IPv6 on the dotted line
When it comes to implementing Uncle Sam's next-generation Internet, the clock is ticking.
The Office of Management and Budget has mandated that the Internet backbone for every federal agency must be able to run Internet Protocol version 6 by June 30, 2008. By now, agencies are required to have created an IPv6 transition team, completed an inventory of all backbone-dependent hardware and software, and submitted an analysis of how the transition to IPv6 will impact their organizations.
No matter where they are in this timeline, the next step will be to procure the products and services for actual implementation.
'We've seen a few fresh contracts in a few arcane areas,' said Walt Grabowski, senior director of telecommunications for SI International, a contractor overseeing the Defense Department's transition to IPv6. 'The Air Force Communications Agency actually had a procurement about a year ago and [Veterans Affairs] is planning something soon for transition support. So it's been spotty ... but in general, the support that agencies get right now comes from the contractor base they already have in place.'
Experts say that could change, in part because agencies are being asked to make changes more quickly than they're used to. But it's also because IPv6 has the potential to affect how government operates in ways no one can yet predict, said Peter Tseronis, director of network services for the Education Department.
'It's like the Internet was back in 1993,' Tseronis said. 'Back then, you'd never have imagined you'd be using it to do your banking. IPv6's mobility, end-to-end security and ad hoc networking capabilities sound wonderful, but the truth is, we don't really know yet what it will ultimately enable us to do.'
DOD is leading the pack in IPv6 adoption. But some agencies are struggling to meet OMB's unfunded mandate. Transitioning to IPv6 involves more than merely refreshing network infrastructure; it touches everything from training and testing to consulting services and software development. In fact, IPv6 could impact every technology RFP an agency writes for the next 10 years.
Observers say the money to accomplish agencies' immediate IPv6 goals is just starting to shake loose. 'I don't see agencies having the expertise to do this themselves,' said Dave Nelson, a consultant for Input Inc. of Reston, Va., and former deputy CIO at NASA. 'Even DOD has found it's a little harder than they thought.'Gearing up
Major networking vendors such as Cisco and Juniper have been shipping IPv6-compatible gear for several years now. Microsoft Corp.'s upcoming Vista operating system is designed with it in mind. But other hardware and software might not be ready yet. And even if a vendor's routers and switches run IPv6, its hardware firewalls and security appliances might not.
'There's still a lot of brochure-ware out there,' said Tom Patterson, CEO of Command Information, an IPv6 services company in Herndon, Va. 'A number of companies advertise their products as v6-capable, but when you try to buy them, you find out that v6 support is still in the pipeline.'
Several groups have tried to help agencies define 'IPv6-capable' as it applies to the products they must be using. Juniper Networks published a report in May, IPv6 Capable: A Guide for Federal Agencies [GCN.com/647]. That same month, DOD released a detailed document, IPv6 Standard Profiles for IPv6 Capable Products.
If the hardware you're buying today isn't IPv6-compatible, you'd better have an agreement with the vendor to include the upgrade in the purchase price, said Tseronis.
But the transition from today's IPv4 to IPv6 won't happen overnight. Agencies will need to operate dual IPv4 and IPv6 networks for many years to come, until all their hardware and applications is IPv6-compliant. Even then, they'll need to communicate with devices on the Net that still use IPv4'either by translating from IPv6 to IPv4 and back again, or 'tunneling' IPv6 packets through the older network.
Many agencies will likely run a dual stack, where both protocols run simultaneously on the same equipment, Grabowski said. But agencies shouldn't assume all IPv6 networking gear can run two stacks right out of the box.
'If I were acquiring network equipment, I'd ask the vendors to demonstrate that their systems can operate in a dual-stack environment,' Grabowski said. 'I'd ask what's required to run in a dual stack. Do I need to increase router memory because of the dual stack? Will they work with my existing devices? Show me that upgrading my device is not going to lead me to a dead end in a v6 world.'
Another key issue is interoperability among IPv6 devices from different manufacturers, said Grabowski.
Though various agencies may have lists of approved IPv6 equipment, there's no guarantee an IPv6-compliant router from Company A will work seamlessly with a switch from Company B.
'It's not that vendors want to be incompatible,' he said. 'It's just that whenever you have a new standard, vendors have to interpret what it is, and sometimes they do it differently. Most v6 devices should be almost interoperable, but 'almost' isn't where an agency wants to be.'
So far, a handful of vendors have qualified under the IPv6 Ready logo program, bestowed by the IPv6 Consortium and the University of New Hampshire's Interoperability Lab [see GCN.com,
, GCN.com/645]. The logo signifies that a vendor's equipment conforms to IPv6 requirements and can interoperate with at least two other hosts or routers.No guarantees
'There's not a 100-percent guarantee all of the boxes on our list will interoperate, but I'd be surprised if they didn't,' said Benjamin Schultz, managing engineer of UNH's Interoperability Lab.
Compliance and compatibility testing will need to be a key part of any transition plan, and agencies will probably need help in testing products and making sure everything works together.
Whether they choose their networking vendors, system integrators, outside consultants or some combination of the three help depends largely on the vendor agreements already in place, said Tim LeMaster, director of systems engineering for Juniper Federal Systems.
'Some agencies may find their maintenance support contracts with Integrator X or Service Provider Y already provide v6 transition services,' LeMaster said. 'If they don't, they may want to look toward an outside consultant.'
System integrators may also offer ad hoc software development'providing the 'glue code' that allows everything to work seamlessly, Patterson said. For example, Command Information recently completed a universal translator for DOD that allows any Net-enabled remote device'whether it's a mobile phone or a sensor embedded in the walls of a warehouse'to tunnel across the IPv4 network and communicate with DOD's IPv6 backbone.
According to a June 2006 survey by Cisco Systems and Market Connections Inc., roughly half of 200 government IT managers surveyed said they wouldn't be moving to IPv6 if OMB weren't forcing the issue. In other words, they either don't see the benefits of IPv6 or don't believe the benefits are worth the costs.
'I think a big problem right now is that program managers are in compliance mode,' said Gunderson. 'There's probably a standard clause in every RFP that says the vendor's products must be IPv6 compliant. But instead of making it merely a compliance issue, they should go to the technologists in their organizations and ask, 'How do we expand the RFP?' '
In fact, a search of the contract database of market research firm Input Inc. turns up only about 25 vehicles, either in the proposal or execution phases, that spell out IPv6 requirements. Only one contract, a Veterans Affairs Department RFP that's due out next year, deals specifically with the current IPv6 migration.
In the meantime, agencies would do well to set aside a portion of their budget for IPv6 training and education, and not just for network administrators, said Command Information's Patterson, whose firm also operates an IPv6 education center.A high-speed education
Agency managers need to get up to speed on IPv6 so they can plan for applications that take advantage of the benefits the next-generation Internet will bring. And other personnel need to know what the new network will look like so they can do their jobs better.
The key is finding instructors who have experience working with actual IPv6 networks, said Patterson. And that means looking overseas, where IPv6 development is generally much further along.
'This is not something you can just read out of a book and go teach,' Patterson said. 'The good news is that other parts of the world have been doing v6 a lot longer than we have. We've hired a number of people who worked on IPv6 projects in Korea, China, Japan and France.'
A mistake many organizations make is trying to create an RFP based on generic requirements, or things they've read about but don't really need, said Juniper's LeMaster.
'The most important part of creating an RFP is to understand your network and write requirements that support it,' he said. 'Don't add requirements just because Agency X is planning to deploy a certain service.'
Agencies should look for vendors who take a lifecycle approach to the IPv6 transition and will support them over the long haul, said Prem Jadhwani, senior product manager for GTSI, a systems aggregator in Chantilly, Va.
Because moving to IPv6 typically involves a long-term investment, he suggests cash-strapped agencies might even ask vendors if they're willing to help with financing.
Most important, agency managers must understand that making their backbones IPv6-compliant is only the beginning of a long process that will eventually bring their networks into the 21st century.
'This isn't going to end on June 30, 2008, and it's a mistake to think it will,' warns Tseronis. 'We've got at least 10 more years of development to go on IPv6. We've got to get the energy behind it.'Dan Tynan is author of Computer Privacy Annoyances (O'Reilly Media, 2005).