Investigate IPV6 Compatibility #123

chelma opened this issue Sep 12, 2023 · 5 comments
Labels
enhancement New feature or request

chelma commented Sep 12, 2023

Description

Investigate what, if any, changes are required to support IPV6. This includes both for specifying Capture and Viewer VPC CIDRs and for capturing traffic in a target VPC.

Acceptance Criteria

  • Create new issues to cover fixing any areas where there is an incompatibility
  • Update the README to specify whether the CLI is or is not compatible with IPV6

chelma added the enhancement (New feature or request) label Sep 12, 2023

chelma commented Sep 13, 2023

Per Traffic Mirroring docs - "Traffic mirroring is not supported for IPv6-only subnets."

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-limits.html


chelma commented Sep 14, 2023

It turns out that IPv6-only is a checkbox when making a subnet in an IPv6 enabled VPC. A subnet can have both an IPv4 and IPv6 CIDR simultaneously, or you can do just one of those two. This means you can’t mirror traffic from ENIs in a subnet with that checkbox ticked, but could do so in a mixed IPv4/IPv6 subnet or an IPv4-only subnet.
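
The subnet distinction described in the comment above, as an added example that is not part of the original thread or the project's code: a pre-flight check that sorts subnet records into IPv4-only, dual-stack and IPv6-only and marks IPv6-only subnets as ineligible mirror sources, per the documented limit quoted earlier. The function names and sample records are constructed for illustration; the field names follow the EC2 DescribeSubnets response shape.

```python
from ipaddress import ip_network

# Constructed sample records in the shape of EC2 DescribeSubnets output.
def _v6(cidr, state="associated"):
    return {"Ipv6CidrBlock": cidr, "Ipv6CidrBlockState": {"State": state}}

SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "10.0.1.0/24",
     "Ipv6Native": False, "Ipv6CidrBlockAssociationSet": []},
    {"SubnetId": "subnet-bbbb2222", "CidrBlock": "10.0.2.0/24",
     "Ipv6Native": False,
     "Ipv6CidrBlockAssociationSet": [_v6("2001:db8:0:1a00::/64")]},
    {"SubnetId": "subnet-cccc3333", "Ipv6Native": True,
     "Ipv6CidrBlockAssociationSet": [_v6("2001:db8:0:1b00::/64")]},
    # A disassociated IPv6 block must not make a subnet count as dual-stack.
    {"SubnetId": "subnet-dddd4444", "CidrBlock": "10.0.4.0/24",
     "Ipv6Native": False,
     "Ipv6CidrBlockAssociationSet": [_v6("2001:db8:0:1c00::/64", "disassociated")]},
]


def classify_subnet(subnet):
    """Return 'ipv4-only', 'dual-stack' or 'ipv6-only' for one subnet record."""
    v4 = subnet.get("CidrBlock")
    v6 = [a["Ipv6CidrBlock"]
          for a in subnet.get("Ipv6CidrBlockAssociationSet", [])
          if a.get("Ipv6CidrBlockState", {}).get("State") == "associated"]
    # Parse every CIDR so a malformed or mislabelled record fails loudly.
    if v4 and ip_network(v4).version != 4:
        raise ValueError(f"CidrBlock is not IPv4: {v4}")
    if any(ip_network(c).version != 6 for c in v6):
        raise ValueError(f"non-IPv6 block in association set: {v6}")
    if subnet.get("Ipv6Native") or (v6 and not v4):
        return "ipv6-only"
    if not v4:
        raise ValueError(f"{subnet.get('SubnetId')}: no usable CIDR")
    return "dual-stack" if v6 else "ipv4-only"


def mirror_source_report(subnets):
    """Map SubnetId -> (kind, eligible); IPv6-only subnets are not eligible."""
    report = {}
    for s in subnets:
        kind = classify_subnet(s)
        report[s["SubnetId"]] = (kind, kind != "ipv6-only")
    return report


if __name__ == "__main__":
    for subnet_id, (kind, ok) in mirror_source_report(SAMPLE_SUBNETS).items():
        print(f"{subnet_id}: {kind:10} mirror source {'allowed' if ok else 'blocked'}")
```
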


chelma commented Sep 15, 2023

Thinking this through a bit more, what we need to do is actually test this out with a real VPC and see what happens. It could be the real limitation is the inability to make filtering rules for IPv6 CIDRs, or that you cannot create a Target Session against an ENI in an IPv6 subnet, which changes how we want to handle things in the CLI. IPv6-enabled (but not IPv6-only) subnets will also have an IPv4 CIDR associated with them so it may be the case that all filtering must be done with IPv4.

Next step is to add IPv6 to our Demo VPC(s) and see how this works.

chelma self-assigned this Sep 15, 2023

chelma commented Sep 15, 2023

Some useful links on how to do IPv6 w/ VPC in CDK. It's not obvious how to do this.


chelma commented Sep 22, 2023

After further investigation, the value proposition of IPv6 support seems unclear. Putting this task down for now in favor of more urgent work, but may return in the future.

chelma removed their assignment Dec 7, 2023