The only trouble was, hardly anyone in the government\u2014or anywhere else\u2014knew what he was talking about.IPv6 is the international standard chosen by the Internet Engineering Task Force to replace the current protocol, IPv4 (version 5 never made it out of the gate). It is more secure and can extend Internet connectivity to a nearly infinite number of devices, while at the same time reducing network management costs by as much as a third.Stenbit\u2019s announcement was designed to give an IPv6 ecosystem a chance to develop gradually within the DoD. "Moving to IPv6 takes a long time," says Stenbit, who retired from the DoD in 2004. "Within the DoD procurement system, big bucks are bet on [systems] that come out five years later. If the people who are working on those systems don\u2019t know what IP version we will be using [in the future] then they will just build them with today\u2019s protocol and we will lose the ability to move forward."To date, however, few U.S. companies have followed in the DoD\u2019s footsteps. Nor, for that matter, have the past three years brought an increase in IPv6 awareness. A recent CIO Executive Council poll on IPv6 adoption had only two responses, and neither of those CIOs was using IPv6. In a sense, that is understandable; the current version of the Internet works just fine, and to date there hasn\u2019t been a lot of pressure to move.But that\u2019s about to change.Last-Mover DisadvantageOutside the United States, the transition to IPv6 is well under way. China, Japan and Korea have all made moving to IPv6 a national priority, as has the European Union. China, in particular, is building a new Internet based entirely on IPv6 that it hopes will allow it to become the world\u2019s leader in all things Internet (see "China Builds a Better Internet," www.cio.com\/071506).In the United States, many of the hurdles that have stood in the way of IPv6 adoption are about to disappear, thanks in large part to the DoD\u2019s move and a subsequent rule requiring federal agencies to transition their networks to IPv6 by 2008. Advances in hardware, software and telecommunications have guaranteed that the transition will happen in the United States as well\u2014with or without the cooperation of CIOs.For example, many network equipment makers, led by Cisco and Juniper, have been selling routers and switches that are IPv6 compatible for several years. On the software front, Microsoft\u2019s upcoming Vista operating system will have IPv6 as its default protocol, and Windows Vista has several collaborative features that work with IPv6. Finally, the major telecom companies are quietly upgrading their networks to carry IPv6 traffic\u2014keeping themselves in the running (they hope) for a General Services Administration telecommunications contract valued at $20 billion over the next 10 years that requires carriers to have IPv6-capable networks.Not If But When"The religious war of should we or shouldn\u2019t we move to IPv6 is over," says Tom Patterson, CEO of the IPv6 consultancy Command Information. "It is a matter of when." But CIOs can\u2019t afford to just sit back and wait for the new Internet to come swoop them up. They need to actively plan upgrades of everything on their network to IPv6-capable versions if they wish to avoid the complexity, security risks and extra cost of maintaining two protocols over the long haul. Every router, laptop, application and anything else connected to the Internet will continue to work side-by-side with the old, but in a much more efficient manner. The critical question is whether to work the transition into your normal technology refresh cycle, or wait and absorb a massive one-time hit when competitive pressure forces you to move to IPv6.The good news is that there is no Y2K-like deadline, which means CIOs have time to develop a plan and invest at a gradual pace to avoid the extra costs and risks of a sudden switchover. "If you don\u2019t prepare correctly you will create headaches that you don\u2019t need to have," says Yanick Pouffary, a technology director of the North American IPv6 Task Force and fellow with the IPv6 Forum.Good planning starts with viewing IPv6 as more than a tactical issue. "Don\u2019t just look at this as a hardware refresh," says John McManus, acting CIO of NASA and the cochairman of the federal CIO Council\u2019s IPv6 Working Group. Upgrading to IPv6, he says, will help you reduce network costs and complexity, and facilitate new services that are limited only by your imagination. And while McManus says that "there are 100,000 things that can go wrong if you don\u2019t do this right," actually doing it right is surprisingly simple. And if you start now, it doesn\u2019t have to be prohibitively expensive. What follows is a six-step guide to help CIOs upgrade to IPv6 with the minimal possible expense and the greatest possible benefit.Step OneDon\u2019t Miss the IPv6 BoatThe Internet protocol is the Internet\u2019s version of a postal envelope, containing information such as the destination and return addresses, and details about a package\u2019s contents. The current standard, IPv4, was developed in 1976, back when the Internet was inhabited by a small group of government researchers and academics and the prospect of using up the protocol\u2019s total of 4.3 billion addresses seemed wildly improbable. IPv4 also didn\u2019t have any security or mobility features.IPv6 was intended to fix these shortcomings. It uses a larger-capacity addressing scheme allowing a nearly infinite number of devices to have their own addresses. It also has built-in security and the ability to automatically configure itself onto a network, easing mobility and general network management. As such, it could enable anything from sensor networks that detect meteorological events to refrigerators that e-mail grocery lists to their owners\u2019 cell phones.That\u2019s the short version. In reality it is impossible to learn everything you need to know about IPv6 from a single article. CIOs need to find out if there is anyone on their staff who knows anything about IPv6. If you\u2019re lucky there might be. But don\u2019t count on it. That means appointing an IPv6 champion who will be accountable, says Lisa Schlosser, CIO of the Department of Housing and Urban Development. "This person should have an executive sponsor and report to the CIO."Step TwoDevelop a Business CaseEvery company in every industry should be able to think of some way that IPv6 can help its business. At the DoD, for example, Stenbit wanted to build a global information grid\u2014a virtual map of communications, processing and storage from which users can pull the data they need to do their job, a vision that continues after his retirement. Most CIOs will find solutions to more ordinary challenges. At HUD, for example, housing inspections after disasters like Hurricane Katrina could be done more easily (with more IP addresses available) by inspectors carrying mobile devices instead of typing field reports into computers back at the office. "More addresses will let us extend our network," says Schlosser. When you increase your addresses you can collect this information in real-time." For a construction company like Bechtel, IPv6 unleashes any number of possibilities that could come from combining IT systems with other systems like security cameras and air-conditioning units. For example, sensor networks made of small, wireless, IP-enabled devices can add new capabilities to the current facility management systems. If Bechtel builds a factory in a hot climate that will be open only 12 hours a day, the sensors can collect real-time climate and temperature information that can be combined with real-time electricity price information to help the company decide when it is most cost-effective to turn on the air-conditioning.IPv6 can also reduce the cost and complexity of managing IT. In an IPv6 economic assessment released earlier this year, the National Institute of Standards and Technology (NIST) estimated that the new protocol would facilitate a move to voice over IP, which could result in a 20 percent decrease in communications spending for the average company. Furthermore, NIST estimated that IPv6 would save IT departments about 30 percent of their overall IT spend by eliminating the need for network address translation devices and associated practices that companies use to allow IPv4 to extend Internet access to the devices on their internal networks. IPv6 also allows for end-to-end security (more on this in Step 6), which would allow companies to phase out perimeter security tools like firewalls. IPv6 will also save CIOs and their staffs time, since it has the ability to auto-configure itself, which essentially makes an IPv6-capable device\u2014a desktop, a security camera or an IP telephone\u2014plug and play regardless of geography, with obvious advantages for the military and companies like Bechtel, cutting the time it takes to set up an on-location network. Today, Bechtel engineers have to re-terminate the voice and data network every time someone moves a trailer, says Fred Wettling, a fellow in Bechtel\u2019s technology group. That goes away with IPv6. Within a corporation, IPv6 can facilitate better collaboration. Each IPv6 computer is able to act as its own server, meaning that users can connect to one another directly. One application that already takes advantage of this is Windows Vista, which allows IPv6 users to work inside the same Word document, spreadsheet or PowerPoint presentation regardless of physical proximity and without going through a Web host.Step ThreeInventory Your NetworkThe next step is to find out what exactly is on your network and determine what is already IPv6 compliant or can be upgraded to the protocol. These devices aren\u2019t limited to routers and switches but include security tools like firewalls, laptops, even printers. "Organizations deploy hundreds of printers and thousands of desktops but don\u2019t maintain a strong accounting of them," says Vic Berger, lead technologist for the government practice at the consultancy CDW.McManus, NASA\u2019s acting CIO, says he broke it into two separate tasks, first taking inventory of devices that communicate with the outside world, like routers and firewalls, and doing the internal-facing devices on LANs such as laptops later. This makes the task more manageable. Also, he says, it helps to use network discovery tools as much as possible.As you identify each device, you need to determine whether it is IPv6 ready, if it can be upgraded to IPv6 or if it needs to be replaced. "There is no IPv6 seal of approval," says Patterson, so you may end up reading manuals, calling vendors or checking websites to find out. McManus stresses that a full inventory is not an overnight project. "Even with automation it took us three months." And that was just the external network.It\u2019s also important to get your vendors\u2019 IPv6 transition plans. "You can\u2019t build your transition plan without knowing your partners\u2019 plans," says McManus. Those plans may not be well formed yet, warns Wettling. "We are sharing our experiences with our partners," he says. "We are working with them hand and glove. We learned from what they have done, and they learn from what we are doing." If the vendor isn\u2019t willing to work with you on a transition plan, find a new vendor.Step FourRethink Legacy Systems and PracticesYou can\u2019t always expect outside help in making the transition to IPv6, however. You will need to come up with your own plan to transition older technologies, such as mainframes that are no longer supported, and to upgrade software developed in-house.CIOs at companies that do a lot of in-house development will need to ensure that every developer builds with IPv6 in mind. For example, Microsoft has a development utility that lets programmers check an application\u2019s source code for places that currently have IPv4 commands. At Bechtel, Wettling has identified what he calls gateway points during development\u2014places in the cycle where a programmer hands off his source code to a quality assurance person, for example. Each of these people is now responsible for making sure that the application is IPv6 capable before it moves to the next stage of production.Step FiveMake IPv6 Part of the Refresh CycleThere\u2019s no telling just how expensive upgrading to IPv6 will be. NIST estimated that a midsize company with eight routers and 150 switches and four firewalls would spend just under $2 million to upgrade its network. But that doesn\u2019t include laptops, printers and software charges. A Government Accountability Office audit released at the end of June found that government agencies anticipated spending just under $1 million to more than $20 million on their upgrades.That\u2019s a hit. But much of the cost can be absorbed as part of the normal technology refresh cycle, says David Powner, director of IT management issues for the GAO. (Provided CIOs come up with a master inventory list and corresponding plan.) Buying the right products at the right time minimizes the extra costs associated with moving to IPv6. "We have our plan down to the single piece of equipment level. We know all the way out to 2010 what we are upgrading and when," says Schlosser.Network managers will have to be trained on how to use the new technology, and CIOs will have to establish labs to test the new capabilities and see firsthand how IPv6 works. Bechtel has four such labs running over 200 IPv6 machines today. It gives the company a chance to understand how the IPv6 environment operates before exposing anything to the outside.Step SixAssess Your Security PostureIPv6 shifts the traditional security paradigm for IT from protecting the perimeter with firewalls and intrusion detection to protecting individual devices and applications directly. Eventually this will make security much easier, since CIOs will be able to limit access to their company\u2019s data to approved devices as well as approved users.But in the short term it also presents a challenge.Most current network monitoring systems can\u2019t detect IPv6 traffic. And given that network equipment makers have been selling IPv6-capable equipment for years, most companies are probably running some IPv6 that they don\u2019t know about. That means that a hacker with an IPv6 connection could get on your network and theoretically move around undetected. The best defense is to turn off the IPv6 capability in your products until you are ready to offer or consume IPv6 services. Schlosser says part of her job is to monitor HUD\u2019s network to make sure that no one is turning on IPv6 too early.Flip the Switch CarefullyJust when exactly CIOs should turn on IPv6 functionality depends on both the company and the marketplace. (Bechtel anticipates running IPv6 before the 2008 government deadline.) But that doesn\u2019t mean you can afford to wait before starting to upgrade. "Companies need to understand that this is coming," says Wettling. "It is inevitable."Right now, says Wettling, education and awareness is the single biggest challenge. "It is easy to buy these products now for no additional cost," he says. "It is beyond me why you would buy products that don\u2019t have IPv6."