Translating IPv4 and IPv6 connections

Yoshinobu Inoue and Jun-ichiro itojun Itoh, KAME Project
$Id: index.html,v 2001/04/17 03:42:18 itojun Exp $
IPv6 specification clearly states that, in the early stage of IPv6 transition, an IPv6 host must speak IPv4 as well. However, one might want to setup IPv6-only subnets, because of the shortage of IPv4 addresses or pure curiosity:-). In this case, you will need to configure a IPv4-v6 translating gateway so that you can access your IPv4 mail servers via POP protocol, or IPv4 web servers such as yahoo.

This newsletter tries to describe what kind of technologies are available with KAME stack, to help communication between IPv6 hosts and IPv4 hosts.

Taxonomy of IPv4-v6 translators

There are several kind of IPv4-v6 translators possible. KAME kit comes with several translation tools. At this moment KAME kit does not include IPv4-v6 header translation code. As for TCP relay, we provide SOCKS64, an IPv4/v6 capable version of SOCKS5. As for application gateway, we provide IPv6-capable apache web server, which can be used as http proxy server.

KAME kit also include (our home-brew) IPv6-to-IPv4 translator called FAITH. FAITH can be regarded as an mixture of TCP relay and application gateway (FAITH translates any TCP connection, however, it has some knowledge of application protocols such as ftp). In the following section we describe how to configure FAITH translator.

What FAITH provides

From here, please assume the following network configuration.
==+=======+== IPv4 network
	==+=======+== IPv6 network
		  | is an IPv4-only host, and is an IPv6-only host, as the hostname suggests. is IPv4-v6 capable router, and on this host FAITH translator will be executed. Actually, need not have two network interfaces. It can perform translation with single interface, as below:
  |			  |
==+=======+===============+== IPv4/v6 network
What FAITH provide is an translation service for connection originating from IPv6 host ( to IPv4 host (

FAITH reserves an IPv6 prefix from your IPv6 address space. Suppose this to be 3ffe:0501:9999:ffff::/64 (NOTE: prefix must be grabbed from the IPv6 address pool assigned to your organization/laboratory). If there is an TCP connection request from toward 3ffe:0501:9999:ffff::<IPv4 address of>, it will get translated into IPv4 TCP connection toward FAITH daemon on will make two TCP connection, as below, and transfers data between those.

Configuring FAITH

Most configurations must be made on There will be almost no configuration required on
  1. First and foremost, IPv6 packets from must go through If not, please configure so that it will throw packets to You may find rtadvd, router advertisement daemon, useful for this purpose.
  2. Confirm that you have no IPv6 network daemon working on for the translated port. If you are willing to translate IPv6 telnet request into IPv4 telnet request, you must comment out telnet in /usr/local/v6/etc/inet6d.conf. Do not forget to do kill -HUP <inet6d's pid>.
  3. Set FAITH-reserved prefix, by using faith command.
    # faith -e -p 3ffe:0501:9999:ffff::
    -e is for enabling kernel code to help FAITH daemon. By this configuration, all the IPv6 TCP toward FAITH-reserved IPv6 prefix will be tossed up to the application layer. To make sure, confirm that sysctl MIB net.inet6.ip6.keepfaith is 1. If not, set it to 1 by using sysctl command:
    # sysctl -w net.inet6.ip6.keepfaith=1
  4. Start faithd daemon on To translate telnet connection, please invoke:
    # /usr/local/v6/sbin/faithd telnet /usr/local/v6/libexec/telnetd telnetd
    faithd must be invoked for each of the services you need, so you may want to start multiple faithd. Refer to the manpage of faithd for details.
  5. Try a telnet session from to 3ffe:0501:9999:ffff::<IPv4 address of>. The connection request will be captured by since the address matches the FAITH-reserved prefix. faithd will accept the IPv6 TCP connection, and makes a IPv4 TCP connection toward

Advanced configuration

You will find it irritating to specify 3ffe:0501:9999:ffff::<IPv4 address of> every time you want a translation service.

For address conversion, there are two major ways to do it. The first way is to use a home-brew DNS server, called newbie, which is implemented by Yusuke Doi of WIDE project. It includes the address conversion function.
The next way is to have an entry in /etc/hosts.

Some notice

By using FAITH translator, IPv4 TCP connection will be made between a host running faithd ( in the example) and the target host ( As you can imagine, if a daemon on invokes getpeername() system call, it will return, not Therefore, you may have some trouble logging/authenticating the connection on For example, if you use .rhosts or known_hosts used by ssh, thre may be some strange behavior. Also, the hostname shown by wtmp will be (not This is because you are using TCP relay technology. Every TCP relay or NAT technology has this problem. There is no good way to avoid this.

Further readings

INET98 paper by Kazu may provide you additional information. Presentation foil is also available.
KAME top page
Copyright (c) 1998, 1999, 2000, 2001, 2002, and 2003 by the author (indicated separately). All rights reserved. Freely redistributable. Absolutely no warranty.