Realizing the benefits of IPv6 will take time

There are a lot of reasons for using version 6 of the Internet Protocols: Expanded address space, simplified management, improved security. But for federal network managers, all these arguments have been trumped by commandments handed down from the Defense Department and the Office of Management and Budget: Thou shalt move to IPv6.So, now that you're committed, how do you take advantage of the benefits offered by the new protocols after you've made the move? It's a question that has not been adequately answered and will persist throughout the year as agencies begin migrating their infrastructure. Where is the low-hanging fruit?'There's not a lot of it,' said Tony Hain, senior technical leader at Cisco Systems Inc. 'Most of the fruit is long-term.' This comes from a company that stands to benefit from widespread network overhauls.'In the near term, you're not going to see any efficiencies,' said Leslie Allen, a senior associate with Booz Allen Hamilton Inc. of McLean, Va., who is advising agencies on the transition. 'That will be five or six years down the road.'At the Commerce Department, the transition team is keeping its focus on that long term.'The primary benefit now is being ready for the future,' said Commerce project manager John Gavin. As yet, there is no killer application for the new protocols. But, 'we don't want to wait until we have to support an application. We want to be ready when the application is there.'Being ready will require more than just turning IPv6 on in the equipment you've installed. 'You can end up building the same network you have today, with the same networking issues you have today,' Hain said. 'You have to step back and say, 'What kind of network do I want to have?''Planning your IPv6 network is complicated by the fact that the new protocols still are a work in progress. The Internet Engineering Task Force has completed more than 100 standards defining the protocols and six active IETF working groups are still producing new standards.And there is the fact that legacy technologies, including the current IP version, won't disappear overnight.'We are contemplating an Internet that for the next 10 to 20 years, and maybe indefinitely, both IPv4 and IPv6 will coexist,' said Sheila Frankel, a computer scientist at the National Institute of Standards and Technology.Operating a dual-stack network to accommodate both versions will be more expensive and probably require more people than running either version alone. As functionality shifts from IPv4 to IPv6, network architecture will have to evolve, network management must be redesigned and routing protocols changed. This will put a strain on many organizations, said John Feeney, principal at Booz Allen.'Most IT organizations are staffed for steady-state operations,' rather than for change, Feeney said. 'Tech refresh can provide the infrastructure, but taking advantage of it will require effort.'IT experts say that the primary costs of moving to IPv6 will be in training and manpower for testing and operations, rather than in equipment.Some of the folks with the most practical experience in IPv6 are at the University of New Hampshire's Interoperability Lab, which operates Moonv6, a test bed billed as the world's largest native IPv6 network. Moonv6 is a collaborative effort between the university, the Defense Information Systems Agency's Joint Interoperability Test Command and the North American IPv6 Task Force. Moonv6 tests have focused so far on the network infrastructure, said Ben Schultz, a managing engineer in the lab.'We know these things are working between hosts and routers,' Schultz said. 'How do we extend that?'The answer is: very carefully. Little is known about the actual performance of network devices and applications running IPv6 in the real world.'The more I test it, the more I see that people need to be conservative,' Schultz said. 'If they are conservative in deploying IPv6, there will be a minimum of problems in the short run.'Will IPv6 be ready for prime time by 2008, when government backbones are scheduled to be using it?'I think that it will be for many pieces,' Schultz said. 'As the market demand increases, the development speed will increase.'Because of the nearly unlimited number of addresses available in IPv6, simplifying addressing schemes and routing policies offers the possibility of early returns on IPv6 investment.'I think that is going to be a huge benefit to IT managers,' Feeney said. 'This is going to help them clean up the convoluted addressing schemes they now have, which are probably ad hoc composites that they inherited rather than planned.'But advantages will be offset by the fact that the old schemes are going to have to be maintained as long as you have applications living in the IPv4 world.Autoconfiguration also offers some near-term benefits. In Japan, where a broad move to IPv6 already is under way, savings have been realized by users of voice over IP, in which telephone systems use IP data networks.'They saw their network management costs go down because they didn't have to configure each phone,' Schultz said.Autoconfiguration is a potentially powerful function in IPv6. It can be implemented using version 6 of the Dynamic Host Configuration Protocol, which automatically assigns IP addresses when devices sign on to the network, Feeney said.'You have to design your network and plan for that to be embedded,' he said.No one would like to promote VOIP more than Cisco, which sells VOIP phones and networking devices. But Cisco's Hain warns that autoconfiguration can come at a price. Existing network security policies might not allow autoconfiguration, so security policies might have to be adjusted before that feature can be used.'You can operate it either way, but the planners have to be thinking about these things fairly early on,' he said.IPv6 could also make it easier to use peer-to-peer connections for applications such as videoconferencing and training, freeing the network from its current reliance on client-server architecture.'Application developers have been artificially limited' by client-server architectures, Hain said. In many cases, this is an efficient approach, but applications can be revisited to see if there are more efficient options.Once again, there could be trade-offs. Peer-to-peer applications of- ten are prevented or complicated by network address translation, a technology used to stretch limited IPv4 address space. IPv6 could theoretically make NAT unnecessary. But some administrators like NAT because it helps shield networks from outside observation, and taking away NAT could make the network more visible to unwelcome visitors.IPv6 offers ways to make your network less visible without NAT, but once again, there are trade-offs. Because of the huge address space available in IPv6, it could take 5,000 years for a worm or hacker to scan a small subnet if addresses are assigned randomly, rather than sequentially, within that space.'You essentially neutralize attacks that do brute force scanning of the subnet,' Hain said. 'The downside is that your management tools that scan to see if unauthorized spaces are being used will take 5,000 years, too.'In time, both legitimate and illegitimate tools will be developed to overcome this and other hurdles, experts say. But there still is a lot of work to be done on IPv6 applications and tools before you will be able to take full advantage of a simpler network infrastructure and greater functionality with the new protocols.'IPv6 from the networking point of view is no big trick. We've been doing it for years,' said Marlin Forbes, vice president of international markets for MCI Inc. 'The real kicker is going to be at layer 7, the gee-whiz apps. Once version 6 is out there and has proven its worth, it will take off like gangbusters.'But between the initial switch to IPv6 and the realization of its full potential, Schultz said, 'there is a barrier of entry that will have to be crossed.' n