usr.sbin/faithd/faithd.8

.\"	$NetBSD: faithd.8,v 1.18 2002/05/09 14:24:03 itojun Exp $
.\"	$KAME: faithd.8,v 1.37 2002/05/09 14:21:23 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 17, 1998
.Dt FAITHD 8
.Os
.Sh NAME
.Nm faithd
.Nd FAITH IPv6/v4 translator daemon
.Sh SYNOPSIS
.Nm
.Op Fl dp
.Op Fl f Ar configfile
.Ar service
.Op Ar serverpath Op Ar serverargs
.Nm ""
.Sh DESCRIPTION
.Nm
provides IPv6-to-IPv4 TCP relay.
.Nm
must be used on an IPv4/v6 dual stack router.
.Pp
When
.Nm
receives
.Tn TCPv6
traffic,
.Nm
will relay the
.Tn TCPv6
traffic to
.Tn TCPv4 .
Destination for relayed
.Tn TCPv4
connection will be determined by the last 4 octets of the original
.Tn IPv6
destination.
For example, if
.Li 3ffe:0501:4819:ffff::
is reserved for
.Nm Ns ,
and the
.Tn TCPv6
destination address is
.Li 3ffe:0501:4819:ffff::0a01:0101 ,
the traffic will be relayed to IPv4 destination
.Li 10.1.1.1 .
.Pp
To use
.Nm
translation service,
an IPv6 address prefix must be reserved for mapping IPv4 addresses into.
Kernel must be properly configured to route all the TCP connection
toward the reserved IPv6 address prefix into the
.Xr faith 4
pseudo interface, by using
.Xr route 8
command.
Also,
.Xr sysctl 8
should be used to configure
.Dv net.inet6.ip6.keepfaith
to
.Dv 1 .
.Pp
The router must be configured to capture all the TCP traffic
toward reserved
.Tn IPv6
address prefix, by using
.Xr route 8
and
.Xr sysctl 8
commands.
.Pp
.Nm
needs a special name-to-address translation logic, so that
hostnames gets resolved into special
.Tn IPv6
address prefix.
For small-scale installation, use
.Xr hosts 5 .
For large-scale installation, it is useful to have
a DNS server with special address translation support.
An implementation called
.Nm totd
is available
at
.Pa http://www.vermicelli.pasta.cs.uit.no/ipv6/software.html .
Make sure you do not propagate translated DNS records to normal DNS cloud,
it is highly harmful.
.Ss Daemon mode
When
.Nm
is invoked as a standalone program,
.Nm
will daemonize itself.
.Nm
will listen to
.Tn TCPv6
port
.Ar service .
If
.Tn TCPv6
traffic to port
.Ar service
is found, it relays the connection.
.Pp
Since
.Nm
listens to TCP port
.Ar service ,
it is not possible to run local TCP daemons for port
.Ar service
on the router, using
.Xr inetd 8
or other standard mechanisms.
By specifying
.Ar serverpath
to
.Nm Ns ,
you can run local daemons on the router.
.Nm
will invoke local daemon at
.Ar serverpath
if the destination address is local interface address,
and will perform translation to IPv4 TCP in other cases.
You can also specify
.Ar serverargs
for the arguments for the local daemon.
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl d
Debugging information will be generated using
.Xr syslog 3 .
.It Fl f Ar configfile
Specify a configuration file for access control.
See below.
.It Fl p
Use privileged TCP port number as source port,
for IPv4 TCP connection toward final destination.
For relaying
.Xr ftp 1
this flag is not necessary as special program code is supplied.
.El
.Pp
.Nm
will relay both normal and out-of-band TCP data.
It is capable of emulating TCP half close as well.
.Nm
includes special support for protocols used by
.Xr ftp 1 .
When translating FTP protocol,
.Nm
translates network level addresses in
.Li PORT/LPRT/EPRT
and
.Li PASV/LPSV/EPSV
commands.
.Pp
Inactive sessions will be disconnected in 30 minutes,
to avoid stale sessions from chewing up resources.
This may be inappropriate for some of the services
.Pq should this be configurable? .
.Ss inetd mode
When
.Nm
is invoked via
.Xr inetd 8 ,
.Nm
will handle connection passed from standard input.
If the connection endpoint is in the reserved IPv6 address prefix,
.Nm
will relay the connection.
Otherwise,
.Nm
will invoke service-specific daemon like
.Xr telnetd 8 ,
by using the command argument passed from
.Xr inetd 8 .
.Pp
.Nm
determines operation mode by the local TCP port number,
and enables special protocol handling whenever necessary/possible.
For example, if
.Nm
is invoked via
.Xr inetd 8
on FTP port, it will operate as a FTP relay.
.\".Pp
.\"The operation mode requires special support for
.\".Nm
.\"in
.\".Xr inetd 8 .
.Ss Access control
To prevent malicious accesses,
.Nm
implements a simple address-based access control.
With
.Pa /etc/faithd.conf
.Po
or
.Ar configfile
specified by
.Fl f
.Pc ,
.Nm
will avoid relaying unwanted traffic.
The
.Pa faithd.conf
contains directives with the following format:
.Bl -bullet
.It
.Xo
.Ic Ar src/slen Li deny Ar dst/dlen
.Xc
.Pp
If the source address of a query matches
.Ar src/slen ,
and the translated destination address matches
.Ar dst/dlen ,
deny the connection.
.It
.Xo
.Ic Ar src/slen Li permit Ar dst/dlen
.Xc
.Pp
If the source address of a query matches
.Ar src/slen ,
and the translated destination address matches
.Ar dst/dlen ,
permit the connection.
.El
.Pp
The directives are evaluated in sequence,
and the first matching entry will be effective.
If there is no match
.Pq if we reach the end of the ruleset
the traffic will be denied.
.Pp
With inetd mode,
traffic may be filtered by using access control functionality in
.Xr inetd 8 .
.Sh EXIT STATUS
.Nm
exits with
.Dv EXIT_SUCCESS
.Pq 0
on success, and
.Dv EXIT_FAILURE
.Pq 1
on error.
.Sh EXAMPLES
Before invoking
.Nm Ns ,
.Xr faith 4
interface has to be configured properly.
.Bd -literal -offset
# sysctl -w net.inet6.ip6.accept_rtadv=0
# sysctl -w net.inet6.ip6.forwarding=1
# sysctl -w net.inet6.ip6.keepfaith=1
# ifconfig faith0 up
# route add -inet6 3ffe:501:4819:ffff:: -prefixlen 96 ::1
# route change -inet6 3ffe:501:4819:ffff:: -prefixlen 96 -ifp faith0
.Ed
.Ss Daemon mode samples
To translate
.Li telnet
service, and provide no local telnet service, invoke
.Nm
as follows:
.Bd -literal -offset
# faithd telnet
.Ed
.Pp
If you would like to provide local telnet service via
.Xr telnetd 8
on
.Pa /usr/libexec/telnetd ,
use the following command line:
.Bd -literal -offset
# faithd telnet /usr/libexec/telnetd telnetd
.Ed
.Pp
If you would like to pass extra arguments to the local daemon:
.Bd -literal -offset
# faithd ftp /usr/libexec/ftpd ftpd -l
.Ed
.Pp
Here are some other examples.
You may need
.Fl p
if the service checks the source port range.
.Bd -literal -offset
# faithd ssh
# faithd telnet /usr/libexec/telnetd telnetd
.Ed
.Ss inetd mode samples
Add the following lines into
.Xr inetd.conf 5 .
.\"Syntax may vary depending upon your operating system.
.Bd -literal -offset
telnet  stream  faith/tcp6  nowait  root  faithd  telnetd
ftp     stream  faith/tcp6  nowait  root  faithd  ftpd -l
ssh     stream  faith/tcp6  nowait  root  faithd  /usr/sbin/sshd -i
.Ed
.Pp
.Xr inetd 8
will open listening sockets with enabling kernel TCP relay support.
Whenever connection comes in,
.Nm
will be invoked by
.Xr inetd 8 .
If it the connection endpoint is in the reserved IPv6 address prefix.
.Nm
will relay the connection.
Otherwise,
.Nm
will invoke service-specific daemon like
.Xr telnetd 8 .
.Ss Access control samples
The following illustrates a simple
.Pa faithd.conf
setting.
.Bd -literal -offset
# permit anyone from 3ffe:501:ffff::/48 to use the translator,
# to connect to the following IPv4 destinations:
# - any location except 10.0.0.0/8 and 127.0.0.0/8.
# Permit no other connections.
#
3ffe:501:ffff::/48 deny 10.0.0.0/8
3ffe:501:ffff::/48 deny 127.0.0.0/8
3ffe:501:ffff::/48 permit 0.0.0.0/0
.Ed
.Sh SEE ALSO
.Xr faith 4 ,
.Xr route 8 ,
.Xr sysctl 8
.Rs
.%A Jun-ichiro itojun Hagino
.%A Kazu Yamamoto
.%T "An IPv6-to-IPv4 transport relay translator"
.%B RFC3142
.%O ftp://ftp.isi.edu/in-notes/rfc3142.txt
.%D June 2001
.Re
.\"
.Sh HISTORY
The
.Nm
command first appeared in WIDE Hydrangea IPv6 protocol stack kit.
.\"
.Sh SECURITY CONSIDERATIONS
It is very insecure to use IP-address based authentication, for connections relayed by
.Nm Ns ,
and any other TCP relaying services.
.Pp
Administrators are advised to limit accesses to
.Nm
using
.Pa faithd.conf ,
or by using IPv6 packet filters.
It is to protect
.Nm
service from malicious parties and avoid theft of service/bandwidth.
IPv6 destination address can be limited by
carefully configuring routing entries that points to
.Xr faith 4 ,
using
.Xr route 8 .
IPv6 source address needs to be filtered by using packet filters.
Documents listed in
.Sx SEE ALSO
have more discussions on this topic.