Connecting with the rest of the world could soon require the use of IPv6, and agencies should begin preparing now to use the new protocols.
Most government agencies don’t have a dire need to implement the next generation of Internet protocols internally in the near future, but maintaining full connectivity with the rest of the world could soon require the use of IPv6, industry experts say.
With large allocations of IPv4 addresses still available in much of the .gov domain and the use of Network Address Translation as a way to extend the life of IPv4, there is unlikely to be a shortage of address space in the enterprise. But outside the enterprise and especially outside North America, IPv6 soon will be used to enable a multitude of new devices and services that will comprise a growing portion of the global Internet.
“The government is faced with a real need to address the shift externally,” said former National Security Agency Deputy Director Bill Crowell.
Agencies will need to enable infrastructure that connects to the Internet for IPv6 to ensure that outside users of the protocols will continue to have access to public resources available on the Web and ensure that agencies have access to outside resources.
“We would expect to see most organizations deploying it on the Internet side of the network before implementing it internally,” said Cricket Liu, vice president of architecture at Infoblox. “That is where you are going to see the rollout begin. You want to make everything accessible.”
Government officials have known for some time that the depleting pool of available IPv4 addresses will eventually require a shift to IPv6, with its much larger address space. The pool is expected to be exhausted by the end of 2011, according to most estimates, and possibly as early as the end of this year, according to others. But the move to IPv6 has been slow to take off, said Crowell, who sits on a new technical advisory board established by BlueCat Networks for its federal customers.
Preparing for the adoption of IPv6 is one of the board’s primary concerns.
“In some respects, the transition from IPv4 to IPv6 is like Y2K, except that the date keeps slipping,” Crowell said. Y2K presented the threat that computers would not function properly when the calendar flipped from 1999 to 2000, but it had the advantage of a firm deadline for fixing possible problems. Not so with IPv6. “From 2004 to 2009, it slipped quite dramatically,” Crowell said.
The IPv6 transition is being delayed by the number of elements in the networking infrastructure, both hardware and software, that must adapt to the new protocols. Vendors are making IPv6-compliant products available, but many of the products still must make their way through the acquisition process and onto networks, and agencies don't have a specific budget for that process.
“They are doing it as budget permits,” said former CIA CTO Bob Flores, another member of the BlueCat advisory board. It will take time to complete those acquisitions. “Absent something breaking, they are not likely to replace it” outside of the normal refresh cycle just to get IPv6 capability. “It’s coming. But anything that is budget-related is hard to predict.”
Change might be slow in coming, but there are steps that agencies can take now to ease the way for the inevitable transition.
“One of the things they will have to do early on is an audit of their equipment” to see what is and is not ready to handle IPv6, Liu said.
Most up-to-date desktop and server operating systems support IPv6, as does core networking equipment such as routers. That will help the first stages of the transition, which will focus on Internet-facing portions of networks. However, many elements inside the enterprise, such as printers, probably are not ready.
“The hardest part is to identify the parts of the network that are not compatible and realize that, at some point, you will have to jettison them,” Flores said.
One of the most troublesome areas for IPv6 compatibility is likely to be with network security tools. Those tools are starting to include functionality for the new protocols, but performance of the next-generation tools might not match that of tools already in use.
“That will change gradually” as vendors wait for demand to grow, Liu said. “They are not making a lot of revenue from the IPv6 features of their products.”
2. Handle Diversity
IPv4 is not going away. Even when the new functionality becomes available, “you won’t be doing IPv6 only,” Liu said.
There are three primary techniques for handling both sets of protocols on a network: dual stacking, which allows equipment to handle both protocols; translating, which converts one set of protocols to another; and tunneling, which encapsulates packets from one set of protocols inside packets of the other.
Liu, Crowell and Flores agree that most organizations are looking at dual stacking as the preferred method of handling diversity.
You will need to select management tools for your IPv6-enabled network. Those tools will need to understand and work with the new protocols. And ideally, they would be able to work with both sets of protocols so that you can have a single view of the segments that are using both IP versions.
3. Deal With Schemes and Deployment
Organizations not only will need to acquire IPv6 addresses but also come up with a plan for allocating them throughout the enterprise.
“The Internet as we know it today is going to be a vastly different place five to 10 years from now,” Flores said. As the private sector moves to add devices and services to online offerings, more applications will be using IPv6. Administrators will need to decide where to deploy their IPv6 addresses to accommodate new needs.
Whether IPv6 is used internally or externally, agencies need to create a plan for implementing the protocols. Administrators will need to decide how organizations will use IPv6, what subnetworks will accommodate it and how it will be phased in.
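An address plan of the kind this step calls for, shown as an added example that is not from the article or from any of the people quoted in it. The layout is an assumption chosen for illustration: one nibble (4 bits) of the fourth hextet identifies the site, the next nibble the zone (infrastructure, users, servers, DMZ), and the remaining 8 bits the /64 subnet, so every boundary falls on a hex digit and an operator can read site and zone straight off an address. The /48 is carved from the 2001:db8::/32 documentation prefix and the site and zone names are constructed, not a real allocation.

```python
"""Hierarchical IPv6 address plan carved from a single /48 (added example)."""
import ipaddress

ALLOCATION = ipaddress.IPv6Network("2001:db8:1000::/48")  # constructed sample /48

# Hypothetical site and zone catalogue; indices are the nibble values used below.
SITES = {0: "headquarters", 1: "regional-office", 2: "data-center"}
ZONES = {0: "infrastructure", 1: "users", 2: "servers", 3: "dmz"}


def nibble_block(parent: ipaddress.IPv6Network, new_prefix: int, index: int) -> ipaddress.IPv6Network:
    """Return the index-th child of `parent` at `new_prefix`, refusing indices that do not fit."""
    width = new_prefix - parent.prefixlen
    if not 0 <= index < (1 << width):
        raise ValueError(f"index {index} does not fit in {width} bits")
    # Compute the child's network address directly instead of enumerating all children.
    base = int(parent.network_address) + (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def site_prefix(site: int) -> ipaddress.IPv6Network:
    """One /52 per site: 16 sites from a /48."""
    return nibble_block(ALLOCATION, 52, site)


def zone_prefix(site: int, zone: int) -> ipaddress.IPv6Network:
    """One /56 per zone within a site: 16 zones per site."""
    return nibble_block(site_prefix(site), 56, zone)


def subnet(site: int, zone: int, index: int) -> ipaddress.IPv6Network:
    """One /64 per VLAN within a zone: 256 subnets per zone."""
    return nibble_block(zone_prefix(site, zone), 64, index)


def build_plan() -> dict:
    """Map (site, zone) names to their /56, the unit a firewall rule or route can refer to."""
    return {
        (s_name, z_name): zone_prefix(s, z)
        for s, s_name in SITES.items()
        for z, z_name in ZONES.items()
    }


def plan_has_overlap(plan: dict) -> bool:
    """Sanity check: no two zone prefixes in the plan may overlap."""
    nets = list(plan.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def locate(address: str) -> tuple:
    """Recover (site, zone, subnet) indices from an address inside the allocation."""
    ip = ipaddress.IPv6Address(address)
    if ip not in ALLOCATION:
        raise ValueError(f"{address} is outside {ALLOCATION}")
    fourth = int(ip.exploded.split(":")[3], 16)  # hextet carrying site/zone/subnet
    return fourth >> 12, (fourth >> 8) & 0xF, fourth & 0xFF


if __name__ == "__main__":
    plan = build_plan()
    for (site_name, zone_name), net in plan.items():
        print(f"{site_name:>16} / {zone_name:<15} {net}")
    print("overlap:", plan_has_overlap(plan))
    print("2001:db8:1000:1203::10 is at (site, zone, subnet) =", locate("2001:db8:1000:1203::10"))
```

Keeping every boundary on a nibble costs some address space (a /52 per site is far more than most sites need) but buys readability: a packet from 2001:db8:1000:1203::10 is recognisably site 1, zone 2, subnet 3 without consulting a spreadsheet, which matters when writing and reviewing firewall rules.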
4. Conduct Training
Training is an area that is perpetually underfunded at most agencies and can be an unexpected expense after the hardware and software are in place. It also puts a burden on staff who already are stretched thin, so waiting until the last minute is not a good idea.
“Right now, we need to start learning about IPv6,” even if it will not be implemented for a while, Liu said. “I’m going to take more training myself. There is a lot more to IPv6 than just a longer address space.”
Training will depend on staff members' roles. Desktop administrators working in a Windows environment might need only a day or two of instruction, Liu said. But “if you’re a network administrator, you’re going to need longer than that.”
5. Apply Security
Adoption of IPv6 will bring both opportunities and problems for network security.
“Moving to IPv6 is being touted as a good move from a security standpoint,” Flores said. “But it can also be a bad move.”
IPv4 will not be replaced by the new protocols but will be operating alongside or on top of them. So administrators will continue to face all the vulnerabilities and threats that they already know, in addition to those created by IPv6 that they do not yet know. Many of the same lessons painfully learned will have to be relearned.
The availability and quality of IPv6 security tools remain in question, and the effects of new types of traffic on existing firewalls, intrusion detection and prevention systems, antivirus, and other tools are unclear. For example, the new protocols require the use of IPSec for end-to-end encryption of traffic, which is intended as a security enhancement. But it could also interfere with requirements for monitoring traffic.
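One concrete reason security tools must understand both protocol families, and the dual-stacking and tunneling mechanisms described under Handle Diversity, is that the same IPv4 endpoint can reach a dual-stack host in several shapes: natively, as an IPv4-mapped IPv6 address (::ffff:a.b.c.d) on a dual-stack socket, or embedded in a 6to4 (2002::/16) or Teredo (2001:0::/32) tunnel address. A filter that consults only its IPv4 list sees none of the last three. The following is an added example, not code from the article or from any vendor it mentions; it applies one policy to every form using Python's standard ipaddress module. The denylists are constructed from documentation ranges and the sample addresses are constructed, not observed traffic.

```python
"""One address policy applied across IPv4, IPv6 and transition addresses (added example)."""
import ipaddress
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address

# Constructed sample policy: documentation ranges only, not real threat data.
DENY_V4 = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.0/24")]
DENY_V6 = [ipaddress.ip_network(n) for n in ("2001:db8:bad::/48",)]


def embedded_ipv4(address: str) -> Optional[IPv4]:
    """Return the IPv4 endpoint an address carries, or None for native IPv6."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, IPv4):
        return ip
    if ip.ipv4_mapped is not None:      # ::ffff:a.b.c.d from a dual-stack socket
        return ip.ipv4_mapped
    if ip.sixtofour is not None:        # 2002:AABB:CCDD::/48 encodes the tunnel endpoint a.b.c.d
        return ip.sixtofour
    if ip.teredo is not None:           # 2001:0::/32 carries (server, client); client is the endpoint
        return ip.teredo[1]
    return None


def decide(address: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) after checking both the native and the embedded form."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address):
        for net in DENY_V6:
            if ip in net:
                return "deny", f"native IPv6 match {net}"
    v4 = embedded_ipv4(address)
    if v4 is not None:
        for net in DENY_V4:
            if v4 in net:
                how = "native" if isinstance(ip, IPv4) else f"embedded in {ip}"
                return "deny", f"IPv4 {v4} matches {net} ({how})"
    return "allow", "no policy match"


SAMPLE = [  # constructed inputs covering each address shape
    "203.0.113.7",                            # native IPv4
    "::ffff:203.0.113.7",                     # IPv4-mapped IPv6
    "2002:cb00:7107::1",                      # 6to4, embeds 203.0.113.7
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo, client 192.0.2.45
    "2001:db8:bad::1",                        # native IPv6 on the denylist
    "2001:db8::1",                            # native IPv6, nothing to match
]

if __name__ == "__main__":
    for a in SAMPLE:
        verdict, why = decide(a)
        print(f"{a:<40} {verdict:<5} {why}")
```

The point for a tool evaluation is not this particular denylist but the check itself: feed the same IPv4 endpoint to a firewall or IDS in all four shapes and confirm the verdict does not change. A product that passes the native case and fails the mapped or tunnelled ones has an IPv6 feature in name only.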
And then there is the sheer scope of the transition, “all of which is occurring at the same time they are having to update the networks with limited funding to address security threats,” Crowell said.
It is not all bad news for network security. “Once the conversion is done, we will see some major leaps in network security,” Flores said.
But in the meantime, “there are some real advantages to being in the IPv6 space,” Crowell said. “And there are also concerns.”