NAME

eoip —

MikroTik Ethernet over IP tunnel network device

SYNOPSIS

pseudo-device gre

DESCRIPTION

The eoip interface provides tunnelling of Ethernet frames across IPv4 and IPv6 networks using the MikroTik Ethernet over IP (EoIP) encapsulation protocol.

The protocol is based on the Generic Routing and Encapsulation (GRE) protocol. GRE datagrams (IP protocol number 47) consist of a GRE header and an outer IP header for encapsulating another protocol's datagram. The GRE header specifies a version and the type of the encapsulated datagram, allowing for the tunnelling of multiple protocols. EoIP uses GRE version 1, its own protocol identifier (0x6400) for Ethernet, and has its own keepalive semantics, making it distinct from the Ethernet over GRE version 0 protocol supported by egre(4). However, it is implemented as part of the same driver providing egre(4).

Different tunnels between the same endpoints are distinguished by a 16-bit tunnel identifier field in the header.

All GRE packet processing in the system is allowed or denied by setting the net.inet.gre.allow sysctl(8) variable. To allow GRE packet processing, set net.inet.gre.allow to 1.

eoip interfaces can be created at runtime using the ifconfig eoipN create command or by setting up a hostname.if(5) configuration file for netstart(8).

For correct operation, encapsulated traffic must not be routed over the interface itself. This can be implemented by adding a distinct or a more specific route to the tunnel destination than the hosts or networks routed via the tunnel interface. Alternatively, the tunnel traffic may be configured in a separate routing table to the encapsulated traffic.

Programming Interface

eoip interfaces support the following ioctl(2) calls for configuring tunnel options:

SIOCSLIFPHYADDR struct if_laddrreq *: Set the unicast IPv4 or IPv6 addresses for the encapsulating IP packets. The addresses may only be configured while the interface is down.
SIOCGLIFPHYADDR struct if_laddrreq *: Get the addresses used for the encapsulating IP packets.
SIOCDIFPHYADDR struct ifreq *: Clear the addresses used for the encapsulating IP packets. The addresses may only be cleared while the interface is down.
SIOCSVNETID struct ifreq *: Configure a virtual network identifier for use as the Tunnel Identifier. The virtual network identifier may only be configured while the interface is down. The Tunnel Identifier is a 16-bit value.
SIOCGVNETID struct ifreq *: Get the virtual network identifer used in the GRE Key header.
SIOCSLIFPHYRTABLE struct ifreq *: Set the routing table the tunnel traffic operates in. The routing table may only be configured while the interface is down.
SIOCGLIFPHYRTABLE struct ifreq *: Get the routing table the tunnel traffic operates in.
SIOCSLIFPHYTTL struct ifreq *: Set the Time-To-Live field in IPv4 encapsulation headers, or the Hop Limit field in IPv6 encapsulation headers.
SIOCGLIFPHYTTL struct ifreq *: Get the value used in the Time-To-Live field in a IPv4 encapsulation header or the Hop Limit field in a IPv6 encapsulation header.
SIOCSLIFPHYDF struct ifreq *: Configure whether the tunnel traffic sent by the interface can be fragmented or not. This sets the Don't Fragment (DF) bit on IPv4 packets, and disables fragmentation of IPv6 packets.
SIOCGLIFPHYDF struct ifreq *: Get whether the tunnel traffic sent by the interface can be fragmented or not.
SIOCSTXHPRIO struct ifreq *: Set the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers. Values may be from 0 to 7, or IF_HDRPRIO_PACKET to specify that the current priority of a packet should be used.
SIOCGTXHPRIO struct ifreq *: Get the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers.
SIOCSETKALIVE struct ifkalivereq *: Enable the transmission of keepalive packets to detect tunnel failure. Keepalives may only be configured while the interace is down.
Setting the keepalive period or count to 0 disables keepalives on the tunnel.
SIOCGETKALIVE struct ifkalivereq *: Get the configuration of keepalive packets.

Security Considerations

EoIP does not provide any integrated security features. It should only be deployed on trusted private networks, or protected with IPsec to add authentication and encryption for confidentiality. IPsec is especially recommended when transporting EoIP over the public internet.

The Packet Filter pf(4) can be used to filter tunnel traffic with endpoint policies pf.conf(5).

The Time-to-Live (TTL) value of a tunnel can be set to 1 or a low value to restrict the traffic to the local network:

# ifconfig eoipN tunnelttl 1

EXAMPLES

Host X ---- Host A ------------ tunnel ----------- MikroTik D --- Host E
               \                                      /
                \                                    /
                 +------ Host B ------ Host C ------+

On Host A (OpenBSD):

# route add default B
# ifconfig eoipN create
# ifconfig eoipN tunnel A D
# ifconfig eoipN up
# route add E D

On Host D (MikroTik):

[admin@MikroTik] > interface eoip
[admin@MikroTik] /interface eoip> add name="eoipN" \
\... local-address=D remote-address=A
[admin@MikroTik] /interface eoip> enable eoipN

STANDARDS

S. Hanks, T. Li, D. Farinacci, and P. Traina, Generic Routing Encapsulation (GRE), RFC 1701, October 1994.

AUTHORS

David Gwynne <dlg@openbsd.org>