Sep 26 2007

IPv6 Upgrade

Now is the time to start planning your organization's migration from IPv4. Know what challenges you'll encounter and how to tackle them.

Internet Protocol version 6 is here. The rollout of Windows Vista was a critical piece of the puzzle, paving the way for state and local agencies to adopt this next generation of Internet infrastructure.

From a federal standpoint, the transition date mandated by the Office of Management and Budget and the Department of Defense is quickly approaching. What’s more, the American Registry for Internet Numbers and Internet Engineering Task Force have both issued warnings for consumer adoption of IPv6 networks by 2011.

As IT professionals roll out this networkwide infrastructure upgrade, there are several pitfalls and problems to anticipate and plan around in order to guarantee a successful transition. You have to know where to start, what to look out for and perhaps most important, what should be left alone when embarking on the network migration.

Get the Lay of the Land

Before developing an IPv6 transition strategy — and certainly before buying anything — conduct a network inventory of hardware, operating systems and applications. This might seem like a significant investment of time and money. However, the baseline assessment will be helpful in several ways:

  • Acts as a baseline measurement for comparative purposes and demonstrating progress to IPv6 compliance;
  • Provides information needed to improve network management and standardization — for example, a recent assessment of a relatively small agency network highlighted that 45 different internetworking operating system versions were running on 250 switches;
  • Provides data for security auditing purposes — what is online and what programs are running? Do the administrative credentials work?

Don’t stop with the infrastructure and application inventory. Perform a human resources inventory as well. IPv6 is not simply IPv4 with additional addresses; it offers many tangible benefits. The protocol is feature-rich and enables networks and applications with enhanced features (see sidebar).

However, one of the great challenges with IPv6 is misinformation. There will be many good internal resources who simply have not been trained in the benefits and implications of deploying an IPv6 network and its related applications. Understand IPv6 thoroughly and establish a plan to develop an IPv6 skill set.

Once there is a baseline understanding of how IPv6-ready your current environment is — then develop the appropriate strategy and prioritizations of impending IPv6 network and application investments.

Start Planning and Securing

The potential for trillions of devices that can now be easily and securely connected to the Internet (sensors, cameras, cell phones, radios, and so on) changes the manner in which the network is built to support these emerging applications, such as first responders, environmental controls, surveillance and social networks.

Most IPv4 networks have been designed to minimize the consumption of addresses; with IPv6 this rationale is no longer relevant. The massive IPv6 address pool, combined with a networking paradigm where everything will be connected, warrants a completely new IP address allocation and security strategy.

One significant change with IPv6 is in security. At a high level, the introduction of IPv6 into the network (by the way, it’s already there) will mandate a change in current security policy. The physical security model with firewall and penetration prevention at the edge will shift to a policy security model.

The policy model is a defense in-depth strategy to security wherein individual devices or classes of devices will connect, most likely in an ad hoc, mobile way, and establish a trusted relationship on the network based on credentials, virus protection and authentication. Additionally, because IPv4 and IPv6 will coexist for a long time, security policy will need to address this coexistence in specific ways to defend against all the prior IPv4 threats and account for the new IPv6 threats.

A new IP address allocation plan combined with a policy-driven security plan will clearly require a new and different network architecture — particularly for the multitude of state and municipality wireless networks that are emerging throughout the country.

Focus on One App at a Time

Every organization is complicated, and so are the networks that have evolved with years of history and business rules built into most applications running on these networks. Many applications will never make the transition to IPv6 — think old, unsupported, seldom-used applications with little internal or constituency impact. Don’t waste time migrating these applications to IPv6. As you know, the IPv4 network won’t entirely disappear for many years.

However, do spend the time prioritizing existing services and applications and choose one out of this prioritized list to truly IPv6-enable. This will take some work and might require support or guidance from a partner with deep IPv6 networking and application expertise. Yet this builds a foundation for future network and application transitions.

Being realistic and focusing on one new service or application at a time will generate success and confidence throughout your organization, which should translate into future successes as the plan is executed.

Make It Repeatable

Any IPv6 integration effort will require testing of new architectures, hardware and applications before attempting to deploy those solutions in a production environment. The development of an IPv6 test environment will help build IPv6 expertise and experience that greatly reduces the impact on IT services during deployment. Setting up a test environment should be a part of the first service/application implementation.

By keeping these key features in mind, IT professionals implementing an IPv6 migration at the state or local level will be able to avoid many problems usually incurred during first-time transitions.

IP Enhancements

There are several key enhancements afforded by using IPv6 network architecture. One is the expanding of the existing 32-bit header to a 128-bit header. This will result in a near-infinite supply of IP addresses for the future — 340 trillion trillion trillion addresses.

Another benefit is the need for fewer firewalls, which will result in improved operational efficiencies of the network. However, the most compelling benefit is the new IPv6 applications layer (see figure).

In the past, the application layer design put too much of the network intelligence at the core. In the new design, IPv6 sensors will have increased capabilities that will push power to the edge of the network where end-user devices are located.

This technical shift will further increase the openness of networks.

Traditional operations and applications that were previously hindered in communicating openly will now be able to talk to one another because of the net-centric, autoconfiguration features made possible by an IPv6 network architecture. The result: greatly enhanced operational efficiencies that will generate immediate, significant cost savings for state and local government.