The only trouble was, hardly anyone in the government—or anywhere else—knew what he was talking about.
IPv6 is the international standard chosen by the Internet Engineering Task Force to replace the current protocol, IPv4 (version 5 never made it out of the gate). It is more secure and can extend Internet connectivity to a nearly infinite number of devices, while at the same time reducing network management costs by as much as a third.
Stenbit’s announcement was designed to give an IPv6 ecosystem a chance to develop gradually within the DoD. “Moving to IPv6 takes a long time,” says Stenbit, who retired from the DoD in 2004. “Within the DoD procurement system, big bucks are bet on [systems] that come out five years later. If the people who are working on those systems don’t know what IP version we will be using [in the future] then they will just build them with today’s protocol and we will lose the ability to move forward.”
To date, however, few U.S. companies have followed in the DoD’s footsteps. Nor, for that matter, have the past three years brought an increase in IPv6 awareness. A recent CIO Executive Council poll on IPv6 adoption had only two responses, and neither of those CIOs was using IPv6. In a sense, that is understandable; the current version of the Internet works just fine, and to date there hasn’t been a lot of pressure to move.
But that’s about to change.
Outside the United States, the transition to IPv6 is well under way. China, Japan and Korea have all made moving to IPv6 a national priority, as has the European Union. China, in particular, is building a new Internet based entirely on IPv6 that it hopes will allow it to become the world’s leader in all things Internet (see “China Builds a Better Internet,” www.cio
In the United States, many of the hurdles that have stood in the way of IPv6 adoption are about to disappear, thanks in large part to the DoD’s move and a subsequent rule requiring federal agencies to transition their networks to IPv6 by 2008. Advances in hardware, software and telecommunications have guaranteed that the transition will happen in the United States as well—with or without the cooperation of CIOs.
For example, many network equipment makers, led by Cisco and Juniper, have been selling routers and switches that are IPv6 compatible for several years. On the software front, Microsoft’s upcoming Vista operating system will have IPv6 as its default protocol, and Windows Vista has several collaborative features that work with IPv6. Finally, the major telecom companies are quietly upgrading their networks to carry IPv6 traffic—keeping themselves in the running (they hope) for a General Services Administration telecommunications contract valued at $20 billion over the next 10 years that requires carriers to have IPv6-capable networks.
Not If But When
“The religious war of should we or shouldn’t we move to IPv6 is over,” says Tom Patterson, CEO of the IPv6 consultancy Command Information. “It is a matter of when.” But CIOs can’t afford to just sit back and wait for the new Internet to come swoop them up. They need to actively plan upgrades of everything on their network to IPv6-capable versions if they wish to avoid the complexity, security risks and extra cost of maintaining two protocols over the long haul. Every router, laptop, application and anything else connected to the Internet will continue to work side-by-side with the old, but in a much more efficient manner. The critical question is whether to work the transition into your normal technology refresh cycle, or wait and absorb a massive one-time hit when competitive pressure forces you to move to IPv6.
The good news is that there is no Y2K-like deadline, which means CIOs have time to develop a plan and invest at a gradual pace to avoid the extra costs and risks of a sudden switchover. “If you don’t prepare correctly you will create headaches that you don’t need to have,” says Yanick Pouffary, a technology director of the North American IPv6 Task Force and fellow with the IPv6 Forum.
Good planning starts with viewing IPv6 as more than a tactical issue. “Don’t just look at this as a hardware refresh,” says John McManus, acting CIO of NASA and the cochairman of the federal CIO Council’s IPv6 Working Group. Upgrading to IPv6, he says, will help you reduce network costs and complexity, and facilitate new services that are limited only by your imagination. And while McManus says that “there are 100,000 things that can go wrong if you don’t do this right,” actually doing it right is surprisingly simple. And if you start now, it doesn’t have to be prohibitively expensive. What follows is a six-step guide to help CIOs upgrade to IPv6 with the minimal possible expense and the greatest possible benefit.
Don’t Miss the IPv6 Boat
The Internet protocol is the Internet’s version of a postal envelope, containing information such as the destination and return addresses, and details about a package’s contents. The current standard, IPv4, was developed in 1976, back when the Internet was inhabited by a small group of government researchers and academics and the prospect of using up the protocol’s total of 4.3 billion addresses seemed wildly improbable. IPv4 also didn’t have any security or mobility features.
IPv6 was intended to fix these shortcomings. It uses a larger-capacity addressing scheme allowing a nearly infinite number of devices to have their own addresses. It also has built-in security and the ability to automatically configure itself onto a network, easing mobility and general network management. As such, it could enable anything from sensor networks that detect meteorological events to refrigerators that e-mail grocery lists to their owners’ cell phones.
That’s the short version. In reality it is impossible to learn everything you need to know about IPv6 from a single article. CIOs need to find out if there is anyone on their staff who knows anything about IPv6. If you’re lucky there might be. But don’t count on it. That means appointing an IPv6 champion who will be accountable, says Lisa Schlosser, CIO of the Department of Housing and Urban Development. “This person should have an executive sponsor and report to the CIO.”
Develop a Business Case
Every company in every industry should be able to think of some way that IPv6 can help its business. At the DoD, for example, Stenbit wanted to build a global information grid—a virtual map of communications, processing and storage from which users can pull the data they need to do their job, a vision that continues after his retirement. Most CIOs will find solutions to more ordinary challenges. At HUD, for example, housing inspections after disasters like Hurricane Katrina could be done more easily (with more IP addresses available) by inspectors carrying mobile devices instead of typing field reports into computers back at the office. “More addresses will let us extend our network,” says Schlosser. “When you increase your addresses you can collect this information in real-time.”
For a construction company like Bechtel, IPv6 unleashes any number of possibilities that could come from combining IT systems with other systems like security cameras and air-conditioning units. For example, sensor networks made of small, wireless, IP-enabled devices can add new capabilities to the current facility management systems. If Bechtel builds a factory in a hot climate that will be open only 12 hours a day, the sensors can collect real-time climate and temperature information that can be combined with real-time electricity price information to help the company decide when it is most cost-effective to turn on the air-conditioning.
IPv6 can also reduce the cost and complexity of managing IT. In an IPv6 economic assessment released earlier this year, the National Institute of Standards and Technology (NIST) estimated that the new protocol would facilitate a move to voice over IP, which could result in a 20 percent decrease in communications spending for the average company. Furthermore, NIST estimated that IPv6 would save IT departments about 30 percent of their overall IT spend by eliminating the need for network address translation devices and associated practices that companies use to allow IPv4 to extend Internet access to the devices on their internal networks. IPv6 also allows for end-to-end security (more on this in Step 6), which would allow companies to phase out perimeter security tools like firewalls.
IPv6 will also save CIOs and their staffs time, since it has the ability to auto-configure itself, which essentially makes an IPv6-capable device—a desktop, a security camera or an IP telephone—plug and play regardless of geography, with obvious advantages for the military and companies like Bechtel, cutting the time it takes to set up an on-location network. Today, Bechtel engineers have to re-terminate the voice and data network every time someone moves a trailer, says Fred Wettling, a fellow in Bechtel’s technology group. That goes away with IPv6.
Within a corporation, IPv6 can facilitate better collaboration. Each IPv6 computer is able to act as its own server, meaning that users can connect to one another directly. One application that already takes advantage of this is Windows Vista, which allows IPv6 users to work inside the same Word document, spreadsheet or PowerPoint presentation regardless of physical proximity and without going through a Web host.
Inventory Your Network
The next step is to find out what exactly is on your network and determine what is already IPv6 compliant or can be upgraded to the protocol. These devices aren’t limited to routers and switches but include security tools like firewalls, laptops, even printers. “Organizations deploy hundreds of printers and thousands of desktops but don’t maintain a strong accounting of them,” says Vic Berger, lead technologist for the government practice at the consultancy CDW.
McManus, NASA’s acting CIO, says he broke it into two separate tasks, first taking inventory of devices that communicate with the outside world, like routers and firewalls, and doing the internal-facing devices on LANs such as laptops later. This makes the task more manageable. Also, he says, it helps to use network discovery tools as much as possible.
As you identify each device, you need to determine whether it is IPv6 ready, if it can be upgraded to IPv6 or if it needs to be replaced. “There is no IPv6 seal of approval,” says Patterson, so you may end up reading manuals, calling vendors or checking websites to find out. McManus stresses that a full inventory is not an overnight project. “Even with automation it took us three months.” And that was just the external network.
It’s also important to get your vendors’ IPv6 transition plans. “You can’t build your transition plan without knowing your partners’ plans,” says McManus. Those plans may not be well formed yet, warns Wettling. “We are sharing our experiences with our partners,” he says. “We are working with them hand and glove. We learned from what they have done, and they learn from what we are doing.” If the vendor isn’t willing to work with you on a transition plan, find a new vendor.
Rethink Legacy Systems and Practices
You can’t always expect outside help in making the transition to IPv6, however. You will need to come up with your own plan to transition older technologies, such as mainframes that are no longer supported, and to upgrade software developed in-house.
CIOs at companies that do a lot of in-house development will need to ensure that every developer builds with IPv6 in mind. For example, Microsoft has a development utility that lets programmers check an application’s source code for places that currently have IPv4 commands. At Bechtel, Wettling has identified what he calls gateway points during development—places in the cycle where a programmer hands off his source code to a quality assurance person, for example. Each of these people is now responsible for making sure that the application is IPv6 capable before it moves to the next stage of production.
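
A minimal sketch of the kind of source check described above, added here as an illustration; it is not Microsoft's utility or Bechtel's process. The list of IPv4-only constructs, the suggested replacements and the sample C fragment are assumptions chosen for the example.

```python
import re

# IPv4-only C sockets constructs -> protocol-independent replacement.
IPV4_ONLY = {
    "gethostbyname": "getaddrinfo",
    "gethostbyaddr": "getnameinfo",
    "inet_addr": "inet_pton",
    "inet_ntoa": "inet_ntop",
    "sockaddr_in": "sockaddr_storage",
    "AF_INET": "AF_UNSPEC via getaddrinfo",
}
_NAMES = re.compile(r"\b(" + "|".join(map(re.escape, IPV4_ONLY)) + r")\b")
_LITERAL = re.compile(r'"(\d{1,3}(?:\.\d{1,3}){3})"')  # quoted dotted-quad address
_TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)

def _blank_comments(src: str) -> str:
    """Replace comments with spaces (newlines kept); leave string literals alone."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(repl, src)

def scan(src: str):
    """Return (line, construct, suggestion) for each IPv4-only construct found."""
    findings = []
    for lineno, line in enumerate(_blank_comments(src).splitlines(), 1):
        for m in _NAMES.finditer(line):
            findings.append((lineno, m.group(1), IPV4_ONLY[m.group(1)]))
        for m in _LITERAL.finditer(line):
            findings.append((lineno, m.group(1), "hostname or config value"))
    return findings

# Constructed C fragment for illustration, not code from any real project.
SAMPLE_C = """\
#include <arpa/inet.h>
/* old lookup: gethostbyname("db.example.test") */
int dial(const char *host) {
    struct sockaddr_in sa;        // IPv4-only address structure: AF_INET
    struct sockaddr_in6 sa6;      /* already IPv6-aware, must not be flagged */
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr("192.0.2.10");
    struct hostent *h = gethostbyname(host);
    return socket(AF_INET6, SOCK_STREAM, 0);
}
"""

if __name__ == "__main__":
    for lineno, construct, fix in scan(SAMPLE_C):
        print(f"line {lineno}: {construct} -> {fix}")
```

A check like this fits naturally at the hand-off points Wettling describes, where a non-empty findings list blocks the move to the next stage.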
Make IPv6 Part of the Refresh Cycle
There’s no telling just how expensive upgrading to IPv6 will be. NIST estimated that a midsize company with eight routers and 150 switches and four firewalls would spend just under $2 million to upgrade its network. But that doesn’t include laptops, printers and software charges. A Government Accountability Office audit released at the end of June found that government agencies anticipated spending just under $1 million to more than $20 million on their upgrades.
That’s a hit. But much of the cost can be absorbed as part of the normal technology refresh cycle, says David Powner, director of IT management issues for the GAO. (Provided CIOs come up with a master inventory list and corresponding plan.) Buying the right products at the right time minimizes the extra costs associated with moving to IPv6. “We have our plan down to the single piece of equipment level. We know all the way out to 2010 what we are upgrading and when,” says Schlosser.
Network managers will have to be trained on how to use the new technology, and CIOs will have to establish labs to test the new capabilities and see firsthand how IPv6 works. Bechtel has four such labs running over 200 IPv6 machines today. It gives the company a chance to understand how the IPv6 environment operates before exposing anything to the outside.
Assess Your Security Posture
IPv6 shifts the traditional security paradigm for IT from protecting the perimeter with firewalls and intrusion detection to protecting individual devices and applications directly. Eventually this will make security much easier, since CIOs will be able to limit access to their company’s data to approved devices as well as approved users.
But in the short term it also presents a challenge.
Most current network monitoring systems can’t detect IPv6 traffic. And given that network equipment makers have been selling IPv6-capable equipment for years, most companies are probably running some IPv6 that they don’t know about. That means that a hacker with an IPv6 connection could get on your network and theoretically move around undetected. The best defense is to turn off the IPv6 capability in your products until you are ready to offer or consume IPv6 services. Schlosser says part of her job is to monitor HUD’s network to make sure that no one is turning on IPv6 too early.
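
To make the monitoring gap above concrete, here is an added example (not from the article or any vendor tool) that classifies raw Ethernet frames and reports which hosts are emitting IPv6. It goes slightly beyond the text by also flagging IPv6 tunnelled inside IPv4 (protocol 41 and Teredo's UDP port 3544), which an IPv4-only monitor would likewise miss; the sample frames and MAC addresses are constructed.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_6IN4, PROTO_UDP, TEREDO_PORT = 41, 17, 3544  # tunnelled-IPv6 markers

def classify(frame: bytes) -> str:
    """Label one Ethernet frame: native-ipv6, 6in4, teredo, ipv4 or other."""
    if len(frame) < 14:
        return "other"
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype == ETH_VLAN and len(frame) >= off + 4:  # skip 802.1Q tags
        ethertype, off = struct.unpack("!H", frame[off + 2:off + 4])[0], off + 4
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4 or len(frame) < off + 20 or (frame[off] & 0x0F) < 5:
        return "other"  # not IP, truncated, or malformed IPv4 header
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    if proto == PROTO_6IN4:
        return "6in4"  # IPv6 packet carried directly inside IPv4
    if proto == PROTO_UDP and len(frame) >= off + ihl + 4:
        if TEREDO_PORT in struct.unpack("!HH", frame[off + ihl:off + ihl + 4]):
            return "teredo"  # IPv6 tunnelled over UDP via a Teredo server
    return "ipv4"

def unexpected_ipv6(frames):
    """Map source MAC -> Counter of IPv6-bearing frame kinds it sent."""
    seen = {}
    for f in frames:
        if (kind := classify(f)) not in ("ipv4", "other"):
            seen.setdefault(f[6:12].hex(":"), Counter())[kind] += 1
    return seen

# Constructed sample frames (not captured traffic); MACs are made up.
def _eth(src, ethertype, payload, vlan=None):
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return bytes(6) + bytes.fromhex(src) + tag + struct.pack("!H", ethertype) + payload
def _ipv4(proto, payload=b""):
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return head + bytes(8) + payload
IPV6_HDR = b"\x60" + bytes(39)
SAMPLE = [
    _eth("02000000000a", ETH_IPV6, IPV6_HDR),
    _eth("02000000000a", ETH_IPV6, IPV6_HDR, vlan=10),
    _eth("02000000000b", ETH_IPV4, _ipv4(PROTO_6IN4, IPV6_HDR)),
    _eth("02000000000c", ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0))),
    _eth("02000000000d", ETH_IPV4, _ipv4(6, bytes(20))),
]
print({mac: dict(kinds) for mac, kinds in unexpected_ipv6(SAMPLE).items()})
```

On a network where IPv6 is supposed to be switched off, any host appearing in this report is one to investigate.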
Flip the Switch Carefully
Just when exactly CIOs should turn on IPv6 functionality depends on both the company and the marketplace. (Bechtel anticipates running IPv6 before the 2008 government deadline.) But that doesn’t mean you can afford to wait before starting to upgrade. “Companies need to understand that this is coming,” says Wettling. “It is inevitable.”
Right now, says Wettling, education and awareness is the single biggest challenge. “It is easy to buy these products now for no additional cost,” he says. “It is beyond me why you would buy products that don’t have IPv6.”