US Feds: We will meet June IPv6 deadline

Officials cite security, budget and other hurdles to full-fledged IPv6 deployment

US federal government officials are confident they will meet a June 30 deadline to support IPv6 on their backbone networks, but they see challenges ahead in transitioning their production networks to this long-anticipated upgrade to the Internet's main communications protocol.

Challenges cited by federal IPv6 leaders include the lack of IPv6-enabled security devices and software applications available in the commercial marketplace as well as budgetary constraints and training hurdles.

IPv6 represents a major upgrade to the Internet. It replaces the current version of the Internet Protocol, known as IPv4, with a new and improved version that features vastly more IP addresses along with built-in security and network management enhancements. The Internet Engineering Task Force, the Internet's premier standards-setting body, created IPv6 in 1995.

The Office of Management and Budget (OMB) issued a requirement in 2005 that all US federal agencies must be capable of passing IPv6 packets on their backbone networks by June 30, 2008.

Karen Evans, OMB administrator for E-Government and Information Technology, said in March that she expects agencies to meet the June 30 deadline. She wouldn't comment on penalties an agency would face if it missed the deadline.

Evans is encouraging federal agencies to continue working toward production-level IPv6 deployments despite the challenges they have reported in meeting the June deadline.

"We want agencies to take advantage of the business opportunities afforded to their missions with the implementation of IPv6," Evans said in a statement. "We feel it is important for agencies to modernize their network infrastructure to support emerging IPv6 applications and technologies and to minimize the risk associated with the products [that] are already IPv6 enabled."

Pete Tseronis, co-chair of the Federal CIO Council's IPv6 Working Group, says OMB's June 30 IPv6 deadline is more of a recommendation than a mandate.

"We don't like the term mandate," Tseronis says. "It's what agencies should be doing as part of their tech refresh anyway. The federal government took an initiative by way of OMB to rally support for IPv6 and to get all the federal agencies engaged in the discussion about IPv6. June 30 is the first real milestone of what we hope will be a successful deployment of IPv6."

Agencies are required to submit quarterly reports to OMB that include their IPv6 progress. "To date, there have been no agencies that appear to be saying: We will not be meeting the June deadline," Tseronis says.

Meeting the OMB requirements for IPv6 is a pass/fail process. Among the agencies that have already achieved compliance with OMB's IPv6 requirements are the Internal Revenue Service, Department of Education and the Social Security Administration, Tseronis says.

"I'm very optimistic" that most federal agencies will meet OMB's IPv6 deadline, Tseronis says. "Are people going to do it at the 11th hour and stay up all night? Possibly."

The US Department of Defense is working under a similar deadline to migrate to IPv6. The department issued a memorandum in 2003 outlining a five-year transition to IPv6. By September 2008, the department has vowed to have all of its core networks able to process IPv6 traffic.

The Defense Department first will transition its unclassified IP backbone network -- dubbed NIPRNET -- to IPv6, followed by its classified IP network, which is called SIPRNET.

"We will meet the OMB mandate," says Kris Strance, who leads IPv6 transition for the Defense Department and works in the Office of the Secretary of Defense CIO. "The OMB mandate only requires that you pass IPv6 packets across the network. It does not require the infrastructure, for example the DNS servers, the security devices and such, to be IPv6 capable."

Strance says the Defense Department could have met the OMB mandate several years ago when it upgraded all of its routers to IPv6-capable devices.

"Frankly, the OMB's bar is much lower than we have been working toward in DOD," Strance says. "We are working toward a true IPv6 capability."

Strance says NIPRNET will not be an operational IPv6-capable network by June 30, despite the agency having worked on IPv6 transition for five years. The big holdup is the lack of IPv6-capable security devices, including firewalls and intrusion-detection systems that meet the National Security Agency's requirements.

"We're going to see certain vendors come in this spring to test security devices. These are beta versions, so I suspect there will be some time before we have production of security devices that meet our requirements," Strance says.

Federal CIOs have been focused on getting their network infrastructures ready for IPv6. But one challenge for full-fledged IPv6 deployments is the lack of IPv6-enabled applications.

"The honest truth is that applications have not been our focus," Strance admits. "Our focus has been the networks. Without the networks, the applications don't have any transport. So that's next. We recognize right up front that the applications are where you achieve the advantages of IPv6. The core doesn't do anything for you, but the core has to come first."

"Applications need to be developed . . . but you have to put the cart before the horse," Tseronis says, explaining why federal agencies have been focused on enabling core networks with IPv6. "Most agencies have the attitude -- right or wrong -- that when it comes to their networks, if it ain't broke, don't fix it. . . . The IPv6 applications that are going to wow you, first and foremost, require you to upgrade your infrastructure."

Strance says the first IPv6-enabled application that the Defense Department will roll out is VoIP.

"We've been working with the vendors now for several years to get IPv6-capable VoIP products, and starting this January we began evaluating these products," Strance says, adding that the Defense Department will run an IPv6-enabled VoIP pilot on its voice network in 2009. "We have a fairly large amount of VoIP on SIPRNET. We started that as a pilot, and it's been very successful in places like Iraq and Afghanistan. . . . It's IPv4, but there's a potential there to move it to IPv6."

Another hurdle to full-fledged IPv6 deployment is budget constraints. Agencies have paid for the upgrades required to meet the OMB IPv6 mandate through their tech-refresh budgets.

"IPv6 will be phased into the agencies' infrastructure and applications through their life-cycle management," Evans says. "Over the next few years, the majority of network operating systems, hardware and network-enabled software packages will include IPv6 capabilities. As many federal agencies continue to refresh their network architecture components, the new and improved hardware and software components are expected to support IPv6 capabilities."

The Defense Department, which is furthest along in IPv6 deployment, says tech-refresh funding isn't enough to cover the upgrade.

"What we've learned is that there are additional resources that are required to do engineering, integration, testing and evaluation activities to prepare for IPv6, and frankly we hadn't planned for that initially," Strance says.

Some of that additional funding needs to go to training.

"Training is an important part of the integration process, and agencies should invest in recruiting and training their staff in how to architect, manage and secure IPv6 networks," Evans says.

Tseronis says federal agencies need to have the right technical people to manage IPv6 deployments.

"IPv6 is all about end-to-end security and not doing network address translation," Tseronis explains. "It's about having the right people, recruiting the right people and developing the skill sets you need."

The Defense Department, however, says that the training component was less expensive than the integration and testing required for IPv6 deployment.

"Our experience with the Defense Research and Engineering Network (DREN) is that training is not a huge issue," Strance says. DREN has been running IPv6 for three years.

Overall, Strance says the challenges agencies face in deploying IPv6 in production mode are numerous.

"Nothing has been easy about this," Strance says. "Maintaining interoperability is a significant challenge, and that's something we're very mindful of. Security has been the biggest challenge, I would say. Understanding the vulnerabilities that IPv6 brings when you implement it. . . . Lastly, we have to accommodate a huge legacy in DOD. Being able to do that isn't easy."
