Agencies, start your protocols!

Federal agencies scurry to meet next year's deadline for implementing IPv6

By this time next year, all federal agencies must have their networks running Version 6 of the Internet Protocol. Some will meet the deadline, some won't.

The CIO Council's IPv6 working group has established three criteria for successfully meeting the mandate to enable the next generation of IP on agency network backbones. Agencies must be able to:
  • Transport IPv6 traffic from an external network to the core and deliver it to a subnet.
  • Push IPv6 traffic from an internal subnet to an external network.
  • Route traffic around the core from one subnet to another.
A little less than a year before the June 30, 2008, deadline for putting IPv6 on networks, agency progress is a mixed bag, said Commerce Department Chief Technology Officer John McManus, who is co-chairman of the working group.

Realistically, not all are expected to make it on time. He estimated that for about 30 percent of agencies, the transition will simply be a part of their network evolution, as envisioned by the Office of Management and Budget when it handed down the mandate. Another 50 percent to 65 percent will have to work to meet the deadline. The remaining 5 percent to 20 percent will be behind.

Catch up or Catch-22?

What accounts for agencies' varying levels of progress? A variety of factors, including the size and complexity of the networks in question, the resources available for planning and training, and competing priorities such as compliance with federal information technology security requirements and mandates to issue a new generation of smart government identification cards.

OMB put the federal government at the forefront of the transition when it decided IPv6 is the future of networking. Industry experts say momentum in the transition is shifting from Asia to North America. The move is expected not only to help the government get out from under a creaking Internet infrastructure that has expanded, in both size and functionality, far beyond its intended scope, but also to enable a wide range of new applications.

The move is inevitable, and the OMB mandate is a good thing, industry experts agree. But missing the deadline would not necessarily be bad. Transitioning a network requires more than simply turning on IPv6 in a switch or a router, and it could be better to be late than to be wrong.

'You can find agencies now that already have met the deadline.' - John McManus, Commerce Department

'They are coming to the conclusion that the June 2008 deadline, while important, is not as important as having a fully integrated architecture in place with a security and network management plan,' said Dave West, IPv6 lead at Cisco Systems. 'I think that's the right conclusion. More important than rushing toward a date is being prepared.'

After all, the date is arbitrary, said David Kriegman, president of the federal arm of Command Information. 'If you miss the date, it's not like a Y2K thing,' he said. 'Everything is still going to work.'

The important question is how well things will work after you flip the switch. Most of your applications and services will still be running IPv4, and you don't want to break them. The shift will require more than having IPv6-enabled products.
'Products don't necessarily solve customers' mission needs,' West said. 'A well-thought-out architectural plan needs to be in place so as not to affect the day-to-day operations.'

Agencies have been addressing this issue in their enterprise architecture framework plans, said Peter Tseronis, networking services director at the Education Department and co-chairman with McManus of the IPv6 working group.

'IPv6 is integrated into enterprise architecture,' Tseronis said. Agencies submit quarterly assessments of their frameworks to OMB, and 'every agency should have clearly defined milestones they expect to meet by the third quarter of fiscal 2008.'

Agencies are turning to their industry partners for the practical experience they need in preparing core networks for transition. Verizon has been operating dual-stack IPv6 networks since 1997, when the company began moving away from Asynchronous Transfer Mode switching, said Charles Lee, Verizon's chief technology officer of civilian networks.

'It gave us a chance to get early experience with supporting our operations in a dual-stack mode,' he said. The Defense Department and other agencies have been using the networks to help plan their own transitions.

Early support

Cisco has supported IPv6 in its IOS operating system since 2001, and Microsoft this year released Vista, its first operating system in which IPv6 is turned on by default. The move to IPv6 is only just beginning, but Vista already is having an impact on networks. Lumeta scans the Internet regularly for IPv6 addresses in networking equipment and reported that the number of active addresses has increased by 18 percent since the first of the year. Admittedly, the number of IPv6 addresses remains small: 2,600 as of April 30, just a drop in the Internet ocean. But Lumeta CTO David Arbeitel said the growth reflects the evolution of carrier and service provider networks in the face of expected demand for IPv6 services. Forty million Vista licenses have been sold since the beginning of the year.

West said recent studies have found that despite the Internet's phenomenal growth, only 16.7 percent of the world's population has access to the global network.
'I think we still have tremendous expansion before us,' he said. And faced with the rapid depletion of IPv4 address space, that growth will have to take place in IPv6.

The American Registry for Internet Numbers, one of five regional Internet registries responsible for assigning Internet addresses, gave the Internet community notice in May that demand for address space soon would outstrip the pool of available IPv4 addresses. The address space for Version 4 has not been exhausted, but large blocks of numbers are becoming scarce.

'The available IPv4 resource pool has not been reduced to the point that ARIN is compelled to advise the Internet community that migration to IPv6 is necessary for any applications that require ongoing availability from ARIN of contiguous IP number resources,' the registry said. The registry remains technology-agnostic and cannot force any organization to adopt the new protocols, but organizations may not have any choice as they deploy new applications and services.

What are the applications that will require large blocks of IPv6 addresses? Nobody knows for sure. Broad categories of functionality, such as enhanced mobility, persistent IP identities and location-based services, are being touted by proponents of IPv6. But for the most part, the applications that will provide the return on the investment of making the transition to IPv6 are still missing.

'There is no IPv6 business case,' said Jim Bound, CTO at the North American IPv6 Forum. 'It does not exist. IPv6 is plumbing.'

Killer apps

That is not to say applications will not be forthcoming. The Defense Department has big plans for pushing information and resources to individual warfighters in the field as part of its vision of net-centric warfare. Logistics, with the ability to address and track myriad individual pieces of materiel, is high on DOD's list of IPv6 priorities. But killer apps will vary from user to user.

'My personal opinion is that the killer app is voice,' said Lee, not surprisingly for someone with roots in the telephone industry. With increased mobility and persistent location-aware addressing, IPv6 could enable authentication, nonrepudiation and access control in voice communications, he said. 'That IP address is you. New applications become enabled because I now know the source.'

Despite the uncertainty of what applications will be available, agencies are being asked to include them in their transition plans. How they will be using their IPv6 networks will determine how they should be built and managed. Some functions and applications will never be transitioned. If they already are working well, there may be no reason to change them, and they will die a slow IPv4 death in the coming years and decades.

Lee said most agencies are doing a good job of planning how to use IPv6 applications to generate a return on their transition investments.
'I think it's a pretty mature approach,' he said.

But Kriegman of Command Information, which provides IPv6 training and consulting services, disagrees.

'For the most part, agencies are trying to do the minimum to be compliant' with the OMB directive, he said. 'They are not thinking about security, and they are not thinking about how to get ready for the future applications.' There are a few standouts, such as the Education Department, where officials really get it, he said, 'but they are few and far between.'

So when push comes to shove, the IPv6 transition is likely to get pushed down on some agency priority lists. They are not ignoring the mandate, Lee said. 'Pretty much everybody is doing something.' But in some agencies, competing mandates such as the Federal Information Security Management Act are taking precedence over IPv6.
The intelligence community is one area in which the transition might be taking a back seat to other priorities, said John Howard, deputy associate director of national intelligence for enterprise services.

'The intelligence community will transition to IPv6,' Howard said at a recent conference. The community is under the OMB and DOD mandates to enable backbones by 2008 and has a five-year plan to implement the new protocols throughout the infrastructure. But 'the intel community's commitment to that transition is at risk,' because of competing funding priorities, he said. 'The prevailing attitude is that there are more important things than IPv6.'

The intelligence community is focused on applications that will enable better analysis rather than IT infrastructure, Howard said.

'We are overwhelmed with information,' he said. 'We're trying to make connections with it.' Theoretically, IPv6 applications could help improve information sharing and analysis among intelligence agencies. But 'it's not there yet.'

In the meantime, Howard has more immediate concerns, such as the need to flatten and consolidate the community's networks. A 100-day discovery project aims to find exactly what equipment, resources and users are on the community's myriad networks and to enable access to resources as needed across the networks without compromising security.

'The vision is [that] it is going to be done down to the individual file level,' Howard said. 'We're not even close to that.'

Getting ready

IPv6 may have to wait at some agencies, but meanwhile, resources are being readied to help with the transition. The National Institute of Standards and Technology is putting the final touches on a profile of IPv6 standards and features that will be required in all networking products acquired by agencies, said NIST computer scientist Sheila Frankel, a member of the CIO Council's IPv6 working group. But that profile would not go into effect for 18 months, and NIST has not decided whether it will have any teeth or whether there will be a formal testing program to guarantee conformity and interoperability.

'At some point, IPv6 products will become commodities,' Frankel said, and testing and feature profiles will not be needed.

The working group also is developing a protocol for IPv6 deployment testing to give agencies a standard set of criteria to test their backbones for compliance with the OMB mandate, 'so we're not all doing stovepipe deployments,' Tseronis said.

That effort is being spearheaded by McManus. Input for the standards is being gathered from agencies, industry and academia. Their comments will result in guidelines that agencies can use in mapping their architectural framework and transition strategies.

'I think we're giving ourselves plenty of time to get this solidified,' Tseronis said. This will be the initial phase of a deployment testing strategy, and agencies can expect a number of other IPv6 deployment guidelines in the coming months, he said. 'This summer will be interesting.'
