Stops along the IPv6 road
After drawing the map comes the hands-on work
The Office of Management and Budget’s deadline for agencies to make the transition from IPv4 to IPv6 is less than two years away, and agencies need to know, in concrete terms, what will be required to create an IPv6 backbone. According to experts, information technology managers will need to focus their efforts on four major activities: acquiring appropriate switching and routing hardware, assuring the coexistence of IPv4 and IPv6 environments, testing the effect on production networks, and learning new security skills.
Those efforts will require new technologies and new expertise, but the transition need not be rocky. “If you have a well-managed network infrastructure with IPv4, implementing IPv6 will be just an evolutionary step,” said Rich Terzigni, senior adviser for network architecture in the Social Security Administration’s Office of Telecommunications and System Operations. “If, however, you have a stovepiped organization with firewalls between your internal groups, then you may have a problem.”
New hardware goes into place
The screwing-the-screws phase of IPv6 implementations comes after agencies have completed their inventories of IP devices to determine which ones already support IPv6, which ones need upgrading and which ones must be removed because they can’t support the new protocol.
Agencies that have recently refreshed their network technology — many organizations do this every three to five years — might already have IPv6-capable equipment in place. For those devices, agencies need to pinpoint which pieces of equipment will need to have their inherent IPv6 capabilities enabled to complete the transition.
“For IPv4 support, there’s a configuration file that explains to the device how it should treat packets as they come in and out, and you need to build a comparable version of the configuration for handling IPv6 packets,” said Tony Hain, technical leader at Cisco Systems. “For devices that are already IPv6-capable, the first step is just turning on the capability through this configuration process.”
The major network devices in an IPv6 conversion are the switches and routers that manage the flow of data within local- and wide-area networks. Routers are generally easier to convert because they use software that can be upgraded, said Bipin Mistry, director of technology at networking vendor 3Com.
Typically, a router will need an updated network operating system to support IPv6. In some cases, network administrators will need to add memory to the routers so that they can accommodate the new operating system.
Converting switches is somewhat tricker, Mistry said, because some of the chipsets and application-specific integrated circuits may need to be replaced.
One type of switch, called a stackable switch, offers a feature to ease the task. Such switches are linked together so that upgrading the operating system in one unit applies to all of the units in the chain.
Although routers and switches are important network building blocks, they are not the only devices that need IPv6 retooling. Experts advise administrators to reconfigure associated gear, such as intrusion-protection systems and WAN optimization devices, to recognize IPv6 traffic before using the version on production networks.
Dual stack will rule
Most federal networks will run a combination of IPv4 and IPv6 for some time after the 2008 deadline. “It’s an approach that allows agencies to set the stage and get themselves ready for those applications that will require IPv6 without impacting current business,” Hain said. “And as applications evolve, they can be moved [onto production networks] in a coordinated fashion.”
Another consideration as agencies move to IPv6 is ensuring they don’t create incompatibilities with their IPv4 activities, said Tom Patterson, chief executive officer at Command Information, a consulting firm specializing in IPv6. The primary way to avoid that is to use tunneling, which requires inserting IPv6 packets into the address space of IPv4 packets. The addressing sleight of hand helps IPv6 packets flow smoothly across the network to an IPv6 router, which then extracts the IPv6 packet and sends it to its destination.
“Typically, there will be islands of IPv6 where certain applications will be running that protocol while the majority of the network will be running IPv4,” Mistry said. “So there will be a gradual migration as agencies go from IPv4 to IPv6. Over time, those islands of IPv6 in an IPv4 environment will flip to become islands of IPv4 in an IPv6 environment.”
Kick the tires with a test bed
IPv6 experts say that test-bed networks are essential to keep IPv6 conversions from disrupting network operations. “We’re taking about a year to kick the tires before putting [IPv6] into production,” Terzigni said.
NASA began similar IPv6 testing about two years ago. “We have a dedicated research network that we use to test new, emerging networking technologies and applications,” said John McManus, NASA’s chief technology officer and chairman of the CIO Council’s IPv6 Working Group. The network means “we can test in a more pristine environment” than the production communication infrastructure, he said. “We don’t have to worry about impacting services to any of our critical programs or projects.”
One test criterion is evaluating the coexistence of IPv4 and IPv6 protocols, McManus said. “We wanted to understand what’s a dual-stack environment going to look like and will our legacy applications and our commercial applications function properly?” The answer so far is positive.
“We found very few problems,” he said. “I don’t think we saw any showstoppers.”
Now the agency is testing related technology elements, such as security devices and a Domain Name System server. The latter converts the host names of computers into IP addresses.
New security considerations
IPv6 offers additional security capabilities. Networking experts believe, for example, that IPSec, a component within IPv6, offers more flexible encryption and authentication of IP communications than are possible using IPv4.
The new capabilities, however, can open up new vulnerabilities if they are misused, Patterson said. IPv6 packets look so different from their IPv4 counterparts that older security systems, including firewalls and intrusion-detection systems, might not recognize them and could fail to act on them. “You want to make sure that your firewall and intrusion-detection vendors are supporting IPv6,” he said.
Agencies must also be diligent about implementing security configurations in their IPv4 routers and switches in new Version 6 devices. Otherwise, IPv6 routers that should be restricting access to a Web server, for example, may fail to do so. “Look at the security profile of the IPv4 configuration and then match that for IPv6,” Hain said.
Similarly, agencies typically route network traffic behind a firewall. With IPv6 agencies can push the security infrastructure all the way to edge devices, such as laptop computers, personal digital assistants or remote security cameras. “That makes for a much more powerful way to deploy security, but it is also very different than what people have been taught,” Patterson said. Administrators need to develop new security skills, such as configuring IPSec connections for those edge devices.
Such security issues have forced NASA to rely heavily on its testing lab. “We are going to test our intrusion-detection systems to make sure that all of them are going to provide us at a minimum with the same level of security that we have on our existing network,” McManus said.
Joch is a business and technology writer based in New England. He can be reached at firstname.lastname@example.org.