At Defense, the Time for IPv6 Is Now

The Defense Department broadly recognizes the advantages Internet Protocol version 6 (IPv6) in achieving netcentric operations, the ability to provide global end-to-end security for all military information exchanges. However, the department's major challenge in implementing IPv6 is the lack of an immediate operational imperative.

Defense gives highest priority to incremental improvements that immediately satisfy wartime requirements, such as those in Iraq and Afghanistan, using existing systems. This limits resources for planning, implementing and mitigating the risk of inserting new capabilities, such as IPv6, that have long-term benefits.

Netcentric operations require secure, available and interoperable communications for all levels of command, communications on the move, information sharing and collaboration, all of which leads to increased situational awareness, and a common understanding leading to decentralized and synchronized operations. Additionally, Defense must be able to work directly with ad hoc, federal interagency, joint, allied and coalition partners to rapidly deploy forces for regional contingencies and to share information with these partners. IPv6 is the critical enabler for interagency unclassified networks to support the government's Information Sharing Environment Implementation Plan, released in 2006 to set out a strategy to improve the culture of information sharing to fight terrorism.

IPv6 enhancements over Internet Protocol version 4 (IPv4) in support of netcentric operations include:

  1. Significantly increased capability for deploying large numbers of networks and connected nodes;
  2. Improved mobility and ad hoc networking;
  3. Integrated strong confidentiality, integrity and authentication for Information Assurance (IA);
  4. Improved real-time communications;
  5. Simpler network administration;
  6. Significantly easier integration of data from disparate systems and sensors;
  7. More efficient use of bandwidth for real-time services (such as voice and video); and
  8. Reduced complexity for implementation of future advanced capabilities.
A Compelling Need

Future planned systems and constructs cannot fully transform to netcentric operations without Defense's transition to IPv6. Defense networks, enabled by IPv6, will provide superior information sharing to enhance decision-making and common situational awareness resulting in increased military effectiveness. IPv6 supports dynamic netcentric operations by providing network ubiquity, scalability, quality of service, auto-configuration, ad hoc networking, mobility, multicast, end-to-end security and network management.

Military units must be ready to deploy at a moment's notice and quickly establish superiority of force. Typical operations today consist of a collection of individual networks connected through inconsistent requirements and security rules based on the network owner's perceived security and operational environment. Continuing to use IPv4-based information sharing and collaboration requires units moving from service-owned garrison networks to combatant command-owned theater networks to reconfigure their network devices and security settings. This process can take several weeks or months. IPv6 could reduce unit deployment times to days or even hours. Additionally, it would allow warfighters and commanders to maintain situational awareness during deployment and battle maneuvers by allowing units to move from one wireless network to another, regardless of owner, while maintaining security and reducing points of failure.

Secure ad hoc networking and mobility provided by IPv6 autoconfiguration, improved end-to-end security and simplified network management capabilities enables individuals and entire units to disconnect from garrison networks, travel into a theater, and quickly establish communications. Additionally, IPv6 capabilities will allow warfighters and commanders to maintain situational awareness during deployment and battle maneuvers by providing in-theater mobility that allows units to move from one wireless network to another, regardless of owner, while maintaining security and reducing single points of failure.

IPv6 Capabilities

Secure and available communications: Secure autoconfiguration and discovery, an advanced feature of IPv6, takes advantage of the expanded IPv6 address header to apply cryptography for network access authentication without infrastructure servers, which is not possible with IPv4. The unique IPv6 addresses will allow Defense to audit security end-to-end, which is required for firewall, intrusion detection and intrusion prevention analysis. The IPv6 header structure has integrated support to prevent disclosure of data (confidentiality), ensure data is not modified in transit (integrity) and verify the identity of the user at end points (authentication).

The application of IPv6 to Public Key Infrastructure provides a standards-based approach for secure management and dynamic user policy assignments. The combination of capabilities improves information sharing and the availability of information to authorized users based on the access privileges of the user and the mission.

Communications on the move: Wireless technologies, coupled with IPv6 node and network mobility, enable the wireless warfighter to roam the battlefield and use any available network infrastructure to remain connected. Unlike IPv4 mobility, IPv6 mobility does not require specialized configurations at every network access point. Mobile IPv6 is more efficient than mobile IPv4 because it reduces protocol overhead and direct routing between end systems and users. IPv6 has demonstrated improved compression efficiency over IPv4, thereby reducing bandwidth, power and battery requirements, which means lighter loads for the warfighter.

Network mobility, another unique IPv6 advanced capability not supported by IPv4, allows an entire network (battle group, division, wing or brigade) to move as a unified group from one location to another without reconfiguring individual network elements. This mobility eliminates network service reconfiguration, such as updating Domain Name Service entries, which ensures the network remains available, reachable and secure without complex administrative procedures.

Increased situational awareness: IPv6 capabilities described above provide dynamic user access and secure access management controls needed to share information and improve situational awareness, both at home and on the move. IPv6 improves information delivery and situational awareness through converged services that provide the warfighter with a unified network connection to access information in the most beneficial multimedia format, whether that is voice, video or data. IPv6 offers improved quality of service support over IPv4 through simplified priority and preemption recognition that ensures critical information gets through and real-time services are delivered without delay.

Situational awareness will be improved through the use of IPv6-enabled sensor networks consisting of small, low-power sensors deployed in large numbers on the battlefield to collect real-time data. The vast IPv6 address space allows commands to assign a unique address to every sensor node, which is not possible with IPv4, because sensor networks would expand to possibly hundreds of thousands of nodes-too many for IPv4 to support. Unique IPv6 addressing allows warfighters to retrieve data directly from the sensors, and individual sensors can be remotely and dynamically retasked to collect additional or different information as new requirements emerge.

Decentralized and self-synchronized operations: IPv6 security features, autoconfiguration and ad hoc networking capabilities enable those entities on the edge (tactical elements or units) to form secure network communications as needed without relying on centralized services, including joint, allied and interagency operations. Decentralized autoconfiguration is a unique IPv6 capability that simplifies network administration and reduces the time to connect or reconnect to the network for collaboration and situational awareness. IPv6 ad hoc networking enables self-forming, self-healing networks that react to communication path changes during the conduct of operations. IPv6 converged network services permit the evolution to provide "back-pack" networks versus "shelter" deployments.

Why Start IPv6 Transition Now?

The primary benefits of IPv6 capabilities will be realized in tactical edge systems as IPv6 applications are developed for mobility, sensor networking and peer-to-peer sharing. However, to support IPv6-capable tactical systems, these enterprise infrastructure systems must first be in place across Defense. As an analogy, when a satellite is launched, the ground infrastructure and terminals must be in place first to benefit from the investment.

The Defense IPv6 implementation strategy leverages commercial technology, which must be available and mature to sustain implementation. Customer demand drives what commercial products are available, and product maturity is driven by customer testing and deployment. The initial 2003 Defense chief information officer IPv6 policy memorandum signaled demand to commercial vendors, which accelerated the development of IPv6 products. Near-term IPv6 implementation within the enterprise infrastructure will benefit future mission critical systems by improving and maturing IPv6 products through operationally realistic test and evaluation and deployment experience. Without Defense's continued commitment to deploy and use IPv6, the pace of U.S. commercial innovation and product developments will languish, while other countries, notably China and Japan, will forge ahead with native IPv6 implementations.

The need to implement IPv6 immediately is further driven by Defense's move toward information convergence over IP, which is expanding the installed base of IP-aware devices. IPv4 systems deployed today will need to implement IPv6 in the future, and the longer IPv6 implementation is delayed, the more embedded IPv4 will become in critical mission systems, resulting in a more difficult, complex and costly transition.

IPv6 Implementation Challenges

The transition to IPv6 will be challenging from several key perspectives.

Information Assurance: In the long term, the end-to-end security capability enabled by IPv6 is expected to improve Defense's overall security. However, in the interim the transition to IPv6 must be carefully evaluated and managed to ensure that no additional security risks are introduced, either through inadequate availability or configuration of IPv6 capable security products and devices, or through the introduction of new IPv6 features such as neighbor discovery or auto configuration.

The widespread use of IP security capabilities across Defense is the basis for meeting information assurance requirements for an improved security posture in the future. The challenges in accomplishing this include the availability of Type 1 IPv6 capable encryption. Successful transition to IPv6 will require an aggressive Defense program to address policy, architectural and configuration issues. This can only be achieved by addressing a wide range of technical issues from product requirements and capabilities to detailed technical analyses of potential vulnerabilities and recommended mitigations.

Maintaining Interoperability During Transition: During the transition period, Defense users will have a mix of IPv4 and IPv6 addresses, and networks must support both IPv4 and IPv6 traffic. Maintaining interoperability and security across Defense during this period will be a challenge. Additionally, the introduction of IPv6 on an enterprise-wide scale will introduce a number of challenges including scalability, integration and security. Consequently, an overall time-phased IPv6 network architecture needs to be developed that addresses end-to-end interoperability, performance and security.

Evolution of IPv6 Standards and Products: While the base IPv6 protocols are stable and mature, and some product implementations are available, many of the standards supporting value-added IPv6 features are still evolving. Therefore, Defense must ensure that IPv6 systems and programs bought today can be upgraded for future advanced IPv6 features.


Despite significant challenges and risks, on balance, the advent of IPv6 brings important enhanced capabilities to the warfighter. Defense must incorporate IPv6 in enterprise infrastructure and applications now to prepare for netcentric operations.

Although IPv6 implementation in Defense introduces significant challenges and risks, on balance, the advent of IPv6 also brings important enhanced capabilities to the warfighter. To achieve these needed capabilities, Defense must implement IPv6 in enterprise infrastructure and applications now to prepare for future capabilities required for netcentric operations.

Defense backbone networks must lead the IPv6 transition to provide a Defense-wide foundation for other networks, services, applications and programs. The changeover involves more than acquiring IPv6-capable network devices. Defense must prepare to "turn on" IPv6 by developing plans that detail engineering, integration, test and evaluation, deployment and training. IPv6 implementation plans also must contain elements and activities to support network operations such as network services (DNS and address management), network management, and information assurance (certification and accreditation, firewalls, intrusion detection and prevention tools). Finally, Defense must develop IPv6 implementation plans for application transition and development to achieve end-to-end netcentric operations.

Kris Strance is Defense lead for Internet protocol policy at the Office of the Assistant Secretary of Defense for Networks and Information Integration/Defense Chief Information Officer. Alan Sekelsky is director of IP engineering at SI International.

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec