sync document with latest kame. now uses 3ffe:501:ffff::/48 in example.

This commit is contained in:
itojun 2000-09-14 00:30:23 +00:00
parent 9b8c74f603
commit ed870024f2

View File

@ -1,8 +1,7 @@
Configuring FAITH IPv6-to-IPv4 TCP relay Configuring FAITH IPv6-to-IPv4 TCP relay
Kazu Yamamoto and Jun-ichiro itojun Hagino Kazu Yamamoto and Jun-ichiro itojun Hagino
$NetBSD: README,v 1.8 2000/07/04 20:08:32 thorpej Exp $ $KAME: README,v 1.6 2000/07/06 13:43:33 itojun Exp $
$KAME: README,v 1.5 2000/07/02 08:50:50 itojun Exp $
Introduction Introduction
@ -28,12 +27,12 @@ invoked per each TCP services (TCP port number).
clients IPv6 node "src" | clients IPv6 node "src" |
You will have to allocate an IPv6 address prefix to map IPv4 addresses into. You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
The following description uses 3ffe:0501:1234:ffff:: as example. The following description uses 3ffe:0501:ffff:0000:: as example.
Please use a prefix which belongs to your site. Please use a prefix which belongs to your site.
FAITH will make it possible to make a IPv6 TCP connection From IPv6 node FAITH will make it possible to make a IPv6 TCP connection From IPv6 node
"src", toward IPv4 node "dest", by specifying FAITH-mapped address "src", toward IPv4 node "dest", by specifying FAITH-mapped address
3ffe:0501:1234:ffff::123.4.5.6 3ffe:0501:ffff:0000::123.4.5.6
(which is, 3ffe:0501:1234:ffff:0000:0000:7b04:0506). (which is, 3ffe:0501:ffff:0000:0000:0000:7b04:0506).
The address mapping can be performed by hand:-), by speical nameserver on The address mapping can be performed by hand:-), by speical nameserver on
the network, or by special resolver on the source node. the network, or by special resolver on the source node.
@ -42,7 +41,7 @@ Setup
===== =====
The following example assumes: The following example assumes:
- You have assigned 3ffe:0501:1234:ffff:: as FAITH adderss prefix. - You have assigned 3ffe:0501:ffff:0000:: as FAITH adderss prefix.
- You are willing to provide IPv6-to IPv4 TCP relay for telnet. - You are willing to provide IPv6-to IPv4 TCP relay for telnet.
<<On the translating router on which faithd runs>> <<On the translating router on which faithd runs>>
@ -57,9 +56,9 @@ The following example assumes:
(3) Route packets toward FAITH prefix into "faith0" interface. (3) Route packets toward FAITH prefix into "faith0" interface.
# ifconfig faith0 create up # ifconfig faith0 up
# route add -inet6 3ffe:0501:1234:ffff:: -prefixlen 64 \ # route add -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 ::1
fe80::xxxx:yyyy:zzzz:wwww%faith0 # route change -inet6 3ffe:0501:ffff:0000:: -prefixlen 64 -ifp faith0
(4) Execute "faithd" by root as follows: (4) Execute "faithd" by root as follows:
@ -79,6 +78,9 @@ The following example assumes:
# faithd ftpd /usr/libexec/ftpd ftpd -l # faithd ftpd /usr/libexec/ftpd ftpd -l
# faithd sshd # faithd sshd
If inetd(8) on your platform have special support for faithd, it is possible
to setup faithd services via inetd(8). Consult manpage for details.
<<Routing>> <<Routing>>
@ -96,7 +98,7 @@ There are two ways to translate IPv4 address to IPv6 address:
(5.b) Add an entry into /etc/hosts so that you can resolve hostname into (5.b) Add an entry into /etc/hosts so that you can resolve hostname into
faked IPv6 addrss. For example, add the following line for www.netbsd.org: faked IPv6 addrss. For example, add the following line for www.netbsd.org:
3ffe:0501:1234:ffff::140.160.140.252 www.netbsd.org 3ffe:0501:ffff:0000::140.160.140.252 www.netbsd.org
<<On the translating router on which faithd runs.>> <<On the translating router on which faithd runs.>>
@ -108,18 +110,31 @@ in "/var/log/daemon".
daemon.* /var/log/daemon daemon.* /var/log/daemon
Access control
==============
Since faithd implements TCP relaying service, it is critical to implement
proper access control to cope with malicious use. Bad guy may try to
use your relay router to circumvent access controls, or may try to
abuse your network (like sending SPAMs from IPv4 address that belong to you).
Install IPv6 packet filter directives that would reject traffic from
unwanted source. If you are using inetd-based setup, you may be able to
use access control mechanisms in inetd.
Advanced configuration Advanced configuration
====================== ======================
If you would like to restrict IPv4 destination for translation, you may If you would like to restrict IPv4 destination for translation, you may
want to do the following: want to do the following:
# route add -inet6 3ffe:0501:1234:ffff::123.0.0.0 -prefixlen 104 \ # route add -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 ::1
-interface faith0 # route change -inet6 3ffe:0501:ffff:0000::123.0.0.0 -prefixlen 104 \
-ifp faith0
By this way, you can restrict IPv4 destination to 123.0.0.0/8. By this way, you can restrict IPv4 destination to 123.0.0.0/8.
You may also want to reject packets toward 3ffe:0501:1234:ffff::/64 which You may also want to reject packets toward 3ffe:0501:ffff:0000::/64 which
is not in 3ffe:0501:1234:ffff::123.0.0.0/104. This will be left as excerside is not in 3ffe:0501:ffff:0000::123.0.0.0/104. This will be left as excerside
for the reader. for the reader.
By doing this, you will be able to provide your IPv4 web server to outside By doing this, you will be able to provide your IPv4 web server to outside