That is why Rabobank has IPv6 - RIPE 74

External facing IPv6
Friso Feenstra, Network Specialist

Why IPv6

2014 investigation:
• Is IPv6 necessary for our corporate websites (www.rabobank.nl)
• Is IPv6 necessary for our internal network

My expectation: NO!!!! No IPv6
• Internal addressing: private (17 million addresses)
• External addressing: Rabobank IP space 145.72.0.0/16 (65.000 addresses)
• Internet for office: NAT44 to provider IP space
• Migration costs time and money
• Migration risk

Still to investigate: Are there reasons for IPv6 for Rabobank?

Investigation: Why IPv6

• What happens with IP addresses for
  • Websites
  • Third parties
  • Customers
• If we stay on IPv4 will we miss something
• Can we postpone migration for the coming years:
  • Other parties can get the experience
  • Bugs and errors have been solved
  • We have more time
  • Best practices can be developed

Currently no problem: websites relevant for Rabobank banking will be reachable through IPv4 for the coming years.
But what about financial websites in countries with little IPv4 space???

For the coming years no problem: communication with NAT or proxy in DMZ.

Customers connected through ISPs (KPN, Vodafone, Ziggo, etc.)
ISPs have IPv4 space for existing customers
New customers? New networks?

Investigation: Why IPv6
New customers? New networks?

• New networks – new customers
  • 3G/4G
  • Wifi
  • New areas
  • Mergers
• IPv4 NAT is used as solution
  • Expensive solution
  • Not for all customers
  • Recovery after disruption
• Alternative: IPv6 + IPv4 NAT
  • Because all main content is available on IPv6

So more and more customers will be behind NAT if we don’t act.
Is that a problem???

Investigation: Why IPv6
More customers behind IPv4 NAT. Problem??

• Security Operations Centre
  “The majority of the SOC tooling for protection of customer traffic becomes unreliable or unusable”
  Reason: Tooling is often based on IP addresses, for instance blocking one IP address leads to blocking whole groups of customers
• Transaction monitoring, within FEC (Financial Economic Crime)
  “IP address is one of the more important pillars for detection of Phishing”
  “Many security components will lose effectiveness”
• VCM (Virtual Channel Monitoring), within FEC
  “More than 15% customers traffic behind provider NAT is not acceptable”
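
The SOC and VCM concerns above can be measured from session logs. This added example (not part of the original slides) counts distinct customers per source address, compares the share of sessions from shared sources with the 15% limit quoted by VCM, and lists who else is hit when one address is blocked. The sample sessions, the `SHARED_MIN_CUSTOMERS` cut-off and the /64 grouping for IPv6 are assumptions.

```python
import ipaddress
from collections import defaultdict

NAT_LIMIT = 0.15          # VCM limit quoted on the slide: 15% of customer traffic
SHARED_MIN_CUSTOMERS = 3  # assumption: 3 or more customers on one source means NAT

# Constructed sample sessions (source address, customer id). Not real data.
SESSIONS = [
    ("198.51.100.7", "c01"), ("198.51.100.7", "c02"), ("198.51.100.7", "c03"),
    ("198.51.100.7", "c04"), ("203.0.113.20", "c05"), ("203.0.113.21", "c06"),
    ("2001:db8:a:1::10", "c07"), ("2001:db8:a:1:9c2f::1", "c07"),
    ("2001:db8:b:2::5", "c08"), ("192.0.2.99", "c09"), ("192.0.2.99", "c10"),
]

def source_key(addr: str) -> str:
    """IPv4: the address itself. IPv6: its /64 (assumed per-customer prefix)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(ip)

def customers_per_source(sessions):
    """Map each source key to the set of customers seen behind it."""
    seen = defaultdict(set)
    for addr, customer in sessions:
        seen[source_key(addr)].add(customer)
    return dict(seen)

def shared_sources(sessions):
    """Sources where one block or reputation hit affects a group of customers."""
    return {k: v for k, v in customers_per_source(sessions).items()
            if len(v) >= SHARED_MIN_CUSTOMERS}

def nat_share(sessions) -> float:
    """Fraction of sessions that arrive from shared sources."""
    shared = shared_sources(sessions)
    hits = sum(1 for addr, _ in sessions if source_key(addr) in shared)
    return hits / len(sessions)

def collateral(sessions, addr: str, offender: str):
    """Customers other than the offender who lose access if addr is blocked."""
    everyone = customers_per_source(sessions).get(source_key(addr), set())
    return sorted(everyone - {offender})

if __name__ == "__main__":
    print(f"behind shared sources: {nat_share(SESSIONS):.0%} (limit {NAT_LIMIT:.0%})")
    print("blocking 198.51.100.7 also hits:", collateral(SESSIONS, "198.51.100.7", "c01"))
```
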

Investigation: Why IPv6

• What happens with IP addresses for
  • Websites
  • Third parties
  • Customers
• If we stay on IPv4 will we miss something
• Can we postpone migration for the coming years:
  • Other parties can get the experience
  • Bugs and errors have been solved
  • We have more time
  • Best practices can be developed

But once there will be IPv6-only:
  • Features
  • Applications
  • Websites
that we need!!!

• When is this going to happen
• When will we know this
• How much lead time do we have
• Is this enough

Expectation: 2018-2025
.5–1 year in advance
NO!!!

Approach

• External facing IPv6 project
  • Started Q2-3 2015
  • IPv6 until external Load Balancer
  • Multiple departments involved
    • Networking (tooling, training and technical aspects)
    • Security Operations Centre (monitoring, DDOS mitigation, IPDS, etc.)
    • VCM (reporting, fraud prevention, anti-phishing), etc.
  • Project per department for department activities, with governance project for communication and timelines
  • Finished: www.rabobank.nl → 2a02:cc4:2000::10
• IPv6 internal project
  • Planned to start in 2017
  • Three levels (network, platform, applications)
  • Target: network + platform → dual stack; applications if possible IPv6

Topology for main external facing Rabobank websites

Layers, in the order shown on the slide (IP versions handled in parentheses):
• Internet (IPv4, IPv6)
• EK (4 & 6)
• External Load Bal. (4 & 6)
• DDOS IPDS (4 & 6)
• Content Inspection (4 & 6)
• Internal Load Bal. (4 & 6)
• Content Processing (4)

Callouts:
• Two load balancers? IPv4 & IPv6 session state!
• Internet peering
• SSL offloading, X-forward RFC 7239
• Clear text
• Triggers IPDS Defense
• LTM IPv4 SNAT
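
With IPv6 handled up to the load balancers and an IPv4-only back end behind SNAT, the original client address reaches content processing only in a header. This added example (not from the original slides) parses the RFC 7239 `Forwarded` header and accepts it only from a trusted peer, so logging and monitoring see the IPv6 client rather than the SNAT address. The peer address `10.20.0.5` and the single trusted hop are assumptions.

```python
import ipaddress

# Assumption: SNAT address of the internal load balancer, the only peer
# allowed to present a Forwarded header to the IPv4-only back end.
TRUSTED_PEERS = {ipaddress.ip_address("10.20.0.5")}
TRUSTED_HOPS = 1   # assumption: exactly one proxy of ours appends an element

def _split(value: str, sep: str):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def forwarded_for(header: str):
    """Return the for= node of each forwarded-element, left to right."""
    nodes = []
    for element in _split(header, ","):
        for pair in _split(element, ";"):
            name, _, val = pair.partition("=")
            if name.strip().lower() == "for":   # parameter names are case-insensitive
                nodes.append(val.strip().strip('"'))
    return nodes

def node_to_ip(node: str):
    """Parse 192.0.2.1, 192.0.2.1:80, [2001:db8::1] or [2001:db8::1]:80."""
    host = node[1:node.index("]")] if node.startswith("[") else node.split(":")[0]
    return ipaddress.ip_address(host)   # ValueError for "unknown" or "_obfuscated"

def client_ip(peer: str, header: str):
    """Address to log and feed to monitoring for this request."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PEERS or not header:
        return peer_ip                  # header absent, or not sent by our proxy
    try:
        # Only the rightmost element was written by our own proxy;
        # anything further left is supplied by the client and is ignored.
        return node_to_ip(forwarded_for(header)[-TRUSTED_HOPS])
    except (ValueError, IndexError):
        return peer_ip
```

Backslash escapes inside quoted strings are not handled; a header using them falls back to the peer address or is read without unescaping.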
Q&A??