The Tealeaf CX Passive Capture Application can be configured to capture of IPv6 addresses.
Note: Hosting of Tealeaf servers by using IPv6 addresses is not supported. The processing of IPv6 addresses for search, replay, and reporting purposes is supported. Enabling the capture of the PCA is available by request only.
Overview of IPv6
Internet Protocol Version 6 (IPv6) is the next-generation method for specifying Internet Protocol addresses. IPv4, the previous version, enabled 32-bit IP addresses, which permitted the specification of 2 32 addresses. All IPv4 address blocks are assigned.
IPv6 enables the specification of 128-bit IP addresses, which supports the specification of 2 128 addresses. This expanded specification allows the use of device-specific IP addresses for the ever-growing set of connected devices. Other features:
- Extra flexibility in allocating addresses
- Efficiency for routing traffic
- Eliminates the primary need for network address translation (NAT)
While IPv6 is supported on all major operating systems, IPv6 does not implement native interoperability features with IPv4. Typically, interoperability of the two network that is addressing schemes requires a dual network stack (a stack for each).
Note: The Tealeaf CX Passive Capture Application can be configured to capture IPv6 only, IPv4 only, and mixed IPv6 and IPv4, and IPv6 with embedded IPv4.
Note: IPv6 with embedded IPv4 cannot be inserted into the PCA Web Console, but you can insert these values in the ctc-conf.xml
file. The PCA is able to use these addresses.
IPv4 Format
The Internet Protocol specification originally formatted IP addresses in the following manner. This format was in universal use through 2009.
AAA.BBB.CCC.DDD:EEEE
In the above, each three-digit set of values is called an octet.
- The value
EEEE
represents a port number and is preceded by a colon(:)
.
IPv6 Format
An IPv6 address is represented as a sequence of eight groups of four hexadecimal digits. The groups are separated by colons (:
).
The IPv6 format is designed to succeed the IP4 format, as it provides a much larger range of potential addresses. IPv6 is displayed more frequently on the Internet. It is specified in the following format:
2001:0db8:85a3:0000:0000:8a2e:0370:7334(8080)
Hexadecimal digits are not case-sensitive but must be represented in lowercase for consistency.
Port numbers
Since the specification uses the colon (:
) as a separator, the colon cannot be used as the port number marker, as in IPv4:
https://langley:19000
Instead, the parentheses notation is used, as in the following example:
2001:0db8:85a3:0000:0000:8a2e:0370:7334(8080)
Note: The port number is included in parentheses (8080)
. For IPv6 addresses, searches by using port numbers are not supported.
Simplifications
The full representation of eight-4-digit groups can be simplified by several techniques, eliminating parts of the representation.
Leading zeroes in a group can be omitted, but each group must contain at least one hexadecimal digit. The previous example address can be simplified as:
2001:db8:85a3:0:0:8a2e:370:7334
The removal of two sets of leading zeros and two sets of octets that are composed of zeros.
One or more consecutive groups of zero values can be replaced with a single empty group by using two consecutive colons (::
).
- Substitution can only be applied once in an address, as multiple occurrences create an ambiguous representation.
- If more than one such substitution can be applied, the substitution that replaces the most groups must be used. If the number of groups is equal, then the leftmost substitution must be used.
With these rules, the example address is further simplified:
2001:db8:85a3::8a2e:370:7334
Special addresses
Address Name | Raw Address | Shortened Address |
---|---|---|
The localhost (loopback) address | 0:0:0:0:0:0:0:1 |
::1 |
The IPv6 unspecified address | 0:0:0:0:0:0:0:0 |
:: |
Methods for capturing and translating IP addresses
To make IPv6 addresses available for search, addresses of either IPv4 or IPv6 format must be captured. These addresses are normalized to a format that is known to Tealeaf indexing and search processes.
Tealeaf supports two methods of capturing and translating addresses:
- PCA: When PCA Build 3501 or later is deployed, capture of IPv6 addresses can be enabled. IPv4 addresses can be translated into an IPv6 format for indexing and search.
- Inflate session agent: If the PCA cannot be upgraded to a IPv6-supported build now, you must deploy the Inflate session agent to insert the appropriate values in the request for indexing and search of IPv6 addresses.
PCA Support for IPv6
The CX Passive Capture Application can be configured to capture IPv6 addresses. PCA can apply compression to those addresses, and enable configuration by using IPv6 addresses.
Note: IPv6 cannot be enabled through the PCA Web Console. For more information, contact Support.
Data insertion into the request
Data insertions into the request involve the IPv6 format and translate mode.
IPv6 format
When IPv6 capture is enabled and IPv6 addresses are detected in the capture stream, the following variables are inserted into the [env]
section of the request:
[env]
...
IPV6_XLAT=False
IPV6=True
...
REMOTE_ADDR=fe80::20b:dbff:fe93:a462
LOCAL_ADDR=fe80::213:72ff:fe67:ed26
SERVER_NAME=fe80::213:72ff:fe67:ed26
IPV6_REMOTE_ADDR=FE80:0000:0000:0000:020B:DBFF:FE93:A462
IPV6_LOCAL_ADDR=FE80:0000:0000:0000:0213:72FF:FE67:ED26
IPV6_SERVER_NAME= fe80::213:72ff:fe67:ed26
...
Field | Description |
---|---|
IPV6_XLAT |
When IPv6 is set to True , this option, if True , indicates whether IP addresses inserted into the request contain IPv4 addresses and must be translated. |
IPV6 |
Indicates if captured traffic is IPv6, if True . |
REMOTE_ADDR |
The raw IP address, as captured, for the remote address can be in IPv6 or IPv4 format. This value can be inserted by the PCA and can be compressed for IPv6 format. |
LOCAL_ADDR |
The raw IP address, as captured, for the local address can be in IPv6 or IPv4 format. This value can be inserted by the PCA and can be compressed for IPv6 format. |
SERVER_NAME |
Existing field name can now accept IPv6 data.
Note:
SERVER_NAME is not indexed. |
IPV6_REMOTE_ADDR |
The REMOTE_ADDR value that is rendered in IPv6 uncompressed format . This value can be inserted by the PCA. |
IPV6_LOCAL_ADDR |
The LOCAL_ADDR value that is rendered in IPv6 uncompressed format. This value can be inserted by the PCA. |
IPV6_SERVER_NAME |
New field name is used to store SERVER_NAME value in uncompressed IPv6 format. |
IPv6 Translate mode
In IPv6 Translate mode, the PCA translates IPv4-native addresses into a format that is readable by using components on the Windows™ servers. The PCA inserts the following fields in the request. In addition to the fields, the original values for the following are inserted:
IPV6_REMOTE_ADDR_ORIG
IPV6_LOCAL_ADDR_ORIG
IPV6_SERVER_NAME_ORIG
Example:
IPV6_XLAT=True
IPV6=True
REMOTE_ADDR=254.147.164.98
LOCAL_ADDR=254.103.237.38
SERVER_NAME=254.103.237.38
?
IPV6_REMOTE_ADDR=0000:0000:0000:0000:0000:FFFF:FE93:A462
IPV6_LOCAL_ADDR=0000:0000:0000:0000:0000:FFFF:FE67:ED26
IPV6_SERVER_NAME=0000:0000:0000:0000:0000:FFFF:FE67:ED26
?
IPV6_REMOTE_ADDR_ORIG=FE80:0000:0000:0000:020B:DBFF:FE93:A462
IPV6_LOCAL_ADDR_ORIG=FE80:0000:0000:0000:0213:72FF:FE67:ED26
IPV6_SERVER_NAME_ORIG=FE80:0000:0000:0000:0213:72FF:FE67:ED26
Field | Description |
---|---|
IPV6_REMOTE_ADDR_ORIG |
Contains the original IPv6 address for the REMOTE_ADDR before it is translated. |
IPV6_LOCAL_ADDR_ORIG |
Contains the original IPv6 address for the LOCAL_ADDR before it is translated. |
IPV6_SERVER_NAME_ORIG |
Contains the original IPv6 address for the SERVER_NAME before it is translated. |