NAME
faithd - FAITH IPv6/v4 translator daemon

SYNOPSIS
faithd [-dp] [-f configfile] service [serverpath [serverargs]]
DESCRIPTION
faithd provides an IPv6-to-IPv4 TCP relay. faithd must be used on an IPv4/v6 dual stack router.

When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic to TCPv4. The destination for the relayed TCPv4 connection is determined by the last 4 octets of the original IPv6 destination. For example, if 3ffe:0501:4819:ffff:: is reserved for faithd, and the TCPv6 destination address is 3ffe:0501:4819:ffff::0a01:0101, the traffic is relayed to IPv4 destination 10.1.1.1.
To use the faithd translation service, an IPv6 address prefix must be reserved onto which IPv4 addresses are mapped. The kernel must be properly configured to route all the TCP connections toward the reserved IPv6 address prefix into the faith(4) pseudo interface, by using the route(8) command. Also, sysctl(8) should be used to set net.inet6.ip6.keepfaith to 1. In short, the router must be configured to capture all the TCP traffic for the given reserved IPv6 address prefix, by using the route(8) and sysctl(8) commands.
faithd needs a special name-to-address translation logic, so that hostnames get resolved into a special IPv6 address prefix. For a small-scale installation, use hosts(5). For a large-scale installation, it is useful to have a DNS server with special address translation support. An implementation called totd is available at http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html. Make sure you do not propagate translated DNS records to the normal DNS cloud; doing so is highly harmful.

When faithd is invoked, faithd will daemonize itself. faithd will listen to TCPv6 port service. If TCPv6 traffic to port service is found, it relays the connection.
Since faithd listens to TCP port service, it is not possible to run local TCP daemons for port service on the router, using inetd(8) or other standard mechanisms. Local daemons can be run on the router by specifying a serverpath to faithd. faithd will invoke a local daemon at serverpath if the destination address is a local interface address, and will perform translation to IPv4 TCP in other cases. Serverargs can also be specified as arguments for the local daemon.
The following options are available:

-d            Debugging information will be generated using syslog(3).

-f configfile Specify a configuration file for access control. See below.

-p            Use a privileged TCP port number as the source port for the IPv4 TCP connection toward the final destination. For relaying ftp(1) this flag is not necessary, as special program code is supplied.
faithd will relay both normal and out-of-band TCP data. It is capable of emulating TCP half close as well. faithd includes special support for protocols used by ftp(1). When translating the FTP protocol, faithd translates network level addresses in PORT/LPRT/EPRT and PASV/LPSV/EPSV commands.

Inactive sessions will be disconnected in 30 minutes, to avoid stale sessions from chewing up resources. This may be inappropriate for some of the services (should this be configurable?).
Access control
To prevent malicious access, faithd implements a simple address-based access control. With /etc/faithd.conf (or the configfile specified by -f), faithd will avoid relaying unwanted traffic. faithd.conf contains directives with the following format:

    src/slen deny dst/dlen
        If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.

    src/slen permit dst/dlen
        If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.

The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (the end of the ruleset has been reached), the traffic is denied.
EXIT STATUS
faithd exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.
EXAMPLES
Before invoking faithd, the faith(4) interface has to be configured properly:

    # sysctl net.inet6.ip6.accept_rtadv=0
    # sysctl net.inet6.ip6.forwarding=1
    # sysctl net.inet6.ip6.keepfaith=1
    # ifconfig faith0 up
    # route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
    # route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0

To translate telnet service, and provide no local telnet service, invoke faithd as follows:

    # faithd telnet

Provide local telnet service via telnetd(8) using /usr/libexec/telnetd:

    # faithd telnet /usr/libexec/telnetd telnetd

Pass extra arguments to the local daemon:

    # faithd ftp /usr/libexec/ftpd ftpd -l

Here are some other examples. If the service checks the source port range, -p may be required.

    # faithd ssh
    # faithd telnet /usr/libexec/telnetd telnetd
Access control samples
The following illustrates a simple faithd.conf setting.

    # permit anyone from 3ffe:501:ffff::/48 to use the translator,
    # to connect to the following IPv4 destinations:
    # - any location except 10.0.0.0/8 and 127.0.0.0/8.
    # Permit no other connections.
    #
    3ffe:501:ffff::/48 deny 10.0.0.0/8
    3ffe:501:ffff::/48 deny 127.0.0.0/8
    3ffe:501:ffff::/48 permit 0.0.0.0/0
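The following is an added illustration, not code from faithd itself: it models the two mechanisms the manual describes, the IPv6-to-IPv4 destination mapping (last 4 octets of a destination inside the reserved prefix) and the first-match, default-deny evaluation of faithd.conf directives, using the manual's own 3ffe:501:4819:ffff::/96 prefix and the sample ruleset above as constructed input.

```python
import ipaddress

# Prefix reserved for faithd, taken from the manual's route(8) example.
FAITH_PREFIX = ipaddress.IPv6Network("3ffe:501:4819:ffff::/96")

# Constructed sample faithd.conf, mirroring the manual's access control sample.
SAMPLE_CONF = """\
# permit 3ffe:501:ffff::/48 to reach any IPv4 destination
# except 10.0.0.0/8 and 127.0.0.0/8; everything else is denied
3ffe:501:ffff::/48 deny 10.0.0.0/8
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
"""


def translate_destination(dst6, prefix=FAITH_PREFIX):
    """Return the IPv4 address carried in the last 4 octets of an IPv6
    destination inside the faith prefix, or None for a non-faith address."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(addr.packed[12:])


def parse_conf(text):
    """Parse 'src/slen (deny|permit) dst/dlen' directives; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in ("deny", "permit"):
            raise ValueError(f"faithd.conf line {lineno}: bad directive {raw!r}")
        rules.append((ipaddress.IPv6Network(parts[0], strict=False),
                      parts[1] == "permit",
                      ipaddress.IPv4Network(parts[2], strict=False)))
    return rules


def check_access(rules, src6, dst6):
    """First matching directive wins; no match (or a destination outside the
    faith prefix, which faithd would never see) is denied."""
    src = ipaddress.IPv6Address(src6)
    dst4 = translate_destination(dst6)
    if dst4 is None:
        return False
    for src_net, permit, dst_net in rules:
        if src in src_net and dst4 in dst_net:
            return permit
    return False
```

Note that rule order matters: swapping the permit line above the two deny lines would expose 10.0.0.0/8 and 127.0.0.0/8, since the first match is effective.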
SEE ALSO
faith(4), route(8), sysctl(8)

Jun-ichiro itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4 transport relay translator", RFC 3142, June 2001, ftp://ftp.isi.edu/in-notes/rfc3142.txt.
HISTORY
The faithd command first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
SECURITY CONSIDERATIONS
It is very insecure to use IP-address based authentication for connections relayed by faithd, or by any other TCP relaying service. Administrators are advised to limit access to faithd using faithd.conf, or by using IPv6 packet filters, to protect the faithd service from malicious parties and avoid theft of service/bandwidth. IPv6 destination addresses can be limited by carefully configuring the routing entries that point to faith(4), using route(8). IPv6 source addresses need to be filtered using a packet filter. The documents listed in SEE ALSO have more discussion on this topic.
OpenBSD 3.6 May 17, 1998