NAME
faithd
—
FAITH IPv6/v4 translator
daemon
SYNOPSIS
faithd |
[-dp ] [-f
configfile] service
[serverpath [serverargs]] |
DESCRIPTION
faithd
provides an IPv6-to-IPv4 TCP relay.
faithd
must be used on an IPv4/v6 dual stack
router.
When faithd
receives TCPv6 traffic,
faithd
will relay the TCPv6 traffic to TCPv4. The
destination for the relayed TCPv4 connection is determined by the last 4
octets of the original IPv6 destination. For example, if
2001:db8:4819:ffff::
is reserved for
faithd
, and the TCPv6 destination address is
2001:db8:4819:ffff::0a01:0101
, the traffic is
relayed to IPv4 destination 10.1.1.1
.
To use the faithd
translation service, an
IPv6 address prefix must be reserved for mapping IPv4 addresses onto. The
kernel must be properly configured to route all the TCP connections toward
the reserved IPv6 address prefix into the
faith(4) pseudo interface, by using the
route(8) command. Also,
sysctl(8) should be used to configure
net.inet6.ip6.keepfaith
to
1
.
The router must be configured to capture all the TCP traffic for a given reserved IPv6 address prefix, by using the route(8) and sysctl(8) commands.
faithd
needs a special name-to-address
translation logic, so that hostnames get resolved into a special IPv6
address prefix. For small-scale installation, use
hosts(5). For large-scale installation, it is useful to have a DNS
server with special address translation support. An implementation called
totd
is available at
http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html.
Make sure you do not propagate translated DNS records to normal DNS cloud,
it is highly harmful. When faithd
is invoked,
faithd
will daemonize itself.
faithd
will listen to TCPv6 port
service. If TCPv6 traffic to port
service is found, it relays the connection.
Since faithd
listens to TCP port
service, it is not possible to run local TCP daemons
for port service on the router, using
inetd(8) or other standard mechanisms. Local daemons can be run on
the router by specifying a serverpath to
faithd
. faithd
will invoke a
local daemon at serverpath if the destination address
is a local interface address, and will perform translation to IPv4 TCP in
other cases. serverargs can also be specified as
arguments for the local daemon.
The following options are available:
-d
- Debugging information will be generated using syslog(3).
-f
configfile- Specify a configuration file for access control. See below.
-p
- Use the privileged TCP port number as a source port, for an IPv4 TCP connection toward the final destination. For relaying ftp(1) this flag is not necessary as special program code is supplied.
faithd
will relay both normal and
out-of-band TCP data. It is capable of emulating TCP half close as well.
faithd
includes special support for protocols used
by ftp(1). When translating FTP protocol, faithd
translates network level addresses in PORT/LPRT/EPRT
and PASV/LPSV/EPSV
commands.
Inactive sessions will be disconnected in 30 minutes, to avoid stale sessions from chewing up resources. This may be inappropriate for some of the services (should this be configurable?).
Access control
To prevent malicious access, faithd
implements a simple address-based access control. With
/etc/faithd.conf (or
configfile specified by -f
),
faithd
will avoid relaying unwanted traffic.
faithd.conf contains directives with the following
format:
- src/slen
deny
dst/dlenIf the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.
- src/slen
permit
dst/dlenIf the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.
The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (the end of the ruleset has been reached), the traffic is denied.
RETURN VALUES
faithd
exits with
EXIT_SUCCESS
(0) on success, and
EXIT_FAILURE
(1) on error.
EXAMPLES
Before invoking faithd
, the
faith(4) interface has to be configured properly:
# sysctl net.inet6.ip6.accept_rtadv=0 # sysctl net.inet6.ip6.forwarding=1 # sysctl net.inet6.ip6.keepfaith=1 # ifconfig faith0 up # route add -inet6 2001:db8:4819:ffff:: -prefixlen 96 ::1 # route change -inet6 2001:db8:4819:ffff:: -prefixlen 96 -ifp faith0
To translate telnet
service, and provide
no local telnet service, invoke faithd
as
follows:
# faithd telnet
Pass extra arguments to the local daemon:
# faithd ftp /usr/libexec/ftpd ftpd
-l
Access control samples
The following illustrates a simple faithd.conf setting.
# Permit anyone from 2001:db8:ffff::/48 to use the translator, # to connect to the following IPv4 destinations: # - any location except 10.0.0.0/8 and 127.0.0.0/8. # Permit no other connections. # 2001:db8:ffff::/48 deny 10.0.0.0/8 2001:db8:ffff::/48 deny 127.0.0.0/8 2001:db8:ffff::/48 permit 0.0.0.0/0
SEE ALSO
Jun-ichiro itojun Hagino and Kazu Yamamoto, An IPv6-to-IPv4 transport relay translator, RFC 3142, June 2001, ftp://ftp.isi.edu/in-notes/rfc3142.txt.
HISTORY
The faithd
command first appeared in the
WIDE Hydrangea IPv6 protocol stack kit.
SECURITY CONSIDERATIONS
It is very insecure to use IP-address-based authentication for
connections relayed by faithd
.
Administrators are advised to limit access to
faithd
using faithd.conf, or
by using IPv6 packet filters, to protect the faithd
service from malicious parties and avoid theft of service/bandwidth. IPv6
destination addresses can be limited by carefully configuring routing
entries that point to
faith(4), using
route(8). IPv6 source addresses need to be filtered using a packet
filter. The documents listed in SEE ALSO
have more discussions on this topic.