etherip(4) - OpenBSD manual pages

NAME

etherip — EtherIP tunnel interface

SYNOPSIS

pseudo-device etherip

DESCRIPTION

The etherip driver provides point-to-point tunnel interfaces for carrying Ethernet frames across IPv4 and IPv6 networks using RFC 3378 EtherIP encapsulation.

An etherip interface can be created using the ifconfig etheripN create command or by setting up a hostname.if(5) configuration file for netstart(8). It must be configured with the addresses used for the outer header. This can be done using ifconfig(8)'s tunnel command (which uses the SIOCSLIFPHYADDR ioctl). The sysctl(2) variable net.inet.etherip.allow must be set to 1, unless ipsec(4) is being used to protect the traffic.

etherip interfaces can be configured as part of an Ethernet bridge, such as veb(4), tpmr(4), and bridge(4), to extend the connectivity of Ethernet networks across IP networks, possibly across the Internet.

The EtherIP protocol does not provide any integrated security features. EtherIP should only be deployed on trusted private networks, or protected with IPsec to add authentication and encryption for confidentiality. IPsec is especially recommended when transporting EtherIP over the public Internet. EtherIP encapsulated packets may be protected with IPsec by specifying the appropriate IPsec flows between the two endpoints. To only protect the encapsulated EtherIP traffic between the tunnel endpoints, the IP transport protocol 97 (etherip) selector may be used in ipsec.conf(5) or iked.conf(5).

EXAMPLES

Given two physically separate Ethernet networks, etherip can be used as follows to make them appear as the same local area network. If host gw1 has the external IP address 192.0.2.10 and is connected to network1 on em1, and host gw2 has the external IP address 198.51.100.14 and is connected to network2 on ix1, the following configuration can be used to bridge network1 and network2.

First create a bridge using a veb(4) interface, adding the etherip interface and internal Ethernet interface to the bridge.

On gw1:

    gw1# ifconfig etherip0 create tunnel 192.0.2.10 198.51.100.14
    gw1# ifconfig veb0 create add etherip0 add em1

On gw2:

    gw2# ifconfig etherip0 create tunnel 198.51.100.14 192.0.2.10
    gw2# ifconfig veb0 create add etherip0 add ix1

Create Security Associations (SAs) between the external IP address of each bridge and matching ingress flows by using the following ipsec.conf(5) file on gw1:

    esp from 192.0.2.10 to 198.51.100.14 spi 0x4242:0x4243 \
            authkey file "auth1:auth2" enckey file "enc1:enc2"
    flow esp proto etherip from 192.0.2.10 to 198.51.100.14

Now load these rules into the kernel by issuing the ipsecctl(8) command:

    gw1# ipsecctl -f ipsec.conf

Appropriate ipsec.conf(5) for gw2:

    esp from 198.51.100.14 to 192.0.2.10 spi 0x4243:0x4242 \
            authkey file "auth2:auth1" enckey file "enc2:enc1"
    flow esp proto etherip from 198.51.100.14 to 192.0.2.10

And load them:

    gw2# ipsecctl -f ipsec.conf

Finally, bring all the interfaces up (if not already up).

On gw1:

    gw1# ifconfig em1 up
    gw1# ifconfig etherip0 up
    gw1# ifconfig veb0 up

On gw2:

    gw2# ifconfig ix1 up
    gw2# ifconfig etherip0 up
    gw2# ifconfig veb0 up
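
With manual keying, the ipsec.conf(5) files on the two gateways have to mirror each other: the addresses reversed, and the SPI and key file pairs swapped. The script below is an added example, not part of the OpenBSD manual, that checks a pair of files for this; the function names (summarize, swap, mirror_check) and the sample files are constructed for illustration, and the parser assumes one esp rule and one flow rule per file in the form used on this page.

```sh
#!/bin/sh
# Added example, not from the manual: check that the manually keyed
# ipsec.conf(5) files of the two etherip(4) gateways mirror each other.
# summarize FILE: print "src dst spi authkey enckey flowproto flowsrc flowdst"
summarize() {
    awk 'BEGIN { src = dst = spi = auth = enc = proto = fsrc = fdst = "-" }
    { sub(/#.*/, "") }                                 # drop comments
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continued lines
    { n = split(buf $0, f, " "); buf = ""
      for (i = 2; i < n; i++) {
        if (f[1] == "esp") {
          if (f[i] == "from") src = f[i+1]; if (f[i] == "to") dst = f[i+1]
          if (f[i] == "spi") spi = f[i+1]
          if (f[i] == "authkey") auth = f[i+2]; if (f[i] == "enckey") enc = f[i+2]
        } else if (f[1] == "flow") {
          if (f[i] == "proto") proto = f[i+1]
          if (f[i] == "from") fsrc = f[i+1]; if (f[i] == "to") fdst = f[i+1]
        }
      } }
    END { print src, dst, spi, auth, enc, proto, fsrc, fdst }' "$1" | tr -d '"'
}
swap() { echo "${1#*:}:${1%%:*}"; }    # "a:b" -> "b:a"

# mirror_check GW1_CONF GW2_CONF: print each problem, return 0 only if none
mirror_check() {
    read -r s1 d1 spi1 a1 e1 p1 fs1 fd1 s2 d2 spi2 a2 e2 p2 fs2 fd2 <<EOF
$(summarize "$1") $(summarize "$2")
EOF
    rc=0
    [ "$s1 $d1" = "$d2 $s2" ] || { echo "SA addresses are not reversed"; rc=1; }
    [ "$spi2" = "$(swap "$spi1")" ] || { echo "SPIs are not swapped"; rc=1; }
    [ "$a2 $e2" = "$(swap "$a1") $(swap "$e1")" ] || { echo "keys are not swapped"; rc=1; }
    [ "$p1 $p2" = "etherip etherip" ] || { echo "flow is not proto etherip"; rc=1; }
    [ "$fs1 $fd1 $fs2 $fd2" = "$s1 $d1 $s2 $d2" ] || { echo "flow/SA addresses differ"; rc=1; }
    return $rc
}

# Constructed samples built from the addresses, SPIs and key file names on
# this page; gw2.bad repeats the SPI order of gw1 (a copy-and-paste slip).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'esp from 192.0.2.10 to 198.51.100.14 spi 0x4242:0x4243 \' \
    '    authkey file "auth1:auth2" enckey file "enc1:enc2"' \
    'flow esp proto etherip from 192.0.2.10 to 198.51.100.14' > "$tmp/gw1"
printf '%s\n' 'esp from 198.51.100.14 to 192.0.2.10 spi 0x4243:0x4242 \' \
    '    authkey file "auth2:auth1" enckey file "enc2:enc1"' \
    'flow esp proto etherip from 198.51.100.14 to 192.0.2.10' > "$tmp/gw2"
sed 's/0x4243:0x4242/0x4242:0x4243/' "$tmp/gw2" > "$tmp/gw2.bad"
mirror_check "$tmp/gw1" "$tmp/gw2" && echo "gw1/gw2: mirrored"
mirror_check "$tmp/gw1" "$tmp/gw2.bad" || echo "gw1/gw2.bad: mismatch"
```

Run it against copies of both gateways' files before loading them with ipsecctl(8); a pair that does not mirror leaves the two sides with SAs that never match.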

SEE ALSO

sysctl(2), bridge(4), inet(4), inet6(4), ipsec(4), tpmr(4), veb(4), hostname.if(5), iked.conf(5), ipsec.conf(5), ifconfig(8), netstart(8)

STANDARDS

R. Housley and S. Hollenbeck, EtherIP: Tunneling Ethernet Frames in IP Datagrams, RFC 3378, September 2002.

HISTORY

The etherip device first appeared in OpenBSD 5.9.

The etherip driver was written by Kazuya Goda <goda@openbsd.org>.