With the pool of IP version 4 (IPv4) addresses about to run out, the federal government expected its agencies to be much further along in their deployment of IPv6 infrastructure. After all, most new Internet users access government resources via IPv6. However, many agencies, flush with IPv4 addresses but tight on staffing and budget, still don’t feel the urgency.
“We are going to run out of IPv4 address blocks in the next few months, and only about half of government servers are reachable by IPv6 today,” says John Curran, president and CEO of the American Registry for Internet Numbers, an organization that, among other things, manages Internet number resources.
IPv6, introduced in the 1990s, was created to run parallel to and then replace IPv4 as the primary way that devices are identified and located on the Internet. Compared with IPv4, IPv6 has a much larger pool of address blocks and is meant to give each device its own unique identifier for better security and greater routing efficiency. For years, IT teams have used network address translation (NAT) as a way to extend the life of IPv4 addresses. But NAT makes it difficult to provide end-to-end security or to optimally route traffic.
In 2010, federal CIO Vivek Kundra issued a mandate that by the end of fiscal year 2012 all public/external facing servers and services (web, email, DNS, ISP services, etc.) must operationally use native IPv6. Kundra also expected that by the end of FY 2014 internal applications that communicate with public Internet servers and supporting enterprise networks would be outfitted with IPv6.
As of May 26 though, only 444 web servers, 141 mail servers and 250 DNS servers had been IPv6 enabled. Compare that with the 833 web servers, 464 mail servers and 571 DNS servers that currently use IPv4.
Curran acknowledges that the U.S. government has been a leader in IPv6 deployment but says that more needs to be done. “The federal government is progressing at a very solid rate, but they need to continue their efforts,” he says.
Agencies that are more advanced, such as the Defense and Commerce departments, should share expertise with colleagues who are further behind. “IPv6 is not a big job; it just needs to be properly planned for,” Curran observes.
Charles Sun, co-chair of the technical subcommittee of the Federal IPv6 Task Force, agrees but notes that because many agencies have plenty of IPv4 addresses, it has been difficult to push IPv6 forward. “The U.S. federal government is the most influential authority in the IPv6 transition initiative and by far the largest adopter of IPv6 in the U.S.,” Sun says. Yet, like Curran, he believes that much more needs to be done in order for IPv6 to replace IPv4 within agencies.
“Major agencies do not have a shortage of IP addresses,” Sun says. So instead of hanging IPv6’s future on that factor, deployment of this version should be seen as a competitive advantage. “The rest of the world has embraced and deployed IPv6. For the U.S. to maintain its leadership role in the Internet, we have to do likewise.”
IPv6 is essential for future innovations such as the Internet of Things and smart cars, which require unique IP addresses, according to Sun. “A lot of our new initiatives feature machine-to-machine communication and need a huge block of IP addresses to support them.”
Making the transition
For agencies to properly transition to IPv6, they must run a dual-stack network with IPv4 and IPv6. But running them simultaneously can increase the threat vector, so the goal should be to quickly wind down IPv4, Sun says.
The biggest problem with IPv6, he believes, is that legacy hardware and software within agencies do not support the newer protocol. Refresh cycles will alleviate that to some extent, though. “While some legacy servers will never be able to transition to IPv6, we must make sure new investments related to IP are IPv6-compliant,” Sun says. Once agencies have up-to-date hardware and software, “IPv6 comes down to a simple configuration change.”
He encourages agencies to communicate their desire for IPv6 to their contractors. “Many agencies have multiyear contracts that have prevented them from making a change, but now is the time to have those discussions,” Sun says. For instance, some agencies cannot honor the mandate because contractors are running encryption servers that don’t support IPv6.
IPv6 is not just a nice-to-have upgrade, according to Sun. “We must be able to communicate with all the new Internet users around the world. That is how we’ll get to the next generation of the Internet.”