While the vast majority of networks today are based on the IPv4 protocol, the U.S. government is mandating that defence and civilian agencies are ready to accept IPv6-based traffic as well by June 2008. Those guiding the effort know the transition won't be easy, especially given the lack of IPv6-based security products.
"Unfortunately, we're set to be the guinea pig," says Sheila Frankel, senior computer scientist at the National Institute of Standards and Technology (NIST). "Business will seriously be watching the government experience." Frankel is co-author of "A Profile for IPv6 in the U.S. Government -- Version 1.0," a NIST document that draws attention to the lack of IPv6-based security products, including firewalls, intrusion-detection systems and vulnerability-assessment tools on the market today.
With its charter to set standards for non-classified systems, NIST expects its role will be to set up a conformance-testing regime where independent accredited labs would review network-infrastructure equipment, such as routers and switches for IPv6 support. NIST also wants to set specific requirements for IPv6-based security equipment.
By this summer, says Frankel, NIST will issue for public comment a document titled "Secure Transition to IPv6." The NIST document would be intended to offer guidance to agencies about making the transition into what will be a new world where IPv4 and IPv6 must coexist. It will be a world of dual-stack protocols, IPv4-to-IPv6 and IPv6-to-IPv4 tunnelling. "For the civilian agencies, we have to express this coexistence," Frankel says. "Each carries a burden in terms of processing and security, and there are pros and cons of each approach."
It hasn't been determined whether it will be mandatory for vendors to pass IPv6-related conformance tests in order to sell to the federal agencies, or whether agencies would have to adhere to any proposed NIST IPv6/IPv4 coexistence approach. The final word on that would come from the White House Office of Management & Budget and the General Services Administration, Frankel notes.
The Defense Department has a product-testing regime in place for IPv6 interoperability at the Joint Interoperability Test Command (JITC) at Fort Huachuca, Ariz. The DoD's stated plan is to transition to IPv6 as a core protocol during 2008 and to purchase only IPv6-capable products.
"The DoD just grabbed 248 billion IPv6 address," says James Collins, research-and-development engineer at the Air Force Information Operations Center, who spoke on the topic at the RSA Conference in February. "The DoD needs the address space in support of the war fighter and 'net-centricity' on the battlefield, where everyone and everything has a network address." Collins said the military has a goal to be IPv6-ready in 2008, but he acknowledged it's a race against the clock.
The JITC has approved the first round of IPv6-capable products for host software, routers, Web browsers and mail clients, with Microsoft in the lead on applications and Juniper in routing (see chart). But nary a single evaluated security product has yet to appear.