Air Force base prepares for IPv6 trials
Eglin's internal testing is first step toward use in a production environment
Network administrators and engineers at Eglin Air Force Base, Fla., expect to receive approval by the end of April to turn on IPv6 within the base network, the first time the new IP would be used within a production Air Force network.
“They have been readying the entire base network to the internal router to be able to pass both IPv4 and IPv6 traffic,” said Brent Bettis, an associate at Booz Allen Hamilton and the lead test and security engineer on the project.
Although the work is being done on a production network, IPv6 traffic will be strictly for testing at this stage, said Doug Fry, lead engineer at the Air Force’s IPv6 Transition Management Office.
“At this point, actual production traffic is not going to be considered,” Fry said. Engineers will capture and check IPv6 traffic to ensure that it is legitimate and secure and that boundaries can be enforced. “The purpose of the enclave is to show that IPv6 does no harm to the current infrastructure.”
Establishing an isolated enclave for testing is Milestone Objective 1 for the Air Force’s IPv6 transition. The next milestone would be to pass traffic between two enclaves to show that the capability is not restricted to a single site or vendor. The Air Force has not set a timetable for that step.
IPv6 is the next generation of IP and includes features to enhance security and end-to-end connectivity, and it has expanded address space to accommodate the large number of networked devices that could use these services. The government has enabled IPv6 on its network backbones but has not extended the protocols to users or required that agencies use them, although networking equipment acquired in the past five years is supposed to be IPv6-ready.
Eglin’s network control center volunteered for the challenge of being the Air Force’s first IPv6 enclave.
“We sent out a request about interest in participating in the pilot program,” Fry said. “Eglin stood up and said we will do it with our money, with your guidance.”
“They are just as eager as we are to turn this on,” Bettis said. “They want to see the new technology. This is really going to be the next generation network for the warfighter.”
Work on the project began in July 2008, when Booz Allen Hamilton began working on an inventory of the Eglin network and checking for ability to handle IPv6 traffic. The next step was deciding what needed to be turned on to enable a dual-stack network that can handle IPv4 and IPv6 traffic simultaneously and developing controls to restrict IPv6 traffic to the internal router. The ability to ensure the integrity of information on the network during testing was essential to the program, Bettis said.
Testing the security design began in October 2008. In January, the security architecture was finalized with the base's networking engineers, and equipment was tested off-line. The base is waiting for final approval for operations, expected by April 27. Traffic will be generated initially with a single Web server and a laptop PC.
Although there is no timetable for moving to the second milestone objective, Fry noted that setting up the first IPv6 enclave took nine months, and establishing a second so that traffic could be passed between the two probably also would take that long.
The first production applications using IPv6 to be deployed on Air Force networks probably would be core functions, such as e-mail and applications used in day-to-day operations, Fry said. The first applications are likely to be implemented on segregated equipment before being used on the same equipment with current IPv4 versions.
When those would be available is not yet clear, Fry said. “A lot of this will depend on vendors,” he said. “We are currently waiting for information assurance products to be certified" by the National Security Agency.