Kevin Jones, NASA IPv6 Transition Manager, says agencies should widely deploy the new protocol to facilitate turning off IPv4 internally.

Agencies Move to Adopt IPv6 as Demand Grows for New Devices

Long on the back burner, IPv6 adoption is reaching a slow boil as the stock of current IP addresses runs dry.

In a world of change, one thing remains consistent: Agency adoption of IPv6 moves at a glacial pace. Migration to the new internet address protocol isn’t easy, given budget realities that keep organizations from ripping and replacing current network investments.

However, because the American Registry for Internet Numbers is running out of IPv4 address space, agencies have begun the transition to IPv6. Most have started to ensure their public websites are accessible via IPv6 using dual-stack environments, while a smaller number have implemented dual stack internally so that their user systems can reach the internet via IPv6. Agencies are also buying IPv6-compliant devices as older ones reach the end of their lifecycle.

“For a long time, people have said, ‘Why be bothered? We have plenty of IPv4 address space,’” says Kevin Jones, IPv6 transition manager at NASA and chairperson of the Federal IPv6 Task Force. “But now, moving to IPv6 is becoming a matter of business continuity. We don’t have the luxury of kicking the can down the road anymore.”

IPv4, the current internet protocol, can assign about 4 billion 32-bit addresses, the familiar decimal address that underlies every URL. IPv6 uses a 128-bit hexadecimal address that looks like this: 3ffe:1900:4545:3:200:f8ff:fe21:67cf. That creates 340 undecillion addresses — or 340 followed by 36 zeroes. (The experimental IPv5 was not released publicly.)

The Office of Management and Budget issued its first mandate on IPv6 adoption in 2005 and set a deadline of June 2008 for agencies to be able to pass IPv6 traffic. National Institute of Standards and Technology statistics show that, as of April 16, only 40 percent of federal domains are fully operational with IPv6.


Four of the world’s five regional internet registries have already run out of IPv4 space (the fifth, covering Africa, is running low) and have been allocated IPv6 addresses by the organization that coordinates them.

Even if agencies don’t fear running out of addresses, they risk being left out in the communications cold as constituents and other organizations use new devices and web servers that support IPv6 by default. IPv4-only devices are not able to communicate with IPv6 addresses natively.

“We need to make sure we don’t find ourselves in a situation where we cannot communicate with mission partners that are exclusively IPv6,” says Jill Place, supervisory IT specialist at the Defense Information Systems Agency and chief of the Defense Department’s Network Information Center, which manages IP addresses for its personnel.


Increasing Demand from IoT Drives IPv6 Adoption

The rush for addresses started as more individuals began to connect to the internet and as enterprises connected new types of devices.

“As the Internet of Things grows, we’ll see an order of magnitude increase in the number of connected devices,” says Zeus Kerravala, principal analyst at ZK Research.

Adding to the demand are always-on devices such as routers and broadband modems. Apple and Microsoft operating systems support IPv6; Apple requires IPv6-only support in new apps.

FAA, DISA Move Ahead on IPv6 Migrations 

Because agencies don’t receive funding earmarked for IPv6 migration, many use refresh cycles as the impetus for adoption. “It’s important that every time we buy a device that is IP-capable, it is also IPv6 compliant,” Jones says.

The Federal Aviation Administration, whose officials say they have enough IP addresses to meet their needs, has been moving incrementally to IPv6 adoption.

“We are enabling IPv6 at locations scheduled for bandwidth upgrades,” says James Stroiney, acting deputy CIO. “In many cases, that involves replacing the existing hardware with equipment that is IPv6-compatible.”

DISA follows a similar strategy, installing IPv6-compliant products as equipment reaches the end of refresh cycles, typically after five years.


Fortunately, it’s easy to find compatible networking devices. Switches and routers from Brocade, Cisco, Hewlett Packard Enterprise, Netgear and others support IPv6. But IT managers don’t take product specifications at face value.

“Different vendors achieve IPv6 compliance in different ways,” Jones says. “Agencies are encouraged to obtain Supplier’s Declaration of Conformity for their IT purchases and do their own testing to determine whether the vendor’s implementation meets their IPv6 requirements.”

For example, some IPv6 devices still rely on IPv4 during initial network configuration. NASA runs a dual-stack IPv4 and IPv6 network environment in parallel, but the ultimate goal is to move to IPv6-only.

“Before you start turning off IPv4, you really want to know your IPv6 infrastructure is solid,” Jones says. “IPv6-capable devices that require IPv4 to operate hamper efforts to move to IPv6-only.”

Agencies Must Consider IPv6 Network Security Issues

Security implications are another focal point. IT managers should examine their full networking environment, including firewall configurations, before introducing devices that support IPv6.

“Determine how IPv6 might change your configurations or how they may differ from how they handle IPv4,” DISA’s Place says. “Make adjustments now that a new protocol will be part of the traffic moving through your equipment.”

The analyses should consider security software to make sure existing applications are compatible with the new protocol. Network engineers may need additional training specific to IPv6.

“Now that we know the technical details of the protocol, we know it doesn’t just offer a bigger IP address,” Place says. “There are also inherent differences within the latest request for comment, which defines the protocol.”

The Internet Engineering Task Force has issued a series of draft standards over the past 18 years, culminating in RFC 8200, which for the first time defines a full internet standard.

“There are differences in the latest RFC that make proper training an important consideration,” Place says.

Why IPv6 Management Tools Are Critical 

Finally, IPv6 is making it simultaneously more difficult and more important to closely manage networks.

Agencies that haven’t adopted IP address management tools, or that rely on older applications, may need to make new investments as IPv6 rollouts increase.

“Managing IPv6 addresses is significantly more complicated than with IPv4 because of the longer addressing scheme,” says Kerravala.

The management tools perform a number of vital functions, including monitoring overall network performance, uncovering security flaws and tracking connected devices.

But many enterprises overlook those resources; 55 percent of the IT organizations Kerravala surveyed weren’t confident they knew what devices were attached to their networks.

“It’s becoming mandatory to have an IP address management infrastructure in place to accurately understand where your networking inventory is,” he says.

Network managers have many options to choose from, including IP address managers from Infoblox, Ipswitch, SolarWinds and Windows Server 2016.

“My advice is to put the management infrastructure in place today,” Kerravala says, “so you’ll be ready when the complete transition to IPv6 happens.”

John Lee
May 08 2018