ETHERIP(4) - Device Drivers Manual #
ETHERIP(4) - Device Drivers Manual
NAME #
etherip - EtherIP tunnel interface
SYNOPSIS #
pseudo-device etherip
DESCRIPTION #
The etherip interface is a pseudo-device for tunnelling Ethernet frames across IP[46] networks using RFC 3378 EtherIP encapsulation.
An
etherip
interface can be created using the
ifconfig etheripN create
command or by setting up a
hostname.if(5)
configuration file for
netstart(8).
It must be configured with the addresses used for the outer header.
This can be done using
ifconfig(8)’s
tunnel
command (which uses the
SIOCSLIFPHYADDR
ioctl).
The
etherip
interface must be made a member of a
bridge(4).
The
sysctl(2)
variable
net.inet.etherip.allow
must be set to 1, unless
ipsec(4)
is being used to protect the traffic.
Ethernet frames are then encapsulated and sent across the network
to another
bridge(4),
which decapsulates the datagram and processes the resulting Ethernet
frame as if it had originated on a normal Ethernet interface.
This effectively allows a layer 2 network to be extended from one point to
another, possibly through the Internet.
This mechanism may be used in
conjunction with IPsec by specifying the appropriate IPsec flows
between the two bridges.
To only protect the bridge traffic between
the two bridges, the transport protocol 97 (etherip) selector may be
used in
ipsec.conf(5).
Otherwise, the Ethernet frames will be sent in the clear between the
two bridges.
EXAMPLES #
Given two physically separate Ethernet networks, a bridge can be used as follows to make them appear as the same local area network. If bridge1 on network1 has the external IP address 1.2.3.4 on em0, bridge2 on network2 has the external IP address 4.3.2.1 on em0, and both bridges have em1 on their internal network (network1 and network2, respectively), the following configuration can be used to bridge network1 and network2.
First create the bridge interface, adding the encapsulation interface and internal Ethernet interface to the bridge interface:
# ifconfig bridge0 add etherip0 add em1
Create and configure the etherip0 interface:
(on bridge 1) # ifconfig etherip0 tunnel 1.2.3.4 4.3.2.1
(on bridge 2) # ifconfig etherip0 tunnel 4.3.2.1 1.2.3.4
Create Security Associations (SAs) between the external IP address of each bridge and matching ingress flows by using the following ipsec.conf(5) file on bridge1:
esp from 1.2.3.4 to 4.3.2.1 spi 0x4242:0x4243 \
authkey file "auth1:auth2" enckey file "enc1:enc2"
flow esp proto etherip from 1.2.3.4 to 4.3.2.1
Now load these rules into the kernel by issuing the ipsecctl(8) command:
# ipsecctl -f ipsec.conf
Appropriate ipsec.conf(5) for bridge2:
esp from 4.3.2.1 to 1.2.3.4 spi 0x4243:0x4242 \
authkey file "auth2:auth1" enckey file "enc2:enc1"
flow esp proto etherip from 4.3.2.1 to 1.2.3.4
And load them:
# ipsecctl -f ipsec.conf
To use dynamic (as opposed to static) keying, use this ipsec.conf(5) on bridge1:
ike esp proto etherip from 1.2.3.4 to 4.3.2.1
And on bridge2:
ike esp proto etherip from 4.3.2.1 to 1.2.3.4
Bring up the internal interface (if not already up) and encapsulation interface:
# ifconfig em1 up
# ifconfig etherip0 up
Finally, bring the bridge interface up and allow it to start processing frames:
# ifconfig bridge0 up
The internal interface on each bridge need not have an IP address: the bridge can function without it.
Note: It is possible to put the above commands in the hostname.if(5) files, using the ‘!’ operator.
SEE ALSO #
sysctl(2), bridge(4), inet(4), inet6(4), ipsec(4), hostname.if(5), ifconfig(8), netstart(8)
STANDARDS #
R. Housley, S. Hollenbeck, EtherIP: Tunneling Ethernet Frames in IP Datagrams, RFC 3378, September 2002.
HISTORY #
The etherip device first appeared in OpenBSD 5.9.
AUTHORS #
The etherip driver was written by Kazuya Goda <goda@openbsd.org>.
OpenBSD 7.5 - January 12, 2018