From owner-freebsd-hackers Wed Apr 17 09:38:29 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA18566 for hackers-outgoing; Wed, 17 Apr 1996 09:38:29 -0700 (PDT)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA18561 for ; Wed, 17 Apr 1996 09:38:27 -0700 (PDT)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id LAA22203; Wed, 17 Apr 1996 11:37:43 -0500
From: Joe Greco
Message-Id: <199604171637.LAA22203@brasil.moneng.mei.com>
Subject: Re: ip-in-ip tunnel
To: dirk@methan.chemie.fu-berlin.de (Dirk Froemberg)
Date: Wed, 17 Apr 1996 11:37:43 -0500 (CDT)
Cc: hackers@FreeBSD.ORG, xadmin@methan.chemie.fu-berlin.de, alf@bolzen.in-berlin.de
In-Reply-To: from "Dirk Froemberg" at Apr 17, 96 01:12:46 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Hello!
>
> We need to set up an ip-in-ip (protocol number 4) tunnel with FreeBSD
> (i. e. the tunnel entry should be on a FreeBSD machine).
>
> Unfortunately there seems to be no easy way of doing so.
>
> mrouting has tunneling functionality, but it is limited to multicast
> addresses. Although this limitation may easily be removed, there
> is no way of adding routes manually (e. g. route add).
>
> Another approach might be to create an interface doing the encapsulation.
> The implementation of the ip-in-ip encapsulation itself is not very
> difficult. At the moment we are stuck "a little bit" in the
> BSD networking code.
>
> Btw. Linux has such an interface, called "tunl".
>
> Is anyone working on this?
>
> Best regards Dirk

One of my back burner pet projects is to do something like this. All the
hard work has been done: FreeBSD supports the "tun*" devices (typically
used for user mode PPP); you can snarf one of these guys and read/write
/dev/tun* to get the actual IP traffic on the interface.

I want to use it to create a virtual (secure) network across an insecure
Internet. This is trivial in concept, not hard to implement, and just a
matter of grinding out code.

What you need:

1. a pair of FreeBSD routers connected to the Internet.

2. create a stream socket between the routers via the Internet. You may
   argue UDP here, I decided not to.

3. implement a DES crypt layer on top. I'm cheap so I assume I can
   manually propagate a key. Use something like CFB64.

3a. you now have a secure communications channel across the Internet...

4. open /dev/tun0, ifconfig it.

5. use IPFW to _prohibit_ any nonlocal traffic from leaving the box via
   the Internet interface. Mostly to avoid unhappiness from configuration
   errors.

6. set up any other interfaces.

7. voila :-)

Haven't had time to finish it.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                           jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                        414/546-7968
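Added example, not code from the mail above: the one non-obvious piece of Joe's design is step 2, carrying whole IP datagrams read from /dev/tun* over a stream socket. A TCP stream has no record boundaries, so each datagram must be framed (here with a 2-byte big-endian length) and the receiver must reassemble frames across arbitrary read(2) boundaries before writing each packet whole to its own tun device. This C block implements that framing layer and exercises it over a socketpair with constructed payloads; the real daemon would select(2) on the tun fd and the socket, and the DES/CFB64 layer from step 3 would sit between this framing and the socket. The function names, the 2-byte length header and the sample payloads are my choices, not anything from the original post, and it assumes (as FreeBSD's tun does) that one read(2) on the tun fd returns exactly one packet.

```c
/* Length-framed IP datagrams over a stream socket.
 * Added example for the tun-over-TCP design in the post above; not code from
 * the original mail.  A stream socket has no record boundaries, so each packet
 * read from /dev/tun* is prefixed with a 2-byte big-endian length before it is
 * written to the socket, and the receiver reassembles packets across arbitrary
 * read(2) chunk sizes before handing each one whole to its own /dev/tun*.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define MAX_PKT 65535   /* largest IPv4 datagram; a 2-byte length field covers it */

/* Write all of buf to fd, retrying on short writes and EINTR. Returns 0 or -1. */
static int write_all(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Sender side: frame one datagram (as read whole from the tun fd) and send it. */
int tunnel_send(int sock, const unsigned char *pkt, size_t len) {
    unsigned char hdr[2];
    if (len == 0 || len > MAX_PKT) { errno = EMSGSIZE; return -1; }
    hdr[0] = (unsigned char)(len >> 8);
    hdr[1] = (unsigned char)(len & 0xff);
    if (write_all(sock, hdr, 2) < 0) return -1;
    return write_all(sock, pkt, len);
}

/* Receiver state: bytes pulled from the stream but not yet consumed. */
struct rx {
    unsigned char buf[2 + MAX_PKT];
    size_t used;
};

/* Receiver side: read from the stream until one complete datagram is
 * available, copy it to out and return its length.  Leftover bytes (the
 * start of the next frame) stay buffered.  Returns 0 on EOF, -1 on error. */
ssize_t tunnel_recv(int sock, struct rx *st, unsigned char *out) {
    for (;;) {
        if (st->used >= 2) {
            size_t plen = ((size_t)st->buf[0] << 8) | st->buf[1];
            if (plen == 0) { errno = EPROTO; return -1; }  /* peer violated framing */
            if (st->used >= 2 + plen) {
                memcpy(out, st->buf + 2, plen);
                st->used -= 2 + plen;
                memmove(st->buf, st->buf + 2 + plen, st->used);
                return (ssize_t)plen;
            }
        }
        ssize_t n = read(sock, st->buf + st->used, sizeof st->buf - st->used);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return 0;
        st->used += (size_t)n;
    }
}

/* Self-test over a socketpair: two constructed payloads (not real IP packets)
 * go in through the sender and must come out whole and in order, even though
 * the stream delivers both frames in one chunk.  Returns 1 on success. */
int tunnel_selftest(void) {
    int sv[2];
    unsigned char a[40], b[1400], out[MAX_PKT];
    struct rx st = { .used = 0 };
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    memset(a, 0x45, sizeof a);
    memset(b, 0xab, sizeof b);
    if (tunnel_send(sv[0], a, sizeof a) < 0 || tunnel_send(sv[0], b, sizeof b) < 0) return 0;
    close(sv[0]);

    n = tunnel_recv(sv[1], &st, out);
    if (n != (ssize_t)sizeof a || memcmp(out, a, sizeof a) != 0) return 0;
    n = tunnel_recv(sv[1], &st, out);          /* served from the buffered leftover */
    if (n != (ssize_t)sizeof b || memcmp(out, b, sizeof b) != 0) return 0;
    n = tunnel_recv(sv[1], &st, out);          /* EOF once the peer has closed */
    close(sv[1]);
    return n == 0;
}

int main(void) {
    puts(tunnel_selftest() ? "framing self-test passed" : "framing self-test FAILED");
    return 0;
}
```

One caveat in my own words: a CFB-mode cipher over this stream gives confidentiality only. Nothing in the framing or the cipher detects a modified or replayed frame, so a practitioner building this today would add a per-frame MAC (or an AEAD) and a counter before trusting the packets that come out of tunnel_recv into the tun device.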