faithd(8)
NAME
faithd - FAITH IPv6/v4 translator daemon
SYNOPSIS
faithd [-dp] [-f configfile] service [serverpath [serverargs]]
DESCRIPTION
The faithd utility provides IPv6-to-IPv4 TCP relay. It must be used on an
IPv4/v6 dual stack router.

When faithd receives TCPv6 traffic, faithd will relay the TCPv6 traffic to
TCPv4. The destination for the relayed TCPv4 connection is determined by
the last 4 octets of the original IPv6 destination. For example, if
3ffe:0501:4819:ffff:: is reserved for faithd, and the TCPv6 destination
address is 3ffe:0501:4819:ffff::0a01:0101, the traffic will be relayed to
IPv4 destination 10.1.1.1.

To use the faithd translation service, an IPv6 address prefix must be
reserved for mapping IPv4 addresses into. The kernel must be properly
configured to route all TCP connections toward the reserved IPv6 address
prefix into the faith(4) pseudo interface, by using the route(8) command.
Also, sysctl(8) should be used to configure net.inet6.ip6.keepfaith to 1.

The router must be configured to capture all the TCP traffic toward the
reserved IPv6 address prefix, by using the route(8) and sysctl(8) commands.

The faithd utility needs special name-to-address translation logic, so that
hostnames get resolved into the special IPv6 address prefix. For a
small-scale installation, use hosts(5). For a large-scale installation, it
is useful to have a DNS server with special address translation support.
An implementation called totd is available at
http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html. Make sure you do
not propagate translated DNS records to the normal DNS cloud; it is highly
harmful.

Daemon mode

When faithd is invoked as a standalone program, faithd will daemonize
itself. The faithd utility will listen to TCPv6 port service. If TCPv6
traffic to port service is found, it relays the connection.

Since faithd listens to TCP port service, it is not possible to run local
TCP daemons for port service on the router using inetd(8) or other standard
mechanisms. By specifying serverpath to faithd, you can run local daemons
on the router. The faithd utility will invoke the local daemon at
serverpath if the destination address is a local interface address, and
will perform translation to IPv4 TCP in other cases. You can also specify
serverargs for the arguments to the local daemon.
The following options are available:

-d             Debugging information will be generated using syslog(3).

-f configfile  Specify a configuration file for access control. See below.

-p             Use privileged TCP port number as source port, for IPv4 TCP
               connection toward final destination. For relaying ftp(1),
               this flag is not necessary as special program code is
               supplied.
The faithd utility will relay both normal and out-of-band TCP data. It is
capable of emulating TCP half close as well. The faithd utility includes
special support for protocols used by ftp(1). When translating the FTP
protocol, faithd translates network level addresses in PORT/LPRT/EPRT and
PASV/LPSV/EPSV commands.

Inactive sessions will be disconnected in 30 minutes, to avoid stale
sessions from chewing up resources. This may be inappropriate for some of
the services (should this be configurable?).

inetd mode
When faithd is invoked via inetd(8), faithd will handle the connection
passed from standard input. If the connection endpoint is in the reserved
IPv6 address prefix, faithd will relay the connection. Otherwise, faithd
will invoke a service-specific daemon like telnetd(8), by using the command
argument passed from inetd(8).

The faithd utility determines the operation mode by the local TCP port
number, and enables special protocol handling whenever necessary/possible.
For example, if faithd is invoked via inetd(8) on the FTP port, it will
operate as an FTP relay.

This operation mode requires special support for faithd in inetd(8).
Access control

To prevent malicious accesses, faithd implements simple address-based
access control. With /etc/faithd.conf (or the configfile specified by -f),
faithd will avoid relaying unwanted traffic. The faithd.conf file contains
directives with the following format:

o  src/slen deny dst/dlen
   If the source address of a query matches src/slen, and the translated
   destination address matches dst/dlen, deny the connection.

o  src/slen permit dst/dlen
   If the source address of a query matches src/slen, and the translated
   destination address matches dst/dlen, permit the connection.

The directives are evaluated in sequence, and the first matching entry will
be effective. If there is no match (if we reach the end of the ruleset) the
traffic will be denied.

With inetd mode, traffic may be filtered by using the access control
functionality in inetd(8).
EXIT STATUS
The faithd utility exits with EXIT_SUCCESS (0) on success, and EXIT_FAILURE
(1) on error.
EXAMPLES
Before invoking faithd, the faith(4) interface has to be configured
properly.

# sysctl net.inet6.ip6.accept_rtadv=0
# sysctl net.inet6.ip6.forwarding=1
# sysctl net.inet6.ip6.keepfaith=1
# ifconfig faith0 up
# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
Daemon mode samples

To translate telnet service, and provide no local telnet service, invoke
faithd as follows:

# faithd telnet

If you would like to provide local telnet service via telnetd(8) on
/usr/libexec/telnetd, use the following command line:

# faithd telnet /usr/libexec/telnetd telnetd

If you would like to pass extra arguments to the local daemon:

# faithd ftp /usr/libexec/ftpd ftpd -l

Here are some other examples. You may need -p if the service checks the
source port range.

# faithd ssh
# faithd telnet /usr/libexec/telnetd telnetd

inetd mode samples

Add the following lines into inetd.conf(5). Syntax may vary depending upon
your operating system.

telnet stream tcp6/faith nowait root faithd telnetd
ftp    stream tcp6/faith nowait root faithd ftpd -l
ssh    stream tcp6/faith nowait root faithd /usr/sbin/sshd -i

inetd(8) will open listening sockets with kernel TCP relay support enabled.
Whenever a connection comes in, faithd will be invoked by inetd(8). If the
connection endpoint is in the reserved IPv6 address prefix, the faithd
utility will relay the connection. Otherwise, faithd will invoke a
service-specific daemon like telnetd(8).

Access control samples
The following illustrates a simple faithd.conf setting.

# permit anyone from 3ffe:501:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
3ffe:501:ffff::/48 deny 10.0.0.0/8
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
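The last-4-octet destination mapping and the first-match, default-deny evaluation of faithd.conf directives described above, as an added Python model that is not faithd's own code: the /96 prefix and the ruleset are the page's own, while the addresses checked in comments and tests are constructed.

```python
import ipaddress

# The /96 prefix reserved for faithd in the EXAMPLES section.
FAITH_PREFIX = ipaddress.IPv6Network("3ffe:501:4819:ffff::/96")

# The sample faithd.conf from the page, embedded so the example runs offline.
SAMPLE_CONF = """\
# permit 3ffe:501:ffff::/48 to reach any IPv4 destination
# except 10.0.0.0/8 and 127.0.0.0/8; permit no other connections.
3ffe:501:ffff::/48 deny 10.0.0.0/8
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
"""

def translated_destination(dst6):
    """IPv4 target of a faith destination: its last 4 octets, e.g.
    3ffe:501:4819:ffff::0a01:0101 -> 10.1.1.1.  None outside the /96
    (such connections are not relayed by faithd at all)."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in FAITH_PREFIX:
        return None
    return ipaddress.IPv4Address(addr.packed[-4:])

def parse_rules(text):
    """Parse 'src/slen deny|permit dst/dlen' directives in file order,
    skipping blank and '#' comment lines; reject anything malformed."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3 or fields[1] not in ("deny", "permit"):
            raise ValueError(f"line {lineno}: malformed directive: {raw!r}")
        src = ipaddress.IPv6Network(fields[0], strict=False)
        dst = ipaddress.IPv4Network(fields[2], strict=False)
        rules.append((src, fields[1], dst))
    return rules

def access_allowed(rules, src6, dst6):
    """First matching rule wins; reaching the end of the ruleset denies.
    A destination outside the faith prefix has nothing to relay: False."""
    dst4 = translated_destination(dst6)
    if dst4 is None:
        return False
    src = ipaddress.IPv6Address(src6)
    for src_net, action, dst_net in rules:
        if src in src_net and dst4 in dst_net:
            return action == "permit"
    return False
```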
SEE ALSO
Jun-ichiro itojun Hagino and Kazu Yamamoto, "An IPv6-to-IPv4 transport relay
translator", RFC3142, June 2001, ftp://ftp.isi.edu/innotes/rfc3142.txt.
HISTORY
The faithd utility first appeared in the WIDE Hydrangea IPv6 protocol stack
kit.

IPv6 and IPsec support based on the KAME Project (http://www.kame.net/)
stack was initially integrated into FreeBSD 4.0.
SECURITY CONSIDERATIONS
It is very insecure to use IP-address based authentication for connections
relayed by faithd, and any other TCP relaying services.

Administrators are advised to limit accesses to faithd using faithd.conf,
or by using IPv6 packet filters. This is to protect the faithd service from
malicious parties and avoid theft of service/bandwidth. The IPv6
destination address can be limited by carefully configuring routing entries
that point to faith(4), using route(8). The IPv6 source address needs to be
filtered by using packet filters. Documents listed in SEE ALSO have more
discussion on this topic.

BSD                              May 17, 1998