Mar 18 2021
Internet

How to Make Progress on Implementing IPv6 in Government

Agencies should be moving to IPv6-only environments and shutting off IPv4 devices and networks.

Every internet-connected device a federal agency deploys, whether a smartphone, tablet, laptop or sensor, needs to have an IP address. Increasingly, such devices have IP addresses that run on the IPv6 protocol, the most recent version of the Internet Protocol defined by the Internet Engineering Task Force.

For more than 15 years, the federal government has been aiming to transition agencies from the older generation of IPv4 onto IPv6. The push on an IPv6 government mandate picked up some urgency in November, when the Office of Management and Budget issued a memorandum on completing the transition.

“OMB previously issued policy discussing the expectation for agencies to run dual stack (IPv4 and IPv6) into the foreseeable future; however, in recent years it has become clear that this approach is overly complex to maintain and unnecessary,” the memo states. “As a result, standards bodies and leading technology companies began migrating toward IPv6-only deployments, thereby eliminating complexity, operational cost, and threat vectors associated with operating two network protocols.”

The memo lays out specific guidance for agencies. As FedScoop reports:

The memo requires every agency to create a team of acquisition, policy and technical staff or another governance method within 45 days to enforce IPv6 efforts, issue and publicize a policy within 180 days, and ensure all new systems are IPv6-enabled by fiscal 2023.

The memo followed OMB directives from March 2020 that laid out specific goals for transitioning to IPv6-only environments. As Nextgov reports, OMB mandated that agencies develop plans to have at least 20 percent of IP-enabled assets on federal networks using IPv6-only by the end of fiscal 2023, at least 50 percent by 2024 and at least 80 percent by 2025.

Doug Montgomery, manager of internet and scalable systems research at the National Institute of Standards and Technology (NIST), says those goals are “aggressive, but they are realistic.”

IPv6 vs. IPv4

IPv6 is a “new, reasonably ground-up design of a replacement for IPv4,” Montgomery says. Back in the early 1990s, those watching the nascent internet grow were quick to discern that IPv4 would exhaust the available IP addresses, he says.

As Juniper Networks notes on its website, there are numerous technical differences between IPv4 and IPv6, including “more efficient routing without fragmenting packets,” built-in quality of service to distinguish “delay-sensitive packets,” elimination of network address translation to extend address space from 32 bits to 128 bits, built-in network-layer security, “stateless address auto-configuration for easier network administration” and “improved header structure with less processing overhead.”

In 2005, OMB set June 2008 as the date by which all agencies’ network backbones would need to use IPv6 and mandated that agency networks must interface with the new infrastructure. In 2010, OMB directed agencies to “upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) to operationally use native IPv6” by the end of fiscal year 2012 and “upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014.”

In 2010, Montgomery says, the government was an early adopter of the IPv6 transition. “We really pushed the envelope back in 2010 to have the government be the catalyst in the IPv6 deployments initiative,” he says.

IPv6 has numerous advantages over IPv4, making it something of a no-brainer for agencies and other organizations to transition to the newer technology. As Nextgov notes, IPv6 enables more than 340 undecillion IP addresses, an exponentially larger amount than the roughly 4.3 billion supported on IPv4.

IPv6 is where innovation is happening in the IP space, since IPv4 is a legacy protocol that no one is investing in anymore. “If you’ve wanted to enable innovation and do things with the Internet of Things, for example, in sensors and mobile devices and really have a modern networking component as part of your agency’s mission, you really need to get to IPv6,” says Vijay D’Souza, a director in the Government Accountability Office’s IT and cybersecurity team.

Running two IP stacks is also complex and can introduce security risks, Montgomery says, because it increases the attack surface for malicious actors to target. D’Souza notes that transitioning to IPv6 is not a panacea in terms of cybersecurity.

“There are some characteristics of IPv6 where certain aspects of security can be built in, but I wouldn’t say as a blanket statement that moving to IPv6 increases security, because you still have to know how to configure all those things,” he says. “They don’t arrive preconfigured in the most secure manner.”

Another reason to move to IPv6, D’Souza says, is interoperability. The rest of the world is moving to IPv6, and federal agencies need to communicate with agencies and organizations across the rest of the world.

EXPLORE: What security controls are needed for 5G networks?

What Is the Government Mandate on an IPv6 Transition?

The November OMB memo on IPv6 called for agencies to designate an agencywide IPv6 integrated project team, including personnel from acquisition, policy and technical areas, or some other governance structure, “to effectively govern and enforce IPv6 efforts.”

Vijay D’Souza
If you’ve wanted to enable innovation and do things with the Internet of Things ... and really have a modern networking component as part of your agency’s mission, you really need to get to IPv6.”

Vijay D’Souza Director, Government Accountability Office’s IT and cybersecurity team.

Agencies were also told to issue and make available on their websites an agencywide IPv6 policy that requires that, no later than fiscal 2023, “all new networked Federal information systems are IPv6-enabled at the time of deployment, and state the agency’s strategic intent to phase out the use of IPv4 for all systems.”

In addition to developing a plan for the aforementioned milestones, OMB required agencies to “identify opportunities for IPv6 pilots and complete at least one pilot of an IPv6-only operational system by the end of FY 2021 and report the results of the pilot to OMB upon request.”

The memo directed agencies to “work with external partners to identify systems that interface with networked Federal information systems and develop plans to migrate all such network interfaces to the use of IPv6.”

Agencies must also “complete the upgrade of public/external facing servers and services (e.g., web, email, DNS, and ISP services) and internal client applications that communicate with public Internet services and supporting enterprise networks to operationally use native IPv6.”

What will make the transition easier, Montgomery says, is that all new laptops, smartphones, servers and other IP-connected devices come with IPv6 capabilities installed.

The step that involves turning off IPv4-enabled devices and equipment is aggressive, Montgomery says. However, before the memo was introduced, NIST had been reaching out to device vendors, ISPs, cloud service providers and others to let them know that it was the government’s intended direction. The goal is to reduce complexity and costs, and NIST received positive feedback from the IT community, including large vendors such as Cisco SystemsMicrosoft and IBM, which are themselves pushing for a transition to IPv6.

MORE FROM FEDTECH: How does DNS security help agencies protect themselves?

Transition Strategies from IPv4 to IPv6

According to NIST, 41 percent of U.S. government IPv6-enabled domains are operational, and an additional 45 percent are in progress. About 64 percent of U.S. government IPv6-enabled services are operational.

The first step in a successful transition to IPv6, Montgomery says, is to make sure all services and systems are IPv6-enabled and to operate in a dual-stack, IPv4/IPv6 environment. Then, IT leaders and managers need to make sure it is technically feasible to turn off the IPv4 capability.

Such changes cannot be synchronized all at once with a “magic wand,” Montgomery says. Some pockets of users and devices may still be running on IPv4 even after agency systems move to IPv6.

D’Souza says agency plans for IPv6 are realistic, and the plans consider not just technical issues but nontechnical ones, including training and procurement. The General Services Administration has an IPv6 transition best practices website that agencies can use.

In terms of procurement, a 2020 OMB memo calls for agencies to “continue to include explicit requirements for IPv6 capabilities in all acquisitions of common networked information technology and services.” That includes “specifying the need for hardware and software to be capable of operating in an IPv6-only environment (as opposed to dual-stack) in acquisitions going forward.”

Agencies should also leverage NIST’s USGv6 profile, which “includes a forward-looking set of protocol specifications published by the Internet Engineering Task Force (IETF), encompassing basic IPv6 functionality, and specific requirements and key optional capabilities for routing, security, multicast, network management, and quality of service.”

kanawatvector/Getty Images
Close

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.