README revision 57122
1Configuring FAITH IPv6-to-IPv4 TCP relay 2 3Kazu Yamamoto and Jun-ichiro itojun Hagino 4$Id: README,v 1.1.1.1 1999/08/08 23:29:27 itojun Exp $ 5$FreeBSD: head/usr.sbin/faithd/README 57122 2000-02-10 19:42:42Z shin $ 6 7 8Introduction 9============ 10 11FAITH is a IPv6-to-IPv4 TCP relay. It performs TCP relay just as some of 12firewall-oriented gateway does, but between IPv6 and IPv4 with address 13translation. 14TCP connections has to be made from IPv6 node to IPv4 node. FAITH will 15not relay connections for the opposite direction. 16To perform relays, FAITH daemon needs to be executed on a router between 17your local IPv6 site and outside IPv4 network. The daemon needs to be 18invoked per each TCP services (TCP port number). 19 20 IPv4 node "dest" = 123.4.5.6 21 | 22 [[[[ outside IPv4 ocean ]]]] 23 | 24 node that runs FAITH-daemon (usually a router) 25 | 26 ==+=====+===+==== IPv6, or IPv4/v6 network in your site ^ 27 | | | connection 28 clients IPv6 node "src" | 29 30You will have to allocate an IPv6 address prefix to map IPv4 addresses into. 31The following description uses 3ffe:0501:1234:ffff:: as example. 32Please use a prefix which belongs to your site. 33FAITH will make it possible to make a IPv6 TCP connection From IPv6 node 34"src", toward IPv4 node "dest", by specifying FAITH-mapped address 353ffe:0501:1234:ffff::123.4.5.6 36(which is, 3ffe:0501:1234:ffff:0000:0000:7b04:0506). 37The address mapping can be performed by hand:-), by special nameserver on 38the network, or by special resolver on the source node. 39 40 41Setup 42===== 43 44The following example assumes: 45- You have assigned 3ffe:0501:1234:ffff:: as FAITH address prefix. 46- You are willing to provide IPv6-to IPv4 TCP relay for telnet. 47 48<<On the translating router on which faithd runs>> 49 50(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via 51 inet6d, disable that daemon. Comment out the line from "inet6d.conf" 52 and send the HUP signal to "inet6d". 53 54(2) Execute sysctl as root to enable FAITH support in the kernel. 55 56 # sysctl -w net.inet6.ip6.keepfaith=1 57 58(3) Route packets toward FAITH prefix into "faith0" interface. 59 60 # ifconfig faith0 up 61 # route add -inet6 3ffe:0501:1234:ffff:: -prefixlen 64 -interface faith0 62 63 or, on platforms that has problem with "-interface": 64 # ifconfig faith0 up 65 # route add -inet6 3ffe:0501:1234:ffff:: -prefixlen 64 \ 66 fe80:q::xxxx:yyyy:zzzz:wwww 67 (the last one is link-local address assigned for faith0) 68 69(4) Execute "faithd" by root as follows: 70 71 # faithd telnet /usr/local/v6/libexec/telnetd telnetd 72 73 1st argument is a service name you are willing to provide TCP relay. 74 (it can be specified either by number "23" or by string "telnet") 75 2nd argument is a path name for local IPv6 TCP server. If there is a 76 connection toward the router itself, this program will be invoked. 77 3rd and the following arguments are arguments for the local IPv6 TCP 78 server. (3rd argument is typically the program name without its path.) 79 80 More examples: 81 82 # faithd login /usr/local/v6/libexec/rlogin rlogind 83 # faithd shell /usr/local/v6/libexec/rshd rshd 84 # faithd ftpd /usr/local/v6/libexec/ftpd ftpd -l 85 # faithd ssh 86 87 88<<Routing>> 89 90(4) Make sure that packets whose destinations match the prefix can 91reach from the IPv6 host to the translating router. 92 93<<On the IPv6 host>> 94 95There are two ways to translate IPv4 address to IPv6 address: 96 (a) Faked by DNS 97 (b) Faked by /etc/hosts. 98 99(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie of 100 KAME package. KAME package is obtained from www.kame.net. 101 102(5.b) Add an entry into /etc/hosts so that you can resolve hostname into 103faked IPv6 address. For example, add the following line for www.freebsd.org: 104 105 3ffe:0501:1234:ffff::204.216.27.21 www.freebsd.org 106 107<<On the translating router on which faithd runs.>> 108 109(6) To see if "faithd" works, watch "/var/log/daemon". Note: please 110setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored 111in "/var/log/daemon". 112 113 <e.g.> 114 daemon.* /var/log/daemon 115 116 117Advanced configuration 118====================== 119 120If you would like to restrict IPv4 destination for translation, you may 121want to do the following: 122 123 # route add -inet6 3ffe:0501:1234:ffff::123.0.0.0 -prefixlen 104 \ 124 -interface faith0 125 126By this way, you can restrict IPv4 destination to 123.0.0.0/8. 127You may also want to reject packets toward 3ffe:0501:1234:ffff::/64 which 128is not in 3ffe:0501:1234:ffff::123.0.0.0/104. This will be left as exercise 129for the reader. 130 131By doing this, you will be able to provide your IPv4 web server to outside 132IPv6 customers, without risks of unwanted open relays. 133 134 [[[[ IPv6 network outside ]]]] | 135 | | connection 136 node that runs FAITH-daemon (usually a router) v 137 | 138 ========+======== IPv4/v6 network in your site 139 | (123.0.0.0/8) 140 IPv4 web server 141