Tealeaf supports the capture, processing, and storage of IPv6, which results in these addresses being available for search, replay, and reporting.
Note: Hosting Tealeaf servers using IPv6 addresses is not supported at this time.
Internet Protocol Version 6 (IPv6) is the next-generation method for specifying internet protocol addresses. IPv4, the previous version, enabled 32-bit IP addresses, which permitted the specification of 2^32 addresses. All IPv4 address blocks have been assigned.
IPv6 enables the specification of 128-bit IP addresses, which supports the specification of 2^128 addresses. This expanded specification allows the use of device-specific IP addresses for the ever-growing set of connected devices. Other features:
- extra flexibility in allocating addresses
- efficiency for routing traffic
- eliminates the primary need for network address translation (NAT)
Note: The Tealeaf Passive Capture Application can be configured to capture IPv6 addresses, mixed IPv6 and IPv4, and to translate IPv4 to IPv6 addresses.
Note: IPv4 addresses translated to IPv6 format cannot be inserted into the PCA web console, but you can insert these values in the ctc-conf.xml file. The PCA is able to consume these addresses.
IPv4 Format
The Internet Protocol specification originally formatted IP addresses in the following manner. This format was in universal use through 2009.
In the following example, each three-digit set of values is called an octet.
AAA.BBB.CCC.DDD:EEEE
The value EEEE represents a port number and is preceded by a colon (:).
IPv6 Format
An IPv6 address is represented as a sequence of eight groups of four hexadecimal digits. The groups are separated by colons (:).
The IPv6 format provides a much larger range of potential addresses than its predecessor, IPv4.
IPv6 is becoming more prevalent on the Internet. It is specified in the following format:
2001:0db8:85a3:0000:0000:8a2e:0370:7334(8080)
Hexadecimal digits are case-insensitive but should be represented in lower case for consistency.
- Port numbers
- Since the specification utilizes the colon (:) as a separator, the colon cannot be used as the port number marker, as in IPv4:
https://langley:19000
Instead, the parentheses notation is used, as in the following example:
2001:0db8:85a3:0000:0000:8a2e:0370:7334(8080)
Note: The port number is included in parentheses (8080). For IPv6 addresses, searches using port numbers are not supported.
- Simplifications
- The full representation of eight 4-digit groups may be simplified by several techniques, eliminating parts of the representation.
- Leading zeroes
- Leading zeroes in a group can be omitted, but each group must contain at least one hexadecimal digit. In this way, the address can be simplified. For example, rather than using this address:
2001:0db8:85a3:0000:0000:8a2e:0370:7334(8080)
You can use this address:
2001:db8:85a3:0:0:8a2e:370:7334
Note: Notice the removal of two sets of leading zeroes and two sets of octets composed of zeros.
- Groups of zeroes
- One or more consecutive groups of zero values may be replaced with a single empty group using two consecutive colons (::).
- Substitution can only be applied once in an address, as multiple occurrences create an ambiguous representation.
- If more than one such substitution could be applied, the substitution that replaces the most groups should be used. If the number of groups is equal, then the leftmost substitution should be used.
With these rules, the example address is simplified even further, to this:
2001:db8:85a3::8a2e:370:7334
- Special addresses
Table 1. Special addresses
Address name | Raw address | Shortened address |
---|---|---|
The localhost (loopback) address | 0:0:0:0:0:0:0:1 | ::1 |
The IPv6 unspecified address | 0:0:0:0:0:0:0:0 | :: |
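The simplification rules above, written out as an added example (not Tealeaf code; `split_port` and `shorten` are hypothetical names). It follows this page's wording, so a single zero group is also replaced with `::`, and it reads the port from the parentheses notation.

```python
import re

# Page's notation: address followed by the port in parentheses, e.g. "...:7334(8080)".
_PORT_RE = re.compile(r"^(?P<addr>[0-9A-Fa-f:]+)(?:\((?P<port>\d{1,5})\))?$")


def split_port(text):
    """Split 'addr(port)' into (addr, port or None)."""
    m = _PORT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IPv6 address in addr(port) notation: {text!r}")
    port = int(m.group("port")) if m.group("port") else None
    return m.group("addr"), port


def shorten(full):
    """Apply the simplification rules to a full eight-group address."""
    groups = full.lower().split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"expected eight hexadecimal groups: {full!r}")
    # Leading zeroes: drop them, keeping at least one digit per group.
    groups = [g.lstrip("0") or "0" for g in groups]
    # Groups of zeroes: find the longest run; strict '>' keeps the leftmost on a tie.
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(groups)
    # The '::' substitution is applied exactly once.
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"
```
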
Supported uses of IPv6
The following uses of IPv6 addresses are supported by Tealeaf at this time:
- URLs in web applications
- Enterprise-internal IPv6 addresses for servers
Restrictions for using IPv6
Tealeaf components cannot be hosted on networks that use IPv6 addresses at this time.
Capturing and normalizing IPv6 addresses
To make IPv6 addresses available for search, addresses of either IPv4 or IPv6 format must be captured and normalized to a format that is known to the Tealeaf indexing and search processes. Tealeaf supports two methods of capturing and translating addresses.
If you have deployed PCA Build 3501 or later, you can enable the capability to capture IPv6 addresses. IPv4 addresses can be translated into an IPv6 format for indexing and search.
Note: If you cannot upgrade to PCA Build 3501 or later at this time, you must deploy the Inflate session agent in every Windows processing pipeline in order to support indexing and search of IPv6 addresses.
You can configure the Web Console to accept IPv6 addresses by default.
Data insertions into the request - IPv6 format
When IPv6 capture is enabled and IPv6 addresses are detected in the capture stream, the following variables are inserted into the [env] section of the request:
...
IPV6_XLAT=False
IPV6=True
...
REMOTE_ADDR=fe80::20b:dbff:fe93:a462
LOCAL_ADDR=fe80::213:72ff:fe67:ed26
SERVER_NAME=fe80::213:72ff:fe67:ed26
IPV6_REMOTE_ADDR=FE80:0000:0000:0000:020B:DBFF:FE93:A462
IPV6_LOCAL_ADDR=FE80:0000:0000:0000:0213:72FF:FE67:ED26
IPV6_SERVER_NAME= fe80::213:72ff:fe67:ed26
...
- IPV6_XLAT
- When IPV6 is set to True, a value of True for this option indicates that IP addresses inserted into the request contain IPv4 addresses and should be translated.
- IPV6
- If True, indicates that the captured traffic is IPv6.
- REMOTE_ADDR
- The raw IP address, as captured, for the remote address may be in IPv6 or IPv4 format.
This value may be inserted by the PCA.
- LOCAL_ADDR
- The raw IP address, as captured, for the local address may be in IPv6 or IPv4 format.
This value may be inserted by the PCA.
Note: This value may be compressed for IPv6 format.
- SERVER_NAME
- Existing field name can now accept IPv6 data.
SERVER_NAME is not indexed.
- IPV6_REMOTE_ADDR
- The REMOTE_ADDR value rendered in IPv6 uncompressed format.
This value may be inserted by the PCA.
- IPV6_LOCAL_ADDR
- The LOCAL_ADDR value rendered in IPv6 uncompressed format.
This value may be inserted by the PCA.
- IPV6_SERVER_NAME
- New field name is used to store the SERVER_NAME value in uncompressed IPv6 format.
IPv6 Translate mode
In IPv6 Translate mode, the PCA translates IPv4-native addresses into a format that is readable using components on the Tealeaf Windows servers. The PCA inserts the following fields in the request. In addition to the above fields, the original values for the following are inserted:
- IPV6_REMOTE_ADDR_ORIG
- IPV6_LOCAL_ADDR_ORIG
- IPV6_SERVER_NAME_ORIG
IPV6_XLAT=True
IPV6=True
REMOTE_ADDR=254.147.164.98
LOCAL_ADDR=254.103.237.38
SERVER_NAME=254.103.237.38
...
IPV6_REMOTE_ADDR=0000:0000:0000:0000:0000:FFFF:FE93:A462
IPV6_LOCAL_ADDR=0000:0000:0000:0000:0000:FFFF:FE67:ED26
IPV6_SERVER_NAME=0000:0000:0000:0000:0000:FFFF:FE67:ED26
...
IPV6_REMOTE_ADDR_ORIG=FE80:0000:0000:0000:020B:DBFF:FE93:A462
IPV6_LOCAL_ADDR_ORIG=FE80:0000:0000:0000:0213:72FF:FE67:ED26
IPV6_SERVER_NAME_ORIG=FE80:0000:0000:0000:0213:72FF:FE67:ED26
- IPV6_REMOTE_ADDR_ORIG
- Contains the original IPv6 address for the REMOTE_ADDR before it is translated.
- IPV6_LOCAL_ADDR_ORIG
- Contains the original IPv6 address for the LOCAL_ADDR before it is translated.
- IPV6_SERVER_NAME_ORIG
- Contains the original IPv6 address for the SERVER_NAME before it is translated.
Data insertions into the request - IPv4 format
If the PCA detects IPv4 addresses, the following fields are inserted in the request.
IPV6_XLAT=False
IPV6=False
REMOTE_ADDR=10.10.20.105
LOCAL_ADDR=152.163.17.33
SERVER_NAME=152.163.17.33
IPV6_REMOTE_ADDR=0000:0000:0000:0000:0000:FFFF:0A0A:1469
IPV6_LOCAL_ADDR=0000:0000:0000:0000:0000:FFFF:98A3:1121
IPV6_SERVER_NAME=0000:0000:0000:0000:0000:FFFF:98A3:1121
For indexing purposes, the IPv4 source addresses are converted into an IPv6 format and inserted into the following destination variables in the request:
IPv4 source | Source example | IPv6 destination | Destination example |
---|---|---|---|
REMOTE_ADDR | 10.10.20.105 | IPV6_REMOTE_ADDR | |
LOCAL_ADDR | 152.163.17.33 | IPV6_LOCAL_ADDR | |
SERVER_NAME | 152.163.17.33 | IPV6_SERVER_NAME | |
Inflate session agent support for IPv6
If the PCA cannot be upgraded to an IPv6-supported build at this time, you must deploy the Inflate session agent to insert the appropriate values in the request for indexing and search of IPv6 addresses.
When hits are passed through pipelines containing the Inflate session agent, the following IPv6-compatible fields are inserted into the request, if they are not already present:
- IPV6_REMOTE_ADDR
- IPV6_LOCAL_ADDR
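The IPv4-to-IPv6 conversion from the table above and the insert-if-absent behavior described for the Inflate session agent, as an added example (not Tealeaf code; `to_indexed`, `parse_env` and `fill_ipv6_fields` are hypothetical names). It assumes the uncompressed uppercase layout shown in the sample requests, and an analyst can pass a search term through the same function so it matches the indexed form.

```python
import ipaddress

# Raw request variable -> indexed variable, as listed in the table above.
FIELD_MAP = {
    "REMOTE_ADDR": "IPV6_REMOTE_ADDR",
    "LOCAL_ADDR": "IPV6_LOCAL_ADDR",
    "SERVER_NAME": "IPV6_SERVER_NAME",
}

# Sample [env] lines built from the values on this page.
SAMPLE_ENV = """\
IPV6_XLAT=False
IPV6=False
...
REMOTE_ADDR=10.10.20.105
LOCAL_ADDR=152.163.17.33
SERVER_NAME=152.163.17.33
"""


def to_indexed(value):
    """Render an IPv4 or IPv6 address as eight uppercase four-digit groups."""
    addr = ipaddress.ip_address(value.strip())
    n = int(addr)
    if addr.version == 4:
        # IPv4 occupies the low 32 bits behind an FFFF group, as in the page's samples.
        n |= 0xFFFF << 32
    return ":".join(f"{(n >> shift) & 0xFFFF:04X}" for shift in range(112, -1, -16))


def parse_env(text):
    """Parse NAME=value lines, skipping '...' markers and blank lines."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            env[name.strip()] = value.strip()
    return env


def fill_ipv6_fields(env):
    """Add IPV6_* fields only where they are not already present."""
    out = dict(env)
    for src, dst in FIELD_MAP.items():
        if src in env and dst not in env:
            try:
                out[dst] = to_indexed(env[src])
            except ValueError:
                pass  # assumption: SERVER_NAME may hold a host name, which is skipped
    return out
```
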
Reporting for IPv6
Reporting objects may need to be reviewed and modified to accommodate the IP address configuration in your network environment.
After IPv6 data capture has been deployed, values in the reporting data may be changed, depending on your configuration options.
Dimensions
The Server dimension provided by Tealeaf is defined to capture values from the REMOTE_ADDR request variable. If you have enabled the X-FORWARDING feature in the PCA to pull data from a different request field containing IPv6-formatted addresses, the content of your Server dimension is changed.
Until the dimension data is purged, it might be difficult to produce consistent reporting data if IPv4 addresses are being translated into IPv6 format.
After you have enabled capture of IPv6 data and have enabled IPv4 translation into IPv6, do the following:
- If possible, consider purging any dimensions that capture IP addresses of their data.
- If dimension purge is not acceptable, all report users should be informed of the date on which the IPv6 switch was enabled. Dimension data before and after the switch will differ for the same values.
Other IP-related event objects
Any objects that you have created to capture IP addresses should be reviewed to verify that they are sourced from the proper hit data.