Agencies, don't forget to turn off IPv4 on your way out
As agencies prepare for the IPv6 deadline, the Veterans Affairs Department plans to avoid one security problem by turning off IPv4 the day after, something other departments could watch and learn from.
Shutting down IPv4 is the logical next and final step in the government’s transition to IPv6, and at least one agency is making plans for it. The Veterans Affairs Department has alerted IT managers that unless they get a waiver from the CIO, they will have to stop using IPv4 on Oct. 1, 2014, the day after the deadline for enabling the new Internet Protocols.
“Leaving IPv4 on forever is going to introduce a security problem,” VA transition manager Steve Pirzchalski said at a recent conference sponsored by the Digital Government Institute.
Effective enterprise security requires a single set of security policies and services that can only be applied across a single, unified network. Maintaining two sets of protocols effectively means operating and securing two networks.
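The "two networks" problem is concrete: a host running dual-stack has one firewall policy for IPv4 and a second, separately maintained one for IPv6, and the two drift apart. The following script is an added illustration, not code from the article, from VA or from any vendor quoted here. It parses a simplified, iptables-save style subset of rules (only `-A`, `-p`, `--dport` and `-j`, an assumption of this example) from constructed IPv4 and IPv6 rule sets and reports where the IPv6 policy is missing rules, contradicts the IPv4 policy, or lacks a catch-all deny. An allowlist covers asymmetries that are expected on IPv6, such as ICMPv6, which the protocol depends on for neighbor discovery.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample policies, deliberately out of sync: IPv6 opens 8080,
# which IPv4 blocks, and IPv6 has no final catch-all DROP at all.
IPV4_RULES = """
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j DROP
-A INPUT -j DROP
"""

IPV6_RULES = """
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
"""

# Asymmetries that are legitimate on IPv6 and should not be flagged
# (constructed allowlist; ICMPv6 is required for neighbor discovery).
EXPECTED_V6_ONLY = {("INPUT", "ipv6-icmp", None)}

# Supported subset of iptables-save syntax (assumption of this example).
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)"
    r"(?:\s+-p\s+(?P<proto>\S+))?"
    r"(?:\s+--dport\s+(?P<dport>\d+))?"
    r"\s+-j\s+(?P<target>\S+)\s*$"
)

Key = Tuple[str, Optional[str], Optional[int]]  # (chain, proto, dport)


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: Optional[str]
    dport: Optional[int]
    target: str

    @property
    def key(self) -> Key:
        return (self.chain, self.proto, self.dport)


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; unsupported syntax raises rather than being silently ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        dport = int(m["dport"]) if m["dport"] else None
        rules.append(Rule(m["chain"], m["proto"], dport, m["target"]))
    return rules


def effective_targets(rules: List[Rule]) -> Dict[Key, str]:
    """First matching rule wins for a given match key, mirroring netfilter ordering."""
    table: Dict[Key, str] = {}
    for r in rules:
        table.setdefault(r.key, r.target)
    return table


def describe(key: Key) -> str:
    chain, proto, dport = key
    return f"{chain} {proto or 'any'}/{dport or 'any'}"


def compare_policies(v4_text: str, v6_text: str) -> Dict[str, List[str]]:
    """Report where the IPv6 policy diverges from the IPv4 policy."""
    v4 = effective_targets(parse_rules(v4_text))
    v6 = effective_targets(parse_rules(v6_text))
    findings: Dict[str, List[str]] = {
        "missing_in_v6": [], "missing_in_v4": [], "divergent": [], "no_default_deny": []
    }
    for key, target in v4.items():
        if key not in v6:
            findings["missing_in_v6"].append(f"{describe(key)} -> {target}")
        elif v6[key] != target:
            findings["divergent"].append(f"{describe(key)}: v4={target} v6={v6[key]}")
    for key in v6:
        if key not in v4 and key not in EXPECTED_V6_ONLY:
            findings["missing_in_v4"].append(f"{describe(key)} -> {v6[key]}")
    # Each chain in each family should end in a catch-all DROP/REJECT.
    chains = sorted({k[0] for k in v4} | {k[0] for k in v6})
    for family, table in (("v4", v4), ("v6", v6)):
        for chain in chains:
            if table.get((chain, None, None)) not in ("DROP", "REJECT"):
                findings["no_default_deny"].append(f"{family}:{chain}")
    return findings


if __name__ == "__main__":
    for category, items in compare_policies(IPV4_RULES, IPV6_RULES).items():
        for item in items:
            print(f"{category}: {item}")
```

Run against real hosts by feeding it the output of `iptables-save` and `ip6tables-save`, extending the regex as the policy requires; the point is that parity between the two families has to be checked explicitly, because nothing in a dual-stack host enforces it.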
It is a bold step and one that agencies need to plan for, but agencies also need to understand that simply turning off IPv4 will not ensure security. It will be merely one step in a challenging process of securing a new set of protocols for which there is precious little real-world experience at the moment and which will require close collaboration between agencies and their IT vendors.
VA is drawing a line in the sand now that gives it three years to gain experience and to bring users, administrators and vendors up to speed on the challenges and requirements for using and securing IPv6.
Although it is not new, IPv6 is only now beginning to be forced into general use by the exhaustion of the old IPv4 address space. Even those enterprises that still have plenty of the old addresses available will have to adopt the new protocols to effectively accommodate the growing number of users who will be on IPv6.
The two protocols are likely to coexist for some time, but if IPv6 does not achieve parity with the older protocols — both in deployment and efficiency — the gateways where traffic is tunneled or translated are likely to become bottlenecks.
Many vendors, particularly for networking equipment, have been making their products capable of handling IPv6 for years.
“To a large extent the infrastructure is ready,” said Cisco’s Alain Fiocco, head of the Network Operation Systems Technology Group’s IPv6 program. “It’s a matter of turning it on and doing the architecture.”
But in reality there is more to it than that. Even if products can handle IPv6, nobody really knows how it will work in the real world under heavy demand. So far there has been little real-world deployment and no heavy demand. IPv6 packets represent much less than 1 percent of Internet traffic today. Laboratory and test-bed trials are necessary and useful for the new infrastructure, but there are likely to be many bugs and idiosyncrasies that will not reveal themselves until the protocols are in general use.
And for every switch or router that is IPv6-ready, there are scores of devices that aren’t. “Many are making progress, but vendors are lagging behind with IPv6 compatibility and we need that to change,” said Interior Department transition manager Tim Quinn. “Vendors need to be involved” with agency transition plans.
As far as can be told from laboratory work and large-scale tests such as last summer’s World IPv6 Day, the new protocols work. But there are bound to be some surprises as they are put into general use. Gaining as much experience with them now will make the task of securing IPv6 networks easier.
Not every agency will or should plan to go cold turkey in the switch to IPv6 on Oct. 1, 2014. But VA’s efforts to live in and secure this new networking environment should help to provide a body of experience and best practices that other agencies should take advantage of.