arkime / aws-aio

Apache License 2.0

Investigate IPV6 Compatibility #123

Open chelma opened 1 year ago

chelma commented 1 year ago

Description

Investigate what, if any, changes are required to support IPV6. This includes both for specifying Capture and Viewer VPC CIDRs and for capturing traffic in a target VPC.

Acceptance Criteria

chelma commented 1 year ago

Per Traffic Mirroring docs - "Traffic mirroring is not supported for IPv6-only subnets."

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-limits.html

chelma commented 1 year ago

It turns out that IPv6-only is a checkbox when making a subnet in an IPv6 enabled VPC. A subnet can have both an IPv4 and IPv6 CIDR simultaneously, or you can do just one of those two. This means you can’t mirror traffic from ENIs in a subnet with that checkbox ticked, but could do so in a mixed IPv4/IPv6 subnet or an IPv4-only subnet.
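A pre-flight check based on the distinction above, added here as an example and not code from the aws-aio project: it classifies subnets as IPv4-only, dual-stack or IPv6-only and flags the IPv6-only ones as ineligible Traffic Mirror sources. The field names (`CidrBlock`, `Ipv6Native`, `Ipv6CidrBlockAssociationSet`) follow the shape of EC2 `DescribeSubnets` output; the subnet records and CIDRs are constructed sample data, not a real account.

```python
"""Pre-flight check: which subnets can host Traffic Mirror source ENIs?"""
import ipaddress

# Constructed sample shaped like EC2 DescribeSubnets output (documentation prefixes, no real account).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-aaaa0001", "CidrBlock": "10.0.1.0/24",
     "Ipv6Native": False, "Ipv6CidrBlockAssociationSet": []},
    {"SubnetId": "subnet-aaaa0002", "CidrBlock": "10.0.2.0/24",
     "Ipv6Native": False,
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:1::/64",
                                      "Ipv6CidrBlockState": {"State": "associated"}}]},
    {"SubnetId": "subnet-aaaa0003",  # the "IPv6-only" checkbox: no IPv4 CIDR at all
     "Ipv6Native": True,
     "Ipv6CidrBlockAssociationSet": [{"Ipv6CidrBlock": "2001:db8:2::/64",
                                      "Ipv6CidrBlockState": {"State": "associated"}}]},
]


def classify_subnet(subnet):
    """Return 'ipv4-only', 'dual-stack' or 'ipv6-only' for one DescribeSubnets entry."""
    v4 = subnet.get("CidrBlock")
    v6 = [a["Ipv6CidrBlock"] for a in subnet.get("Ipv6CidrBlockAssociationSet", [])
          if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"]
    # Parse every CIDR so a malformed record raises instead of passing silently.
    if v4:
        ipaddress.IPv4Network(v4)
    for cidr in v6:
        ipaddress.IPv6Network(cidr)
    if subnet.get("Ipv6Native") or not v4:
        return "ipv6-only"
    return "dual-stack" if v6 else "ipv4-only"


def mirror_eligible(subnet):
    """Traffic Mirroring is not supported for IPv6-only subnets; dual-stack and IPv4-only are fine."""
    return classify_subnet(subnet) != "ipv6-only"


def audit(subnets):
    """Map SubnetId -> (kind, eligible) so a CLI can refuse to create sessions for ineligible subnets."""
    return {s["SubnetId"]: (classify_subnet(s), mirror_eligible(s)) for s in subnets}


if __name__ == "__main__":
    for sid, (kind, ok) in audit(SAMPLE_SUBNETS).items():
        print(f"{sid}: {kind:10s} mirror_source={'yes' if ok else 'NO'}")
```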

chelma commented 1 year ago

Thinking this through a bit more, what we need to do is actually test this out with a real VPC and see what happens. It could be the real limitation is the inability to make filtering rules for IPv6 CIDRs, or that you cannot create a Target Session against an ENI in an IPv6 subnet, which changes how we want to handle things in the CLI. IPv6-enabled (but not IPv6-only) subnets will also have an IPv4 CIDR associated with them so it may be the case that all filtering must be done with IPv4.

Next step is to add IPv6 to our Demo VPC(s) and see how this works.

chelma commented 1 year ago

Some useful links on how to do IPv6 w/ VPC in CDK. It's not obvious how to do this.

chelma commented 1 year ago

After further investigation, the value proposition of IPv6 support seems unclear. Putting this task down for now in favor of more urgent work, but may return in the future.