README revision 96397
1239313SdimConfiguring FAITH IPv6-to-IPv4 TCP relay 2239313Sdim 3239313SdimKazu Yamamoto and Jun-ichiro itojun Hagino 4239313Sdim$KAME: README,v 1.8 2001/09/05 03:04:20 itojun Exp $ 5239313Sdim$FreeBSD: head/usr.sbin/faithd/README 96397 2002-05-11 05:55:05Z dd $ 6239313Sdim 7239313SdimIntroduction 8239313Sdim============ 9239313Sdim 10239313SdimFAITH is a IPv6-to-IPv4 TCP relay. It performs tcp relay just as some of 11252723Sdimfirewall-oriented gateway does, but between IPv6 and IPv4 with address 12252723Sdimtranslation. 13239313SdimTCP connections has to be made from IPv6 node to IPv4 node. FAITH will 14239313Sdimnot relay connections for the opposite direction. 15239313SdimTo perform relays, FAITH daemon needs to be executed on a router between 16239313Sdimyour local IPv6 site and outside IPv4 network. The daemon needs to be 17245431Sdiminvoked per each TCP services (TCP port number). 18252723Sdim 19239313Sdim IPv4 node "dest" = 123.4.5.6 20239313Sdim | 21239313Sdim [[[[ outside IPv4 ocean ]]]] 22239313Sdim | 23239313Sdim node that runs FAITH-daemon (usually a router) 24245431Sdim | 25245431Sdim ==+=====+===+==== IPv6, or IPv4/v6 network in your site ^ 26245431Sdim | | | connection 27245431Sdim clients IPv6 node "src" | 28239313Sdim 29245431SdimYou will have to allocate an IPv6 address prefix to map IPv4 addresses into. 30245431SdimThe following description uses 3ffe:0501:ffff:0000:: as example. 31239313SdimPlease use a prefix which belongs to your site. 32263509SdimFAITH will make it possible to make a IPv6 TCP connection From IPv6 node 33239313Sdim"src", toward IPv4 node "dest", by specifying FAITH-mapped address 34239313Sdim3ffe:0501:ffff:0000::123.4.5.6 35239313Sdim(which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506). 36239313SdimThe address mapping can be performed by hand:-), by special nameserver on 37239313Sdimthe network, or by special resolver on the source node. 38239313Sdim 39239313Sdim 40245431SdimSetup 41239313Sdim===== 42239313Sdim 43239313SdimThe following example assumes: 44239313Sdim- You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix. 45239313Sdim- You are willing to provide IPv6-to IPv4 TCP relay for telnet. 46239313Sdim 47239313Sdim<<On the translating router on which faithd runs>> 48239313Sdim 49252723Sdim(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via 50252723Sdim inet6d, disable that daemon. Comment out the line from "inet6d.conf" 51252723Sdim and send the HUP signal to "inet6d". 52252723Sdim 53252723Sdim(2) Execute sysctl as root to enable FAITH support in the kernel. 54252723Sdim 55252723Sdim # sysctl net.inet6.ip6.keepfaith=1 56252723Sdim 57252723Sdim(3) Route packets toward FAITH prefix into "faith0" interface. 58252723Sdim 59239313Sdim # ifconfig faith0 up 60239313Sdim # route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1 61239313Sdim # route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0 62239313Sdim 63239313Sdim(4) Execute "faithd" by root as follows: 64239313Sdim 65239313Sdim # faithd telnet /usr/libexec/telnetd telnetd 66239313Sdim 67239313Sdim 1st argument is a service name you are willing to provide TCP relay. 68239313Sdim (it can be specified either by number "23" or by string "telnet") 69239313Sdim 2nd argument is a path name for local IPv6 TCP server. If there is a 70239313Sdim connection toward the router itself, this program will be invoked. 71239313Sdim 3rd and the following arguments are arguments for the local IPv6 TCP 72245431Sdim server. (3rd argument is typically the program name without its path.) 73239313Sdim 74239313Sdim More examples: 75252723Sdim 76252723Sdim # faithd login /usr/libexec/rlogin rlogind 77252723Sdim # faithd shell /usr/libexec/rshd rshd 78252723Sdim # faithd ftpd /usr/libexec/ftpd ftpd -l 79252723Sdim # faithd sshd 80239313Sdim 81252723SdimIf inetd(8) on your platform have special support for faithd, it is possible 82252723Sdimto setup faithd services via inetd(8). Consult manpage for details. 83239313Sdim 84239313Sdim 85239313Sdim<<Routing>> 86239313Sdim 87252723Sdim(4) Make sure that packets whose destinations match the prefix can 88245431Sdimreach from the IPv6 host to the translating router. 89239313Sdim 90239313Sdim<<On the IPv6 host>> 91239313Sdim 92239313SdimThere are two ways to translate IPv4 address to IPv6 address: 93252723Sdim (a) Faked by DNS 94252723Sdim (b) Faked by /etc/hosts. 95252723Sdim 96252723Sdim(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie. 97252723Sdim 98252723Sdim(5.b) Add an entry into /etc/hosts so that you can resolve hostname into 99252723Sdimfaked IPv6 addrss. For example, add the following line for www.netbsd.org: 100252723Sdim 101263509Sdim 3ffe:0501:ffff:0000::140.160.140.252 www.netbsd.org 102252723Sdim 103252723Sdim<<On the translating router on which faithd runs.>> 104263509Sdim 105252723Sdim(6) To see if "faithd" works, watch "/var/log/daemon". Note: please 106252723Sdimsetup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored 107252723Sdimin "/var/log/daemon". 108252723Sdim 109252723Sdim <e.g.> 110252723Sdim daemon.* /var/log/daemon 111252723Sdim 112252723Sdim 113252723SdimAccess control 114252723Sdim============== 115252723Sdim 116252723SdimSince faithd implements TCP relaying service, it is critical to implement 117252723Sdimproper access control to cope with malicious use. Bad guy may try to 118252723Sdimuse your relay router to circumvent access controls, or may try to 119252723Sdimabuse your network (like sending SPAMs from IPv4 address that belong to you). 120252723SdimInstall IPv6 packet filter directives that would reject traffic from 121252723Sdimunwanted source. If you are using inetd-based setup, you may be able to 122252723Sdimuse access control mechanisms in inetd. 123252723Sdim 124252723Sdim 125252723SdimAdvanced configuration 126252723Sdim====================== 127252723Sdim 128252723SdimIf you would like to restrict IPv4 destination for translation, you may 129252723Sdimwant to do the following: 130252723Sdim 131252723Sdim # route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1 132252723Sdim # route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \ 133263509Sdim -ifp faith0 134263509Sdim 135263509SdimBy this way, you can restrict IPv4 destination to 123.0.0.0/8. 136263509SdimYou may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which 137263509Sdimis not in 3ffe:0501:ffff:0000::123.0.0.0/104. This will be left as excerside 138263509Sdimfor the reader. 139252723Sdim 140252723SdimBy doing this, you will be able to provide your IPv4 web server to outside 141252723SdimIPv6 customers, without risks of unwanted open relays. 142252723Sdim 143252723Sdim [[[[ IPv6 network outside ]]]] | 144252723Sdim | | connection 145252723Sdim node that runs FAITH-daemon (usually a router) v 146252723Sdim | 147252723Sdim ========+======== IPv4/v6 network in your site 148252723Sdim | (123.0.0.0/8) 149252723Sdim IPv4 web server 150252723Sdim