Pentagon scraps IPv6 testing program that provided enterprise guidance

Routers, firewalls will no longer be deemed IPv6-capable by military engineers

The U.S. Defense Department is halting a five-year-old effort to test off-the-shelf network hardware and software products for compliance with IPv6, the next-generation Internet protocol.

Instead, the Defense Information Systems Agency (DISA) is folding IPv6 testing into its regular IT product evaluation process, which is dubbed Unified Capabilities Requirements.

Beginning in April, DISA will test for IPv6 compliance along with all the other military-specific requirements that commercial IT products need to meet before they can be installed on Defense Department networks.

"The IPv6-capable testing has been phased out," says Kris Strance, the Defense Department's lead for IP policy. "Our emphasis now is on interoperability and information assurance testing to include IPv6."

Strance says the Pentagon's new policy regarding IPv6 testing applies to all voice, video and data products that the military plans to buy.

DISA's Joint Interoperability Test Command (JITC) at Fort Huachuca, Ariz., which conducted the IPv6 tests, will continue testing commercial IT gear under the Unified Capabilities Requirements.

"We were testing IPv6 just for IPv6 sake, without much filter of whether these products were going to be immediately brought into the DOD inventory because it was a new technology," explains Rick Meador, chief of the Battlespace Communications Portfolio at JITC. "But now IPv6 is a little more prevalent, and we're seeing it in products ready to be fielded in DOD, so we're merging two separate but related processes. Now we're only going to look at those products that have immediate DOD need, and we're going to look at IPv6 as one of a subset of many requirements."

The Pentagon is canceling its IPv6-capability testing effort to increase efficiency. Instead of running IT gear through a separate IPv6 test suite, military engineers will run a streamlined IPv6 test at the same time they check for other military IT requirements.

"We never had an IPv4-specific test process, and we want to mainstream IPv6 so that it is just one more requirement," Strance says.

The elimination of the U.S. military's IPv6-capability testing effort is a loss for the IPv6 community because the Pentagon provided one of the few IPv6-related seals of approval available to ISP and enterprise customers.

Over the last few years, 380 networking products, including routers, switches, operating systems and firewalls, passed JITC's IPv6 Capability test. Vendors marketed these wares as having passed a rigorous set of Pentagon tests designed to ensure compliance with the full set of IPv6 standards.

For example, Juniper certified its routers and firewall VPN products as being IPv6-capable through JITC.

Tim LeMaster, director of systems engineering for Juniper Federal, says passing JITC's IPv6 test mattered to the Defense Department, intelligence community and civilian agency customers. "It was widely recognized as a key differentiator for us," LeMaster says.

LeMaster says of the Defense Department's new policy requiring vendors such as Juniper to go through IPv6 testing as part of the Unified Capabilities Requirements: "It probably makes sense to do it that way, and it is one less set of tests that vendors have to support from a resource standpoint … but it may limit the buzz you can generate from it."

Why IPv6 certification matters

IPv6 product testing and certification are significant because the next-generation Internet Protocol covers such a broad range of capabilities, each spelled out in a different standards document known as a Request for Comments (RFC). A vendor's bare claim of "IPv6 support" therefore says little about which of those capabilities a product actually implements, which is what an independent test is meant to establish.

IPv6 is a long-anticipated upgrade to the Internet's main communications protocol, which is known as IPv4. IPv6 was created by the Internet Engineering Task Force, the Internet's leading standards body.

IPv6 is needed because the Internet is running out of IPv4 addresses. IPv4 uses 32-bit addresses and can support approximately 4.3 billion individually addressed devices on the Internet. IPv6, on the other hand, uses 128-bit addresses, giving an address space of 2 to the 128th power, roughly 3.4 x 10^38 addresses, a figure so large that it is only practical to express it as a mathematical expression.

Experts predict IPv4 addresses will be gone by 2012. At that point, all ISPs, government agencies and corporations will need to support IPv6 on their backbone networks. Today, only a handful of U.S. organizations -- including U.S. military and civilian agencies -- have deployed IPv6 across their networks.

The JITC IPv6 test lab was established in 2004 after the U.S. military mandated that all of its backbone networks must be capable of supporting IPv6 traffic by 2008.

"The lab was stood up out at the JITC to be able to assess where the technology was at the time and to verify vendors' claims that they were IPv6 capable," Strance says. "Frankly, we found a wide variety of folks who claimed to be IPv6-capable, but when we did the assessment testing, there was a wide variety of IPv6 capabilities."

Alan Stultz, business development manager at Datatek Applications Inc. in Somerset, N.J., says his company ran a prototype IPv4-to-IPv6 transformer through JITC's IPv6 testing last year. The IPv6 testing process -- which took several months and cost around $10,000 in engineering time and travel -- was worth it because it was the most demanding IPv6 test Datatek could find, Stultz says.

"Using the DOD test profiles, which are more stringent than the commercial profiles, we were able to develop our own internal IPv6 testing suite so that we were able to make sure that we did all the testing and due diligence on our product," Stultz says.

Stultz says it's too soon to tell if the JITC stamp of approval will help Datatek sell its transformer, which takes any IPv4 legacy device and transforms it into a dual-stack IPv4/IPv6 device.

"We haven't tested the waters on that," Stultz says. "It'll be commercially available next spring."

From now on, JITC will put IT products that pass its tests on the Unified Capabilities Approved Products List. The Defense Department is required to buy IT products from this list.

"The motivation for vendors is if they want to sell to the DOD, they need to be tested and certified by JITC," Strance says.

Strance says the APL is a better fit for the military's needs than designating products as IPv6-capable.

"IPv6 is not the end goal for us," Strance says. "The goal is for interoperable and secure products."

The APL may be of less value to commercial network managers than the Defense Department's IPv6-capable list because it folds IPv6 in among so many other military-specific requirements.

"We're trying to focus on those products which are most likely to be integrated into the DOD environment," Meador says, adding that IT vendors need a military sponsor to bring their products to JITC for testing under the Unified Capabilities Requirements.

One benefit for IT vendors is that they no longer have to put their products through two different military test suites, the IPv6 test and the Unified Capabilities Requirements. Now they'll go through only the Unified Capabilities Requirements process, which takes around six weeks.

The Defense Department's IPv6 roll-out

In related news, Defense Department officials say they are still a year or more away from being able to run IPv6 in production mode on military networks.

"To date there is no one out there expressing a desire for IPv6," Strance says. "So our focus is to build the infrastructure. On the unclassified network NIPRNET, we have the core that is IPv6-capable, and we demonstrated that for [the Office of Management and Budget] last year. We are working from the core out in terms of customer edge routers through tech refresh efforts, and we'll be good to the edge probably in the 2010 time frame. Then, of course, to have an operational network, we're going to need proven security devices."

Strance says the Defense Department is seeing more security products, including firewalls, intrusion-detection systems and intrusion-prevention systems, going through the Unified Capabilities Requirements testing process, which now includes IPv6. That matters because a security device that enforces policy on IPv4 traffic but cannot parse IPv6 leaves dual-stack hosts reachable over a path it never inspects.

"My opinion is we're not ready for prime time," Strance says. "I'm guessing 2010 is when we may be viable."


Copyright © 2009 IDG Communications, Inc.