5 critical steps on the road to IPv6

The new protocols will soon be necessary. Here’s what to do now to prepare.

Most government agencies don’t have a dire need to implement the next generation of Internet protocols internally in the near future, but maintaining full connectivity with the rest of the world could soon require the use of IPv6, industry experts say.

With large allocations of IPv4 addresses still available in much of the .gov domain and the use of Network Address Translation as a way to extend the life of IPv4, there is unlikely to be a shortage of address space in the enterprise. But outside the enterprise and especially outside North America, IPv6 soon will be used to enable a multitude of new devices and services that will comprise a growing portion of the global Internet.

“The government is faced with a real need to address the shift externally,” said former National Security Agency Deputy Director Bill Crowell.

Agencies will need to enable infrastructure that connects to the Internet for IPv6 to ensure that outside users of the protocols will continue to have access to public resources available on the Web and ensure that agencies have access to outside resources.



“We would expect to see most organizations deploying it on the Internet side of the network before implementing it internally,” said Cricket Liu, vice president of architecture at Infoblox. “That is where you are going to see the rollout begin. You want to make everything accessible.”

Government officials have known for some time that the depleting pool of available IPv4 addresses will eventually require a shift to IPv6, with its much larger address space. The pool is expected to be exhausted by the end of 2011, according to most estimates, and possibly as early as the end of this year, according to others. But the move to IPv6 has been slow to take off, said Crowell, who sits on a new technical advisory board established by BlueCat Networks for its federal customers.

Preparing for the adoption of IPv6 is one of the board’s primary concerns.

“In some respects, the transition from IPv4 to IPv6 is like Y2K, except that the date keeps slipping,” Crowell said. Y2K presented the threat that computers would not function properly when the calendar flipped from 1999 to 2000, but it had the advantage of a firm deadline for fixing possible problems. Not so with IPv6. “From 2004 to 2009, it slipped quite dramatically,” Crowell said.

The IPv6 transition is being delayed by the number of elements in the networking infrastructure, both hardware and software, that must adapt to the new protocols. Vendors are making IPv6-compliant products available, but many of the products still must make their way through the acquisition process and onto networks, and agencies don't have a specific budget for that process.

“They are doing it as budget permits,” said former CIA CTO Bob Flores, another member of the BlueCat advisory board. Completing the acquisitions will take time. “Absent something breaking, they are not likely to replace it” outside of the normal refresh cycle just to get IPv6 capability. “It’s coming. But anything that is budget-related is hard to predict.”

Change might be slow in coming, but there are steps that agencies can take now to ease the way for the inevitable transition.

1. Audit

“One of the things they will have to do early on is an audit of their equipment” to see what is and is not ready to handle IPv6, Liu said.

Most up-to-date desktop and server operating systems support IPv6, as do core networking equipment, such as routers. That will help the first stages of transition, which will focus on Internet-facing portions of networks. However, many elements inside the enterprise, such as printers, probably are not ready.

“The hardest part is to identify the parts of the network that are not compatible and realize that, at some point, you will have to jettison them,” Flores said.

One of the most troublesome areas for IPv6 compatibility is likely to be with network security tools. Those tools are starting to include functionality for the new protocols, but performance of the next-generation tools might not match that of tools already in use.

“That will change gradually” as vendors wait for demand to grow, Liu said. “They are not making a lot of revenue from the IPv6 features of their products.”

2. Handle Diversity

IPv4 is not going away. Even when the new functionality becomes available, “you won’t be doing IPv6 only,” Liu said.

There are three primary techniques for handling both sets of protocols on a network: dual stacking, which allows equipment to handle both protocols; translating, which converts one set of protocols to another; and tunneling, which encapsulates packets from one set of protocols inside packets of the other.

Liu, Crowell and Flores agree that most organizations are looking at dual stacking as the preferred method of handling diversity.

You will need to select management tools for your IPv6-enabled network. Those tools will need to understand and work with the new protocols. And ideally, they would be able to work with both sets of protocols so that you can have a single view of the segments that are using both IP versions.
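To make the difference between native and tunneled traffic concrete, the following added example (not part of the original article) labels raw IP packets as native IPv4, native IPv6 or IPv6 tunneled inside IPv4, which is the kind of combined view a dual-protocol monitoring tool needs. It covers only 6in4 tunneling, identified by IP protocol number 41; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 carried inside IPv4 (6in4)

def classify(packet: bytes) -> dict:
    """Label a raw IP packet as native IPv4, native IPv6 or a 6in4 tunnel."""
    version = packet[0] >> 4 if packet else 0
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        return {"kind": "ipv6",
                "src": str(ipaddress.IPv6Address(packet[8:24])),
                "dst": str(ipaddress.IPv6Address(packet[24:40]))}
    if version != 4:
        raise ValueError(f"unknown IP version {version}")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed or truncated IPv4 header")
    outer = {"src": str(ipaddress.IPv4Address(packet[12:16])),
             "dst": str(ipaddress.IPv4Address(packet[16:20]))}
    if packet[9] != IPPROTO_IPV6:
        return {"kind": "ipv4", **outer}
    payload = packet[ihl:]
    if not payload or payload[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not IPv6")
    # An IPv4-only inspection tool sees just `outer`; the real endpoints are in `inner`.
    return {"kind": "6in4", "outer": outer, "inner": classify(payload)}

def v4(src, dst, proto, payload=b""):
    """Build a constructed IPv4 header (checksum left at 0, not validated)."""
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return head + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload

def v6(src, dst):
    """Build a constructed IPv6 header with no payload (next header 59)."""
    head = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

# Constructed sample traffic using documentation address ranges.
SAMPLES = [
    v4("192.0.2.10", "198.51.100.5", 6),   # native IPv4 carrying TCP
    v6("2001:db8::1", "2001:db8::2"),      # native IPv6
    v4("192.0.2.10", "198.51.100.5", IPPROTO_IPV6, v6("2001:db8:a::1", "2001:db8:b::1")),
]

def summarize(packets):
    """Count packets per carriage type for a single dual-protocol view."""
    return Counter(classify(p)["kind"] for p in packets)
```
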

3. Deal With Schemes and Deployment

Organizations not only will need to acquire IPv6 addresses but also come up with a plan for allocating them throughout the enterprise.

“The Internet as we know it today is going to be a vastly different place five to 10 years from now,” Flores said. As the private sector moves to add devices and services to online offerings, more applications will be using IPv6. Administrators will need to decide where to deploy their IPv6 addresses to accommodate new needs.

Whether IPv6 is used internally or externally, agencies need to create a plan for implementing the protocols. Administrators will need to decide how organizations will use IPv6, what subnetworks will accommodate it and how it will be phased in.

4. Conduct Training

Training is an area that is perpetually underfunded at most agencies and can be an unexpected expense after the hardware and software are in place. It also puts a burden on staffs that already are stretched thin, so waiting until the last minute is not a good idea.

“Right now, we need to start learning about IPv6,” even if it will not be implemented for a while, Liu said. “I’m going to take more training myself. There is a lot more to IPv6 than just a longer address space.”

Training will depend on staff members' roles. Desktop administrators working in a Windows environment might need only a day or two of instruction, Liu said. But “if you’re a network administrator, you’re going to need longer than that.”

5. Apply Security

Adoption of IPv6 will bring both opportunities and problems for network security.

“Moving to IPv6 is being touted as a good move from a security standpoint,” Flores said. “But it can also be a bad move.”

IPv4 will not be replaced by the new protocols but will be operating alongside or on top of them. So administrators will continue to face all the vulnerabilities and threats that they already know, in addition to those created by IPv6 that they do not yet know. Many of the same lessons painfully learned will have to be relearned.

The availability and quality of IPv6 security tools remain in question, and the effects of new types of traffic on existing firewalls, intrusion detection and prevention systems, antivirus, and other tools remain unclear. For example, the new protocols require the use of IPsec for end-to-end encryption of traffic, which is intended to be a security enhancement. But it could also interfere with requirements for monitoring traffic.

And then there is the sheer scope of the transition, “all of which is occurring at the same time they are having to update the networks with limited funding to address security threats,” Crowell said.

It is not all bad news for network security. “Once the conversion is done, we will see some major leaps in network security,” Flores said.

But in the meantime, “there are some real advantages to being in the IPv6 space,” Crowell said. “And there are also concerns.”

Reader comments

Wed, Sep 22, 2010 Jamie

The DoD is working hard on the first point of audit capability. Through data collection of acquisition programs we have ingrained IPv6 reporting. The problem is getting a handle on the legacy programs or those that are never brought through the acquisition community. Does anybody have insight into how we can accomplish that?

Fri, Sep 17, 2010

Why was there no mention of whether security devices for IPv6 were available?
