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:549
+msgid ""
+"To support only IPv6 traffic on AF_INET6 wildcard binded socket portably, "
+"always check the peer address when a connection is made toward AF_INET6 "
+"listening socket. If the address is IPv4 mapped address, you may want to "
+"reject the connection. You can check the condition by using "
+"IN6_IS_ADDR_V4MAPPED() macro."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:551
+msgid ""
+"To resolve this issue more easily, there is system dependent "
+"man:setsockopt[2] option, IPV6_BINDV6ONLY, used like below."
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:555
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:602
+#, no-wrap
+msgid "\tint on;\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:558
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:605
+#, no-wrap
+msgid ""
+"\tsetsockopt(s, IPPROTO_IPV6, IPV6_BINDV6ONLY,\n"
+"\t\t (char *)&on, sizeof (on)) < 0));\n"
+msgstr ""
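Review bot: The C fragment split across the two msgids above (`int on;` and the `setsockopt(...)` call) does not compile and would not behave as the text says if it did: `on` is never assigned before `&on` is passed to setsockopt(), and the call ends in `sizeof (on)) < 0));` with two unmatched closing parentheses and no enclosing `if`. This is the snippet readers copy to stop an AF_INET6 wildcard socket from accepting IPv4 connections, so an indeterminate `on` can leave that behaviour enabled without any error. Suggest fixing it in _index.adoc at both uses (lines 555/558 and 602/605) to `int on = 1;` and a complete `if (setsockopt(...) < 0)` with an error path, then regenerating this file.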
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:561
+msgid "When this call succeed, then this socket only receive IPv6 packets."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:563
+msgid "Comments on initiating side:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:565
+msgid ""
+"Advise to application implementers: to implement a portable IPv6 application "
+"(which works on multiple IPv6 kernels), we believe that the following is the "
+"key to the success:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:567
+msgid "NEVER hardcode AF_INET nor AF_INET6."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:568
+msgid ""
+"Use man:getaddrinfo[3] and man:getnameinfo[3] throughout the system. Never "
+"use gethostby*(), getaddrby*(), inet_*() or getipnodeby*(). (To update "
+"existing applications to be IPv6 aware easily, sometime getipnodeby*() will "
+"be useful. But if possible, try to rewrite the code to use "
+"man:getaddrinfo[3] and man:getnameinfo[3].)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:569
+msgid ""
+"If you would like to connect to destination, use man:getaddrinfo[3] and try "
+"all the destination returned, like man:telnet[1] does."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:570
+msgid ""
+"Some of the IPv6 stack is shipped with buggy man:getaddrinfo[3]. Ship a "
+"minimal working version with your application and use that as last resort."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:576
+msgid ""
+"If you would like to use AF_INET6 socket for both IPv4 and IPv6 outgoing "
+"connection, you will need to use man:getipnodebyname[3]. When you would "
+"like to update your existing application to be IPv6 aware with minimal "
+"effort, this approach might be chosen. But please note that it is a "
+"temporal solution, because man:getipnodebyname[3] itself is not recommended "
+"as it does not handle scoped IPv6 addresses at all. For IPv6 name "
+"resolution, man:getaddrinfo[3] is the preferred API. So you should rewrite "
+"your application to use man:getaddrinfo[3], when you get the time to do it."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:580
+msgid ""
+"When writing applications that make outgoing connections, story goes much "
+"simpler if you treat AF_INET and AF_INET6 as totally separate address "
+"family. {set,get}sockopt issue goes simpler, DNS issue will be made "
+"simpler. We do not recommend you to rely upon IPv4 mapped address."
+msgstr ""
+
+#. type: Title =====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:581
+#, no-wrap
+msgid "unified tcp and inpcb code"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:585
+msgid ""
+"FreeBSD 4.x uses shared tcp code between IPv4 and IPv6 (from sys/netinet/"
+"tcp*) and separate udp4/6 code. It uses unified inpcb structure."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:588
+msgid ""
+"The platform can be configured to support IPv4 mapped address. Kernel "
+"configuration is summarized as follows:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:590
+msgid ""
+"By default, AF_INET6 socket will grab IPv4 connections in certain condition, "
+"and can initiate connection to IPv4 destination embedded in IPv4 mapped IPv6 "
+"address."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:591
+msgid "You can disable it on entire system with sysctl like below."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:593
+msgid "`sysctl net.inet6.ip6.mapped_addr=0`"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:595
+msgid "====== Listening Side"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:598
+msgid ""
+"Each socket can be configured to support special AF_INET6 wildcard bind "
+"(enabled by default). You can disable it on each socket basis with "
+"man:setsockopt[2] like below."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:608
+msgid ""
+"Wildcard AF_INET6 socket grabs IPv4 connection if and only if the following "
+"conditions are satisfied:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:610
+msgid "there is no AF_INET socket that matches the IPv4 connection"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:611
+msgid ""
+"the AF_INET6 socket is configured to accept IPv4 traffic, i.e., "
+"getsockopt(IPV6_BINDV6ONLY) returns 0."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:613
+msgid "There is no problem with open/close ordering."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:615
+msgid "====== Initiating Side"
+msgstr ""
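Review bot: `====== Initiating Side` above and `====== Listening Side` (_index.adoc:595) are extracted as `#. type: Plain text` with the `======` markers inside the msgid, while the other headings in this file come out as `Title` entries with the markers stripped. Suggest fixing the heading markup at _index.adoc:595 and :615 so both are extracted as titles; as it stands each translator has to reproduce the markers by hand, and a dropped or added `=` changes the structure of the translated page.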
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:617
+msgid ""
+"FreeBSD 4.x supports outgoing connection to IPv4 mapped address "
+"(::ffff:10.1.1.1), if the node is configured to support IPv4 mapped address."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:618
+#, no-wrap
+msgid "sockaddr_storage"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:624
+msgid ""
+"When RFC2553 was about to be finalized, there was discussion on how struct "
+"sockaddr_storage members are named. One proposal is to prepend \"__\" to "
+"the members (like \"__ss_len\") as they should not be touched. The other "
+"proposal was not to prepend it (like \"ss_len\") as we need to touch those "
+"members directly. There was no clear consensus on it."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:626
+msgid "As a result, RFC2553 defines struct sockaddr_storage as follows:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:634
+#, no-wrap
+msgid ""
+"\tstruct sockaddr_storage {\n"
+"\t\tu_char\t__ss_len;\t/* address length */\n"
+"\t\tu_char\t__ss_family;\t/* address family */\n"
+"\t\t/* and bunch of padding */\n"
+"\t};\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:637
+msgid "On the contrary, XNET draft defines as follows:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:645
+#, no-wrap
+msgid ""
+"\tstruct sockaddr_storage {\n"
+"\t\tu_char\tss_len;\t\t/* address length */\n"
+"\t\tu_char\tss_family;\t/* address family */\n"
+"\t\t/* and bunch of padding */\n"
+"\t};\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:648
+msgid ""
+"In December 1999, it was agreed that RFC2553bis should pick the latter "
+"(XNET) definition."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:650
+msgid ""
+"Current implementation conforms to XNET definition, based on RFC2553bis "
+"discussion."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:653
+msgid ""
+"If you look at multiple IPv6 implementations, you will be able to see both "
+"definitions. As an userland programmer, the most portable way of dealing "
+"with it is to:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:655
+msgid ""
+"ensure ss_family and/or ss_len are available on the platform, by using GNU "
+"autoconf,"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:656
+msgid ""
+"have -Dss_family=__ss_family to unify all occurrences (including header "
+"file) into __ss_family, or"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:657
+msgid "never touch __ss_family. cast to sockaddr * and use sa_family like:"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:662
+#, no-wrap
+msgid ""
+"\tstruct sockaddr_storage ss;\n"
+"\tfamily = ((struct sockaddr *)&ss)->sa_family\n"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:664
+#, no-wrap
+msgid "Network Drivers"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:667
+msgid ""
+"Now following two items are required to be supported by standard drivers:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:669
+msgid ""
+"mbuf clustering requirement. In this stable release, we changed MINCLSIZE "
+"into MHLEN+1 for all the operating systems in order to make all the drivers "
+"behave as we expect."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:670
+msgid ""
+"multicast. If man:ifmcstat[8] yields no multicast group for a interface, "
+"that interface has to be patched."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:673
+msgid ""
+"If any of the drivers do not support the requirements, then the drivers "
+"cannot be used for IPv6 and/or IPsec communication. If you find any problem "
+"with your card using IPv6/IPsec, then, please report it to the {freebsd-"
+"bugs}."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:676
+msgid ""
+"(NOTE: In the past we required all PCMCIA drivers to have a call to "
+"in6_ifattach(). We have no such requirement any more)"
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:677
+#, no-wrap
+msgid "Translator"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:680
+msgid "We categorize IPv4/IPv6 translator into 4 types:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:682
+msgid ""
+"_Translator A_ --- It is used in the early stage of transition to make it "
+"possible to establish a connection from an IPv6 host in an IPv6 island to an "
+"IPv4 host in the IPv4 ocean."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:683
+msgid ""
+"_Translator B_ --- It is used in the early stage of transition to make it "
+"possible to establish a connection from an IPv4 host in the IPv4 ocean to an "
+"IPv6 host in an IPv6 island."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:684
+msgid ""
+"_Translator C_ --- It is used in the late stage of transition to make it "
+"possible to establish a connection from an IPv4 host in an IPv4 island to an "
+"IPv6 host in the IPv6 ocean."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:685
+msgid ""
+"_Translator D_ --- It is used in the late stage of transition to make it "
+"possible to establish a connection from an IPv6 host in the IPv6 ocean to an "
+"IPv4 host in an IPv4 island."
+msgstr ""
+
+#. type: Title ===
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:687
+#, no-wrap
+msgid "IPsec"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:690
+msgid "IPsec is mainly organized by three components."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:692
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:695
+#, no-wrap
+msgid "Policy Management"
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:693
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:705
+#, no-wrap
+msgid "Key Management"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:694
+msgid "AH and ESP handling"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:702
+msgid ""
+"The kernel implements experimental policy management code. There are two "
+"way to manage security policy. One is to configure per-socket policy using "
+"man:setsockopt[2]. In this cases, policy configuration is described in "
+"man:ipsec_set_policy[3]. The other is to configure kernel packet filter-"
+"based policy using PF_KEY interface, via man:setkey[8]."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:704
+msgid ""
+"The policy entry is not re-ordered with its indexes, so the order of entry "
+"when you add is very significant."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:709
+msgid ""
+"The key management code implemented in this kit (sys/netkey) is a home-brew "
+"PFKEY v2 implementation. This conforms to RFC2367."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:713
+msgid ""
+"The home-brew IKE daemon, \"racoon\" is included in the kit (kame/kame/"
+"racoon). Basically you will need to run racoon as daemon, then set up a "
+"policy to require keys (like `ping -P 'out ipsec esp/transport//use'`). The "
+"kernel will contact racoon daemon as necessary to exchange keys."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:714
+#, no-wrap
+msgid "AH and ESP Handling"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:722
+msgid ""
+"IPsec module is implemented as \"hooks\" to the standard IPv4/IPv6 "
+"processing. When sending a packet, ip{,6}_output() checks if ESP/AH "
+"processing is required by checking if a matching SPD (Security Policy "
+"Database) is found. If ESP/AH is needed, {esp,ah}{4,6}_output() will be "
+"called and mbuf will be updated accordingly. When a packet is received, "
+"{esp,ah}4_input() will be called based on protocol number, i.e., "
+"(*inetsw[proto])(). {esp,ah}4_input() will decrypt/check authenticity of "
+"the packet, and strips off daisy-chained header and padding for ESP/AH. It "
+"is safe to strip off the ESP/AH header on packet reception, since we will "
+"never use the received packet in \"as is\" form."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:725
+msgid ""
+"By using ESP/AH, TCP4/6 effective data segment size will be affected by "
+"extra daisy-chained headers inserted by ESP/AH. Our code takes care of the "
+"case."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:729
+msgid ""
+"Basic crypto functions can be found in directory \"sys/crypto\". ESP/AH "
+"transform are listed in {esp,ah}_core.c with wrapper functions. If you wish "
+"to add some algorithm, add wrapper function in {esp,ah}_core.c, and add your "
+"crypto algorithm code into sys/crypto."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:731
+msgid ""
+"Tunnel mode is partially supported in this release, with the following "
+"restrictions:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:733
+msgid ""
+"IPsec tunnel is not combined with GIF generic tunneling interface. It needs "
+"a great care because we may create an infinite loop between ip_output() and "
+"tunnelifp->if_output(). Opinion varies if it is better to unify them, or not."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:734
+msgid ""
+"MTU and Don't Fragment bit (IPv4) considerations need more checking, but "
+"basically works fine."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:735
+msgid ""
+"Authentication model for AH tunnel must be revisited. We will need to "
+"improve the policy management engine, eventually."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:736
+#, no-wrap
+msgid "Conformance to RFCs and IDs"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:739
+msgid ""
+"The IPsec code in the kernel conforms (or, tries to conform) to the "
+"following standards:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:741
+msgid "\"old IPsec\" specification documented in [.filename]#rfc182[5-9].txt#"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:744
+msgid ""
+"\"new IPsec\" specification documented in [.filename]#rfc240[1-6].txt#, "
+"[.filename]#rfc241[01].txt#, [.filename]#rfc2451.txt# and [.filename]#draft-"
+"mcdonald-simple-ipsec-api-01.txt# (draft expired, but you can take from "
+"link:ftp://ftp.kame.net/pub/internet-drafts/[ ftp://ftp.kame.net/pub/"
+"internet-drafts/]). (NOTE: IKE specifications, [.filename]#rfc241[7-9].txt# "
+"are implemented in userland, as \"racoon\" IKE daemon)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:746
+msgid "Currently supported algorithms are:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:748
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:785
+msgid "old IPsec AH"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:750
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:763
+msgid "null crypto checksum (no document, just for debugging)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:751
+msgid "keyed MD5 with 128bit crypto checksum ([.filename]#rfc1828.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:752
+msgid "keyed SHA1 with 128bit crypto checksum (no document)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:753
+msgid "HMAC MD5 with 128bit crypto checksum ([.filename]#rfc2085.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:754
+msgid "HMAC SHA1 with 128bit crypto checksum (no document)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:756
+msgid "old IPsec ESP"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:758
+msgid "null encryption (no document, similar to [.filename]#rfc2410.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:759
+msgid "DES-CBC mode ([.filename]#rfc1829.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:761
+msgid "new IPsec AH"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:764
+msgid "keyed MD5 with 96bit crypto checksum (no document)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:765
+msgid "keyed SHA1 with 96bit crypto checksum (no document)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:766
+msgid "HMAC MD5 with 96bit crypto checksum ([.filename]#rfc2403.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:767
+msgid "HMAC SHA1 with 96bit crypto checksum ([.filename]#rfc2404.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:769
+msgid "new IPsec ESP"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:771
+msgid "null encryption ([.filename]#rfc2410.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:772
+msgid ""
+"DES-CBC with derived IV ([.filename]#draft-ietf-ipsec-ciph-des-"
+"derived-01.txt#, draft expired)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:773
+msgid "DES-CBC with explicit IV ([.filename]#rfc2405.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:774
+msgid "3DES-CBC with explicit IV ([.filename]#rfc2451.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:775
+msgid "BLOWFISH CBC ([.filename]#rfc2451.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:776
+msgid "CAST128 CBC ([.filename]#rfc2451.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:777
+msgid "RC5 CBC ([.filename]#rfc2451.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:778
+msgid "each of the above can be combined with:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:780
+msgid "ESP authentication with HMAC-MD5(96bit)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:781
+msgid "ESP authentication with HMAC-SHA1(96bit)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:783
+msgid "The following algorithms are NOT supported:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:787
+msgid ""
+"HMAC MD5 with 128bit crypto checksum + 64bit replay prevention "
+"([.filename]#rfc2085.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:788
+msgid ""
+"keyed SHA1 with 160bit crypto checksum + 32bit padding "
+"([.filename]#rfc1852.txt#)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:791
+msgid ""
+"IPsec (in kernel) and IKE (in userland as \"racoon\") has been tested at "
+"several interoperability test events, and it is known to interoperate with "
+"many other implementations well. Also, current IPsec implementation as "
+"quite wide coverage for IPsec crypto algorithms documented in RFC (we cover "
+"algorithms without intellectual property issues only)."
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:793
+#, no-wrap
+msgid "ECN Consideration on IPsec Tunnels"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:796
+msgid ""
+"ECN-friendly IPsec tunnel is supported as described in [.filename]#draft-"
+"ipsec-ecn-00.txt#."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:801
+msgid ""
+"Normal IPsec tunnel is described in RFC2401. On encapsulation, IPv4 TOS "
+"field (or, IPv6 traffic class field) will be copied from inner IP header to "
+"outer IP header. On decapsulation outer IP header will be simply dropped. "
+"The decapsulation rule is not compatible with ECN, since ECN bit on the "
+"outer IP TOS/traffic class field will be lost."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:804
+msgid ""
+"To make IPsec tunnel ECN-friendly, we should modify encapsulation and "
+"decapsulation procedure. This is described in http://www.aciri.org/floyd/"
+"papers/draft-ipsec-ecn-00.txt[ http://www.aciri.org/floyd/papers/draft-ipsec-"
+"ecn-00.txt], chapter 3."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:806
+msgid ""
+"IPsec tunnel implementation can give you three behaviors, by setting "
+"net.inet.ipsec.ecn (or net.inet6.ipsec6.ecn) to some value:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:808
+msgid "RFC2401: no consideration for ECN (sysctl value -1)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:809
+msgid "ECN forbidden (sysctl value 0)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:810
+msgid "ECN allowed (sysctl value 1)"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:812
+msgid ""
+"Note that the behavior is configurable in per-node manner, not per-SA manner "
+"(draft-ipsec-ecn-00 wants per-SA configuration, but it looks too much for "
+"me)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:814
+msgid ""
+"The behavior is summarized as follows (see source code for more detail):"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:821
+#, no-wrap
+msgid ""
+"encapsulate decapsulate\n"
+" --- ---\n"
+"RFC2401 copy all TOS bits drop TOS bits on outer\n"
+" from inner to outer. (use inner TOS bits as is)\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:825
+#, no-wrap
+msgid ""
+"ECN forbidden copy TOS bits except for ECN drop TOS bits on outer\n"
+" (masked with 0xfc) from inner (use inner TOS bits as is)\n"
+" to outer. set ECN bits to 0.\n"
+msgstr ""
+
+#. type: delimited block . 4
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:830
+#, no-wrap
+msgid ""
+"ECN allowed copy TOS bits except for ECN use inner TOS bits with some\n"
+" CE (masked with 0xfe) from change. if outer ECN CE bit\n"
+" inner to outer. is 1, enable ECN CE bit on\n"
+" set ECN CE bit to 0. the inner.\n"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:833
+msgid "General strategy for configuration is as follows:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:835
+msgid ""
+"if both IPsec tunnel endpoint are capable of ECN-friendly behavior, you "
+"should better configure both end to \"ECN allowed\" (sysctl value 1)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:836
+msgid ""
+"if the other end is very strict about TOS bit, use \"RFC2401\" (sysctl value "
+"-1)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:837
+msgid "in other cases, use \"ECN forbidden\" (sysctl value 0)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:839
+msgid "The default behavior is \"ECN forbidden\" (sysctl value 0)."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:841
+msgid "For more information, please refer to:"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:843
+msgid ""
+"http://www.aciri.org/floyd/papers/draft-ipsec-ecn-00.txt[ http://"
+"www.aciri.org/floyd/papers/draft-ipsec-ecn-00.txt], RFC2481 (Explicit "
+"Congestion Notification), src/sys/netinet6/{ah,esp}_input.c"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:845
+msgid ""
+"(Thanks goes to Kenjiro Cho mailto:kjc@csl.sony.co.jp[kjc@csl.sony.co.jp] "
+"for detailed analysis)"
+msgstr ""
+
+#. type: Title ====
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:846
+#, no-wrap
+msgid "Interoperability"
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:850
+msgid ""
+"Here are (some of) platforms that KAME code have tested IPsec/IKE "
+"interoperability in the past. Note that both ends may have modified their "
+"implementation, so use the following list just for reference purposes."
+msgstr ""
+
+#. type: Plain text
+#: documentation/content/en/books/developers-handbook/ipv6/_index.adoc:851
+msgid ""
+"Altiga, Ashley-laurent (vpcom.com), Data Fellows (F-Secure), Ericsson ACC, "
+"FreeS/WAN, HITACHI, IBM AIX(R), IIJ, Intel, Microsoft(R) Windows NT(R), NIST "
+"(linux IPsec + plutoplus), Netscreen, OpenBSD, RedCreek, Routerware, SSH, "
+"Secure Computing, Soliton, Toshiba, VPNet, Yamaha RT100i"
+msgstr ""
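Review bot: Several msgids in the IPsec part of this template carry source-text errors that every translation will inherit: "There are two way to manage security policy" and "In this cases" (_index.adoc:702), "ESP/AH transform are listed" (_index.adoc:729), and "current IPsec implementation as quite wide coverage" (_index.adoc:791, where "as" should be "has"). These cannot be corrected in the .po file itself, so fix them in _index.adoc and regenerate the template before translators start on it. The list item "AH and ESP handling" (_index.adoc:694) and the title "AH and ESP Handling" (_index.adoc:714) differ only in case, so they end up as two separate msgids, while "Policy Management" and "Key Management" are each a single entry with two source references; matching the capitalization in the source would make the three consistent. The ECN summary table is split into three no-wrap msgids (_index.adoc:821, 825, 830) whose columns are laid out with plain spaces, so a translator comment asking to keep the column positions would help.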