OpenBSD manual page server

Manual Page Search Parameters
FAITHD(8) System Manager's Manual FAITHD(8)

faithdFAITH IPv6/v4 translator daemon

faithd [-dp] [-f configfile] service [serverpath [serverargs]]

faithd provides an IPv6-to-IPv4 TCP relay. faithd must be used on an IPv4/v6 dual stack router.

When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic to TCPv4. The destination for the relayed TCPv4 connection is determined by the last 4 octets of the original IPv6 destination. For example, if 2001:db8:4819:ffff:: is reserved for faithd, and the TCPv6 destination address is 2001:db8:4819:ffff::0a01:0101, the traffic is relayed to IPv4 destination 10.1.1.1.

To use the faithd translation service, an IPv6 address prefix must be reserved for mapping IPv4 addresses onto. The kernel must be properly configured to route all the TCP connections toward the reserved IPv6 address prefix into the faith(4) pseudo interface, by using the route(8) command. Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.

The router must be configured to capture all the TCP traffic for a given reserved IPv6 address prefix, by using the route(8) and sysctl(8) commands.

faithd needs a special name-to-address translation logic, so that hostnames get resolved into a special IPv6 address prefix. For small-scale installation, use hosts(5). For large-scale installation, it is useful to have a DNS server with special address translation support. An implementation called totd is available at http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html. Make sure you do not propagate translated DNS records to normal DNS cloud, it is highly harmful. When faithd is invoked, faithd will daemonize itself. faithd will listen to TCPv6 port service. If TCPv6 traffic to port service is found, it relays the connection.

Since faithd listens to TCP port service, it is not possible to run local TCP daemons for port service on the router, using inetd(8) or other standard mechanisms. Local daemons can be run on the router by specifying a serverpath to faithd. faithd will invoke a local daemon at serverpath if the destination address is a local interface address, and will perform translation to IPv4 TCP in other cases. serverargs can also be specified as arguments for the local daemon.

The following options are available:

Debugging information will be generated using syslog(3).
configfile
Specify a configuration file for access control. See below.
Use the privileged TCP port number as a source port, for an IPv4 TCP connection toward the final destination. For relaying ftp(1) this flag is not necessary as special program code is supplied.

faithd will relay both normal and out-of-band TCP data. It is capable of emulating TCP half close as well. faithd includes special support for protocols used by ftp(1). When translating FTP protocol, faithd translates network level addresses in PORT/LPRT/EPRT and PASV/LPSV/EPSV commands.

Inactive sessions will be disconnected in 30 minutes, to avoid stale sessions from chewing up resources. This may be inappropriate for some of the services (should this be configurable?).

To prevent malicious access, faithd implements a simple address-based access control. With /etc/faithd.conf (or configfile specified by -f), faithd will avoid relaying unwanted traffic. faithd.conf contains directives with the following format:

  • src/slen deny dst/dlen

    If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.

  • src/slen permit dst/dlen

    If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.

The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (the end of the ruleset has been reached), the traffic is denied.

faithd exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.

Before invoking faithd, the faith(4) interface has to be configured properly:

# sysctl net.inet6.ip6.accept_rtadv=0
# sysctl net.inet6.ip6.forwarding=1
# sysctl net.inet6.ip6.keepfaith=1
# ifconfig faith0 up
# route add -inet6 2001:db8:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 2001:db8:4819:ffff:: -prefixlen 96 -ifp faith0

To translate telnet service, and provide no local telnet service, invoke faithd as follows:

# faithd telnet

Pass extra arguments to the local daemon:

# faithd ftp /usr/libexec/ftpd ftpd -l

The following illustrates a simple faithd.conf setting.

# Permit anyone from 2001:db8:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
2001:db8:ffff::/48 deny 10.0.0.0/8
2001:db8:ffff::/48 deny 127.0.0.0/8
2001:db8:ffff::/48 permit 0.0.0.0/0

faith(4), route(8), sysctl(8)

Jun-ichiro itojun Hagino and Kazu Yamamoto, “An IPv6-to-IPv4 transport relay translator”, RFC 3142, June 2001, ftp://ftp.isi.edu/in-notes/rfc3142.txt.

The faithd command first appeared in the WIDE Hydrangea IPv6 protocol stack kit.

It is very insecure to use IP-address-based authentication for connections relayed by faithd.

Administrators are advised to limit access to faithd using faithd.conf, or by using IPv6 packet filters, to protect the faithd service from malicious parties and avoid theft of service/bandwidth. IPv6 destination addresses can be limited by carefully configuring routing entries that point to faith(4), using route(8). IPv6 source addresses need to be filtered using a packet filter. The documents listed in SEE ALSO have more discussions on this topic.

July 19, 2008 OpenBSD-5.1