5 critical steps on the road to IPv6

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Connecting with the rest of the world could soon require the use of IPv6, and agencies should begin preparing now to use the new protocols.

Most government agencies don’t have a dire need to implement the next generation of Internet protocols internally in the near future, but maintaining full connectivity with the rest of the world could soon require the use of IPv6, industry experts say.

With large allocations of IPv4 addresses still available in much of the .gov domain and the use of Network Address Translation as a way to extend the life of IPv4, there is unlikely to be a shortage of address space in the enterprise. But outside the enterprise and especially outside North America, IPv6 soon will be used to enable a multitude of new devices and services that will comprise a growing portion of the global Internet.

“The government is faced with a real need to address the shift externally,” said former National Security Agency Deputy Director Bill Crowell.

Agencies will need to enable infrastructure that connects to the Internet for IPv6 to ensure that outside users of the protocols will continue to have access to public resources available on the Web and ensure that agencies have access to outside resources.

Related stories:

Why bother moving to IPv6?

Navy offers IPv6 lessons learned

Report outlines IPv6 security challenges

“We would expect to see most organizations deploying it on the Internet side of the network before implementing it internally,” said Cricket Liu, vice president of architecture at Infoblox. “That is where you are going to see the rollout begin. You want to make everything accessible.”

Government officials have known for some time that the depleting pool of available IPv4 addresses will eventually require a shift to IPv6, with its much larger address space. The pool is expected to be exhausted by the end of 2011, according to most estimates, and possibly as early as the end of this year, according to others. But the move to IPv6 has been slow to take off, said Crowell, who sits on a new technical advisory board established by BlueCat Networks for its federal customers.

Preparing for the adoption of IPv6 is one of the board’s primary concerns.

“In some respects, the transition from IPv4 to IPv6 is like Y2K, except that the date keeps slipping,” Crowell said. Y2K presented the threat that computers would not function properly when the calendar flipped from 1999 to 2000, but it had the advantage of a firm deadline for fixing possible problems. Not so with IPv6. “From 2004 to 2009, it slipped quite dramatically,” Crowell said.

The IPv6 transition is being delayed by the number of elements in the networking infrastructure, both hardware and software, that must adapt to the new protocols. Vendors are making IPv6-compliant products available, but many of the products still must make their way through the acquisition process and onto networks, and agencies don't have a specific budget for that process.

“They are doing it as budget permits,” said former CIA CTO Bob Flores, another member of the BlueCat advisory board. That will take time to complete the acquisitions. “Absent something breaking, they are not likely to replace it” outside of the normal refresh cycle just to get IPv6 capability. “It’s coming. But anything that is budget-related is hard to predict.”

Change might be slow in coming, but there are steps that agencies can take now to ease the way for the inevitable transition.

1. Audit

“One of the things they will have to do early on is an audit of their equipment” to see what is and is not ready to handle IPv6, Liu said.

Most up-to-date desktop and server operating systems support IPv6, as do core networking equipment, such as routers. That will help the first stages of transition, which will focus on Internet-facing portions of networks. However, many elements inside the enterprise, such as printers, probably are not ready.

“The hardest part is to identify the parts of the network that are not compatible and realize that, at some point, you will have to jettison them,” Flores said.

One of the most troublesome areas for IPv6 compatibility is likely to be with network security tools. Those tools are starting to include functionality for the new protocols, but performance of the next-generation tools might not match that of tools already in use.

“That will change gradually” as vendors wait for demand to grow, Liu said. “They are not making a lot of revenue from the IPv6 features of their products.”

2. Handle Diversity

IPv4 is not going away. Even when the new functionality becomes available, “you won’t be doing IPv6 only,” Liu said.

There are three primary techniques for handling both sets of protocols on a network: dual stacking, which allows equipment to handle both protocols; translating, which converts one set of protocols to another; and tunneling, which encapsulates packets from one set of protocols inside packets of the other.

Liu, Crowell and Flores agree that most organizations are looking at dual stacking as the preferred method of handling diversity.

You will need to select management tools for your IPv6-enabled network. Those tools will need to understand and work with the new protocols. And ideally, they would be able to work with both sets of protocols so that you can have a single view of the segments that are using both IP versions.

3. Deal With Schemes and Deployment

Organizations not only will need to acquire IPv6 addresses but also come up with a plan for allocating them throughout the enterprise.

“The Internet as we know it today is going to be a vastly different place five to 10 years from now,” Flores said. As the private sector moves to add devices and services to online offerings, more applications will be using IPv6. Administrators will need to decide where to deploy their IPv6 addresses to accommodate new needs.

Whether IPv6 is used internally or externally, agencies need to create a plan for implementing the protocols. Administrators will need to decide how organizations will use IPv6, what subnetworks will accommodate it and how it will be phased in.

4. Conduct Training

Training is an area that is perpetually underfunded at most agencies and can be an unexpected expense after the hardware and software is in place. It also puts a burden on staffs that already are stretched thin, so waiting until the last minute is not a good idea.

“Right now, we need to start learning about IPv6,” even if it will not be implemented for a while, Liu said. “I’m going to take more training myself. There is a lot more to IPv6 than just a longer address space.”

Training will depend on staff members' roles. Desktop administrators working in a Windows environment might need only a day or two of instruction, Liu said. But “if you’re a network administrator, you’re going to need longer than that.”

5. Apply Security

Adoption of IPv6 will bring both opportunities and problems for network security.

“Moving to IPv6 is being touted as a good move from a security standpoint,” Flores said. “But it can also be a bad move.”

IPv4 will not be replaced by the new protocols but will be operating alongside or on top of them. So administrators will continue to face all the vulnerabilities and threats that they already know, in addition to those created by IPv6 that they do not yet know. Many of the same lessons painfully learned will have to be relearned.

The availability and quality of IPv6 security tools remain in question, and the effects of new types of traffic on existing firewalls, intrusion detection and prevention systems, antivirus, and other tools are vague. For example, the new protocols require the use of IPSec for end-to-end encryption of traffic, which is intended to be a security enhancement. But it could also interfere with requirements for monitoring traffic.

And then there is the sheer scope of the transition, “all of which is occurring at the same time they are having to update the networks with limited funding to address security threats,” Crowell said.

It is not all bad news for network security. “Once the conversion is done, we will see some major leaps in network security,” Flores said.

But in the meantime, “there are some real advantages to being in the IPv6 space,” Crowell said. “And there are also concerns.”

NEXT STORY: 9 things feds should know about secure international travel

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.