The United States government has been striving to deploy IPv6 for many years. October 1st was the date that the government wanted to have functional IPv6-enabled Internet applications. Some agencies were able to configure some of their systems to use IPv6, but many systems did not achieve the goal. We should check how many of these systems are using IPv6 and what the government will do in the coming years as they move to deploy IPv6 inside their IT environments.
IPv6 Mandates:
The transition to Internet Protocol version 6 (IPv6) has been mandated by the Office of Management and Budget (OMB) and federal departments and bureaus within the U.S. government have been asked to start planning for the transition to IPv6. The OMB issued a memorandum M-05-22 that was published on August 2, 2005 mandating that U.S. organizations start working on their IPv6 transitions.
Years passed, June 2008 came and went, yet many federal organizations were still not transitioning. The Office of Management and Budget (OMB) issued a new mandate for IPv6 support. Vivek Kundra, the Federal Chief Information Officer, issued a memo on September 28, 2010 stating this objective for all federal organizations to transition to IPv6 in the coming four years. The mandate specified that all federal public-facing web servers will be IPv6-capable by September 30, 2012 and all internal computers will be IPv6-capable by September 30, 2014. Now that the October 1, 2012 date has come and passed, where do things stand and what are the government's goals moving forward?
In response to these mandates, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) created the U.S. Government IPv6 (USGv6) Profile and Testing Program. In May of 2009 the Federal CIO Council published the first version of their "Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government." In July of this year, the Federal CIO Council, in collaboration with the American Council for Technology (ACT) and the Industry Advisory Council (IAC), published the second version of this "Roadmap." This Roadmap provided valuable guidance to federal organizations planning their IPv6 deployments.
Some government groups took this 2012 mandate seriously and put forth a lot of effort to get their systems IPv6 enabled. Other organizations knew early on that they did not have the energy to accomplish the goal so they did not even try. Many federal organizations saw this as another "unfunded mandate" and prioritized it accordingly. There were a few organizations that just dove in and IPv6 enabled some of their web systems. These smaller agencies thought "how hard can it be" and proceeded without much of a plan. Some of the organizations in this category failed to secure the IPv6 communications and have no way to manage the IPv6 deployment they now operate.
At the recent gogoNET LIVE! 3 IPv6 conference in San Jose, California, there was a government panel discussion titled "Small steps for USGv6 a giant leap for Internet-kind?" that covered the progress that the U.S. government departments have made on IPv6 and the lessons learned through the process. This government panel was lead by John Lee (Internet Associates) and included presentations by Ron Broersma (DREN/SPAWAR), Kevin Jones (NASA) and Dale Geesey (Auspex Technologies, speaking about the Veteran's Administration). This blog goes over many aspects of their presentations and what the next steps are for these U.S. government organizations.
IPv6 Deployment Data:
The National Institute of Standards and Technology (NIST) Advanced Network Technologies Division (ANDT) group maintains a website that tracks the USG IPv6 & DNSSEC External Service Deployment Status. This website provides a glimpse into how the government is doing with its IPv6 deployment. The graphs show the number of domains that use IPv6 and have DNS entries for web and e-mail services.
This first graph shows the number of U.S. government domains and how many, of those being tracked, have IPv6-capable DNS, e-mail and web services.
This second graph shows the growth of the U.S. government IPv6 deployment and the rapid rise in IPv6-capable web services in September and October.
This third pie chart shows that the majority of the 1446 tested domains still have work to do or have made no progress on IPv6.
From these graphs we can see that the U.S. government groups were making slow and steady progress on IPv6-enabling their DNS systems ahead of the mandate. The graphs also show that many government groups IPv6-enabled their web systems for World IPv6 Launch with the largest growth of IPv6-capable web services coming in October. These numbers have reached a plateau in some respects, but hopefully they continue to grow over the coming year.
Challenges and Lessons Learned:
The gogoNET LIVE! 3 government panelists each covered some of the challenges, lessons learned, and gotchas that they encountered during their IPv6 deployments. Those who did not attend the conference in person are encouraged to view the video broadcast when it is made available on the event web site.
Each of the panelists mentioned the lack of industry knowledge and experience with IPv6 addressing that caused them delays in their implementation efforts. Some organizations got bogged down with IPv6 addressing plans and were hesitant to deploy IPv6 because of concern that the IPv6 addressing play may change. Kevin Jones said that NASA took two years with their IPv6 addressing plan and there are still changes to be made. If an organization cannot get their IPv6 addressing plan partially finalized then it paralyzes them from making progress on IPv6. Large organizations need to realize that IPv6 will be a continual "work in progress" but the good news is that there is plenty of address space to make changes in the future easily. Many IPv4 addressing plans are still evolving and we should expect that IPv6 addressing plans will similarly change over the next decades.
Many government groups have admitted issues with the Networx contract and not being able to get IPv6 services. The Networx GSA contract is a 10 year contract to provide telecom services to government organizations at a competitive rate structure. The Networx contract explicitly mentioned that the service providers were to be capable of providing IPv6 services to the government clients, but few of them have been able to deliver. Even if a federal organization had migrated their systems into a Trusted Internet Connection (TIC), they may still not have had IPv6 Internet connectivity. This, among other issues, have lead many to consider the Networx contract to be "dud".
Many federal organization experienced challenges meeting the mandates because their security vendors did not have robust IPv6 support in their products. The government agencies were hesitant to deploy IPv6 if they were not able to properly secure the Internet systems. An example of this is the fact that many E-mail content filtering systems did not provide IPv6 capabilities in time for the October mandate. Therefore, many government organizations did not enable inbound IPv6 e-mail for fear that they would not be able to defend against IPv6 spam, malware and phishing attacks. Another example would be Web Application Firewalls (WAFs) that do not have IPv6 capabilities. The other security-related issues that caused delays in the government IPv6 deployment were security teams who "put the brakes on" IPv6 because they failed to prepare for it. The gogoNET presenters mentioned how their security teams did not have visibility into IPv6 communications and did not have the ability to perform proactive security testing so they were resistant to have it deployed.
Akamai provides Internet Content Delivery Network (CDN) services to many U.S. federal organizations. Akamai worked diligently to be able to provide dual-protocol services in early 2012. Akamai was able to participate in World IPv6 Launch and has a site that shows their IPv6 traffic volume statistics. Some federal organizations achieved their IPv6 Internet deployments solely through Akamai and their services. Many government departments were able to get some of their Internet content to function with IPv6 through Akamai and did not actually IPv6-enable their own equipment at their own sites or data centers.
What Comes Next?
Now that the U.S. government has achieved some level of external IPv6 capability, what is next on the task list? For one, there will need to be additional effort to get the rest of the Internet-facing applications to become IPv6-enabled. Secondly, anywhere corners were cut on security and IPv6 was deployed ahead of the ability to secure it; these protection measures will need to be upgraded. There will be work required to gain better security and management visibility into the systems that are now running IPv6. These two activities will add to the work required to meet the October 2014 mandate to IPv6-enable the internal systems. The shortfall in meeting the 2012 mandate will just add to the workload to achieve the 2014 mandate.
On the horizon there could be additional mandates or revision on mandates for IPv6 capabilities. In order for there to be more progress and for government departments to continue to strive for 100% compliance with the mandate it needs to be more than an "unfunded mandate". There will need to be some rewards for those who achieve 100% compliance and penalties for those who fail to make any progress. One such proposals is to mandate that all ".gov" domains must show progress on IPv6 and DNSSEC in order to have the domain name renewed. This would certainly be a substantial call-to-action on both of these critical issues that have been long-term works-in-progress.
Conclusions:
The U.S. government has been discussing, planning and working on IPv6 for almost a decade now. It can take a long time to make any direction changes to an extremely huge organization. It takes a tremendous amount of effort to transition to IPv6 for organizations as large as the U.S. government. Smaller organizations and even mid-sized enterprises will be more nimble and be able to deploy IPv6 much quicker. Because the U.S. government IPv6 transition will take a decade or more, it made sense for the U.S. government to start sooner than commercial enterprises. Hopefully the 2014 mandate will have some "teeth" to help motivate departments to continue to make progress on IPv6. If there are no significant motivations for IPv6, it is likely that the government will fall short of their own 2014 goals.
Scott