Is IPv6 like the oil crisis of the 1970s? Much ado about nothing

It was a moment of unintentional irony when Col. Romel Jaramillo, the Defense Department’s IPv6 lead, said his office was busy implementing the third memo of this century from the Office of Management and Budget to move to the “new” network backbone.

Yes, the federal community has been talking about, and in some cases actually making real progress, moving to Internet Protocol version 6 (IPv6) since 2005.

Deadlines have come and gone. Working groups have stood up and quietly disappeared. Vendors and conference organizers have jumped on the IPv6 bandwagon and then jumped off it as quickly.

It’s almost been 16 years since OMB, the General Services Administration and network experts told us we would soon run out of IPv4 addresses and would be “forced” to move to IPv6.

Much like the oil crisis of the 1970s when we were all told we would eventually run out of oil and had to move to electric or natural gas powered cars, IPv4 continues to underlie most of the government’s network architectures.

But the question that still has yet to be answered, is the time to move to IPv6 with its better security, nearly unlimited IP addresses and all the other potential benefits going to take, or will we be talking about a fourth, fifth and sixth memo as we move later in the 2020s?

Maria Roat, the deputy federal chief information officer, said while new approaches and techniques have kept IPv4 viable over the last 16 years, the growth of devices and users will eventually bring a tipping point.

“In 2015, the last IPv4 address was issued,” Roat said at the recent IPv6 event hosted by GSA. “Today there are more users and devices connected to the internet than there are IPv4 addresses. Driven by the limitation of IPv4 to keep up with the continued growth of the internet, we need the security feature and performance of IPv6.”

Roat and her predecessors surely made similar comments back in 2005 and again in 2010.

It’s not that agencies haven’t made progress. Data from the National Institute of Standards and Technology demonstrates the last 16 years hasn’t been all talk.

Of the 25 CFO Act agencies, 12 have either all their domains IPv6 enabled or are in the process of making them enabled.

Source: NIST

But making a domain IPv6 enabled is one thing — moving totally away from IPv4 is a bigger lift.

Roat said OMB recognized that challenge in its November 2020 memo that detailed new deadlines, including the need to develop an agencywide IPv6 implementation team within 45 days, an agencywide policy within 180 days and to identify at least one pilot of an IPv6-only operational system by the end of fiscal 2021 and report the results to OMB.

The memo has a goal of having 80% of all IP-enabled assets operating in IPv6 only environments by the end of fiscal 2025.

“When you think about that in the planning and budget cycles, we already are moving into fiscal 2023 planning. We are looking at operating in [an] IPv6-only environment by [the] end of 2025 so this will require a multi-year effort,” she said. “This is not a CIO thing. This involves key stakeholders as well as industry, CFOs and others in the planning.”

Source: NIST

DoD and the IRS are among those agencies involving key stakeholders and are in the middle of the planning.

DoD’s Jaramillo said a new implementation memo should be ready in the next few weeks and a new IPv6 strategy should be completed by the end of the fiscal year.

“We are working to identify more pilots and have an IPv6 only pilot under development,” he said. “The implementation guidance and memo has resulted in a strategy, a DoD cybersecurity analysis report, the standup of a virtual project management office and component supported integrated product teams (IPTs), IPv6 language in the component’s planning guidance and some future funding via the component’s program objective memorandums and two DoD IPv6 workshops that develop [plans] for at least two pilots.”

Two of those pilots are with the Defense Logistics Agency and Strategic Command, both of which did limited deployment of IPv6. Jaramillo said the pilot proved tools and personnel can track IPv6 deployment.

The Defense Information Systems Agency also has enabled its core backbone to go IPv6-enabled.

Jaramillo also said all internet access points also are now enabled to support IPv6.

“Our cybersecurity service providers (CSSPs) and our tools are seeing IPv6. The concern previously is we were not ready to support IPv6. But I think the DLA pilot is helping to answer those concerns,” he said. “We are waiting on feedback on how leadership has seen those results. We [will] have more news by the end of the fiscal year.”

A June 2020 report on DoD’s implementation efforts from the Government Accountability Office found the Pentagon was missing three key pieces to its strategy, including a cost estimate, a risk analysis and an inventory of existing IP compliant devices and technologies.

IRS focused on applications

The IRS, meanwhile, has been working on the move to IP6 since at least 2012. A 2014 report from the Treasury Inspector General for Tax Administration found the tax agency struggled with its initial planning.

Scott Morizot, an IRS application developer and technical lead for IPv6 transition, said at the GSA event that since 2016 the agency made significant progress.

“Our internet sites and services are IPv6 enabled. Internal service accessing internet are IPv6 enabled. We have IPv6 deployed throughout our enterprise network, wide-area network and local-area network configuration. Our WAN covers 500-plus sites, both small and large, and that has been deployed since 2016,” Morizot said. “The clients on our network are primarily Windows 10 and they are all dual-stacked everywhere they connect wired and wireless. Our remote virtual private network (VPN) can connect over IPv4 or IPv6, whichever is available for them. They prefer IPv6 if they have it available to establish the tunnel.”

Additionally, the IRS is moving applications and the servers which they are running on. He said this is much more difficult than many believe.

“Every application will behave differently. You need to have your people look at it and prepare for enabling IPv6 on the servers supporting your applications and within your application configuration,” Morizot said. “What we did and have been doing since 2013 is communicating to staff and the contracts they run some of the basic principles of IPv6 requirements.  We have long sessions we have provided to them. We have issued data calls and have then assessed their readiness to implement IPv6. At this point with IPv6 deployed down to the clients, we are now moving into the widespread point where we are enabling IPv6 across our application infrastructure. We will be doing that for the next 18 months.”

Like the IRS and DoD, the next 12-to-18 months will, once again, demonstrate whether agencies are taking this latest deadline seriously. Previously, agencies have struggled because of a lack of real urgency. So OMB must figure out what the pressure points are to make IPv6 more than a futuristic talking point.

Related Stories