NameDateSize

..20-Dec-2016224

faithd.8H A D08-Mar-201510 KiB

faithd.cH A D08-Mar-201520.3 KiB

faithd.hH A D08-Mar-20152.4 KiB

ftp.cH A D08-Mar-201523.7 KiB

MakefileH A D08-Mar-2015921

prefix.cH A D08-Mar-20157.3 KiB

prefix.hH A D08-Mar-20152.1 KiB

READMEH A D08-Mar-20155 KiB

tcp.cH A D08-Mar-20158.5 KiB

test/H20-Dec-20163

README

1Configuring FAITH IPv6-to-IPv4 TCP relay
2
3Kazu Yamamoto and Jun-ichiro itojun Hagino
4$KAME: README,v 1.10 2003/01/06 21:40:33 sumikawa Exp $
5$FreeBSD$
6
7
8Introduction
9============
10
11FAITH is an IPv6-to-IPv4 TCP relay.  It performs tcp relay just as some of
12firewall-oriented gateway does, but between IPv6 and IPv4 with address
13translation.
14TCP connections has to be made from IPv6 node to IPv4 node.  FAITH will
15not relay connections for the opposite direction.
16To perform relays, FAITH daemon needs to be executed on a router between
17your local IPv6 site and outside IPv4 network.  The daemon needs to be
18invoked per each TCP services (TCP port number).
19
20	IPv4 node "dest" = 123.4.5.6
21		|
22	[[[[ outside IPv4 ocean ]]]]
23		|
24	node that runs FAITH-daemon (usually a router)
25		|
26	==+=====+===+==== IPv6, or IPv4/v6 network in your site ^
27	  |	    |						| connection
28	clients	  IPv6 node "src"				|
29
30You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
31The following description uses 3ffe:0501:ffff:0000:: as example.
32Please use a prefix which belongs to your site.
33FAITH will make it possible to make an IPv6 TCP connection From IPv6 node
34"src", toward IPv4 node "dest", by specifying FAITH-mapped address
353ffe:0501:ffff:0000::123.4.5.6
36(which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506).
37The address mapping can be performed by hand:-), by special nameserver on
38the network, or by special resolver on the source node.
39
40
41Setup
42=====
43
44The following example assumes:
45- You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix.
46- You are willing to provide IPv6-to IPv4 TCP relay for telnet.
47
48<<On the translating router on which faithd runs>>
49
50(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via
51    inet6d, disable that daemon.  Comment out the line from "inet6d.conf"
52    and send the HUP signal to "inet6d".
53
54(2) Execute sysctl as root to enable FAITH support in the kernel.
55
56        # sysctl net.inet6.ip6.keepfaith=1
57
58(3) Route packets toward FAITH prefix into "faith0" interface.
59
60	# ifconfig faith0 up
61	# route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1
62	# route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0
63
64(4) Execute "faithd" by root as follows:
65
66	# faithd telnet /usr/libexec/telnetd telnetd
67
68    1st argument is a service name you are willing to provide TCP relay.
69	(it can be specified either by number "23" or by string "telnet")
70    2nd argument is a path name for local IPv6 TCP server.  If there is a
71    connection toward the router itself, this program will be invoked.
72    3rd and the following arguments are arguments for the local IPv6 TCP
73    server.  (3rd argument is typically the program name without its path.)
74
75    More examples:
76
77	# faithd ftpd /usr/libexec/ftpd ftpd -l
78	# faithd sshd
79
80If inetd(8) on your platform have special support for faithd, it is possible
81to setup faithd services via inetd(8).  Consult manpage for details.
82
83
84<<Routing>>
85
86(4) Make sure that packets whose destinations match the prefix can
87reach from the IPv6 host to the translating router.
88
89<<On the IPv6 host>>
90
91There are two ways to translate IPv4 address to IPv6 address:
92	(a) Faked by DNS
93	(b) Faked by /etc/hosts.
94
95(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie.
96
97(5.b) Add an entry into /etc/hosts so that you can resolve hostname into
98faked IPv6 addrss.  For example, add the following line for www.netbsd.org:
99
100	3ffe:0501:ffff:0000::140.160.140.252	www.netbsd.org
101
102<<On the translating router on which faithd runs.>>
103
104(6) To see if "faithd" works, watch "/var/log/daemon". Note: please
105setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored
106in "/var/log/daemon".
107
108	<e.g.>
109	daemon.*   /var/log/daemon
110
111
112Access control
113==============
114
115Since faithd implements TCP relaying service, it is critical to implement
116proper access control to cope with malicious use.  Bad guy may try to
117use your relay router to circumvent access controls, or may try to
118abuse your network (like sending SPAMs from IPv4 address that belong to you).
119Install IPv6 packet filter directives that would reject traffic from
120unwanted source.  If you are using inetd-based setup, you may be able to
121use access control mechanisms in inetd.
122
123
124Advanced configuration
125======================
126
127If you would like to restrict IPv4 destination for translation, you may
128want to do the following:
129
130	# route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1
131	# route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \
132		-ifp faith0
133
134By this way, you can restrict IPv4 destination to 123.0.0.0/8.
135You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which
136is not in 3ffe:0501:ffff:0000::123.0.0.0/104.  This will be left as excerside
137for the reader.
138
139By doing this, you will be able to provide your IPv4 web server to outside
140IPv6 customers, without risks of unwanted open relays.
141
142	[[[[ IPv6 network outside ]]]]			|
143		|					| connection
144	node that runs FAITH-daemon (usually a router)	v
145		|
146	========+======== IPv4/v6 network in your site
147		|			(123.0.0.0/8)
148	IPv4 web server
149