How to succeed with IPv6
Navy center offers benefits of seven years' experience
The Navy is ahead of the curve as the Defense Department gradually converts over to IP Version 6 from the current protocol, IPv4. While the government, the private sector and much of the world has been slowly transitioning to IPv6 for almost a decade, the Navy’s Space and Naval Warfare Systems Center Pacific has been operating a fully integrated IPv6 environment on a daily basis since 2003.
Lessons learned from the center’s operation will help other government agencies and commercial organizations make an easier transition to IPv6, said Ron Broersma, SPAWAR’s enterprise network security manager and chief information technology division engineer. A major transition to IPv6 will soon begin, as the number of IPv4 Internet addresses is expected to run out sometime in 2012, if not sooner. IPv4 uses the familair four sets of three numbers each to define an IP address, allowing for only about 4.3 billion unique addresses. IPv6 uses a much larger address space, and offers a near-unlimited number.
Agency IT plans could hinge on IPv6 implementation
IPv4 address could dry up by year's end
Enabling IPv6 one step at a time
Changing over to the new protocol will affect the entire global Internet and its underlying infrastructure. Broersma said many organizations will probably wait until the last minute before they begin to transition. “There’s really no near term-incentive to doing the transition. You’re not suddenly going to get to some Web sites you couldn’t get to before,” he said.
For many agencies and companies, the transition will require them to operate both protocols, necessitating the use of translation software to operate between the old and new Internets because the two protocols do not interoperate. “They operate over the same wires, but they can’t talk directly to each other,” he said.
SPAWAR Systems Center Pacific was part of a DOD IPv6 pilot effort begun in 2003. Broersma said the center had already been conducting IPv6 research for a number of years, testing, developing protocols and gaining operational experience. The center has transitioned its entire research network to IPv6, an effort that is unique in DOD, the government and perhaps globally. He said that he does not know of any organization that has so completely moved its network to the new protocol and has been using it daily in a production environment for years.
The center has gained valuable operational experience with IPv6. SPAWAR is using this knowledge to publish and share lessons learned with the Navy, the DOD, vendors, industry and the Internet 2 community. IPv6 is important to the Navy’s future, especially as it develops more advanced networks for the fleet. “We are still in the pioneering phase, but the experience we’ve gained and the problems we’ve solved are going to save us years [of work] down the road when the rest of the DOD starts deploying this,” he said.
In its years of operating IPv6 on its network, Broersama said, the major lesson learned was that vendors’ claims of IPv6 and IPv4 compatibility were often unfounded. The challenge has been to achieve what he called “feature parity” in products. “We tell vendors, ‘If your product supports something and it works in IPv4, we want those same features to operate in IPv6',” he said.
Feature parity provides vendors with a framework with which to modify their applications and it helps to identify deficiencies in products. Broersma said the center has been successful in working with vendors to identify and solve compatibility issues. He noted that this work has probably saved the software industry three to four years of work based on the experience learned at the center.
SPAWAR also found that many products were not well-tested because vendors’ quality assurance suites were insufficient to test all the new IPv6 features. By placing these applications in a real operational network, the center was able to identify and correct incompatibilities.
Conversion cost, or the lack of it, was another surprise. Broersma said that was expected to be expensive, but the center did not require additional funding, not did it have to hire additional staff. The cost savings were realized because SPAWAR understood the requirements for IPv6 and the protocol was promoted within the organization until it became part of the culture, he said.
The team used normal technology refresh processes to add in the new technology, which eliminated the need for additional funding or a major capital investment. This process took place steadily over a five-year period. Broersma said SPAWAR can serve as a model for other organizations, provided those organizations plan and start early.
Security posed another challenge. During the effort’s early days, Broersmal said, work focused on ensuring that all of the security protections were present when IPv6 was activated. He added that many products did not support these security tools and it took many years of working with vendors to achieve the required set of features. “We went for feature parity so that we would not create a weakest link when we turned on IPv6,” he said.
But this diligence requires networks to be audited and surveyed. Administrators must know exactly what their security features are to ensure that IPv6 is as well-defended as IPv4. Additional measures were also taken to monitor traffic to ensure that there were not any new attacks. He added that other tools, such as firewalls, intrusion prevention and intrusion detection applications, all support IPv6 today.
“With IPv4 we have 30 years of product maturity. With IPv6, we have very new implementations, so we haven’t found all the bugs yet," he said. "I wouldn’t be surprised if some denial-of-service bugs are discovered over the next few years as we see the deployment of IPv6. It’s just a reality because of maturity of the software.”
The belief that IPv6 is more secure isn't true, Broersma said. It was fostered by a requirement in the protocol stipulating that all implementations include IP security (IPSEC) for compliance. “Some people think that IPSEC is something new for IPv6, which is not true," he said. "IPSEC was around for IPv4 as well, and we use it every day in IPv4. It was just never mandated.".