NAME

erspan — ERSPAN Type II tunnel network device

SYNOPSIS

pseudo-device gre

DESCRIPTION

The erspan interface provides tunnelling of Ethernet frames across IPv4 and IPv6 networks using the Encapsulated Remote Switch Port Analyzer (ERSPAN) Type II protocol.

ERSPAN is intended as a network based packet capture format rather than a tunnelling protocol. However, ERSPAN Type II is implemented as a network interface driver in OpenBSD to allow existing infrastructure such as bpf(4) and tools such as bpflogd(8) and tcpdump(8) to store and analyse the received packets. erspan interfaces support packet transmission so they can be used as span ports on veb(4) and bridge(4) configurations.

The protocol is based on the Generic Routing and Encapsulation (GRE) protocol. GRE datagrams (IP protocol number 47) consist of a GRE header and an outer IP header for encapsulating another protocol's datagram. The GRE header specifies a version and the type of the encapsulated datagram, allowing for the tunnelling of multiple protocols. ERSPAN Type II uses GRE version 0, sequence numbers, protocol identifier (0x88be), and a custom header before the Ethernet payload, making it distinct from the Ethernet over GRE encapsulation supported by egre(4). However, it is implemented as part of the same driver providing egre(4).

Distinct tunnels between the same endpoints are distinguished by a 10-bit tunnel identifier field in the header.

erspan supports the capture of the encapsulated Ethernet packets via bpf(4) using the DLT_EN10MB data link type, and the encapsulating ERSPAN, GRE, and IP headers using the DLT_LOOP data link type.

erspan interfaces are configured in monitor mode by default, preventing the processing of received packets from entering the network stack.

All GRE packet processing in the system is allowed or denied by setting the net.inet.gre.allow sysctl(8) variable. To allow GRE packet processing, set net.inet.gre.allow to 1.

erspan interfaces can be created at runtime using the ifconfig erspanN create command or by setting up a hostname.if(5) configuration file for netstart(8).

For correct operation, encapsulated traffic must not be routed over the interface itself. This can be implemented by adding a distinct or a more specific route to the tunnel destination than the hosts or networks routed via the tunnel interface. Alternatively, the tunnel traffic may be configured in a separate routing table to the encapsulated traffic.

Programming Interface

erspan interfaces support the following ioctl(2) calls for configuring tunnel options:

SIOCSLIFPHYADDR struct if_laddrreq *: Set the unicast IPv4 or IPv6 addresses for the encapsulating IP packets. The destination address may be left unspecified if the interface is used as a collector for ERSPAN sessions. The addresses may only be configured while the interface is down.
SIOCGLIFPHYADDR struct if_laddrreq *: Get the addresses used for the encapsulating IP packets.
SIOCDIFPHYADDR struct ifreq *: Clear the addresses used for the encapsulating IP packets. The addresses may only be cleared while the interface is down.
SIOCSVNETID struct ifreq *: Configure a virtual network identifier for use as the Session ID in the ERSPAN Type II header. The virtual network identifier may only be configured while the interface is down. The Session ID is a 10-bit value.
SIOCGVNETID struct ifreq *: Get the virtual network identifier used as the Session ID in the ERSPAN Type II header.
SIOCDVNETID struct ifreq *: Clear the virtual as the Session ID in the ERSPAN Type II header. If the Session ID and tunnel destination address are unspecified, the interface will accept packets with any Session ID.
SIOCSLIFPHYRTABLE struct ifreq *: Set the routing table the tunnel traffic operates in. The routing table may only be configured while the interface is down.
SIOCGLIFPHYRTABLE struct ifreq *: Get the routing table the tunnel traffic operates in.
SIOCSLIFPHYTTL struct ifreq *: Set the Time-To-Live field in IPv4 encapsulation headers, or the Hop Limit field in IPv6 encapsulation headers.
SIOCGLIFPHYTTL struct ifreq *: Get the value used in the Time-To-Live field in an IPv4 encapsulation header or the Hop Limit field in an IPv6 encapsulation header.
SIOCSLIFPHYDF struct ifreq *: Configure whether the tunnel traffic sent by the interface can be fragmented or not. This sets the Don't Fragment (DF) bit on IPv4 packets, and disables fragmentation of IPv6 packets.
SIOCGLIFPHYDF struct ifreq *: Get whether the tunnel traffic sent by the interface can be fragmented or not.
SIOCSTXHPRIO struct ifreq *: Set the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers. Values may be from 0 to 7, or IF_HDRPRIO_PACKET to specify that the current priority of a packet should be used.
SIOCGTXHPRIO struct ifreq *: Get the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers.

Security Considerations

ERSPAN does not provide any integrated security features. It should only be deployed on trusted private networks, or protected with IPsec to add authentication and encryption for confidentiality. An encrypted transport is especially recommended when using ERSPAN over a public network.

The Packet Filter pf(4) can be used to filter tunnel traffic with endpoint policies pf.conf(5).

The Time-to-Live (TTL) value of a tunnel can be set to 1 or a low value to restrict the traffic to the local network:

# ifconfig erspanN tunnelttl 1

STANDARDS

S. Hanks, T. Li, D. Farinacci, and P. Traina, Generic Routing Encapsulation (GRE), RFC 1701, October 1994.

HISTORY

The erspan driver first appeared in OpenBSD 7.8.

AUTHORS

David Gwynne <dlg@openbsd.org>