Migrating to IPv6

With deadlines looming, agencies need to get serious about upgrading their data networks to the next-generation IP

The Internet is quickly running out of space. To be exact, it’s running out of the IP addresses that define where systems and devices are on the network, which guide how the data packets get from one place to another.

The more than 4 billion addresses that the current IPv4 allows — a seemingly unimaginable number when TCP/IP was deployed in the early 1980s — now look hopelessly outmatched in a world that already counts one-sixth of the population as users and envisions phones, refrigerators and even the clothes on our backs as potential nodes on the network.

Workarounds — such as Network Address Translation, which allows a single server to act as the address for all the nodes on a local network— have helped extend the life of IPv4, but they introduce other complications. The real answer is to increase the number of addresses.

Who has to make the move to IPv6, and when?
Enter IPv6. This next-generation version of IP uses a 128-bit address space, just four times more than IPv4, but that boosts the number of available unique addresses to 3.4 x 1038. That’s enough so that each person on Earth can have 50 octillion (5 x 1028).

In addition, IPv6 offers more significant benefits than its predecessor in terms of network management, security and performance.

The question for government users is how to make the move from IPv4 to IPv6.

The Office of Management and Budget simplified those issues when it issued a directive in 2005 that required all government agencies to move their backbone networks to IPv6 by June 2008 — meaning they should operate either IPv4/IPv6 dual-stack network cores or operate them only in IPv6 mode — and that agency networks must be able to interface with them.

Agencies have to meet certain milestones before June 2008. By Feb. 28, most agencies had to give OMB details of their transition plans. By June 30, they have to complete an inventory of the IP-based applications and devices on their networks and an analysis of how they expect the move to IPv6 will affect them.

As they near the 2008 deadline, agencies will include progress reports as part of their regular, annual enterprise architecture submissions to OMB.

What will the transition cost?
That could be one of the hardest things to measure, and some advise not even trying. “I think that’s a trap, because no one really knows,” said Frank Cuccias, program manager for Lockheed Martin’s IPv6 Transition Support Office. “You need to look several years ahead, account for the people who have to be trained, how much you’ll spend on lab and testing resources and so on.”

Lockheed Martin has been involved in IPv6 transition for five years yet still struggles with cost estimates. “None of the cost models people have come out with have panned out,” Cuccias said. Generally, costs can be categorized as those needed for hardware and software, and those for staff and services. Some agencies could face higher costs if they’ve tried to subsist on old hardware that will have to be switched, but most will find a lot of their newer hardware is already IPv6-capable, said Tom Kriedler, vice president and general manager of Juniper Federal Systems.

“The cost ratio for most agencies will probably work out to 80 percent for staff and services and 20 percent for hardware,” he said.

Just don’t expect any extra money to fall into your budget to help with the transition. OMB said most agencies will have to fund the IPv6 transition from their existing IT budgets.

Who needs to be involved?
Agencies that assume they can hand this off to the IT department can quickly find themselves in trouble, because the migration has much wider implications.

“We look at IPv6 transition as something that affects all the mission, fiscal, operational and security sides of the organization,” said Leslie Allen, a senior associate at Booz Allen Hamilton. “IT falls into the operations category, so if agencies look at it as just an IT problem, then they will overlook some essential things.”

A central method of winning support is to show people what IPv6 means to them and how it changes the way they conduct their daily business, said Peter Tseronis, director of network services at the Education Department.

One of the angles he took was to show people what the larger IPv6 address space would mean for such things as teleconferencing and online collaboration.

“We did reach out to people outside of the IT shop to pull our [transition] team together,” he said.

What planning is needed?
By requiring agencies to inventory their current IP-aware hardware and applications, OMB has already pushed them well along the planning path.

“Even though it seems hard for many agencies to find the cultural pivot to do it, having an adequate and complete inventory is a must,” said Jim Payne, president of federal telecom at Bechtel National. “They also need to know what their carriers and service providers have, because their existing contractors and vendors will also need to be IPv6-compliant by 2008.” That’s an important point, Cuccias said. Agencies can’t think of themselves as an island when it comes to IPv6 transition, he said. They have to think of themselves as a part of an island chain. Agencies and organizations that rely on one another “must go ahead with IPv6 transition in lock step,” Cuccias said.

About 80 percent of the success of an IPv6 transition is in the planning, he said. Get that right and the rest of the migration will be fairly low-risk and low-cost.

Will IPv6 implementation require new equipment or can existing gear be upgraded?
Unless hardware is old and nearing the end of its useful life, in which case it will be replaced according to regular refresh schedules anyway, the good news is most systems can be upgraded relatively painlessly, said Tony Hain, Cisco Systems’ senior technical leader for IPv6 technologies.

“For such things as the higher-end routers, some items may need to be replaced, and for switches it might mean the supervisor card will have to be replaced,” he said. “But, for the majority of systems, all of that can be done as part of the regular upgrade schedule.”

Can existing staff handle the transition?
Using existing staff is not only possible, it is preferable, said Bruce Fleming, chief technology officer of Verizon Federal Network Systems.

“You have to put pilots in place to test all of these [upgrades] before you put them into production, and you use the same suite of test tools as you would for IPv4, so it’s better to task engineers who know IPv4 to also learn about IPv6,” he said.

Tim LeMaster, director of systems engineering at Juniper Federal Systems, agreed that engineers currently on staff in agencies should be able to handle the transition with additional training, though he also said that training might have to differ depending on the engineer’s role.

“If people are actually implementing the changes and configuration, they will also need hands-on training,” he said. “It’s unlikely they’ll pick up the nuances of what’s needed for that from classroom training only.”

Remembering securityEven though numerous security features are built into IPv6, it would be a mistake to assume that networks and applications that are IPv6-capable are inherently more secure than their IPv4 versions.

The Government Accountability Office warned in a report issued last year that if devices such as firewalls and intrusion-detection systems were not properly configured to accommodate IPv6 features, then IPv6 traffic may not be detected or controlled, leaving systems vulnerable to attack.

The U.S. Computer Emergency Response Team specifically warned that the automatic configuration feature included in IPv6 would allow security devices to configure themselves with an IPv6 address without authorization.

“We always recommend doing models and simulations to test various [IPv6 security] systems and then build prototypes to test those models in the real world,” said Frank Cuccias, program manager for Lockheed Martin’s IPv6 Transition Support Office. “Never take them directly to a production system.”

Setting such prototypes to an optimal level and then breaking them will yield insights that will improve how IPv6 security is applied in the production environment, he said.

Agency information technology shops are usually in a comfort zone when they are dealing with network issues because that’s their business, said Leslie Allen, a senior associate at Booz Allen Hamilton. But it’s a different matter when they start dealing with intrusion detection and security applications.

“They need to realize that, when it comes to IPv6, security is a whole side to itself,” he said.

— Brian Robinson

Paying your own wayA lack of extra funds will force most agencies to make difficult choices when transitioning to IPv6. When Pete Tseronis, director of network services at the Education Department, presented an IPv6 transition business case to his bosses, he offered them a choice of three approaches: miserly, middle of the road or aggressive.

The aggressive approach included features such as money to hire extra workers or consultants or train employees who would focus specifically on the transition.

“We don’t need that, but in the long-term you have to ask where the support is coming from for the migration,” Tseronis said.

At the other end of the spectrum, the miserly option outlined the absolute minimum needed to upgrade the backbone network and routers to IPv6. But, he said, whether you upgrade one or 50 switches, you still need on-site resources for testing the upgrades.

Tseronis said he will likely end up with enough resources to start migrating to IPv6. The only certainty is that by June 2008 the department’s backbone network will be IPv6-capable.

— Brian Robinson

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above