README revision 108533
1Configuring FAITH IPv6-to-IPv4 TCP relay 2 3Kazu Yamamoto and Jun-ichiro itojun Hagino 4$KAME: README,v 1.8 2001/09/05 03:04:20 itojun Exp $ 5$FreeBSD: head/usr.sbin/faithd/README 108533 2003-01-01 18:49:04Z schweikh $ 6 7Introduction 8============ 9 10FAITH is an IPv6-to-IPv4 TCP relay. It performs tcp relay just as some of 11firewall-oriented gateway does, but between IPv6 and IPv4 with address 12translation. 13TCP connections has to be made from IPv6 node to IPv4 node. FAITH will 14not relay connections for the opposite direction. 15To perform relays, FAITH daemon needs to be executed on a router between 16your local IPv6 site and outside IPv4 network. The daemon needs to be 17invoked per each TCP services (TCP port number). 18 19 IPv4 node "dest" = 123.4.5.6 20 | 21 [[[[ outside IPv4 ocean ]]]] 22 | 23 node that runs FAITH-daemon (usually a router) 24 | 25 ==+=====+===+==== IPv6, or IPv4/v6 network in your site ^ 26 | | | connection 27 clients IPv6 node "src" | 28 29You will have to allocate an IPv6 address prefix to map IPv4 addresses into. 30The following description uses 3ffe:0501:ffff:0000:: as example. 31Please use a prefix which belongs to your site. 32FAITH will make it possible to make an IPv6 TCP connection From IPv6 node 33"src", toward IPv4 node "dest", by specifying FAITH-mapped address 343ffe:0501:ffff:0000::123.4.5.6 35(which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506). 36The address mapping can be performed by hand:-), by special nameserver on 37the network, or by special resolver on the source node. 38 39 40Setup 41===== 42 43The following example assumes: 44- You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix. 45- You are willing to provide IPv6-to IPv4 TCP relay for telnet. 46 47<<On the translating router on which faithd runs>> 48 49(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via 50 inet6d, disable that daemon. Comment out the line from "inet6d.conf" 51 and send the HUP signal to "inet6d". 52 53(2) Execute sysctl as root to enable FAITH support in the kernel. 54 55 # sysctl net.inet6.ip6.keepfaith=1 56 57(3) Route packets toward FAITH prefix into "faith0" interface. 58 59 # ifconfig faith0 up 60 # route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1 61 # route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0 62 63(4) Execute "faithd" by root as follows: 64 65 # faithd telnet /usr/libexec/telnetd telnetd 66 67 1st argument is a service name you are willing to provide TCP relay. 68 (it can be specified either by number "23" or by string "telnet") 69 2nd argument is a path name for local IPv6 TCP server. If there is a 70 connection toward the router itself, this program will be invoked. 71 3rd and the following arguments are arguments for the local IPv6 TCP 72 server. (3rd argument is typically the program name without its path.) 73 74 More examples: 75 76 # faithd login /usr/libexec/rlogin rlogind 77 # faithd shell /usr/libexec/rshd rshd 78 # faithd ftpd /usr/libexec/ftpd ftpd -l 79 # faithd sshd 80 81If inetd(8) on your platform have special support for faithd, it is possible 82to setup faithd services via inetd(8). Consult manpage for details. 83 84 85<<Routing>> 86 87(4) Make sure that packets whose destinations match the prefix can 88reach from the IPv6 host to the translating router. 89 90<<On the IPv6 host>> 91 92There are two ways to translate IPv4 address to IPv6 address: 93 (a) Faked by DNS 94 (b) Faked by /etc/hosts. 95 96(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie. 97 98(5.b) Add an entry into /etc/hosts so that you can resolve hostname into 99faked IPv6 addrss. For example, add the following line for www.netbsd.org: 100 101 3ffe:0501:ffff:0000::140.160.140.252 www.netbsd.org 102 103<<On the translating router on which faithd runs.>> 104 105(6) To see if "faithd" works, watch "/var/log/daemon". Note: please 106setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored 107in "/var/log/daemon". 108 109 <e.g.> 110 daemon.* /var/log/daemon 111 112 113Access control 114============== 115 116Since faithd implements TCP relaying service, it is critical to implement 117proper access control to cope with malicious use. Bad guy may try to 118use your relay router to circumvent access controls, or may try to 119abuse your network (like sending SPAMs from IPv4 address that belong to you). 120Install IPv6 packet filter directives that would reject traffic from 121unwanted source. If you are using inetd-based setup, you may be able to 122use access control mechanisms in inetd. 123 124 125Advanced configuration 126====================== 127 128If you would like to restrict IPv4 destination for translation, you may 129want to do the following: 130 131 # route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1 132 # route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \ 133 -ifp faith0 134 135By this way, you can restrict IPv4 destination to 123.0.0.0/8. 136You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which 137is not in 3ffe:0501:ffff:0000::123.0.0.0/104. This will be left as excerside 138for the reader. 139 140By doing this, you will be able to provide your IPv4 web server to outside 141IPv6 customers, without risks of unwanted open relays. 142 143 [[[[ IPv6 network outside ]]]] | 144 | | connection 145 node that runs FAITH-daemon (usually a router) v 146 | 147 ========+======== IPv4/v6 network in your site 148 | (123.0.0.0/8) 149 IPv4 web server 150