Step Five

Make IPv6 Part of the Refresh Cycle

There’s no telling just how expensive upgrading to IPv6 will be. NIST estimated that a midsize company with eight routers and 150 switches and four firewalls would spend just under $2 million to upgrade its network. But that doesn’t include laptops, printers and software charges. A Government Accountability Office audit released at the end of June found that government agencies anticipated spending just under $1 million to more than $20 million on their upgrades.

That’s a hit. But much of the cost can be absorbed as part of the normal technology refresh cycle, says David Powner, director of IT management issues for the GAO. (Provided CIOs come up with a master inventory list and corresponding plan.) Buying the right products at the right time minimizes the extra costs associated with moving to IPv6. "We have our plan down to the single piece of equipment level. We know all the way out to 2010 what we are upgrading and when," says Schlosser.

Network managers will have to be trained on how to use the new technology, and CIOs will have to establish labs to test the new capabilities and see firsthand how IPv6 works. Bechtel has four such labs running over 200 IPv6 machines today. It gives the company a chance to understand how the IPv6 environment operates before exposing anything to the outside.

Step Six

Assess Your Security Posture

IPv6 shifts the traditional security paradigm for IT from protecting the perimeter with firewalls and intrusion detection to protecting individual devices and applications directly. Eventually this will make security much easier, since CIOs will be able to limit access to their company’s data to approved devices as well as approved users.

But in the short term it also presents a challenge.

Most current network monitoring systems can’t detect IPv6 traffic. And given that network equipment makers have been selling IPv6-capable equipment for years, most companies are probably running some IPv6 that they don’t know about. That means that a hacker with an IPv6 connection could get on your network and theoretically move around undetected. The best defense is to turn off the IPv6 capability in your products until you are ready to offer or consume IPv6 services. Schlosser says part of her job is to monitor HUD’s network to make sure that no one is turning on IPv6 too early.

Flip the Switch Carefully

Just when exactly CIOs should turn on IPv6 functionality depends on both the company and the marketplace. (Bechtel anticipates running IPv6 before the 2008 government deadline.) But that doesn’t mean you can afford to wait before starting to upgrade. "Companies need to understand that this is coming," says Wettling. "It is inevitable."