1 1.1 itojun Configuring FAITH IPv6-to-IPv4 TCP relay 2 1.1 itojun 3 1.1 itojun Kazu Yamamoto and Jun-ichiro itojun Hagino 4 1.11 itojun $KAME: README,v 1.9 2002/05/09 14:10:06 itojun Exp $ 5 1.1 itojun 6 1.1 itojun 7 1.1 itojun Introduction 8 1.1 itojun ============ 9 1.1 itojun 10 1.1 itojun FAITH is a IPv6-to-IPv4 TCP relay. It performs tcp relay just as some of 11 1.1 itojun firewall-oriented gateway does, but between IPv6 and IPv4 with address 12 1.4 itojun translation. 13 1.4 itojun TCP connections has to be made from IPv6 node to IPv4 node. FAITH will 14 1.1 itojun not relay connections for the opposite direction. 15 1.1 itojun To perform relays, FAITH daemon needs to be executed on a router between 16 1.1 itojun your local IPv6 site and outside IPv4 network. The daemon needs to be 17 1.1 itojun invoked per each TCP services (TCP port number). 18 1.1 itojun 19 1.1 itojun IPv4 node "dest" = 123.4.5.6 20 1.1 itojun | 21 1.1 itojun [[[[ outside IPv4 ocean ]]]] 22 1.1 itojun | 23 1.1 itojun node that runs FAITH-daemon (usually a router) 24 1.1 itojun | 25 1.1 itojun ==+=====+===+==== IPv6, or IPv4/v6 network in your site ^ 26 1.1 itojun | | | connection 27 1.1 itojun clients IPv6 node "src" | 28 1.1 itojun 29 1.1 itojun You will have to allocate an IPv6 address prefix to map IPv4 addresses into. 30 1.9 itojun The following description uses 3ffe:0501:ffff:0000:: as example. 31 1.1 itojun Please use a prefix which belongs to your site. 32 1.1 itojun FAITH will make it possible to make a IPv6 TCP connection From IPv6 node 33 1.1 itojun "src", toward IPv4 node "dest", by specifying FAITH-mapped address 34 1.9 itojun 3ffe:0501:ffff:0000::123.4.5.6 35 1.9 itojun (which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506). 36 1.10 lukem The address mapping can be performed by hand:-), by special nameserver on 37 1.1 itojun the network, or by special resolver on the source node. 38 1.1 itojun 39 1.1 itojun 40 1.1 itojun Setup 41 1.1 itojun ===== 42 1.1 itojun 43 1.1 itojun The following example assumes: 44 1.9 itojun - You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix. 45 1.1 itojun - You are willing to provide IPv6-to IPv4 TCP relay for telnet. 46 1.1 itojun 47 1.1 itojun <<On the translating router on which faithd runs>> 48 1.1 itojun 49 1.1 itojun (1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via 50 1.1 itojun inet6d, disable that daemon. Comment out the line from "inet6d.conf" 51 1.1 itojun and send the HUP signal to "inet6d". 52 1.1 itojun 53 1.1 itojun (2) Execute sysctl as root to enable FAITH support in the kernel. 54 1.1 itojun 55 1.1 itojun # sysctl -w net.inet6.ip6.keepfaith=1 56 1.1 itojun 57 1.1 itojun (3) Route packets toward FAITH prefix into "faith0" interface. 58 1.1 itojun 59 1.9 itojun # ifconfig faith0 up 60 1.9 itojun # route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1 61 1.9 itojun # route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0 62 1.1 itojun 63 1.1 itojun (4) Execute "faithd" by root as follows: 64 1.1 itojun 65 1.5 itojun # faithd telnet /usr/libexec/telnetd telnetd 66 1.1 itojun 67 1.1 itojun 1st argument is a service name you are willing to provide TCP relay. 68 1.1 itojun (it can be specified either by number "23" or by string "telnet") 69 1.1 itojun 2nd argument is a path name for local IPv6 TCP server. If there is a 70 1.1 itojun connection toward the router itself, this program will be invoked. 71 1.1 itojun 3rd and the following arguments are arguments for the local IPv6 TCP 72 1.1 itojun server. (3rd argument is typically the program name without its path.) 73 1.1 itojun 74 1.1 itojun More examples: 75 1.1 itojun 76 1.5 itojun # faithd ftpd /usr/libexec/ftpd ftpd -l 77 1.1 itojun # faithd sshd 78 1.1 itojun 79 1.9 itojun If inetd(8) on your platform have special support for faithd, it is possible 80 1.9 itojun to setup faithd services via inetd(8). Consult manpage for details. 81 1.9 itojun 82 1.1 itojun 83 1.1 itojun <<Routing>> 84 1.1 itojun 85 1.1 itojun (4) Make sure that packets whose destinations match the prefix can 86 1.1 itojun reach from the IPv6 host to the translating router. 87 1.1 itojun 88 1.1 itojun <<On the IPv6 host>> 89 1.1 itojun 90 1.1 itojun There are two ways to translate IPv4 address to IPv6 address: 91 1.1 itojun (a) Faked by DNS 92 1.1 itojun (b) Faked by /etc/hosts. 93 1.1 itojun 94 1.1 itojun (5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie. 95 1.1 itojun 96 1.1 itojun (5.b) Add an entry into /etc/hosts so that you can resolve hostname into 97 1.13 grant faked IPv6 address. For example, add the following line for 98 1.13 grant www.NetBSD.org: 99 1.1 itojun 100 1.12 grant 3ffe:0501:ffff:0000::140.160.140.252 www.NetBSD.org 101 1.1 itojun 102 1.1 itojun <<On the translating router on which faithd runs.>> 103 1.1 itojun 104 1.1 itojun (6) To see if "faithd" works, watch "/var/log/daemon". Note: please 105 1.1 itojun setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored 106 1.1 itojun in "/var/log/daemon". 107 1.1 itojun 108 1.1 itojun <e.g.> 109 1.1 itojun daemon.* /var/log/daemon 110 1.1 itojun 111 1.1 itojun 112 1.9 itojun Access control 113 1.9 itojun ============== 114 1.9 itojun 115 1.9 itojun Since faithd implements TCP relaying service, it is critical to implement 116 1.9 itojun proper access control to cope with malicious use. Bad guy may try to 117 1.9 itojun use your relay router to circumvent access controls, or may try to 118 1.9 itojun abuse your network (like sending SPAMs from IPv4 address that belong to you). 119 1.9 itojun Install IPv6 packet filter directives that would reject traffic from 120 1.9 itojun unwanted source. If you are using inetd-based setup, you may be able to 121 1.9 itojun use access control mechanisms in inetd. 122 1.9 itojun 123 1.9 itojun 124 1.1 itojun Advanced configuration 125 1.1 itojun ====================== 126 1.1 itojun 127 1.1 itojun If you would like to restrict IPv4 destination for translation, you may 128 1.1 itojun want to do the following: 129 1.1 itojun 130 1.9 itojun # route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1 131 1.9 itojun # route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \ 132 1.9 itojun -ifp faith0 133 1.1 itojun 134 1.1 itojun By this way, you can restrict IPv4 destination to 123.0.0.0/8. 135 1.9 itojun You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which 136 1.9 itojun is not in 3ffe:0501:ffff:0000::123.0.0.0/104. This will be left as excerside 137 1.1 itojun for the reader. 138 1.1 itojun 139 1.1 itojun By doing this, you will be able to provide your IPv4 web server to outside 140 1.1 itojun IPv6 customers, without risks of unwanted open relays. 141 1.1 itojun 142 1.6 itojun [[[[ IPv6 network outside ]]]] | 143 1.1 itojun | | connection 144 1.1 itojun node that runs FAITH-daemon (usually a router) v 145 1.1 itojun | 146 1.6 itojun ========+======== IPv4/v6 network in your site 147 1.1 itojun | (123.0.0.0/8) 148 1.1 itojun IPv4 web server 149
Indexes created Tue Sep 30 20:09:53 GMT 2025