Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tag: netbsd_snap_20…
Fetching contributors…

Cannot retrieve contributors at this time

635 lines (510 sloc) 26.988 kb
$KAME: FAQ,v 1.72 2001/10/20 06:34:55 jinmei Exp $
Q: What is the KAME project?
The KAME Project is a joint effort to create single solid software set,
especially targeted at IPv6/IPsec. Talented researchers from several
Japanese major companies joined the project. This joint effort will
avoid unnecessary duplicated development in the same area, and
effectively provides a high quality, advanced featured package.
The project aims to revamp BSD sys/net* tree, and:
- to provide a FREE IPv6 protocol stack for research/commercial use.
(under BSD copyright)
- to provide FREE IPsec to all over the world. (For free software,
crypto export from Japan seems to be legal.)
- to provide FREE reference code for advanced internetworking.
(Advanced packet queuing, ATM, mobility, and whatever interesting.)
To understand more about the KAME project itself, please proceed to
Q: I'm in trouble and would like to get help.
Please route your questions to public mailing lists, like or Make sure to include
all of your configuration details, version numbers and ways to
repeat your issue, by going through the topmost portion of
Q: How can I contribute?
- Implement "ports" or "pkgsrc" for IPv6 apps
Sometimes nontrivial steps are needed to install IPv6 applications,
because IPv6 patches are redistributed separately from the original
application. Please create FreeBSD/OpenBSD "ports", or NetBSD
"pkgsrc" and contribute those to *BSD projects.
- Submit bug reports
PLEASE go through the top of
and supply enough information.
- Review documents
Since the KAME core team does not have a native English speaker,
documents in English include many typos, wording mistakes,
and so forth. We would be very grateful if you review our
documents and send us updates.
- Design a logo/T-shirt :-)
Q: What is the standard document the KAME code is based upon?
Which version of IPv6/IPsec does KAME support?
The KAME project tries to support the latest specification possible.
For list of currently-supported standard documents, please refer to
IMPLEMENTATION in the distribution kit, or
Q: Why does KAME separate ping6 from ping (for IPv4), and traceroute6 from
traceroute (for IPv4)?
There have been many discussions on why we separate ping6(8)
and ping(8). Some people argued that it would be more
convenient to uniform the ping command for both IPv4 and
IPv6. The followings are an answer to the request.
From a developer's point of view: since the underlying raw socket API
is totally different between IPv4 and IPv6, we would end
up having two types of code base. There would actually be
less benefit to unify the two commands into a single
command from the developer's standpoint.
From an operator's point of view: unlike ordinary network
applications like web, mail, and remote login tools, we are
usually aware of address family when using network management
tools. We do not just want to know the reachability to the
host, but want to know the reachability to the host via a
particular network protocol such as IPv6. Thus, even if we
had a unified ping(8) command for both IPv4 and IPv6, we would
usually type a -6 or -4 option (or something like those) to
specify the particular address family. This essentially means
that we have two different commands.
Q: Are there other documents/FAQ lists I may want to check?
- Depending on which BSD you are using, you will want to check the
project webpages, like,, or
- If you are using a KAME patch kit (like weekly snap, not the
integrated *BSD releases), you really need to go through all the
documents shipped in tar.gz.
- has links to a set of good documents.
-, and (if you can read
Japanese texts).
Q: Which operating systems/vendor routers use KAME stack?
Operating systems:
- OpenBSD,
- NetBSD,
- FreeBSD,
- Apple Darwin
Vendor routers:
- Hitachi GR2000,
- (more)
Q: How portable is the KAME stack? Is it possible to port it to embedded
operating systems like VxWorks?
KAME stack assumes that the following items are available:
- mbuf for holding packet data
- software interrupts to handle incoming packets
- timer interrupts like timeout(9)
- spl for concurrency control with interrupting threads
i.e. we assume 4.4BSD kernel programming environment. We don't have
time to port it to VxWorks or any other operating systems, so if you
want to do it you need to port it on your own.
We have heard of an Win95/98 port of KAME IPsec stack in the past.
Also it is apparent that some of the vendor routers are using KAME
stack on top of VxWorks.
Q: How should "gif" be pronounced?
To be answered.
Q: I heard that the *BSDs have integrated KAME code already.
Do I still need to install KAME patches?
Depends on your goal. Roughly speaking,
- If you want IPv6 for normal day-to-day use, you will be happy with
*BSD integrated code (no need for KAME patches).
- If you want a bleeding-edge IPv6 code (including experimental and
unstable ones) you'd need to install KAME patches. talks about this
topic in more detail.
Q: How/where can I get recent KAME stable (not snap) releases?
Since the KAME stack has been merged into all *BSD releases
officially, the KAME project will not release stable releases
from the project. These official *BSD releases should be
considered as stable releases instead.
Q: I replaced the kernel and rebooted, and lost IPv4 connectivity. Why?
There are several possibilities, but it is almost always
due to kernel configuration differences. If you have
been using a specific kernel configuration for your IPv4
kernel, and you have installed a GENERIC.v6 kernel, you lose
your special configurations.
One good way to deal with this problem is to, (1) copy
your original configuration file FOO into FOO.v6, (2)
incorporate the difference between GENERIC and GENERIC.v6 into
FOO.v6, (3) carefully look at FOO.v6 and configure a new
kernel from that one.
Q: Is anything special required for network interface card drivers?
(freebsd and bsdi) For efficient processing of IPv6 chained headers,
KAME assumes the network driver will pass the packet to upper layers
(IPv6 code), in the following form:
(1) single internal mbuf
(2) single external (cluster) mbuf
(3) multiple external (cluster) mbufs
Some of traditional drivers will pass the packet to upper layers in
two linked internal mbufs. In this case, the driver must be modified.
You can check this situation by using netstat -sn.
If you see the following line ("two or more mbufs") for your ethernet
card in netstat output (ip6 section), your driver needs to be modified.
Mbuf statistics:
58 one mbufs
two or more mbuf:
foo0 = 2 <--- foo0 needs modification
6486 one ext mbufs
0 two or more ext mbufs
The modification is very simple. You should check the use of MINCLSIZE
in the driver, change that to MHLEN. In this way you can avoid two
linked internal mbufs.
Multicast support is required for IPv6, since IPv6 uses
multicast for hardware address (MAC address) resolution.
Therefore, your network driver has to have multicast support,
and have IFF_MULTICAST properly set. Also be sure to check if
the driver handles multicast ioctls, like SIOCADDMULTI.
Even though it is better to have a hardware multicast packet
filter, it is not mandatory; in most cases it is just fine
to use promiscuous mode as the last resort, if there's no
multicast packet filter support.
Q: /etc/rc scripts do not work after replacing vanilla *BSD kernel by KAME
/etc/rc scripts usually use tools in /sbin, like /sbin/ifconfig.
In some cases, they do not work on a KAME kernel. Be very sure to
use tools in /usr/local/v6 instead.
Note, however, depending on the ordering of /etc/rc initialization,
/usr may not be ready when the network interfaces get initialized
(for NFS-mounted /usr support).
It may be safer to put network interface initialization into
/etc/rc.local, and remove all network configurations from /etc/rc.conf
and/or /etc/netstart (you won't be able to use diskless configuration,
Q: Why do link-local addresses in the kernel structure have
s6_addr[2] and s6_addr[3] filled?
Due to the "scoped address" design in the IPv6 spec, the
kernel must treat link-local addresses in a special manner.
Link-local address has to be memorized with the incoming
interface. KAME uses s6_addr[2-3] to keep the interface index
(ifp->if_index) in the kernel structure.
Note that this is only for internal kernel structures.
Any data coming out of socket file descriptor is not
affected. KAME uses advanced API (rfc2292) for passing/getting
interface index from/to userland.
Also note that this hack may go away in the near future,
by introduction of the sin6_ifindex field in sockaddr_in6
See the IMPLEMENTATION document for a full description.
Q: Does KAME support site-local addresses?
Yes and no.
KAME can handle site-local address, but it is not aware of
the site boundary. Therefore, KAME cannot become a site-border
Site-local addressing (the spec itself, not KAME) has a
bunch of issues/twists to be solved, such as site-border management
and name servers. We are trying very hard to solve them.
On many of KAME-ready BSD systems, reject routes are installed in
/etc/rc for fec0::/10 as a precaution. If you plan to use site-local
addresses, you first need to remove the route.
Q: How can I implement address-family independent applications?
Q: How can I modify my application to support IPv6 as well as IPv4?
We have a short newsletter for that, titled "implementing AF-
independent application". Please visit
Craig Metz, "Protocol Independence Using the Sockets API",
Proceedings of the freenix track: 2000 USENIX annual
technical conference, June 2000.
Q: route6d dies with "IPV6_ADD_MEMBERSHIP" failure.
This error occurs when you have configured an interface
that is not capable of handling IPv6 packets. This includes
the slip interface (sl0) and some other interfaces. Please
remove those interfaces from the kernel configuration file.
Q: Which IPv6 routing daemon should I use?
For easy installation, route6d (implemented by Akira Kato) is
simple and easy-to-use, but not very configurable.
For production use, try zebra from
Q: How can I connect my host to the worldwide IPv6 network?
Visit, all the information you need is there. has detailed discussions
on how you can be connected to 6bone. It also has a cgi script to
help you send a connection request.
Q: When I invoke ifconfig or netstat, garbled output is generated.
I suspect that you are invoking old (original) ifconfig or netstat.
Currently the KAME kit does not overwrite existing userland
tools. Instead, tools provided by KAME will be installed
into /usr/local/v6/bin and alike. Therefore, to use
IPv6-enabled tools, you must invoke /usr/local/v6/sbin/ifconfig
or such. You can of course add /usr/local/v6/bin to your
command search path. Consult the manpage for your shell.
Q: How can I restrict RIPng route announcement for some particular interfaces?
First of all, you should choose appropriate routing daemon.
route6d (by Akira Kato) is designed to be simple and easy,
so it has no configuration option for ignoring some of the
interfaces. You cannot use this for the purpose.
hroute6d (contributed from Hitachi) has a very complex
configuration file, which makes it possible to skip some
of the interfaces.
bgpd (contributed from Toshiba) also uses a configuration
file. You can specify not to listen and/or advertise RIPng
messages on the specified interfaces.
Other routing daemons (zebra/mrt/whatever) may have
configuration options, so please refer to the document
specific to the tool you chosen.
Q: I would like to configure IPsec for IPv4 only, and I do not need IPv6.
Is it possible to configure KAME for this?
Of course, it should work. Try configure a kernel without
"options INET6".
If it does not work well, add "options INET6" and ignore
any IPv6 related things appear on messages/command
options/whatever. It is safe to ignore those things.
Q: IPv6 ping from other OSes does not seem to work.
Are you using link-local address for that? (fe80::x) If
so, be sure to clear the 2nd 16-bit field to 0. KAME kernels
use those bits internally, and some older versions of ifconfig show
the value, but the value MUST NOT appear on the wire.
If ifconfig command shows that your KAME host has the
following address:
the address the host actually has is
Also, on many of existing operating systems, it is suggested (or even
mandatory) to specify the outgoing link, when you try to ping
(or ping6) link-local addresses. This is to disambiguate link-local
addresses on multiple links.
Q: How do I configure a IPv6-over-IPv4 tunnel?
The simplest way to do this is to configure outer IPv4 address only, by
the following command:
hostA# gifconfig gif0 a.a.a.1 b.b.b.1
hostB# gifconfig gif0 b.b.b.1 a.a.a.1
As a gif interface has a link-local address, it is not
necessary to configure inner IPv6 addresses. Routing
daemons will work just fine and packets will get forwarded
between the two routers. If you want to configure a global IPv6
address on such a host, configure it to an ethernet interface.
NOTE: on netbsd and openbsd, gifconfig is integrated into ifconfig(8).
Q: Some of my IPv6-ready programs show strange behavior after kernel update.
As the IPv6 socket API is still an moving target, the KAME team
sometimes have to change important structure definitions
used in the socket API. We have experienced changes in struct
sockaddr_in6 several times already.
If you have installed your IPv6-ready programs before the
change, and the kernel is built from the KAME tree after
the change, your programs will not work properly. Be sure
to update, or re-compile, userland tools too.
We try to announce important changes to snap-users mailing
list. Please subscribe to snap-users mailing list, if you
are willing to use SNAP kits. See
for detail.
Q: How do I configure IPsec? covers the topic.
Q: I would like to connect from an IPv6-only host to an IPv4-only host.
You MUST have a translator box between those two host, for
protocol conversion.
covers the topic.
socks64, which is a modified version of socks5, can be used
so that IPv6-only host can make a proxy connection via a
"socks64 server" on a dual-stack host. For implementation
please visit
Q: How can I enable FAITH IPv6-to-IPv4 tcp relay?
Please consult KAME faithd/README.* for details.
Q: How do I configure ATM PVC?
KAME includes ATM PVC support, from the ALTQ package. No SVC support is
implemented. A very limited variety of ATM cards are supported. covers this topic
(though it is a bit dated).
Q: I think I have problem with my tunnel; how do I track it?
assume that your tunnel interface is "gif0".
try: ping6 -I gif0 -n ff02::1
If you get replies from two different nodes, your tunnel is
working right. It can be routing problem. The two nodes
are your node and the peer's node.
If you get replies from single node only, you have a problem
with your tunnel. It could be a packet filter between your node
and peer (like a firewall), IPv4 routing screwup, or anything.
You need to make sure that IPv4 protocol # 41 goes through.
If you have a packet filter blocking you, ask your network
administrator to open up the filters.
Another hint: always use "-n" when you try ping6 or
traceroute6. Reverse lookup timeouts can make it harder to track
Q: My operating system does not have gifconfig(8).
On FreeBSD 4.4, NetBSD, and OpenBSD, gifconfig(8) is integrated
into ifconfig(8), using the "tunnel" keyword (older OpenBSD
releases use "giftunnel" keyword).
Q: I would like to know the merge status of KAME kit to *BSD.
Q: How can I differentiate IPv6 http connections from IPv4 ones on my
web page? (In other words, how can I provide dancing stuff for IPv6
users only, like
If you are using an apache webserver, you can refer to environment
variable REMOTE_ADDR to know the address of the client (in textual
numeric representation). For example, the following perl script
fragment would print "IPv6 <address>" or "not IPv6 <address>"
depending on the clients' address.
if ($ENV{'REMOTE_ADDR'} =~ /^[a-fA-F0-9:]+$/) {
print "IPv6 " . $ENV{'REMOTE_ADDR'} . "\n";
} else {
print "not IPv6 " . $ENV{'REMOTE_ADDR'} . "\n";
Q: Won't you release new IPv6 patch for apache1.3.x?
We are focused to develop/enhance apache2.x. Our IPv6 patch never be
merged into apache1.3.x original distribution since some include
files for mod_xxx are highly depend on IPv4 so our IPv6 patch
is strongly influence 3rd party's modules. Apache2.x already
supports IPv6 and changes its APIs. takes over the maintainance. Latest
IPv6 patch are available at
Q: Why don't KAME's getaddrinfo/getnameinfo support PF_LOCAL?
We do not really like to support PF_LOCAL, unless there's
clear standard behavior for the AF_LOCAL case. For an AF
independent programming point of view, unlink(2) call issue is
really bitching us. NI_NUMERICxx, AI_NAMEREQD and
AI_NUMERICxx has no valid meaning on PF_LOCAL. Also, we
cannot just add incompatible functionality from others. Note
that glibc now drops it for security risks with /tmp race
conditions (they supported PF_LOCAL in the past), so we are
now compatible with glibc at this point.
getaddrinfo/getnameinfo behavior itself is rather vaguely
defined in the standards (POSIX drafts as well as RFC2553/bis),
and we don't want to add more jitter to them.
Additionally, we've never heard of practical examples of
applications that need to the support of PF_LOCAL in get*info.
We don't think it is a good idea just to pursue superficial
uniformity without concrete usages, especially when we do not
have a standard specification of it.
If it is really really necessary to play with it, we can probably
do that on KAME tree - but not on *BSD-current nor *BSD official
Q: Is there an API or other mechanism for a user level program (e.g.
telnet) to inquire of the kernel whether AH/ESP is in use (i.e.
whether a security association exists between the local host and a
remote host)?
At this moment there's no API to tell if the traffic (packet) was
encrypted or not, from the kernel to userland. It is a bit difficult
API to implement/design, as the granularity is different between IP
packet and sockets (TCP stream), and it is unclear what to tell the
userland (per-packet, or per-stream?).
What you can do now is to use setsockopt(IP_IPSEC_POLICY) and inject
policy like "in ipsec esp/transport//require" (use ipsec_set_policy(3)
to convert textual policy representation into binary). This way, you
can make sure that inbound packet is always encrypted (non-encrypted
packets get dropped). See sbin/ping for usage example.
This is a KAME-only API. There's no standard API for this, AFAIK.
Q: I see a lot of messages like follows when I try to throw packets to
a gif tunnel interface:
nd6_output: failed to add route fora neighbor(ADDR), errno=17
The message gets generated when the kernel fails to create a neighbor
cache entry for NUD. The source of the problem is considered
operational. You need to change your configuration to solve the
problem (NOTE: with recent KAME kits, the message won't get generated
due to a couple of changes we made).
We are convinced that a tunnel interface has to have the either of
the following configuration:
ifconfig gif0 inet6 A B prefixlen 128 alias
ifconfig gif0 inet6 A prefixlen 64 alias
NOT the following:
ifconfig gif0 inet6 A B prefixlen 64 alias
since the last example is ambiguous when B is within A/64. The message
gets generated when you use the last (3rd) configuration, which is
not correct in our interpretation.
Q: I see a lot of messages like follows:
nd6_ns_input: invalid hlim(NUM) from FROM to TO on IF
The message gets generated when someone configures an IPv6 router
wrongly and neighbor solicitation messages are leaking from the router.
If you have time, send a note to the owner of the machine indicated
in FROM.
The message gets generated only with older KAME SNAP kit, or *BSD
releases. Kernel upgrade is suggested if you are using KAME SNAP kit.
Q: I have problem dianosing IPsec issues. Are there any good tools?
tcpdump and netstat -sn are your friend. Always try to take packet
dumps during your tests. Also, you can reveal many things with the
following operations:
% netstat -sn >/tmp/1
% (some operation)
% netstat -sn >/tmp/2
% diff -c1 /tmp/1 /tmp/2
Q: What is the crypto export/import situation in Japan?
NOTE: the following description does not reflect intentions
of KAME participating companies, employers of KAME core
team or KAME contributors, or such. The KAME project and other
parties are completely separate entity. Please do not
As far as I checked, there's no legal restriction for
exporting/import crypto software, if it is done without
Japan seems to be in the Wassenaar agreement, and the Wassenaar
agreement is reflected to the Japan's export/import control
law. It says that business parties must acquire approval
for crypto export orders larger than 50000JPY.
We checked with several attorneys to get answers which varied
widely. The answer reflected how aggressive/defensive the
attorney is :-)
See "crypto law survey page",, for more
information. (the page is really great)
Q: Can I download KAME without infringing crypto law?
The question can be separated into two parts: export from
Japan and import to your country.
For export from Japan, it looks that there's no restriction,
for free software. See the previous item for more info.
For import to your country, please check "crypto law survey
page" for your country. Please proceed to
Q: Under what kind of license is the KAME kit redistributed?
The KAME kit itself obeys the following BSD-like AS-IS license.
Contributed or derived software may be distributed under other licenses,
so please look at each of the files.
Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
Q: What is "KAME"? Why did you choose the name?
KAME is "turtle" in Japanese. Then, you may wonder why it is
"turtle"... :-) See answers below.
Official answer #1: Our office is located at Karigome
village, Fujisawa, Kanagawa JAPAN. Take the very first
two letters and last two letters from KArigoME. Yea, you
got KAME.
Official answer #2: In Asian/Indian mythology, the world
is on a tray supported by elephants, and the elephants are
on a giant turtle and a giant snake. The universe consists
of the turtle and the snake. We are trying to shake the
universe by our code, so the name is KAME.
Real answer: We got together in IPv6 hacking workshop at
JAIST university ( One of core
member, itojun, got very tired of tracking bugs. There
was big stuffed turtle ( in the
laboratory. Itojun hugged the turtle and mumbled, "Mr
turtle please help me debug my code...".
( This
is the real reason for the name.
Q: Official stuffed turtles?
We have distributed official stuffed turtles at IETFs and other
events, however, they are out of stock already. Too bad. Plat'home
( may still have some, so order them over the web
(not sure about overseas shipping).
History: Nakajima corporation (specialized in stuffed animals)
had a really cute turtle, but they were discontinued. Some people
at KAME project and friends have ordered 2400 of them for re-issue.
The official turtles had a special label on them, which has the
URL of the KAME project webpage.
Q: T-shirt? Mugs?
Sorry, not yet. We need someone who can draw/design :-)
Jump to Line
Something went wrong with that request. Please try again.