faith translator deamon, from KAME

1 files changed, 138 insertions, 0 deletions

diff --git a/usr.sbin/faithd/README b/usr.sbin/faithd/README
new file mode 100644
index 00000000000..10ada6fa328
--- /dev/null
+++ b/usr.sbin/faithd/README
@@ -0,0 +1,138 @@
+Configuring FAITH IPv6-to-IPv4 TCP relay
+
+Kazu Yamamoto and Jun-ichiro itojun Hagino
+$Id: README,v 1.1 1999/12/20 16:07:42 itojun Exp $
+
+
+Introduction
+============
+
+FAITH is a IPv6-to-IPv4 TCP relay.  It performs tcp relay just as some of
+firewall-oriented gateway does, but between IPv6 and IPv4 with address
+address translation.
+TCP connections has to be made from IPv6 node to to IPv4 node.  FAITH will
+not relay connections for the opposite direction.
+To perform relays, FAITH daemon needs to be executed on a router between
+your local IPv6 site and outside IPv4 network.  The daemon needs to be
+invoked per each TCP services (TCP port number).
+
+	IPv4 node "dest" = 123.4.5.6
+		|
+	[[[[ outside IPv4 ocean ]]]]
+		|
+	node that runs FAITH-daemon (usually a router)
+		|
+	==+=====+===+==== IPv6, or IPv4/v6 network in your site ^
+	  |	    |						| connection
+	clients	  IPv6 node "src"				|
+
+You will have to allocate an IPv6 address prefix to map IPv4 addresses into.
+The following description uses 3ffe:0501:1234:ffff:: as example.
+Please use a prefix which belongs to your site.
+FAITH will make it possible to make a IPv6 TCP connection From IPv6 node
+"src", toward IPv4 node "dest", by specifying FAITH-mapped address
+3ffe:0501:1234:ffff::123.4.5.6
+(which is, 3ffe:0501:1234:ffff:0000:0000:7b04:0506).
+The address mapping can be performed by hand:-), by speical nameserver on
+the network, or by special resolver on the source node.
+
+
+Setup
+=====
+
+The following example assumes:
+- You have assigned 3ffe:0501:1234:ffff:: as FAITH adderss prefix.
+- You are willing to provide IPv6-to IPv4 TCP relay for telnet.
+
+<<On the translating router on which faithd runs>>
+
+(1) If you have IPv6 TCP server for the "telnet" service, i.e. telnetd via
+    inet6d, disable that daemon.  Comment out the line from "inet6d.conf"
+    and send the HUP signal to "inet6d".
+
+(2) Execute sysctl as root to enable FAITH support in the kernel.
+
+        # sysctl -w net.inet6.ip6.keepfaith=1
+
+(3) Route packets toward FAITH prefix into "faith0" interface.
+
+	# ifconfig faith0 up
+	# route add -inet6 3ffe:0501:1234:ffff:: -prefixlen 64 -interface faith0
+
+	or, on platforms that has problem with "-interface":
+	# ifconfig faith0 up
+	# route add -inet6 3ffe:0501:1234:ffff:: -prefixlen 64 \
+		fe80:q::xxxx:yyyy:zzzz:wwww
+	(the last one is link-local address assigned for faith0)
+
+(4) Execute "faithd" by root as follows:
+
+	# faithd telnet /usr/local/v6/libexec/telnetd telnetd
+
+    1st argument is a service name you are willing to provide TCP relay.
+	(it can be specified either by number "23" or by string "telnet")
+    2nd argument is a path name for local IPv6 TCP server.  If there is a
+    connection toward the router itself, this program will be invoked.
+    3rd and the following arguments are arguments for the local IPv6 TCP
+    server.  (3rd argument is typically the program name without its path.)
+
+    More examples:
+
+	# faithd login /usr/local/v6/libexec/rlogin rlogind
+	# faithd shell /usr/local/v6/libexec/rshd rshd
+	# faithd ftpd /usr/local/v6/libexec/ftpd ftpd -l
+	# faithd sshd
+
+
+<<Routing>>
+
+(4) Make sure that packets whose destinations match the prefix can
+reach from the IPv6 host to the translating router.
+
+<<On the IPv6 host>>
+
+There are two ways to translate IPv4 address to IPv6 address:
+	(a) Faked by DNS
+	(b) Faked by /etc/hosts.
+
+(5.a) Install "newbie" and set up FAITH mode. See kit/ports/newbie.
+
+(5.b) Add an entry into /etc/hosts so that you can resolve hostname into
+faked IPv6 addrss.  For example, add the following line for www.netbsd.org:
+
+	3ffe:0501:1234:ffff::140.160.140.252	www.netbsd.org
+
+<<On the translating router on which faithd runs.>>
+
+(6) To see if "faithd" works, watch "/var/log/daemon". Note: please
+setup "/etc/syslog.conf" so that LOG_DAEMON messages are to be stored
+in "/var/log/daemon".
+
+	<e.g.>
+	daemon.*   /var/log/daemon
+
+
+Advanced configuration
+======================
+
+If you would like to restrict IPv4 destination for translation, you may
+want to do the following:
+
+	# route add -inet6 3ffe:0501:1234:ffff::123.0.0.0 -prefixlen 104 \
+		-interface faith0
+
+By this way, you can restrict IPv4 destination to 123.0.0.0/8.
+You may also want to reject packets toward 3ffe:0501:1234:ffff::/64 which
+is not in 3ffe:0501:1234:ffff::123.0.0.0/104.  This will be left as excerside
+for the reader.
+
+By doing this, you will be able to provide your IPv4 web server to outside
+IPv6 customers, without risks of unwanted open relays.
+
+	[[[[ IPv6 network outside ]]]]			| 
+		|					| connection
+	node that runs FAITH-daemon (usually a router)	v
+		|
+	========+======== IPv4/v6 network in your site 
+		|			(123.0.0.0/8)
+	IPv4 web server