sync document with latest kame. now uses 3ffe:501:ffff::/48 in example.
parent
9b8c74f603
commit
ed870024f2
@ -1,8 +1,7 @@
|
|||||||
Configuring FAITH IPv6-to-IPv4 TCP relay
|
Configuring FAITH IPv6-to-IPv4 TCP relay
|
||||||
|
|
||||||
Kazu Yamamoto and Jun-ichiro itojun Hagino
|
Kazu Yamamoto and Jun-ichiro itojun Hagino
|
||||||
$NetBSD: README,v 1.8 2000/07/04 20:08:32 thorpej Exp $
|
$KAME: README,v 1.6 2000/07/06 13:43:33 itojun Exp $
|
||||||
$KAME: README,v 1.5 2000/07/02 08:50:50 itojun Exp $
|
|
||||||
|
|
||||||
|
|
||||||
Introduction
|
Introduction
|
||||||
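Review bot: the `$NetBSD: README,v 1.8 ...` ident line at the top of the file is deleted and only the `$KAME:` line (now 1.6) remains. If this copy is maintained in the NetBSD tree, keep a `$NetBSD$` keyword line above `$KAME:` so local revisions of the file stay identifiable after the sync.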
@ -28,12 +27,12 @@ invoked per each TCP services (TCP port number).
|
|||||||
clients IPv6 node "src" |
|
clients IPv6 node "src" |
|
||||||
|
|
||||||
You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
|
You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
|
||||||
The following description uses 3ffe:0501:1234:ffff:: as example.
|
The following description uses 3ffe:0501:ffff:0000:: as example.
|
||||||
Please use a prefix which belongs to your site.
|
Please use a prefix which belongs to your site.
|
||||||
FAITH will make it possible to make a IPv6 TCP connection From IPv6 node
|
FAITH will make it possible to make a IPv6 TCP connection From IPv6 node
|
||||||
"src", toward IPv4 node "dest", by specifying FAITH-mapped address
|
"src", toward IPv4 node "dest", by specifying FAITH-mapped address
|
||||||
3ffe:0501:1234:ffff::123.4.5.6
|
3ffe:0501:ffff:0000::123.4.5.6
|
||||||
(which is, 3ffe:0501:1234:ffff:0000:0000:7b04:0506).
|
(which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506).
|
||||||
The address mapping can be performed by hand:-), by speical nameserver on
|
The address mapping can be performed by hand:-), by speical nameserver on
|
||||||
the network, or by special resolver on the source node.
|
the network, or by special resolver on the source node.
|
||||||
|
|
||||||
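Review bot: the replacement example lines give the FAITH prefix as `3ffe:0501:ffff:0000::` with no prefix length, while the commit message speaks of 3ffe:501:ffff::/48 and the Setup commands use `-prefixlen 64`. State the length where the prefix is introduced (for example `3ffe:0501:ffff:0000::/64`) so the reader reserves the same range that is later routed to faith0. The unchanged context line still reads "speical nameserver"; worth fixing in the same pass.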
@ -42,7 +41,7 @@ Setup
|
|||||||
=====
|
=====
|
||||||
|
|
||||||
The following example assumes:
|
The following example assumes:
|
||||||
- You have assigned 3ffe:0501:1234:ffff:: as FAITH adderss prefix.
|
- You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix.
|
||||||
- You are willing to provide IPv6-to IPv4 TCP relay for telnet.
|
- You are willing to provide IPv6-to IPv4 TCP relay for telnet.
|
||||||
|
|
||||||
<<On the translating router on which faithd runs>>
|
<<On the translating router on which faithd runs>>
|
||||||
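Review bot: the rewritten assumption line still carries the typo "adderss" (`You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix.`). Since the line is being touched anyway, correct it to "address", and consider writing "IPv6-to-IPv4" in the following line to match the document title.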
@ -57,9 +56,9 @@ The following example assumes:
|
|||||||
|
|
||||||
(3) Route packets toward FAITH prefix into "faith0" interface.
|
(3) Route packets toward FAITH prefix into "faith0" interface.
|
||||||
|
|
||||||
# ifconfig faith0 create up
|
# ifconfig faith0 up
|
||||||
# route add -inet6 3ffe:0501:1234:ffff:: -prefixlen 64 \
|
# route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1
|
||||||
fe80::xxxx:yyyy:zzzz:wwww%faith0
|
# route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0
|
||||||
|
|
||||||
(4) Execute "faithd" by root as follows:
|
(4) Execute "faithd" by root as follows:
|
||||||
|
|
||||||
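Review bot: in step (3), `ifconfig faith0 create up` becomes `ifconfig faith0 up`, which drops the interface creation step. If the target platform needs faith0 created before use, as the removed line implies, the synced instructions will fail at this command; either keep `create` or state the prerequisite. The new `route add ... ::1` followed by `route change ... -ifp faith0` also leaves the prefix routed to ::1 between the two commands, so a one-line explanation of why two steps are needed would help.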
@ -79,6 +78,9 @@ The following example assumes:
|
|||||||
# faithd ftpd /usr/libexec/ftpd ftpd -l
|
# faithd ftpd /usr/libexec/ftpd ftpd -l
|
||||||
# faithd sshd
|
# faithd sshd
|
||||||
|
|
||||||
|
If inetd(8) on your platform have special support for faithd, it is possible
|
||||||
|
to setup faithd services via inetd(8). Consult manpage for details.
|
||||||
|
|
||||||
|
|
||||||
<<Routing>>
|
<<Routing>>
|
||||||
|
|
||||||
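Review bot: the added inetd paragraph ends with "Consult manpage for details" without naming the page; say whether inetd(8) or faithd(8) is meant. "If inetd(8) on your platform have" should read "has", and a sample inetd configuration line would make the paragraph usable, given that the Access control text added later in this patch relies on the inetd-based setup.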
@ -96,7 +98,7 @@ There are two ways to translate IPv4 address to IPv6 address:
|
|||||||
(5.b) Add an entry into /etc/hosts so that you can resolve hostname into
|
(5.b) Add an entry into /etc/hosts so that you can resolve hostname into
|
||||||
faked IPv6 addrss. For example, add the following line for www.netbsd.org:
|
faked IPv6 addrss. For example, add the following line for www.netbsd.org:
|
||||||
|
|
||||||
3ffe:0501:1234:ffff::140.160.140.252 www.netbsd.org
|
3ffe:0501:ffff:0000::140.160.140.252 www.netbsd.org
|
||||||
|
|
||||||
<<On the translating router on which faithd runs.>>
|
<<On the translating router on which faithd runs.>>
|
||||||
|
|
||||||
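Review bot: the example `/etc/hosts` line pins www.netbsd.org to the literal IPv4 address 140.160.140.252 embedded in the FAITH prefix. A hard-coded address for a real host goes stale when that host is renumbered; note next to the example that the embedded IPv4 address must be kept current, or mark the value as illustrative. The context line above it still has "addrss".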
@ -108,18 +110,31 @@ in "/var/log/daemon".
|
|||||||
daemon.* /var/log/daemon
|
daemon.* /var/log/daemon
|
||||||
|
|
||||||
|
|
||||||
|
Access control
|
||||||
|
==============
|
||||||
|
|
||||||
|
Since faithd implements TCP relaying service, it is critical to implement
|
||||||
|
proper access control to cope with malicious use. Bad guy may try to
|
||||||
|
use your relay router to circumvent access controls, or may try to
|
||||||
|
abuse your network (like sending SPAMs from IPv4 address that belong to you).
|
||||||
|
Install IPv6 packet filter directives that would reject traffic from
|
||||||
|
unwanted source. If you are using inetd-based setup, you may be able to
|
||||||
|
use access control mechanisms in inetd.
|
||||||
|
|
||||||
|
|
||||||
Advanced configuration
|
Advanced configuration
|
||||||
======================
|
======================
|
||||||
|
|
||||||
If you would like to restrict IPv4 destination for translation, you may
|
If you would like to restrict IPv4 destination for translation, you may
|
||||||
want to do the following:
|
want to do the following:
|
||||||
|
|
||||||
# route add -inet6 3ffe:0501:1234:ffff::123.0.0.0 -prefixlen 104 \
|
# route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1
|
||||||
-interface faith0
|
# route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \
|
||||||
|
-ifp faith0
|
||||||
|
|
||||||
By this way, you can restrict IPv4 destination to 123.0.0.0/8.
|
By this way, you can restrict IPv4 destination to 123.0.0.0/8.
|
||||||
You may also want to reject packets toward 3ffe:0501:1234:ffff::/64 which
|
You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which
|
||||||
is not in 3ffe:0501:1234:ffff::123.0.0.0/104. This will be left as excerside
|
is not in 3ffe:0501:ffff:0000::123.0.0.0/104. This will be left as excerside
|
||||||
for the reader.
|
for the reader.
|
||||||
|
|
||||||
By doing this, you will be able to provide your IPv4 web server to outside
|
By doing this, you will be able to provide your IPv4 web server to outside
|
||||||
|
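Review bot: the new "Access control" section tells the reader to "Install IPv6 packet filter directives that would reject traffic from unwanted source" but never says which sources are wanted or shows a rule. For a relay that opens IPv4 connections on the client's behalf, the text should say which IPv6 sources are expected to reach the FAITH prefix (for instance, only the site's own clients for the general relay case) and that everything else is dropped, and it should name the inetd mechanism meant by "access control mechanisms in inetd". In the same hunk, rejecting the rest of 3ffe:0501:ffff:0000::/64 outside the /104 is still "left as excerside for the reader"; that is the step that actually enforces the destination restriction, so give the command, and fix the spelling to "exercise".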