Moving to IPv6: It will get worse before it gets better

'We are watching carefully what DOD is doing. We will shamelessly copy everything they do to the extent that it meets our needs.'

'Glenn Schlarman, OMB

Rachael Golden

Funding shouldn't be a major issue until it's time to launch applications for the new protocol

Network administrators and managers are a practical lot. While listening to presentations at a recent workshop on why they should move their networks to IPv6, they were more interested in how to make the transition.

Concerns about moving networks to the next generation of IP protocols include security, training, management, overhead and'of course'funding. In the long run, IPv6 promises to provide greater functionality, security and efficiency than IPv4.

But the short run does not look so rosy.

'Yes, the transition will be a problem,' said Charles Lynch, head of the Defense Department's IPv6 transition office. 'The first five to eight years will be a problem as you have to operate both' sets of protocols.

The Internet Protocols are the set of rules defining how computers and other networked devices communicate with each other. Version 4 has been in use for more than 30 years and is beginning to show its age. Countries in Asia and, to a lesser extent, Europe are moving aggressively to implement IPv6. The large, installed IPv4 infrastructure in the United States has become something of a liability, said Chas Phillips, policy counsel for the House Government Reform Committee.

'We should have an active government policy' to advance IPv6 in both the public and private sectors, Phillips said.

Until recently, the Defense Department, which has set a 2008 deadline for moving to IPv6, was alone in the government sector. But in August, the Office of Management and Budget established an aggressive timeline for moving all federal backbones to the new protocols by 2008.

Although the networks must be running IPv6 by that time, they will also continue to handle IPv4 for the foreseeable future. The overall switch to all-IPv6 is expected to be gradual.

'You can blame Chuck Lynch for OMB's policy,' said Glenn Schlarman, chief of OMB's information policy and technology branch, somewhat facetiously. 'We are watching carefully what DOD is doing. We will shamelessly copy everything they do to the extent that it meets our needs.'

Lynch tried to calm concerns about the cost of the transition.

'If you try to do it soon, it's very expensive,' he said. But if done over time as equipment is replaced or upgraded, 'the additional money should be zero for software and network components.'

By focusing initially on components that are regularly upgraded, OMB is hoping to minimize the financial impact. Although the definition of 'IPv6-capable' is still being worked out, most network hardware and software now includes some level of IPv6 capability. OMB guidance calls for all agencies to buy IPv6-compliant gear when available in the course of building or upgrading networks.

'You have all the money you need,' Schlarman said. 'This is a tech refresh. You are probably already much closer to the goal than you think you are.'

But networking hardware is not the only expense to consider. There are personnel and management costs of overseeing the transition. IT staff will also have to be trained to use IPv6.

'Training is a challenge,' Lynch said. 'But IP is IP and IT people are IT people,' and the learning curve for the new protocols is not steep, he said.

The money's in the apps

Eventually, once the networks are ready for them, applications using the capabilities of IPv6 will be added.

'That is where we will see the real funding issues,' said David Powner, director of IT management issues for the Government Accountability Office.

But those expenses are likely to come farther down the road. Some attendees at the recent workshop were concerned that the expense of Hurricane Katrina recovery efforts would sideline the IPv6 transition.

'Almost everything is taking second place to what is going on now,' Phillips acknowledged. But in the long run, there will be little, if any, impact on transition plans.

Running systems will likely become a little slower or a little more complex during the transition, when networks will have to accommodate both IP versions on their networks.

'Ironically, the protocols that have great benefits for security in the long run, in the short run could create some vulnerabilities,' said Powner.

The most immediate concern is that many networks are now IPv6-capable, whether administrators realize it or not. And they could become a target for ambitious hackers.

'Be aware that this is a technology you have to look out for,' said Jim Schifalaqua, chief security technologist for SI International Inc. of McLean, Va. SI International is supporting the Defense Department in its move to the new networking protocols. Schifalaqua said the first thing to do with IPv6 is to turn it off until you're going to use it. 'The hacker community has been IPv6-ready for years.'

Common software such as Microsoft's Windows XP with Service Pack 2 already supports IPv6, and hackers could create their own virtual and invisible networks using the new protocols on compromised machines.

Another problem is that many security products, such as firewalls, filters and intrusion detection systems, do not yet recognize IPv6 and cannot defend against threats delivered in IPv6 packets. There are ways to work around these problems, and more products are beginning to support IPv6, but this is yet another attack vector administrators will have to worry about.

And although routing is expected to be more efficient with the simplified IPv6 packet headers, the computational overhead of running both protocols could cut into network efficiency. One attendee said that turning on IPv6 in routers now maxes out CPU cycles.

'It wouldn't be very efficient at all right now,' he said. The benefits will not become apparent until IPv4 is retired from the networks, 'and that will take a long time.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above