Translating IPv4 and IPv6 connections
Yoshinobu Inoue and Jun-ichiro itojun Itoh,
$Id: index.html,v 126.96.36.199 2001/04/17 03:42:18 itojun Exp $
THE DOCUMENT IS VERY OBSOLETE.
The IPv6 specification clearly states that, in the early stage of the IPv6 transition,
an IPv6 host must speak IPv4 as well.
However, one might want to set up IPv6-only subnets,
because of the shortage of IPv4 addresses or pure curiosity :-).
In this case, you will need to configure an IPv4-v6 translating gateway
so that you can access your IPv4 mail servers via the POP protocol,
or IPv4 web servers such as yahoo.
This newsletter tries to describe what kinds of technologies are available
with the KAME stack to help communication between IPv6 hosts and IPv4 hosts.
Taxonomy of IPv4-v6 translators
There are several kinds of IPv4-v6 translators possible.
The KAME kit comes with several translation tools.
At this moment the KAME kit does not include IPv4-v6 header translation code.
As for TCP relay, we provide
SOCKS64, an IPv4/v6 capable version of SOCKS5.
As for application gateway, we provide an IPv6-capable
apache web server,
which can be used as an HTTP proxy server.
- IP header translator:
This technology works in the IP layer,
and replaces the IPv4 header with an IPv6 header.
An IP header translator is similar to the famous (and infamous) NAT,
Network Address Translator.
- TCP relay:
This technology works in the TCP layer, and relays an IPv4 TCP connection
to an IPv6 TCP connection, and vice versa, regardless of the
application protocol used over TCP.
The TCP connection is terminated at the TCP relaying gateway host.
This technology is similar to SOCKS.
- Application gateway:
This technology works in the application protocol layer (such as HTTP),
and uses an application protocol-specific mechanism.
The KAME kit also includes a (home-brew) IPv6-to-IPv4 translator called FAITH.
FAITH can be regarded as a mixture of TCP relay and application gateway
(FAITH translates any TCP connection; however, it has some knowledge of
application protocols such as ftp).
In the following section we describe how to configure the FAITH translator.
What FAITH provides
From here, please assume the following network configuration.
==+=======+== IPv4 network
==+=======+== IPv6 network
four.kame.net is an IPv4-only host, and six.kame.net
is an IPv6-only host, as the hostname suggests.
dual.kame.net is an IPv4-v6 capable router, and the
FAITH translator will be executed on this host.
Actually, dual.kame.net need not have two network interfaces.
It can perform translation with a single interface, as below:
==+=======+===============+== IPv4/v6 network
What FAITH provides is a translation service for connections originating
from an IPv6 host (six.kame.net) to an IPv4 host (four.kame.net).
FAITH reserves an IPv6 prefix from your IPv6 address space.
Suppose this to be 3ffe:0501:9999:ffff::/64
(NOTE: prefix must be grabbed from the IPv6 address pool assigned to your
If there is a TCP connection request from six.kame.net toward
3ffe:0501:9999:ffff::<IPv4 address of four.kame.net>,
it will get translated into IPv4 TCP connection toward
The FAITH daemon on dual.kame.net will make two TCP connections,
as below, and transfer data between them.
- IPv6 TCP connection between six.kame.net
and 3ffe:0501:9999:ffff::<IPv4 address of four.kame.net>.
This connection is actually made between six.kame.net and
- IPv4 TCP connection between dual.kame.net
Most configurations must be made on dual.kame.net.
There will be almost no configuration required on six.kame.net.
- First and foremost, IPv6 packets from six.kame.net must go
If not, please configure six.kame.net so that it will
throw packets to dual.kame.net.
You may find rtadvd, router advertisement daemon,
useful for this purpose.
- Confirm that you have no IPv6 network daemon working on
dual.kame.net for the translated port.
If you want to translate IPv6 telnet requests into IPv4
telnet request, you must comment out telnet in
Do not forget to do kill -HUP <inet6d's pid>.
- Set the FAITH-reserved prefix by using the faith command.
# faith -e -p 3ffe:0501:9999:ffff::
-e enables the kernel code that helps the FAITH daemon.
With this configuration, all IPv6 TCP traffic toward the FAITH-reserved IPv6
prefix will be tossed up to the application layer.
To make sure, confirm that the sysctl MIB
net.inet6.ip6.keepfaith is 1.
If not, set it to 1 by using the sysctl command:
# sysctl -w net.inet6.ip6.keepfaith=1
- Start the faithd daemon on dual.kame.net.
To translate telnet connections, please invoke:
# /usr/local/v6/sbin/faithd telnet /usr/local/v6/libexec/telnetd telnetd
faithd must be invoked for each of the services you need,
so you may want to start multiple faithd.
Refer to the manpage of faithd for details.
- Try a telnet session from six.kame.net to
3ffe:0501:9999:ffff::<IPv4 address of four.kame.net>.
The connection request will be captured by dual.kame.net
since the address matches the FAITH-reserved prefix.
faithd will accept the IPv6 TCP connection, and make an
IPv4 TCP connection toward four.kame.net.
You will find it irritating to specify
3ffe:0501:9999:ffff::<IPv4 address of four.kame.net>
every time you want a translation service.
For address conversion, there are two major ways to do it.
The first way is to use a home-brew DNS server, called newbie,
which is implemented by Yusuke Doi of the WIDE project.
It includes the address conversion function.
The second way is to have an entry in /etc/hosts.
- newbie case:
You can configure newbie nameserver on dual.kame.net,
with FAITH-friendly function enabled by the following directive:
Then, configure /etc/resolv.conf in six.kame.net to
use dual.kame.net as its nameserver.
nameserver <numeric IPv6 address of dual.kame.net>
On name queries to IPv4 hosts, newbie will return IPv6 address,
- Have lines like follows, in /etc/hosts.
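The address construction described above (FAITH-reserved prefix followed by the IPv4 address) and the /etc/hosts approach, as an added Python example that is not part of the original newsletter or the KAME kit. The IPv4 address 192.0.2.10 used for four.kame.net is a constructed documentation value, and accepting only the canonical `prefix::a.b.c.d` form is this example's own choice.

```python
import ipaddress

# FAITH-reserved prefix taken from the newsletter's example.
FAITH_PREFIX = ipaddress.IPv6Network("3ffe:0501:9999:ffff::/64")


def to_faith(ipv4, prefix=FAITH_PREFIX):
    """Place an IPv4 address in the low 32 bits of the reserved prefix."""
    if prefix.prefixlen > 96:
        raise ValueError("prefix leaves fewer than 32 bits for the IPv4 address")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def from_faith(ipv6, prefix=FAITH_PREFIX):
    """Return the embedded IPv4 target, or None if ipv6 is not a
    canonical address under the reserved prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None  # not addressed to the translator
    host_bits = int(v6) & int(prefix.hostmask)
    if host_bits >> 32:
        # Assumption of this example: bits between the prefix and the
        # IPv4 part must be zero, matching the prefix::a.b.c.d notation.
        return None
    return ipaddress.IPv4Address(host_bits)


def hosts_line(name, ipv4, prefix=FAITH_PREFIX):
    """Format one /etc/hosts entry that points name at the translator."""
    return f"{to_faith(ipv4, prefix)}\t{name}"


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 stands in for four.kame.net.
    print(hosts_line("four.kame.net", "192.0.2.10"))
    print(from_faith("3ffe:501:9999:ffff::c000:20a"))
```
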
By using the FAITH translator, an IPv4 TCP connection will be made
between the host running faithd (dual.kame.net in the example)
and the target host (four.kame.net).
As you can imagine, if a daemon on four.kame.net invokes the getpeername()
system call, it will return dual.kame.net, not six.kame.net.
Therefore, you may have some trouble logging/authenticating the connection on
For example, if you use .rhosts, or the known_hosts file used by ssh,
there may be some strange behavior.
Also, the hostname shown by wtmp will be dual.kame.net
This is because you are using TCP relay technology.
Every TCP relay or NAT technology has this problem.
There is no good way to avoid this.
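The getpeername() effect described above, reproduced as an added Python example that is not part of the original newsletter and is not faithd code. Assumptions: all three roles run on IPv4 loopback so the script works on any host, so the endpoints differ by port rather than by address family; in a FAITH setup the inbound leg would be IPv6.

```python
import socket


def listener():
    """Open a TCP listener on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(5)
    return s


def relay_once():
    """Relay one connection and report which peer each side observes."""
    backend = listener()  # plays four.kame.net
    relay = listener()    # plays the relay on dual.kame.net
    socks = [backend, relay]
    try:
        # Client (plays six.kame.net) connects to the relay, not the backend.
        client = socket.create_connection(relay.getsockname(), timeout=5)
        socks.append(client)
        inbound, relay_saw = relay.accept()
        socks.append(inbound)

        # The relay terminates that connection and opens a second one.
        outbound = socket.create_connection(backend.getsockname(), timeout=5)
        socks.append(outbound)
        served, _ = backend.accept()
        socks.append(served)

        # Data passes through unchanged; the peer identity does not.
        client.sendall(b"login\n")
        outbound.sendall(inbound.recv(64))
        return {
            "client": client.getsockname(),
            "relay_saw": relay_saw,                 # true origin, known only here
            "relay_out": outbound.getsockname(),
            "backend_saw": served.getpeername(),    # what the daemon would log
            "data": served.recv(64),
        }
    finally:
        for s in socks:
            s.close()


if __name__ == "__main__":
    for key, value in relay_once().items():
        print(f"{key:12} {value}")
```

Only the relay sees both `relay_saw` and `relay_out`, so it is the one place where the two legs of a session can be recorded side by side.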
The INET98 paper by Kazu may provide you with additional information.
Presentation foils are also available.
Copyright (c) 1998, 1999, 2000, 2001, 2002, and 2003 by the author (indicated separately). All rights reserved.
Freely redistributable. Absolutely no warranty.