Incapsula provides IPv6 support for websites on Incapsula’s service.
In this topic:
- What is IPv6?
- The transition from IPv4 to IPv6
- Incapsula as your IPv6 gateway
- Providing the end user’s IP address
- IPv4/IPv6 load balancing
- Compressing IPv6 zeros
IPv6 (Internet Protocol Version 6) is the successor to Internet Protocol Version 4 (IPv4). IPv6 is being deployed to fulfill the need for more Internet addresses. The growth of the Internet will soon use up the IPv4 addresses.
IPv6 uses 128-bit addresses that enable up to 2128 addresses (three hundred and forty trillion, trillion trillion unique IP addresses), which is a lot more than IPv4.
An example IPv6 address is:
IPv6 is designed to allow the Internet to grow significantly, both in terms of the number of connected hosts and the total amount of data traffic transmitted.
Currently, IPv4 is still the prevalent Internet Protocol used for addresses. Only a small percentage of traffic is currently transmitted via IPv6 (maybe less than 5% of total Internet traffic). A variety of Internet leaders, governments and regulation entities throughout the world are leading the migration to IPv6.
The new IPv6 will coexist with the older IPv4 for some time, possibly for many years. The two protocols are not designed to be interoperable, thus complicating the transition to IPv6. However, several IPv6 transition mechanisms have been devised to permit communication between IPv4 and IPv6 hosts.
Incapsula provides IPv6 support of both client-side and server-side IPv6 traffic. This means that IPv6 is supported both for traffic between your end users and Incapsula’s PoP and also for traffic between Incapsula’s PoP and your origin servers.
In this way, Incapsula can act as an IPv6 gateway for you, so that you can retain your IPv4 setups and Incapsula will service your clients who send IPv4 and IPv6, as needed. This saves you the significant investment of updating your origin servers’ set up to support IPv6 and allows you to service your clients without having to upgrade your servers.
For example, if your origin server only services IPv4 and an end user sends an IPv6 message, then Incapsula acts as an IPv6 gateway. Incapsula receives the IPv6 message and forwards the message to your origin server according to the server’s unique IPv4 address. Incapsula does not convert IPv6 addresses to IPv4.
Note: Incapsula DNS servers and proxies support TCP/UDP over IPv4, and UDP over IPv6. TCP over IPv6 is not currently supported.
The question arises of how your origin server can access and parse the IP addresses of end users sending IPv6 addresses. For example, for logging and statistics.
For this purpose Incapsula adds an RFC HTTP X-Forwarded-For header to each end user request before forwarding it to your origin server. This is done in a similar manner to how each HTTP proxy adds another X-Forwarded-For header before forwarding. An X-Forwarded-For (XFF) HTTP header is an existing standard (not originating from IPv6) for identifying the originating IP address of a client connecting to a web server through an HTTP proxy.
Note: A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties.
Incapsula uses the X-Forwarded-For header to append the actual IP address of your end user.
Incapsula can append X-Forwarded-For headers that contain the end user’s IPv6 addresses. Appending this X-Forwarded-For header enables your origin server to see the actual IP address of the end users. Otherwise, the origin server does not see end users’ IP addresses, but only sees Incapsula’s IP address.
Incapsula does not activate this functionality by default because, some parsers on the origin side (mostly the ones used by logging and statistics applications), may not be able to parse IPv6 addresses and will not function properly. Therefore, in order to get this functionality, you must open a ticket and request it.
In general, an end user’s IP address is not required by applications on your origin server. This is because these applications can communicate with end users using Incapsula’s proxy IP (that was sent in the request). However, if these applications require an end user’s IP address, then it can be extracted from the X-Forwarded-For header. For example, an application might require an end user’ s IP address for statistical purposes, marketing purposes or other purposes that detect the geolocation of the end user.
The following describes how Incapsula handles the situation where you have multiple origin servers. In this case some of your origin servers are IPv4 only, some are IPv6 only and some are dual stack (IPv4 and IPv6).
The dual stack server is treated as if it is two different servers even if they are running on the same physical device.
By default Incapsula handles load balancing of IPv4 and IPv6 as follows:
- IPv4 traffic is sent to all servers.
- IPv6 traffic is only sent to the servers that support IPv6.
- However, if all your servers that support IPv6 are down, then IPv6 traffic is sent to your IPv4 servers.
Incapsula also enables you to configure load balancing so that IPv6 traffic is only sent to IPv6 servers and IPv4 traffic is only sent IPv4 servers. Alternatively, you can configure that Incapsula sends traffic to any origin server, regardless of whether it is IPv4 or IPv6.
Contact Incapsula support to configure this feature.
Note: Each IP address, regardless of whether it is IPv4 or IPv6 appears separately in the Incapsula dashboard. Traffic is not separated by server in any way. For example, in the scenario described above, each request from a different user (meaning each IP address) to any server appears separately in the Incapsula dashboard. The dual stack server appears in the Incapsula dashboard as if it is two different servers even if they are running on the same physical device.
Incapsula supports both compressed-zeroes format and non-compressed zeros format for entering IPv6 addresses
Many IPv6 addresses contain long sequences of zeros. Incapsula simplifies the representation of such IPv6 addresses, by removing contiguous sequences of zeros according to RFC conventions and using the standard library to do these conversions.
For example, the following address: 1111:0000000000:000000000:555 is represented by: 1111::555