NAME
faithd -- FAITH IPv6/v4 translator daemon
SYNOPSIS
faithd [-dp] [-f configfile] service [serverpath [serverargs]]
DESCRIPTION
The faithd utility provides IPv6-to-IPv4 TCP relaying. It can only be used on an IPv4/v6 dual stack router.

When faithd receives TCPv6 traffic, it will relay the TCPv6 traffic to TCPv4. The destination for the relayed TCPv4 connection will be determined by the last 4 octets of the original IPv6 destination. For example, if 2001:0db8:4819:ffff:: is reserved for faithd, and the TCPv6 destination address is 2001:0db8:4819:ffff::0a01:0101, the traffic will be relayed to IPv4 destination 10.1.1.1.
To use the faithd translation service, an IPv6 address prefix must be reserved for mapping IPv4 addresses into. The kernel must be properly configured to route all the TCP connections toward the reserved IPv6 address prefix into the faith(4) pseudo interface, using the route(8) command. Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1. The router must be configured to capture all the TCP traffic for the reserved IPv6 address prefix, by using route(8) and sysctl(8) commands.
The faithd utility needs special name-to-address translation logic, so that hostnames get resolved into the special IPv6 address prefix. For small-scale installations, use hosts(5). For large-scale installations, it is useful to have a DNS server with special address translation support. An implementation called totd is available at http://www.dillema.net/software/totd.html. Make sure you do not propagate translated DNS records over to normal DNS, as it can cause severe problems.
Daemon mode
When faithd is invoked as a standalone program, faithd will daemonize itself. faithd will listen to TCPv6 port service. If TCPv6 traffic to port service is found, it relays the connection.

Since faithd listens to TCP port service, it is not possible to run local TCP daemons for port service on the router, using inetd(8) or other standard mechanisms. By specifying serverpath to faithd, you can run local daemons on the router. The faithd utility will invoke a local daemon at serverpath if the destination address is a local interface address, and will perform translation to IPv4 TCP in other cases. You can also specify serverargs for the arguments for the local daemon.
The following options are available:

-d      Debugging information will be generated using syslog(3).

-f configfile
        Specify a configuration file for access control. See below.

-p      Use privileged TCP port number as source port, for IPv4 TCP connection toward final destination. For relaying ftp(1) this flag is not necessary as special program code is supplied.
faithd will relay both normal and out-of-band TCP data. It is capable of emulating TCP half close as well. faithd includes special support for protocols used by ftp(1). When translating the FTP protocol, faithd translates network level addresses in PORT/LPRT/EPRT and PASV/LPSV/EPSV commands.

Inactive sessions will be disconnected in 30 minutes, to prevent stale sessions from chewing up resources. This may be inappropriate for some services (should this be configurable?).
inetd mode
When faithd is invoked via inetd(8), faithd will handle connections passed from standard input. If the connection endpoint is in the reserved IPv6 address prefix, faithd will relay the connection. Otherwise, faithd will invoke a service-specific daemon like telnetd(8), by using the command argument passed from inetd(8).

faithd determines operation mode by the local TCP port number, and enables special protocol handling whenever necessary/possible. For example, if faithd is invoked via inetd(8) on the FTP port, it will operate as an FTP relay.
Access control
To prevent malicious access, faithd implements a simple address-based access control. With /etc/faithd.conf (or configfile specified by -f), faithd will avoid relaying unwanted traffic. The faithd.conf configuration file contains directives of the following format:

src/slen deny dst/dlen
        If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, deny the connection.

src/slen permit dst/dlen
        If the source address of a query matches src/slen, and the translated destination address matches dst/dlen, permit the connection.

The directives are evaluated in sequence, and the first matching entry will be effective. If there is no match (if we reach the end of the ruleset) the traffic will be denied.
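The two decisions described above (the last-4-octets address mapping from DESCRIPTION and the first-match, default-deny ruleset evaluation of faithd.conf) can be worked through with a short model. This is an added illustration, not faithd's own code; it assumes the 2001:0db8:4819:ffff::/96 prefix and the faithd.conf sample from this page as constructed input.

```python
import ipaddress

# Reserved prefix taken from the man page example (assumed, 96-bit prefix).
FAITH_PREFIX = ipaddress.IPv6Network("2001:0db8:4819:ffff::/96")

# Constructed faithd.conf, copied from the Access control samples section.
SAMPLE_CONF = """\
# permit 2001:0db8:ffff::/48 to reach any IPv4 host except 10/8 and 127/8
2001:0db8:ffff::/48 deny 10.0.0.0/8
2001:0db8:ffff::/48 deny 127.0.0.0/8
2001:0db8:ffff::/48 permit 0.0.0.0/0
"""

def faith_destination(dst6, prefix=FAITH_PREFIX):
    """Return the IPv4 target for a TCPv6 destination inside the faith prefix.

    faithd uses the last 4 octets of the IPv6 destination as the IPv4 address.
    Returns None for a destination outside the prefix (faithd would then
    serve it locally instead of relaying).
    """
    addr = ipaddress.IPv6Address(dst6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(addr.packed[-4:])

def parse_faithd_conf(text):
    """Parse 'src/slen (deny|permit) dst/dlen' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("deny", "permit"):
            raise ValueError(f"line {lineno}: malformed directive: {line!r}")
        src = ipaddress.ip_network(fields[0], strict=False)
        dst = ipaddress.ip_network(fields[2], strict=False)
        rules.append((src, fields[1], dst))
    return rules

def faith_access(rules, src6, dst4):
    """First matching directive wins; reaching the end of the ruleset denies."""
    src = ipaddress.ip_address(src6)
    dst = ipaddress.ip_address(dst4)
    for src_net, action, dst_net in rules:
        # 'in' is False across address families, so mismatched rules never match.
        if src in src_net and dst in dst_net:
            return action
    return "deny"
```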
With inetd mode, traffic may be filtered by using access control functionality in inetd(8).
EXIT STATUS
faithd exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE (1) on error.
EXAMPLES
Before invoking faithd, the faith(4) interface has to be configured properly.

# sysctl -w net.inet6.ip6.accept_rtadv=0
# sysctl -w net.inet6.ip6.forwarding=1
# sysctl -w net.inet6.ip6.keepfaith=1
# ifconfig faith0 create up
# route add -inet6 2001:0db8:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 2001:0db8:4819:ffff:: -prefixlen 96 -ifp faith0
Daemon mode samples
To translate telnet service, and provide no local telnet service, invoke faithd as follows:

# faithd telnet

If you would like to provide local telnet service via telnetd(8) on /usr/libexec/telnetd, use the following command line:

# faithd telnet /usr/libexec/telnetd telnetd

If you would like to pass extra arguments to the local daemon:

# faithd ftp /usr/libexec/ftpd ftpd -l

Here are some other examples. You may need -p if the service checks the source port range.

# faithd ssh
# faithd telnet /usr/libexec/telnetd telnetd
inetd mode samples
Add the following lines into inetd.conf(5).

telnet stream faith/tcp6 nowait root faithd telnetd
ftp stream faith/tcp6 nowait root faithd ftpd -l
ssh stream faith/tcp6 nowait root faithd /usr/sbin/sshd -i

inetd(8) will open listening sockets with kernel TCP relay support enabled. Whenever a connection comes in, faithd will be invoked by inetd(8). If the connection endpoint is in the reserved IPv6 address prefix, faithd will relay the connection. Otherwise, faithd will invoke a service-specific daemon like telnetd(8).
Access control samples
The following illustrates a simple faithd.conf setting.

# permit anyone from 2001:0db8:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
2001:0db8:ffff::/48 deny 10.0.0.0/8
2001:0db8:ffff::/48 deny 127.0.0.0/8
2001:0db8:ffff::/48 permit 0.0.0.0/0
SEE ALSO
faith(4), route(8), sysctl(8), pkgsrc/net/totd

Jun-ichiro itojun Hagino and Kazu Yamamoto, An IPv6-to-IPv4 transport relay translator, RFC 3142, http://www.ietf.org/rfc/rfc3142.txt, June 2001.
HISTORY
The faithd utility first appeared in the WIDE Hydrangea IPv6 protocol stack kit.
SECURITY CONSIDERATIONS
It is very insecure to use IP-address based authentication for connections relayed by faithd, or by any other TCP relaying service.

Administrators are advised to limit access to faithd using faithd.conf, or by using IPv6 packet filters, to protect the faithd service from malicious parties and to avoid theft of service/bandwidth. IPv6 destination addresses can be limited by carefully configuring routing entries that point to faith(4), using route(8). The IPv6 source address needs to be filtered using packet filters. The documents listed in SEE ALSO have more information on this topic.