DOD is developing a roadmap for getting to IPv6
DOD networks will have to demonstrate that they are capable of running securely and reliably under IP Version 6.
Defense Department networks will have to demonstrate that they are capable of running securely and reliably under IP Version 6 before receiving approval to use the new protocols.
The deadline for moving to the new version of the Internet Protocol is 2008. Until then, IPv6 will be restricted to early adopter environments and will not be allowed on operational DOD networks. The DOD IPv6 Transition Office is developing guidelines to help networks get approval to operate.
Networks will receive authorizations to run at two levels before proceeding to the first level of operational capability, said James Schifalacqua, part of the Transition Office support team from SI International Inc. Information assurance will be a key element in receiving authorization to operate, Schifalacqua said Thursday at the U.S. IPv6 Summit in Reston, Va.
Developing a process for risk management will be the key element in getting authorization to operate with IPv6, he said.
'It's not the technology, it's the process,' he said. Not all risk on the network has to be eliminated, but administrators must be able to document how risks are analyzed and managed.
Much of the process will be standard risk management, applied to IPv6, Schifalacqua said. Some elements will be specific to the features of the new protocols, such as mobile networking.
'Mobility has a lot of possible vulnerabilities,' he said. 'Most of them involve integrating and authentication.'
The first level of authority to operate will be for isolated IPv6 enclaves that will not be sending packets to the outside. The rule of thumb for this level is 'do no harm,' Schifalacqua said. These enclaves must have the same basic information assurance features as an IPv4 network, including packet filtering, firewalls and network intrusion detection.
The next level of authorization will be for Version 6 enclaves that will communicate with other network elements. These will require more extensive information assurance features, including methods of mitigating risk in dual stacks running both IP versions 4 and 6 and in tunneling packets from one version through another.
The first level of operational capability, which must be reached by 2008, was described as parity with IPv4. The new version will be running, but with essentially the same capabilities as current IPv4 networks. Additional capabilities unique to IPv6 will be added in the second level of operational capabilities.
The Transition Office plans to offer help to networks in achieving authorization. Staff member Marty Beckman said the office is readying a testbed network that DOD agencies will be welcome to connect with. It will have DNS servers with dual stacks for both IPv4 and IPv6 for the ipv6.mil domain. It also will enable voice over IPv6.
The service will be free, but agencies will have to pay for their own connections to the node. The initial testbed core will be at Falls Church, Va. Plans call for extending it with cores at Scott Air Force Base in Illinois, Peterson Air Force Base in Colorado, and the Marine Corps base in San Diego.
The Transition Office also plans to establish an IPv6 training center for DOD and other government personnel, Beckman said. Cost is expected to be about $250 per person for a week of instruction, he said.