DEFENSE IT

Air Force makes progress on IPv6

Initial tests at Eglin AFB show base backbones can handle traffic without problems

Network administrators and engineers at Eglin Air Force Base, Fla., have been testing IPv6 traffic over the base network since April, with promising results.

“IPv6 does not adversely affect the network backbone in any way shape or form,” said Brent Bettis, an associate at Booz Allen Hamilton and the lead test and security engineer on the project.

Although the work is being done on a production network, IPv6 traffic is being used only for testing in a controlled environment enabled to handle both IPv4 and v6 traffic over the backbone, said Doug Fry, lead engineer and deputy acting chief of the Air Force’s IPv6 Transition Management Office.

“The full impact is yet to be determined,” Fry said. That will involve enabling select client devices on the base network to handle both IPv4 and IPv6 traffic, and then sending IPv6 traffic between two bases.

Establishing an isolated enclave for testing is Milestone Objective 1 for the Air Force’s IPv6 transition. The next milestone would be to pass traffic between two enclaves to demonstrate that the capability is not restricted to a single site or vendor. Those steps still are months away. The major task at this point is developing a standard security architecture -- subject to approval by the Air Force’s designated accrediting authority -- that will enable bases to implement IPv6 securely. The transition management office is in initial talks with the Assessment and Evaluation Branch that certifies IT systems for the Air Force.

“We are working diligently to get that architecture approved,” Bettis said. “It looks good right now.”

IPv6 is the next generation of Internet protocols and includes features to enhance security and end-to-end connectivity with an expanded address space to accommodate the large number of networked devices. The government has enabled IPv6 on its network backbones. Although networking equipment acquired in the last five years is supposed to be IPv6-ready, the capability has not been extended to end users.

Work on the Eglin project began in July 2008, when Booz Allen started working on an inventory of the Eglin network and checking its ability to handle IPv6 traffic. Two core routers and 13 information transport nodes in the network were enabled to handle both IPv4 and IPv6 traffic. IPv6 traffic has been generated with a Web server and a laptop with “no hiccups at all,” Bettis said. CPU use hasn't been affected, access control lists that restrict IPv6 traffic to the controlled environment are working, and “the end users haven’t seen anything, which is good,” he said.

Testing will continue for another three months and selected clients are expected to be enabled for dual stack traffic after that, Fry said. “We would like to see, within eight months, all the clients enabled to use IPv6.”

In the meantime, the second IPv6 enclave is being established in the Air Force Information Operations Center at the Kelly Annex at Lackland AFB in Texas. It is expected to have a dual stack environment within four to six months, pending certification and accreditation of the system. After internal testing, a VPN will be established to send IPv6 traffic between Lackland and Eglin.

Full IPv6 production deployment still is probably years off, said Fry. That is partly because of the lack of accredited information assurance equipment for IPv6, and partly because of the need to be cautious in rolling out the new technology.

“We are moving at a very deliberate pace,” he said. “‘Do no harm’ is the mantra we have been going by.” But the Air Force is ready for the inevitable problems that will crop up, he said. “Now it’s time to break some glass. We are expecting some hiccups, and Eglin is willing to move into that area.”
