Lost in Transition

Agencies are entering largely uncharted territory as they make plans for transitioning network backbones to the next version of the Internet Protocols. But they are making progress.Throughout February, the Federal CIO Council's IPv6 working group met with various transition leaders to help clarify what the Office of Management and Budget expected to see in documents due at the end of that month. OMB had asked agencies to submit transition plans and status updates, using enterprise architecture as a planning framework.Just a day before the Feb. 28 deadline, NASA chief technology officer and head of the IPv6 working group John McManus said questions still lingered about what OMB wanted.'I think most agencies are starting to close the gap,' McManus said. 'But some agencies were hard pressed about what they had to deliver to OMB.'Still, they delivered. And the transition to IPv6 rolls on. An OMB official said 25 of 26 scorecard agencies submitted the required documents on time.'There were several small agencies that did not submit their IPv6 transition plans and progress reports,' the official said. But some of that is due to the fact that some small agencies don't actually own their networks. 'A number of the small agencies receive their network access and support through service providers, and OMB is working to provide additional guidance to these agencies.'The variety of ways agencies can provision network services underscores the complexity of spelling out IPv6 transition programs. But although there may still be short-term confusion, 'we have a much better understanding of what is required for 2008,' McManus said. In that year, according to OMB, network backbones must be running IPv6.Not everything is crystal clear. There still is debate about just what 'backbone' means, said Walt Grabowski, senior director of telecommunications for SI International Inc. of Reston, Va., the company managing the Defense Department's transition. And if they aren't sure what backbone they must transition, the definition of success in 2008 remains fuzzy.The consensus in government and industry is that the 2008 deadline is aggressive but doable.'OMB has been positively relentless in pushing forward with Version 6,' Grabowski said. 'At the end of the day, if you don't put a date out there, nothing would happen.''It's hard to gauge at the beginning of 2006' whether the three-year process is on track, said Tom Patterson, CEO of Command Information Inc. of Herndon, Va., which provides IPv6 training and planning. But there is time, he added.The Internet Protocols are a set of rules defining how networked computers communicate. IP networks have become essential for government and private-sector operations. But weaknesses in the current IPv4 have led to a growing interest in IPv6, which promises improved security, simplified network operations and easier mobile connections.Karen Evans, administrator of OMB's Office of E-Government and IT, announced in June 2005 that agencies would have to be running IPv6 on their backbones by June 2008. DOD had made a similar commitment two years earlier.'OMB is in the process of reviewing the Feb. 28 submissions,' the OMB official said. 'We may release certain information as necessary once the review is complete.'Experts say plans at this point are not likely to be very detailed, but there are paths agencies could take as they migrate networks.'I think we are starting to narrow it down to a reasonable range of options,' McManus said.Because IPv4 is not expected to disappear anytime soon, agencies have three basic goals they can shoot for:'These are pretty common, but agencies get their network services in a number of ways,' McManus said. Some larger agencies such as NASA provide their own networks, while some smaller agencies buy network access from an Internet service provider.'The steps we need to take are different from those agencies buying managed services,' he said.Agencies also are supposed to be considering how they will actually use IPv6 once it is available. This is an important step, but one that many find difficult in the rush to make the transition.Ciprian Popoviciu of Cisco Corp.'s network solutions integration test engineering group, calls the transition to IPv6 an inflection point that will determine the structure of IT infrastructures well into the future.'You should think of migration in terms of building your network as you would like it to be,' advised Popoviciu, co-author of the book Deploying IPv6 Networks.Administrators also need to benchmark existing network performance to ensure that performance from IPv6 is at least that good in the short term. 'These kinds of considerations will define what you need in your next purchase order.'Failure to do this planning is one of the significant risks identified in a recent Commerce Department report on the technical and economic impact of IPv6.Adopting IPv6 without 'adequate technical and business-case planning could result in unnecessary costs and reduced IT security,' the report warned.The National Institute of Standards and Technology and the National Telecommunications and Information Administration concluded in the report that 'all things being equal, IPv6-based networks would be superior to IPv4-based networks.'But all things are not equal, and this complicates the task of creating a business case for the transition. The lack of a killer application to drive the adoption of IPv6 and the added administrative overhead of running both IP versions leave many in government doubting the value of transition.'It still is important to get the idea of the benefits across,' said Alan Sekelsky, director of IP engineering for SI International. One of the strongest drivers for adopting Version 6 will be IP convergence'the merger of voice, video and data on a single network for access through a single device. 'I don't think a lot of people have made the connection of how fundamental IPv6 is to that.''Our networks will be ready at 2008,' NASA's McManus said, but beyond that, each agency will have to make its own decision on how the new networks will be used. 'The business case of when to turn on IPv6 and how quickly it replaces Version 4 will be done on a network-by-network basis.'Many benefits, included avoidance of lost opportunities, are hard to quantify, he said.But if the benefits are still hazy, some risks are better defined.'Address space allocation and management is going to be a challenge, and doing the transition securely is going to be a challenge,' McManus said.Managing addresses is complicated by the fact that there are so many of them under IPv6. Techniques used to manage IPv4 networks do not work well, and maybe not at all.'Managing IP inventories becomes a huge problem,' said David Berg, director of product management for BlueCat Networks Inc. of Toronto.The company recently announced the Proteus IP Address Management Appliance, which helps enterprises manage Domain Name Services and Dynamic Host Configuration Protocol in the IPv4 environment. But customers already are asking for help with the new protocols.'We're starting to see more and more bids where we're being asked to offer an IPv6 road map,' Berg said. 'We're currently working with our accounts in the military and the Asia-Pacific region to implement the IPv6 module.'The problem is not only in managing the new IPv6 network; keeping track of what is on the current network is also a challenge. Agencies must now buy only IPv6-capable products, and the NIST/NTIA report estimated that one-third of desktop PCs now deployed in the United States are IPv6 capable. Identifying and managing this equipment is a crucial early step in planning a transition.Lumeta Corp. of Somerset, N.J., provides network discovery tools for infrastructure management. Chief architect Karl Siil was recently tasked by a federal CIO with finding the agency's IPv6 equipment.'His concern was, 'What's running Version 6 right now that I'm not aware of?'' Siil said. 'This is the first time we've been asked to do this.'Because of the huge address space, the kind of brute-force scanning used in IPv4 discovery is not practical, and new techniques have to be found for IPv6.'The routers know what they're routing, so the key is to ask the routers,' Siil said.All of which points to the need to train network administrators, operators and end users to deal with the new protocols. According to NIST and NTIA, the cost of labor will dwarf hardware and software costs in the transition, accounting for 70 percent of transition costs in large enterprises. Training probably will account for most of the labor costs. But this need not create a budget crisis.'Training and education is critical,' said Patterson of Command Information. 'But it is not necessarily a new budget item,' because training should be an ongoing activity.DOD is already using Command Info courseware. The company plans to expand by opening a full-time IPv6 training center in the Washington area this year.'We want to go into an agency that doesn't have new education money and offer them what they need,' Patterson said. 'Security officers always have to get training for any new technology, so we don't think it needs to be a new appropriation from Congress.'McManus said the amount of training required would vary greatly from agency to agency, depending on size, network services and how quickly IPv6 is phased in.But an emerging generation of mobile products makes delaying the switch to the new protocols risky, he said. He pointed to the rapid adoption of handheld mobile e-mail devices in NASA's Washington headquarters as an example. He said he's already worried about the next hot product.'The first one that shows up IPv6-only is going to cause me an issue if I'm not ready to handle IPv6 traffic,' McManus said. 'If the next hot device is IPv6-only, I'm going to be telling my users my network can't support it. I don't want to be the person who has to say that.'