The Blog

DOD’s IPv6 transition lags

http://fcw.com/articles/2015/04/07/ipv6-migration.aspx

http://www.dodig.mil/pubs/documents/DODIG-2015-044.pdf

  • By Adam Mazmanian
  • Apr 07, 2015

The Department of Defense first laid out plans to convert its network to the Internet Protocol Version 6 standard in 2003. While DoD has hit several milestones along the way, a lack of a coordinated effort on the part of the CIO office and U.S. Cyber Command prevented an enterprise-wide switchover, according to an inspector general report from December 2014 that was recently made public.

As a result of the delay, DoD is losing the benefits of IPv6, such as embedded IP security, mobility and the ability to create dynamic IP addresses for devices such as sensors, smart munitions, weapons systems and plug-and-play networks, all of which offer a technological advantage to IT-equipped forces on the battlefield. According to the report, “the delay in migration could increase DoD’s costs and its vulnerability to adversaries.”

While DoD IT leaders apparently see the need to adopt a more rigorous schedule for IPv6 deployment, in their reply comments senior leaders questioned the urgent tone of the report, and stated that the IG’s conclusions didn’t fully take into account security risks associated with the transition and with running a “dual-stack” environment that supports both IPv6 and its predecessor, IPv4.

There are some considerable barriers to transition, both financial and in terms of human capital and equipment. Hardware and software interoperability can be challenging, especially for an enterprise supporting out-of-date stacks and legacy code. It may be difficult for IT leaders to push to make transition a priority when they support a base of working IPv4-compatible gear and applications.

According to the report, IPv6 transition  and testing activities weren’t centrally coordinated. For example, according to the report, Cyber Command officials reported a “lack of knowledge about IPv6 and the need for pilot testing before implementation.” At the same time, Cyber Command did not take advantage of testing and certification done by the Army Technology Integration Center on IPv6-enabled equipment — as of July 2014 the center had issued 88 separate interoperability certifications. According to the report, Cyber Command faced competing challenges and was, “focused on defense of the IPv4 network because of a significantly increased threat environment.”

The IG report also criticized DoD for missing key deadlines on a government-wide directive issued by the Office of Management and Budget in 2010, including converting public facing email, web and DNS systems to IPv6 by the end of fiscal 2012, and DoD applications and networks to IPv6 by the end of fiscal 2014.

The IG report recommends jump-starting the conversion effort with a DoD-wide IPv6 transition office led by the DoD CIO to include staffers from the Defense Information Systems Agency, U.S. Cyber Command, the Defense Research and Engineering Network and the CIOs of the military services. The IG report also wants an updated transition plan, with procedures in place to monitor progress. Additionally, the IG wants defense agencies and services to be able to work from common sets of component testing results.

In his reply comments, then-Acting Principal Deputy CIO David DeVries said that DoD was taking IPv6 seriously, but an “expensive transition from an IPv4 to an IPv6 environment is not cost effective nor warranted.” DeVries said DoD has pushed out IPv6 where necessary, but also maintains a “sufficient IPv4 address space to support future operations.”

But DeVries largely concurred with the IG recommendations. While he doesn’t want a dedicated IPv6 office, he supports an existing steering group led by the CIO to coordinate transition, including cybersecurity issues put forth by Cyber Command. Additionally, a project team at DISA plans to take the lead in integrating component and implementation testing, and will share IPv6 test results in the third quarter of fiscal 2015.