IPv6 has long suffered from the perception that it is a good solution looking for a problem to solve. The Social Security Administration's hands-on experience with this upgrade to the Internet's main protocol does little to change that perception.
In the last two issues of the Service Provider News Report, I've looked at SSA's preparations to support IPv6 on its production network by June 2008. I've also offered tips from SSA officials about getting ready for IPv6. (See parts one and two of this series.)
What I found striking about SSA's five-year experience with IPv6 is that the agency has yet to find one concrete benefit of the technology.
"We use all the add-ons for IPv4 that are also in IPv6. Right now, we don't know of any benefits of IPv6" that will help SSA in its mission, says Rich Terzigni, senior network advisor in SSA's Office of Telecommunications and Systems Operations. "Once IPv6 applications become available, it's possible that we can do agency business in less time or more efficiently because of IPv6."
IPv6 was created a decade ago to solve a forecasted shortage in IPv4 address space. IPv6 uses 128-bit addresses that can support a virtually unlimited number of computers and devices connected directly to the Internet. IPv4, on the other hand, uses 32-bit addresses and can support approximately 4 billion systems.
In the United States, many corporations and government agencies like SSA have enough IPv4 address space or use techniques such as network address translation and proxies to stretch their limited number of IPv4 addresses to support many users. For these folks, IPv6 offers ancillary features including built-in security via IPSec, auto-configuration of devices and enhanced mobility.
I asked SSA officials about the main enhancements that IPv6 has to offer, and here is what they said:
What about address space?
SSA has what's called a Class A block of IPv4 addresses, and so far the agency doesn't need any more.
"Right now we manage our resources very well, so right now we don't need extra addresses," Terzigni says. "Who knows if we will in the future? SSA sites haven't been increasing, and neither have our number of employees. But if the desktop requires multiple addresses, that is going to dictate IPv6 right there. If we need more than one IP address per user, we're dead."
What about auto-configuration of devices?
SSA manages its IPv4 addresses centrally and plans to continue doing so with IPv6. SSA has no plans to use auto-configuration and instead will continue running Dynamic Host Configuration Protocol (DHCP), as it does with IPv4.
"We know by the IP address where the physical address is of that system. We have had that capability with our private class A block of IPv4 address space. We're going to do the same thing with IPv6," Terzigni says. "We have to be able to audit everything we do on our network, and that has to go down to the IP address. We won't use any ad hoc networking or auto configuration. We'll use DHCP."
What about QoS?
SSA already runs QoS on its IPv4 network. SSA takes advantage of its MPLS backbone network, and it has converged its voice, video and data traffic onto a single network platform.
"We have had QoS in our infrastructure for the last couple of years, so we are managing our bandwidth," Terzigni says.
What about wireless applications?
SSA has not yet integrated its wireless traffic with its MPLS network infrastructure. Instead, the agency outsources wireless to cellular service providers. Indeed, SSA has strict policies that prevent users from transmitting certain kinds of information on wireless connections.
"We are living in the day and age of the VA laptop scandal," says Mark O'Donnell, executive operations branch chief in SSA's Office of Telecommunications and Systems Operations. "Our CIO has put in place a mandate that prohibits the use of wireless technology for the exchange or transfer of SSA's core data because of too many security vulnerabilities. The IPv6 community may be right in thinking that wireless is going to drive IPv6 usage. But when dealing with organizations like government, banking, hospitals and medical organizations with personally identifiable information, we do not want to start transferring information over wireless technologies because the security is not strong enough."
Surely you need IPv6's end-to-end security model?
SSA uses IPSec, a set of protocols that supports secure transmission of packets via IPv4 or IPv6. SSA also has firewalls and other security mechanisms on its IPv4 network. Indeed, SSA officials say IPv6 will add vulnerabilities to its network rather than improve its security posture.
"IPv6 features such as neighbor discovery and auto configuration bring with them a wide range of additional security vulnerabilities that we don't have to be worrying about with IPv4," O'Donnell says. "The security features of IPv6 continue to evolve... It would be premature at this point to say that IPv6 has security that's far and away better than IPv4. We don't see that."
Although SSA has not identified a concrete benefit of IPv6, SSA officials say they need to support the technology because it will be in use globally across the Internet. If IPv6 is widely deployed, SSA officials say it could provide enhanced network management.
"If we start having technological components with each having their own IP address, that will allow us to monitor the activity of devices on our network, the health of our network and the health of the applications on our network at a level of granularity that we do not have today," O'Donnell says. "New applications have not yet become available because IPv6 has not been deployed widely enough."