This tip is a part of the SearchSecurity.com mini learning guide, IPv6 tutorial: Understanding IPv6 security issues, threats, defenses.
The heat is on federal agencies to transition to Internet Protocol version 6 (IPv6) within the next 18 months as IPv4 address exhaustion approaches. That also means agency managers have to think about security vulnerabilities and threats as they migrate from IPv4 to IPv6.
"The Internet protocol pervades every aspect of computer communications, so deploying IPv6 is a major task," said Sheila Frankel, lead author of the National Institute of Standards and Technology's just-released Guidelines for the Secure Deployment of IPv6 (SP 800-119). "Organizations will be running two protocols, [and] that increases complexity, which in turn creates security challenges." Because IPv6 isn't backwards compatible with IPv4, agencies will have to dual stack their systems to run both protocols during the IPv6 transition.
Agencies have faced government milestones on IPv6 since 2005, when the Office of Management and Budget issued its first mandate on transitioning to the new protocol. That same year, the Government Accountability Office cautioned in a report that agencies must address security issues and manage security risks in the transition to IPv6.
While agencies largely met OMB's 2008 deadline to enable their network backbone routers to handle IPv6, progress since then has been desultory. Some agencies have made significant strides in deploying the new protocol; others have lagged behind.
IPv4 address exhaustion coming
"After the 2008 milestone, many assumed that IPv6 transition would gather momentum on its own," said Doug Montgomery, manager of the Internet and Scalable Systems Research Group at NIST. "In truth, for most [agencies], the criticality of address exhaustion from 2005 until now probably wasn't high on their radar screen. Most people were dealing with much more short-term issues."
But the government effort has taken on a new urgency as experts predict IPv4 address exhaustion within two years. As a result, agencies are staring into the teeth of newly mandated OMB deadlines on IPv6, which dramatically increases the available Internet address space.
In a memorandum last September to chief information officers, federal CIO Vivek Kundra ordered agencies to upgrade external or public-facing servers and services—such as Web, e-mail and domain name system services—to operationally use IPv6 by the end of fiscal year 2012, or September 2012. Moreover, by the end of fiscal 2014, agencies must have upgraded internal client applications that communicate with public Internet servers and supporting enterprise networks to the operational use of IPv6.
Kundra also explained that the stepped-up transition to IPv6 is imperative in order to enable "ubiquitous" cybersecurity services for end-to-end network communications that will serve as the foundation for securing future federal IT systems.
Peter Tseronis, associate CIO at the Energy Department and chairman of the federal CIO Council's IPv6 task force, said the time for talking about the transition is over. "They have a clear mandate to meet by 2012," he said. "We have to do something technical now. It's time for execution and deployment."
"The onus is on the agencies, the carriers and the service providers to make it happen," he told a recent meeting of the Association for Federal Information Resource Management.
It's also up to agencies to take a hard look at security issues generated by the transition. While most agencies aren't ready for operational deployment of IPv6, hackers have been IPv6 ready for years, sources warned.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in February 2011