Graded on a curve: How feds lead the way on IPv6
Despite a strong surge in the final days before the Sept. 30 deadline, most agencies have not fully met the requirement for enabling IPv6 on public-facing servers. Industry observers praised the effort, however, and called the U.S. government a global leader in adoption of the new Internet Protocols.
Although the total number of agencies enabling IPv6 remains relatively small, it has grown from about 11 last year to more than 250 today, said David Helms, vice president of Salient Federal Solutions’ Cybersecurity Center of Excellence.
“It’s really the shape of the curve that matters,” Helms said. “There has been a rapid acceleration in the last 12 to 18 months.”
The deadline set in 2010 by then-federal-CIO Vivek Kundra not only pushed agencies to enable the new protocols but also spurred industry support, said Christine Schweickert, senior engagement officer at the content delivery company Akamai.
“They put a lot of pressure on the vendors, including Akamai, to expose our roadmaps,” Schweickert said. “It helped them shape their roadmaps” and provide technical capabilities and support for government customers. “I think the government has done a good job on this mandate, compared to some others.”
The Internet Protocols are the rules and specifications enabling communication among components on IP networks, including the Internet. Version 4 of the protocols is commonly in use today, and the pools of new IPv4 addresses are nearing depletion. This means that future growth on the Internet will require the use of IPv6. The two protocols are not interoperable, so for the foreseeable future, providers of online resources will have to be able to handle both types of traffic at the same time.
The September 2010 mandate requires agencies to enable IPv6 for external-facing services such as public websites by the end of fiscal 2012 and on internal networks two years later.
According to a Sept. 30 snapshot from the National Institute of Standards and Technology’s IPv6 dashboard, 16 percent of 1,494 .gov domains scanned had enabled IPv6, 37 percent were in progress and 47 percent had not made any progress. Comparisons are inexact because the number of domains scanned varies from day to day, but that appears to be a significant improvement from a few days earlier. The number of operational domains grew by 3 percentage points after Sept. 28, as did the percentage of those in progress.
Among those domains coming in close to the deadline was the Executive Office of the President, which on Sept. 27 enabled IPv6 on www.whitehouse.gov and 26 other EOP domains.
“I think the mandate was well designed, and we’ve actually had good success compared with mandates in the past,” Helms said. Agencies also were required to designate an IPv6 transition manager, which all did, as well as comply with acquisition requirements that all new equipment meet federal standards for IPv6 compliance. He pointed out that the volume of operational domains now is approaching 20 percent, and “I actually think that is pretty good. Twenty percent is critical mass.”
Helms said peer pressure is likely to be the strongest incentive for agencies to complete the move to IPv6, and Schweickert said she had seen “spirited competition” between some agencies. Among the leaders in adoption is the Veterans Affairs Department, which not only has enabled its websites but also is moving to take advantage of the new protocols to enable health-care initiatives such as the use of remote sensors for medical devices.
Schweickert said the U.S. government has emerged as a major force in IPv6 adoption, supporting initiatives such as the Internet Society’s World IPv6 Day in 2011 and the IPv6 Launch Day this year. When Akamai created its dual-stack platform supporting IPv6 for content delivery from customer websites, “the public sector customers were the first to move onto that platform.”
Challenges to enabling IPv6 obviously remain, however. There is a lack of expertise in managing the new protocols on a network, and simply getting to the task can be a chore when administrators are faced with a laundry list of competing priorities. But there is plenty of support and advice available within government and from vendors.
Those agencies that are putting off the transition are kicking the problem further down the road, when it will be more difficult to deal with, Helms said.
“Whether they know it or not, they already are deploying IPv6” with the installation of equipment that often comes with IPv6 enabled by default, Helms said. Doing this in an unmanaged way increases an agency’s attack surface without providing any of the benefits, he said.
Although the volume of IPv6 traffic currently is very small, Schweickert said that agencies soon will find pockets of users that cannot access their resources if the protocols are not enabled. Enabling them now and learning to manage them while traffic is low will be much easier than waiting until demand increases, she said. “They are going to have bigger problems on their hands” in the future.