Translating IPv4 and IPv6 connections

Yoshinobu Inoue and Jun-ichiro itojun Itoh, KAME Project
$Id: index.html,v 1.1 2001/04/17 03:42:18 itojun Exp $
THE DOCUMENT IS VERY OBSOLETE.
The IPv6 specification clearly states that, in the early stage of IPv6 transition, an IPv6 host must speak IPv4 as well. However, one might want to set up IPv6-only subnets, because of the shortage of IPv4 addresses or pure curiosity :-). In this case, you will need to configure an IPv4-v6 translating gateway so that you can access your IPv4 mail servers via the POP protocol, or IPv4 web servers such as yahoo.

This newsletter tries to describe what kinds of technologies are available with the KAME stack to help communication between IPv6 hosts and IPv4 hosts.

Taxonomy of IPv4-v6 translators

There are several kinds of IPv4-v6 translators possible. The KAME kit comes with several translation tools. At this moment the KAME kit does not include IPv4-v6 header translation code. As for TCP relay, we provide SOCKS64, an IPv4/v6 capable version of SOCKS5. As for application gateway, we provide an IPv6-capable apache web server, which can be used as an http proxy server.

The KAME kit also includes (our home-brew) IPv6-to-IPv4 translator called FAITH. FAITH can be regarded as a mixture of TCP relay and application gateway (FAITH translates any TCP connection; however, it has some knowledge of application protocols such as ftp). In the following section we describe how to configure the FAITH translator.

What FAITH provides

From here, please assume the following network configuration.
four.kame.net
  |
==+=======+== IPv4 network
	  |
	dual.kame.net
	  |
	==+=======+== IPv6 network
		  |
		six.kame.net
four.kame.net is an IPv4-only host, and six.kame.net is an IPv6-only host, as the hostnames suggest. dual.kame.net is an IPv4-v6 capable router, and the FAITH translator will be executed on this host. Actually, dual.kame.net need not have two network interfaces. It can perform translation with a single interface, as below:
four.kame.net		six.kame.net
  |			  |
==+=======+===============+== IPv4/v6 network
	  |
	dual.kame.net
What FAITH provides is a translation service for connections originating from an IPv6 host (six.kame.net) to an IPv4 host (four.kame.net).

FAITH reserves an IPv6 prefix from your IPv6 address space. Suppose this to be 3ffe:0501:9999:ffff::/64 (NOTE: the prefix must be taken from the IPv6 address pool assigned to your organization/laboratory). If there is a TCP connection request from six.kame.net toward 3ffe:0501:9999:ffff::<IPv4 address of four.kame.net>, it will get translated into an IPv4 TCP connection toward four.kame.net. The FAITH daemon on dual.kame.net will make two TCP connections, as below, and transfer data between them.

Configuring FAITH

Most configurations must be made on dual.kame.net. There will be almost no configuration required on six.kame.net.
  1. First and foremost, IPv6 packets from six.kame.net must go through dual.kame.net. If not, please configure six.kame.net so that it will send packets to dual.kame.net. You may find rtadvd, the router advertisement daemon, useful for this purpose.
  2. Confirm that you have no IPv6 network daemon working on dual.kame.net for the translated port. If you want to translate IPv6 telnet requests into IPv4 telnet requests, you must comment out telnet in /usr/local/v6/etc/inet6d.conf. Do not forget to do kill -HUP <inet6d's pid>.
  3. Set the FAITH-reserved prefix by using the faith command.
    # faith -e -p 3ffe:0501:9999:ffff::
    
    -e enables the kernel code that helps the FAITH daemon. With this configuration, all IPv6 TCP traffic toward the FAITH-reserved IPv6 prefix will be passed up to the application layer. To make sure, confirm that the sysctl MIB net.inet6.ip6.keepfaith is 1. If not, set it to 1 by using the sysctl command:
    # sysctl -w net.inet6.ip6.keepfaith=1
    
  4. Start the faithd daemon on dual.kame.net. To translate telnet connections, please invoke:
    # /usr/local/v6/sbin/faithd telnet /usr/local/v6/libexec/telnetd telnetd
    
    faithd must be invoked for each of the services you need, so you may want to start multiple faithd instances. Refer to the manpage of faithd for details.
  5. Try a telnet session from six.kame.net to 3ffe:0501:9999:ffff::<IPv4 address of four.kame.net>. The connection request will be captured by dual.kame.net since the address matches the FAITH-reserved prefix. faithd will accept the IPv6 TCP connection and make an IPv4 TCP connection toward four.kame.net.

Advanced configuration

You will find it irritating to specify 3ffe:0501:9999:ffff::<IPv4 address of four.kame.net> every time you want a translation service.

For address conversion, there are two major ways to do it. The first way is to use a home-brew DNS server, called newbie, which is implemented by Yusuke Doi of the WIDE project. It includes the address conversion function.
The second way is to have an entry in /etc/hosts.
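
The address conversion described above, as an added example (not part of the original newsletter or the KAME kit): it embeds an IPv4 address in the FAITH-reserved prefix, recovers it again, and renders /etc/hosts entries for the IPv6-only host. The prefix is the one used on this page; the IPv4 address 192.0.2.10 for four.kame.net and all function names are assumptions made for illustration.

```python
import ipaddress

# Prefix from the page's example. 192.0.2.10 (documentation range) is a
# constructed stand-in for the real IPv4 address of four.kame.net.
FAITH_PREFIX = ipaddress.IPv6Network("3ffe:0501:9999:ffff::/64")


def to_faith(ipv4, prefix=FAITH_PREFIX):
    """Embed an IPv4 address in the low 32 bits of the reserved prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def from_faith(ipv6, prefix=FAITH_PREFIX):
    """Return the embedded IPv4 address, or None if ipv6 is not of the
    form <prefix>::<IPv4 address>."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None  # not covered by the FAITH-reserved prefix
    host_bits = int(v6) & ((1 << 64) - 1)
    # Assumption of this example: bits 32..63 must be zero, so that only
    # addresses written exactly as <prefix>::a.b.c.d are accepted.
    if host_bits >> 32:
        return None
    return ipaddress.IPv4Address(host_bits)


def hosts_lines(names, prefix=FAITH_PREFIX):
    """Render /etc/hosts lines from a {hostname: IPv4 address} mapping."""
    return [f"{to_faith(addr, prefix)}\t{name}"
            for name, addr in sorted(names.items())]


if __name__ == "__main__":
    # Constructed sample input; paste the output into /etc/hosts on six.kame.net.
    for line in hosts_lines({"four.kame.net": "192.0.2.10"}):
        print(line)
```

Listing only the hosts you intend to reach keeps the set of translated destinations explicit on the IPv6-only side.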

Some notes

When using the FAITH translator, an IPv4 TCP connection will be made between the host running faithd (dual.kame.net in the example) and the target host (four.kame.net). As you can imagine, if a daemon on four.kame.net invokes the getpeername() system call, it will return dual.kame.net, not six.kame.net. Therefore, you may have some trouble logging/authenticating the connection on four.kame.net. For example, if you use .rhosts or known_hosts used by ssh, there may be some strange behavior. Also, the hostname shown by wtmp will be dual.kame.net (not six.kame.net). This is because you are using TCP relay technology. Every TCP relay or NAT technology has this problem. There is no good way to avoid this.

Further readings

The INET98 paper by Kazu may provide you with additional information. Presentation foils are also available.