IPv6 – Incapsula Support
Incapsula provides IPv6 support for websites on Incapsula’s service.
In this topic:
- Incapsula as your IPv6 gateway
- Providing the end user’s IPv4 address
- IPv4/IPv6 load balancing
- Compressing IPv6 zeros
Incapsula provides IPv6 support of both client-side and server-side IPv6 traffic. This means that IPv6 is supported both for traffic between your end users and Incapsula’s PoP and also for traffic between Incapsula’s PoP and your origin servers.
In this way, Incapsula can act as an IPv6 gateway for you, so that you can retain your IPv4 setups and Incapsula will service your clients who send IPv4 and IPv6, as needed. This saves you the significant investment of updating your origin servers’ set up to support IPv6 and allows you to service your clients without having to upgrade your servers.
For example, if your origin server only services IPv4 and an end user sends an IPv6 message, then Incapsula acts as an IPv6 gateway. Incapsula receives the IPv6 message and forwards the message to your origin server according to the server’s unique IPv4 address.
Note: Incapsula DNS servers and proxies support TCP/UDP over IPv4, and UDP over IPv6. TCP over IPv6 is not currently supported.
The question arises of how can your origin server access and parse the IP addresses of end users sending IPv6 addresses. For example, for logging and statistics.
For this purpose Incapsula adds an RFC HTTP X-Forwarded-For header to each end user request before forwarding it to your origin server. This is done in a similar manner to how each HTTP proxy adds another X-Forwarded-For header before forwarding. An X-Forwarded-For (XFF) HTTP header is an existing standard (not originating from IPv6) for identifying the originating IP address of a client connecting to a web server through an HTTP proxy.
Note: A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties.
Incapsula uses the X-Forwarded-For header to append the actual IP address of your end user.
Incapsula can append X-Forwarded-For headers that contain the end user’s IPv6 addresses. Appending this X-Forwarded-For header enables your origin server to see the actual IP address of the end users. Otherwise, the origin server does not see end users’ IP addresses, but only sees Incapsula’s IP address.
Incapsula does not activate this functionality by default because, some parsers on the origin side (mostly the ones used by logging and statistics applications), may not be able to parse IPv6 addresses and will not function properly. Therefore, in order to get this functionality, you must open a ticket and request it.
In general, an end user’s IP address is not required by applications on your origin server. This is because these applications can communicate with end users using Incapsula’s proxy IP (that was sent in the request). However, if these applications require an end user’s IP address, then it can be extracted from the X-Forwarded-For header. For example, an application might require an end user’ s IP address for statistical purposes, marketing purposes or other purposes that detect the geolocation of the end user.
The following describes how Incapsula handles the situation where you have multiple origin servers. In this case some of your origin servers are IPv4 only, some are IPv6 only and some are dual stack (IPv4 and IPv6).
The dual stack server is treated as if it is two different servers even if they are running on the same physical device.
By default Incapsula handles load balancing of IPv4 and IPv6 as follows:
- IPv4 traffic is sent to all servers.
- IPv6 traffic is only sent to the servers that support IPv6.
- However, if all your servers that support IPv6 are down, then IPv6 traffic is sent to your IPv4 servers.
Incapsula also enables you to configure load balancing so that IPv6 traffic is only sent to IPv6 servers and IPv4 traffic is only sent IPv4 servers. Alternatively, you can configure that Incapsula sends traffic to any origin server, regardless of whether it is IPv4 or IPv6.
Contact Incapsula support to configure this feature.
Note: Each IP address, regardless of whether it is IPv4 or IPv6 appears separately in the Incapsula dashboard. Traffic is not separated by server in any way. For example, in the scenario described above, each request from a different user (meaning each IP address) to any server appears separately in the Incapsula dashboard. The dual stack server appears in the Incapsula dashboard as if it is two different servers even if they are running on the same physical device.
Incapsula supports both compressed-zeroes format and non-compressed zeros format for entering IPv6 addresses
Many IPv6 addresses contain long sequences of zeros. Incapsula simplifies the representation of such IPv6 addresses, by removing contiguous sequences of zeros according to RFC conventions and using the standard library to do these conversions.
For example, the following address: 1111:0000000000:000000000:555 is represented by: 1111::555