DOD develops a road map for getting to IPv6
Military networks will have to prove that they can run securely and reliably under IP Version 6 before receiving approval to use the new protocols.
The deadline for moving to the new version of the Internet Protocol is 2008. Until then, IPv6 will be restricted to early adopter environments and will not be allowed on operational Defense Department networks. The DOD IPv6 Transition Office is developing guidelines to help networks get approval to operate.Authorization in steps
Networks will receive authorization to run at two levels before progressing to operational capability, said James Schifalacqua of the Transition Office support team from SI International Inc. Information assurance will be a key element in receiving authorization to operate, Schifalacqua said recently at the U.S. IPv6 Summit in Reston, Va.
“It’s not the technology, it’s the process,” he said. Not all risk has to be eliminated, but administrators must be able to document how risks are analyzed and managed.
Much of the process will be standard risk management, Schifalacqua said. Some elements will be specific to the features of the new protocols, such as mobile networking.
“Mobility has a lot of possible vulnerabilities,” he said. “Most of them involve integrating and authentication.”
The first level of authority to operate will be for isolated IPv6 enclaves that will not be sending packets to the outside. The rule of thumb for this level is “do no harm,” Schifalacqua said. These enclaves must have the same basic information assurance features as an IPv4 network, including packet filtering, firewalls and network intrusion detection.
The next level will be for Version 6 enclaves that communicate with other network elements.
These will require more extensive information assurance features, including methods of mitigating risk in dual stacks running both IP versions 4 and 6 and for tunneling packets from one version through another.
The first level of real operational capability, which must be reached by 2008, was described as parity with IPv4. The new version will be running, but with essentially the same capabilities as current IPv4 networks. Additional capabilities unique to IPv6 will be added in the second level.
The Transition Office plans to offer help to networks in achieving authorization. Staff member Marty Beckman said the office is readying a testbed network that DOD agencies will be welcome to connect with. It will have DNS servers with dual stacks for both IPv4 and IPv6 for the ipv6.mil domain. It also will enable voice over IPv6.
The service will be free, but agencies will have to pay for their own connections to the node. The initial testbed core will be at Falls Church, Va. Plans call for extending it with cores at Scott Air Force Base in Illinois, Peters Air Force Base in Colorado, and the Marine Corps base in San Diego.
The Transition Office also plans to establish an IPv6 training center for DOD and other government personnel, Beckman said. Cost is expected to be about $250 per person for a week of instruction.
Connect with the GCN staff on Twitter @GCNtech.