Feds strike deal on IPv6 testing

Cisco pushed for self-certification, while labs wanted third-party testing requirement

The U.S. government has reportedly struck a compromise between network vendors and independent test labs with its plan to launch a comprehensive product testing program for IPv6, the next-generation Internet Protocol.

The USGv6 Test Program, run by the National Institute of Standards and Technology, requires all network hardware and software vendors to pass IPv6 compliance and interoperability tests before they can sell their wares to the U.S. federal government, which is the world’s largest IT market.

The target date for network vendors to conform with NIST’s IPv6 test suite is July 2010.

Network vendors such as Cisco were pushing for the ability to certify their own products as complying with the USGv6 Test Program, while independent test labs such as the University of New Hampshire InterOperability Laboratory and ICSA Labs wanted a role in the program.

NIST has decided that vendors will be allowed to run IPv6 compliance tests in their own labs as long as the labs are accredited by NIST, but they must run IPv6 interoperability testing in someone else's lab.

``There's been a lot of discussions with vendors about what they will be required to do, what needs to be done in-house versus in outside labs,’’ says Erica Johnson, Director of UNH-IOL. ``The way that the NIST profile is going to work is that conformance testing can be done in an accredited first-party [vendor], second-party [buyer] or third-party [independent] lab...But the interoperability testing must be done in a second-party or third-party lab.’’

NIST will use the ISO 17025 accreditation process for vendor, buyer and independent labs.

``The compromise is that NIST will allow self-certification for conformance testing as long as the vendor becomes accredited to maintain the integrity of the testing,’’ Johnson said. ``They’ll use the same test spec and will be getting the same results.’’

NIST is expected to publish this week [July 31] the final version of its IPv6 test specifications, known as Special Publication 500-273, which will include this delineation of testing duties between vendors and outside labs.

IPv6 is the long-anticipated upgrade to the Internet's main communications protocol, known as IPv4. IPv6 features vastly more address space, built-in security and enhanced support for streaming media and peer-to-peer applications. Available for a decade, IPv6 has been slow to catch on in the United States. Now that unallocated IPv4 addresses are expected to run out in 2011, the pressure is on U.S. carriers, corporations and government agencies to deploy IPv6 in the next few years.

The compromise on the U.S. federal government’s IPv6 testing requirements is good news for vendors such as Cisco, which has been pushing for self-assessment in the USGv6 Test Program.

``The simpler it is for vendors to meet the requirements, the better,’’ said Dan Kent, director of systems engineering for Cisco Federal. ``We're for self-assessment. We have ways of validating that.’’

``We test, validate and self-assess around IPv4,’’ added Dave West, director of systems engineering for Cisco's Public Sector group. ``I do believe there’s tremendous value in allowing, with the right procedures and oversight, vendors to have those kind of test labs so they can, in fact, self assess around IPv6.’’

Cisco says vendors can certify their own products for IPv6 compliance faster than third-party labs.

``With NIST's encryption testing, it takes three to 12 months to get certified,’’ Kent said. ``We're just going to create a funnel if we don't allow self-assessment that could limit the availability of products by the July 2010 deadline.’’

For years, Cisco has worked with the Defense Department’s Joint Interoperability Test Command to have its products tested for IPv6 compliance. That’s why Cisco believes it will meet the July 2010 deadline for the USGv6 Test Program.

``We've been tracking [NIST's IPv6 testing program], and we feel most of our products will be meeting those requirements by the end of the calendar year,’’ Kent says.

The timeframe for the USGv6 Test Program is tight. NIST expects to finalize its test plan in November, with labs being accredited before the end of the calendar year.

Network vendors will have six months to get their routers, operating systems, firewalls and other security systems through IPv6 testing prior to the federal government’s July 2010 acquisition deadline.

By July 2010, federal agencies will be required to purchase only hosts, routers and network security systems that have been tested for IPv6 compliance. Vendors must issue a ``Suppliers’ Declaration of Conformity’’ that states host and router products have been tested for IPv6 compliance and interoperability, while security products must undergo functional IPv6 testing. All of the testing must be done in NIST-accredited labs.

The USGv6 Test Program’s timeline ``is very condensed,’’ Johnson said, pointing out that NIST needs to finalize its IPv6 test suite and certify vendor and independent labs by January.

Among the third-party labs seeking to conduct IPv6 interoperability testing under the USGv6 Test Program are UNH-IOL, Command Information and ICSA Labs.

``In November, NIST will be done with Version 1 of these tests for network protection devices and conformance and interoperability for routers and hosts,’’ says Guy Snyder, secure communications program manager with ICSA Labs. ``At that point, the labs that are accredited … will be allowed to start testing and taking in vendors. We don’t call it certifying, but we will be running the tests and passing or failing products.’’

Snyder says the overall goal of the USGv6 Test Program is to ensure that federal agencies can acquire IPv6-compliant products by the July 2010 deadline. That's why the initial versions of the tests aren't too stringent: they are not meant to serve as a barrier to the U.S. government’s adoption of IPv6.

``NIST has made it very clear that these tests are more of a low bar,’’ Snyder says. ``NIST made a concerted effort to get the test program out and not make it very difficult to pass the tests because it is for product acquisition.’’

The NIST IPv6 test suite is similar to the conformance and interoperability testing used by the IPv6 Forum’s IPv6-Ready Logo Program. As of June 30, 2009, nearly 400 network products were approved as having minimum IPv6 support through Phase 1 of the IPv6-Ready Logo Program, while another 250-plus products were approved for the more stringent Phase 2 testing of extended IPv6 support.

The NIST IPv6 test plan covers basic IPv6 functionality as well as related standards such as: IP Security (IPsec), Internet Key Exchange (IKEv2), Dynamic Host Configuration Protocol (DHCPv6), Open Shortest Path First (OSPFv3), Border Gateway Protocol (BGP4+) and multicast requirements in MLDv2.

``The USGv6 Test Program is less stringent for certain protocols,’’ says Timothy Winters, senior manager at UNH-IOL. ``The IPv6 Ready program requires all the 'musts' and 'shoulds' in the IPv6 standards, while the USGv6 only includes the 'musts.' But overall, the USGv6 is inclusive of more protocols like IPsec and IKEv2.’’

Winters said products that have passed the IPv6-Ready Logo Program ``should be one run and be done’’ on the USGv6 tests. ``It shouldn’t take more than a couple weeks’’ to get an IPv6-Ready product approved, he added.

Nonetheless, UNH-IOL and ICSA are expecting a flood of network products to pass through their facilities and be tested for the USGv6 Test Program in the first half of next year.

``There will be a rush on the labs in the first six months of next year,’’ Snyder predicts. ``We think the main testing that will be done in the first several months of the year is for routers, switches and operating systems…. The security devices will come later, in the second half of the year.’’

Snyder encourages corporate CIOs to buy network products that pass the USGv6 Test Program even though they aren’t required to do so.

``It’s a good program,’’ Snyder says. ``I think this program is going to be driving IPv6 in the direction that a lot of us have really wanted it to go for a long time and haven’t had any success in moving it forward.’’
