Agencies are ready for the next-generation Internet, which could revolutionize the delivery of public services. But will they take advantage of it?
For 25 years, the federal government has led the world in advancing what many consider to be the greatest communications innovation of our time: the Internet. But now that lead is at risk.
The Internet is facing its most significant upgrade ever, but many federal agencies are hesitating to take the costly and time-consuming steps required to exploit the next-generation Internet.
At issue is the deployment of Internet protocol version 6, or IPv6, the long-anticipated upgrade to the way information is sent across the Internet. Currently, the most widely used communications protocol is IPv4. With IPv6, agencies will have more Internet addresses, better security and increased automation, all of which federal IT experts predict will lead to cheaper and better online services and applications, most of which haven't been imagined yet.
By June 30, all federal agencies must prove that they have upgraded their networks' connections, or backbones, to be capable of carrying IPv6 data traffic, as mandated three years ago by the Office of Management and Budget.
Luckily for federal officials, the OMB mandate is easy to meet. All leading routers can support IPv6, and it isn't hard to pass information based on IPv6 across a network to meet the agency's requirements, experts say.
The bigger issue is what happens after the IPv6 deadline has passed. Federal agencies face a significant amount of engineering, integration and testing to deploy IPv6 across their networks. They must train IT staff, upgrade operating systems and applications to support lengthy IPv6 addresses, and continue to support operation of IPv4. And they also have to think creatively about the new ways of doing business that IPv6 enables.
The questions now are whether and how quickly federal agencies will move beyond the OMB mandate and begin running IPv6. Agencies are "in front of IPv6, fueled by the OMB mandate," says Paul Girardi, director of engineering for AT&T Government Solutions. "The trick for feds is not to lose ground. They need to continue to keep IPv6 in their planning and buy IPv6 as they replace things for obsolescence. They need to pick a couple [of IPv6] applications they want to focus on and do some cost-benefit analysis around those."
The risk for federal agencies that don't take advantage of IPv6 is they "will become technologically stagnant," says Jerry Edgerton, chief executive officer of Command Information, a Herndon, Va., provider of IPv6 services to carriers, enterprises and governments. Edgerton warns that federal agencies have three years at most to transition to production-quality IPv6 before they fall behind other nations. "If you're going to do collaboration and use wireless devices and secure them on your network, you need IPv6," he says.
What Is IPv6?
The Internet protocol, the main standard underpinning the Internet, is due for an overhaul. IPv4 is running out of address space, those series of numbers and dots that identify each computer on the Internet. Conventional wisdom says the world will use up all the available IPv4 addresses by 2011 or 2012.
IPv4 uses 32-bit addresses and can support 4.3 billion devices with individual addresses on the Internet. With the world's population estimated to be about 6.5 billion, and with many people possessing multiple electronic devices such as PCs, cell phones and iPods, there simply will not be enough IPv4 addresses to meet the demand, let alone support the anticipated influx of new Internet users from developing countries. Also on the horizon are newfangled IP-enabled devices and appliances that will drive up the number of IP addresses per person.
That's why the Internet Engineering Task Force, the Internet's premier standards-setting body, created IPv6 in 1995. IPv6 uses 128-bit addresses and can support a virtually limitless number of globally addressable devices. (The actual number of IPv6 addresses is 2 to the 128th power, or 340,282,366,920,938,463,463,374,607,431,768,211,456. That's enough for every man, woman and child on Earth to receive 5 times 10 to the 28th power.)
"If you believe that you will want your cell phone to be reachable along with your [personal digital assistant], your home network and your car . . . you will need all of the address capacity of IPv6," says Diana Gowen, senior vice president and general manager of Qwest Government Services in Fairfax, Va. "Every North American business and government needs to make the conversion."
IPv6 provides other advantages over IPv4, including built-in security, network management enhancements such as autoconfiguration and improved support for mobile networks. But in the decade since IPv6 was created, many of its extra features have been added to IPv4. So, the real motivator for most network operators to upgrade to IPv6 is that it offers unlimited IP address space.
The IPv4 address crunch is most severe in Asia, which is why carriers there such as NTT Communications Corp., Japan's largest communications company, have led the way in developing commercial IPv6 service. NTT, for example, has several thousand residential customers using its IPv6-enabled DSL service in Japan. The Chinese have built a new Internet backbone that uses IPv6 to support the Olympics.
The address problem is not as severe for U.S. agencies, which is why federal IT managers have run into a dilemma. Most agencies have enough IPv4 address space, so they are not as motivated to transition to IPv6 as their counterparts worldwide.
The original research that created packet switching, the technology that allows users to send data over the Internet, as well as the Internet protocol, was funded by the Defense Department. Naturally, when the Internet became operational, Defense agencies snatched up a huge amount of IP address space. In the early 1990s, IPv4 space was doled out in blocks of 16.7 million addresses. Defense took 12 of those blocks, or more than 200 million addresses, about 6 percent of the total available space. Civilian agencies such as the U.S. Postal Service also received large blocks of address space.
Typically, network operators don't upgrade their technology infrastructure unless they have to do so to avoid outages. Until now, upgrading to IPv6 hasn't been a necessity because agencies have had enough IPv4 address space. That means the only incentive IT managers have to deploy IPv6 is to meet OMB mandates.
"If this mandate wasn't there, there would be pockets of interest in testing IPv6, but there wouldn't be widespread adoption," says Bill White, acting vice president of federal sales for Sprint.
From App Killer To Killer App
While it might be difficult to see now, agencies that invest in IPv6 will put themselves in position to improve public services, proponents say. "I don't know what the killer app will be for IPv6, but I know for a fact that IPv4 is an app killer," says Charles Lee, chief technology officer for Verizon Federal. "With IPv4, it's impossible to deliver global reach, mobility and security. I like to think of it as: 'It's not what do I get by moving to IPv6, but what do I give up by not moving to IPv6.' "
Experts say agencies that migrate to IPv6 will benefit from enhanced security and reduced network management costs. The next-generation protocol ultimately will mean better security, which will mean fewer security breaches and the associated costs to respond to them, AT&T's Girardi says. IPv6 also means more automation, making it less costly to set up Web sites, he adds.
The most savings, however, will come from the new applications and services that IPv6 will provide. "The greatest advantage in ensuring their networks are IPv6 capable is that agencies will be positioned to leverage new applications that become available as a result of the IPv6 protocol suite," says Karen Evans, administrator for e-government and information technology at OMB. "The federal government deployment is focused on enabling new services and improving the performance of applications to benefit federal government operations and services to the public."
Defense is focused on the ubiquity, mobility and built-in security features of IPv6. The department needs IPv6 to make its vision of netcentric warfare (the ability to tie together networks and sensors to deliver a stream of integrated real-time data to the battlefield and commanders) a reality, says Kris Strance, head of architecture and interoperability at the Office of the Secretary of Defense for the Chief Information Officer. Although it has more IPv4 address space than anyone else, Defense says it needs the vast space that IPv6 offers.
With IPv6, "everything can be addressable, from a soldier to a sensor to an aircraft to a tank," he says. "With IPv6, we have unlimited address space. . . . We could have a sensor network of hundreds of thousands of nodes. When you scale that, address space becomes important."
Defense also needs the end-to-end security that IPv6 offers as well as the ability to prioritize packets of data sent over the Internet and to create ad hoc networks in the field. "In Iraq, when we initially went in, it took weeks or sometimes months to get networks up and running," Strance says. "With IPv6, it would take hours or at most days to do the same task. We need to be able to move from theater to theater, region to region, and to build seamless networks without network administration issues."
'Let's Get Real With It'
OMB's IPv6 mandate is twofold: It requires federal agencies to acquire IPv6-capable network gear and to have their core networks IPv6-enabled by June 30. Industry experts predict that most agencies will meet the requirements. OMB's Evans says, "We don't anticipate agencies missing the deadline at this time." Evans says she has no plans to issue further protocol requirements or deadlines other than to "work with agencies to move toward an IPv6 environment and continue to look for opportunities to bring new services and capabilities."
Pete Tseronis, director of network services for the Education Department and co-chairman of the federal Chief Information Officers Council's IPv6 working group, says it's important for agency CIOs to start looking beyond the OMB requirements now. "We don't want people to pass IPv6 traffic through their intranets, reach out to a partner through the Internet . . . and declare a short-term victory," he says. "IPv6 is a marathon, and June 30 is mile marker 1. This is not Y2K, where you hold your breath and say, 'We survived.' IPv6 is so critical that it needs to have a larger life beyond June 30."
Once the OMB deadline has passed, the focus for IPv6 in the federal market will be on the National Institute of Standards and Technology. NIST is working on an IPv6 standards profile for the federal government. The NIST profile builds on an IPv6-ready logo program run by the IPv6 Forum. The institute also will help establish a lab accreditation and product testing program that will allow public and private testing labs to certify products for conformance with its profile.
"This publication provides a technical basis for federal government IPv6 adoption in the years beyond the June 2008 requirement and is intended to assist federal agencies in developing plans to acquire and deploy products that implement IPv6," Evans says. The profile is "one of the most significant steps toward global integration of IPv6 standards to date."
Despite all this, officials at companies that sell IPv6 hardware, software and services to the federal market say agencies aren't doing enough to get their networks ready to take advantage of everything the latest version can offer. "People are coming up with shortcuts" to meet the OMB's IPv6 requirements, Command Information's Edgerton says. "They can demonstrate that they can send an IPv6 packet and return it. It's just a perfunctory passing of the mandate. But what's not there is the in-depth approach of, 'How are we going to manage this IPv4 and IPv6 environment? How are we going to address security concerns? How are we going to make sure that all the underlying equipment is IPv6 compatible?' "
Vendors do not recommend a second OMB mandate requiring agencies to fully deploy IPv6. But they encourage federal chief information officers to be more aggressive about its deployment. "The big reason [OMB] was pushing the government toward IPv6 is so the government could be a trailblazer and they would drag American industry with them, and because the government believes that the security capabilities of IPv6 are good and necessary," Qwest's Gowen says. "We've got the mandate, everybody has checked that box. Now let's get real with it."
Tseronis says the June 30 deadline is more of a kickoff date for IPv6 transition, and now agency CIOs need to take over. "It would be a sad state of affairs if agencies say, 'I got my checkmark on IPv6. Now I can stop thinking about it.' That can't happen," he says.
Even if an agency wants to deploy a production IPv6 network today, it can't because several key components are missing. Network management tools have been slow to enable IPv6, so it's missing from key applications, including e-mail, databases and enterprise resource planning packages like accounting and human resources.
The Security Problem
But the biggest worry federal IT managers have about the protocol is security. "That's currently what's lagging in IPv6," Girardi says. "That's the hesitancy among agencies for widely adopting it."
For Defense, the biggest holdup to migrating its unclassified IP network (the Nonclassified Internet Protocol Network, or NIPRNet) to IPv6 is the lack of available firewalls, intrusion detection systems and deep packet inspection systems that support the latest version and that meet stringent National Security Agency requirements. Migrating its Secret Internet Protocol Router Network, Defense's classified IP network, called SIPRNet, to IPv6 requires top-grade encryption devices.
Defense is prodding vendors to develop IPv6-enabled security devices to meet its needs, OSD's Strance says, but the department will still have to test, evaluate, and set configurations and security guidance for the devices. "The bottom line is that although we'll meet the OMB mandate, it will be some time before the unclassified network will have real operational IPv6 capability," he says.
Strance estimates that it will take another year until NIPRNet can run version 6, and it will probably be 2010 before Defense can transition its classified networks, including SIPRNet, to IPv6. "That's the situation for all the federal networks," he says. "No one in their right mind would transition a network without security devices that can protect the network. We're all in the same situation."
Holding back CIOs from focusing on IPv6 are other policy directives, such as the Trusted Internet Connections initiative to reduce the number of external connectivity points that workers use to gain access to the Internet, and Networx, a telecommunications contract that agencies are supposed to use to select a new carrier by September. Complying with the 2002 Federal Information Security Management Act and Homeland Security Presidential Directive 12, which mandates that agencies issue high-tech identification cards to employees and contractors, also has diverted agencies' small security staffs' attention away from IPv6. "There are so many competing initiatives and directives that they have to be compliant with," Sprint's White says. "How much can they do all at once?"
But experts say agencies can do some preliminary work. Federal IT managers should begin reserving IPv6 address space, developing an addressing plan, and creating a migration strategy that includes extensive product testing and evaluation. So far, 37 agencies have requested IPv6 address space from the American Registry for Internet Numbers. Some have asked for the number of addresses equal to 2 to the 96th power and some have requested 2 to the 80th power.
Tseronis says federal CIOs should assemble all their key IT people (those responsible for security, information assurance, enterprise architecture and business applications) to work together on IPv6 transition after they have met the OMB mandate. Procurement and finance departments should be included in the conversation, too. "It's about getting people to understand how an investment in the next-generation Internet will have a cause-and-effect on the applications that end users will want to buy," he says. "That's the kind of leadership we need."
Carolyn Duffy Marsan is a technology business reporter based in Indianapolis who has covered IPv6 since 1999.