One could feel the excitement building as June 6, 2012, approached. This was to be World IPv6 Launch Day, the day the Internet Society would replace the old IPv4 with a new, permanent Internet address protocol. While heavy hitters like Bing, Facebook, Yahoo, Google, Comcast and AT&T joined the parade, few others noticed the event.
How could that be? In 2011 and early 2012, the government world was abuzz with concerns about the impending need for a new protocol. As June 6 approached, “there was a feeling that we were going to be cut off,” said Alan Shark, executive director of the Public Technology Institute, a nonprofit that focuses on using IT to improve government services.
But the big day came and went quietly. “And when the hype evaporated, things just continued on,” Shark said. “We found out that the world is still round. We did not fall off.”
With the world still turning, the sense of urgency has cooled — but that doesn’t mean state governments are ignoring the issue. Some are taking steps to migrate to the new protocol.
Playing the Numbers
What exactly is the issue?
For a long time it seemed IPv4’s 4.3 billion available addresses would be ample to identify any Internet-enabled device that might come along. This turned out not to be true: By 2011, virtually every IPv4 address had been assigned for distribution by various world bodies. Many of these numbers are still available, but no one is making any more.
The run on addresses was partly due to the proliferation of devices — all the phones, tablets, elevators, intercoms and so on that have been plugging into the Internet in recent years. As the replacement protocol, IPv6 promises to accommodate all these and more, bringing to the scene 18 quintillion blocks of 18 quintillion possible addresses.
Once the IPv4s are gone, users will begin receiving addresses in the new protocol, and herein lies the problem for governments and other organizations. There’s concern that if a body does not upgrade its infrastructure to accommodate IPv6, users with the new addresses won’t be able to access public websites running on the IPv4 protocol.
Delaware still has enough IPv4 addresses to meet immediate needs, but that doesn’t make the problem go away.
“We have the capacity for the foreseeable future. We will still use IPv4 internally, but we realize we are going to have to deal with the rest of the world on a different level,” said William Hickox, chief operating officer of the Delaware Department of Technology and Information.
During this transitional period, Hickox is planning for a twofold system: IPv4 internally, and IPv6 for everything outside the firewall. This will involve implementing translation mechanisms that can navigate between the two protocols.
Without such a dual-capable system, users could encounter roadblocks as they try to navigate state websites. “The challenge becomes, if you are reaching out to someone who no longer supports IPv4, you wouldn’t be able to reach the person,” he said. “It’s not going to happen anytime soon, but we want to be prepared in the event that gets to be the case.”
Some say they are already prepared. Utah got a jump on the issue, with planners beginning to sort out their strategy five years ago. It was the education sector that got the ball rolling, as officials in that arena realized that their IPv4 allotment from the American Registry for Internet Numbers wouldn’t last forever. Leaders from public and higher education sat down with state and local government representatives to chart a course.
The state still had hundreds of thousands of IPv4 addresses to use overall, but some entities were starting to run low. “Some of our school districts and universities were getting close to using up what they had been allocated,” said Utah CTO David Fletcher.
Getting to IPv6
What should organizations do to prepare for the transition to IPv6? Here’s the lowdown from the Internet Society, a global body that guides Internet policy, technology standards and development.
Audit. Assess present IPv6 capabilities and readiness. Look at the level of IPv6 technical knowledge on hand and make plans for staff development and training to support IPv6 implementation.
Prioritize. Which of your services will lose business if they are only accessible to IPv4 users? (Think front-end Web server.) These should become a priority for IPv6 capability.
Clear a path. Identify obstacles to enabling IPv6, including any legacy systems that can’t be upgraded. Locate a solution such as an application-level proxy that can support both IPv4 and IPv6.
Look ahead. Do you have a key system dependency that is not IPv6 capable? Plan upgrades to clear this hurdle.
Shop. Ask vendors about IPv6 support in their current and future releases. Also ask your Internet service provider about its plans to support IPv6.
The move toward the new protocol began with the development of new policies. Planners took a full year to determine how addresses would be allocated and managed, including management of the remaining IPv4 numbers. Given the vast supply of new addresses under IPv6, Fletcher imagines these policies could govern state actions for at least a century to come.
The rest of the conversion has been more a matter of people than policies. “You do have to be able to configure your routers and address tables with these larger addresses, but that’s not something that’s giving us a lot of concern,” Fletcher said. “It is just about making the time and putting together the people. If you have good people in place, you are going to be ahead of the game.”
In the California Office of Technology Services, Director Ron Hughes considers himself well ahead of the game.
Over the past two to three years, every scheduled equipment replacement has led to a new IPv6-capable tool entering the fold. All routers, for example, have now tested as IPv6-compliant. “We’re ready to make the change,” Hughes said. (The full implementation of IPv6 will come in two to three years when the remaining few hundred thousand IPv4 addresses in Hughes’ office have been used.)
The change is inevitable, he said. “It is becoming an issue because of the use of mobile devices, as those become more prevalent in the workplace.”
By taking a phased approach, timed to coincide with an existing four- to five-year refresh cycle, Hughes said he incurred no extra costs in transitioning his systems to IPv6-ready capacity. “If you’re trying to do it in a hurry, there is going to be a cost to replacing perfectly good gear with gear that is IPv6 compliant. We chose not to do it that way,” he said.
There may be other costs down the road, such as training, upgrades to custom software, documentation and administrative expenses. But for Hughes, the only major challenge to implementation has been the sometimes time-consuming business of testing. “It’s not a seamless thing where you put in IPv6 equipment and suddenly you are up and running,” he said.
There undoubtedly will be growing pains as IPv6 gains traction, said John Curran, president and CEO of the address distribution entity American Registry for Internet Numbers. “The Internet is growing with IPv6, and that requires changes,” he said.
Take, for instance, a typical scenario in which a provider sets up a bridge using temporary IPv4 addresses in order to allow IPv6-enabled visitors to fully access a government’s IPv4-based website. It works, insofar as it grants access, but the site’s operators lose crucial transparency. With the “fake” address located in the carrier’s hub, “now you see all your customers coming from one location in Virginia,” Curran said.
Such temporary-address schemes also can muddle customer validation. The system may legitimately validate one customer, but that approval may open the floodgates for others on the same temporary address. “Unless you are very careful, you may find out that when one person logs into your application, you have now allowed 1,000 cellphones to log on,” Curran said.
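The validation problem Curran describes, as an added example that is not part of the original article: an application that remembers the address that logged in admits every client behind the shared translator address, while one that remembers a per-session token does not. The class names, addresses (documentation ranges) and traffic are constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed traffic: (source address, client label, action). 192.0.2.10
# stands in for the carrier's shared translator address; the client label is
# ground truth for this demo and is never shown to the gates.
REQUESTS = [
    ("192.0.2.10", "phone-A", "login"),
    ("192.0.2.10", "phone-B", "view_account"),
    ("192.0.2.10", "phone-C", "view_account"),
    ("192.0.2.10", "phone-A", "view_account"),
    ("198.51.100.7", "laptop-D", "view_account"),
]

class IpKeyedGate:
    """Flawed: remembers the address that logged in, not the session."""
    def __init__(self):
        self.trusted = set()
    def login(self, src):
        self.trusted.add(src)
        return None                      # no credential handed to the client
    def allowed(self, src, token):
        return src in self.trusted

class TokenGate:
    """Remembers an unguessable per-session token; the address is ignored."""
    def __init__(self):
        self.sessions = set()
    def login(self, src):
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token
    def allowed(self, src, token):
        return token is not None and token in self.sessions

def replay(requests, gate):
    """Return the clients whose view_account request was served."""
    jars, served = {}, []                # jars: each client's own cookie jar
    for src, client, action in requests:
        if action == "login":
            jars[client] = gate.login(src)
        elif gate.allowed(src, jars.get(client)):
            served.append(client)
    return served

def shared_sources(requests, threshold=3):
    """Addresses fronting at least `threshold` distinct clients (in practice,
    distinct sessions or accounts); treat these as gateways, not as users."""
    seen = defaultdict(set)
    for src, client, _ in requests:
        seen[src].add(client)
    return {s: len(c) for s, c in seen.items() if len(c) >= threshold}
```

Addresses flagged by `shared_sources` are poor keys for allow-lists, lockouts or per-address rate limits, since one decision applies to everyone behind the translator.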
Provider-deployed temporary addresses aren’t the only way to bridge the gap between users operating in the IPv6 world and a system still functioning in the IPv4 paradigm. Another common solution lies in “dual stacking,” said Richard Jimmerson, director of deployment and operationalization at the Internet Society. This involves creating essentially redundant systems that can simultaneously accommodate either protocol.
For those looking to go this route, the general idea is to take a phased approach in which one first enables TCP/IP protocol stacks on core routers. Next come the routers on the perimeter, followed by data center routers and eventually desktop-access routers. “You want to do it in stages,” Jimmerson said. “You don’t go into your entire network and replace the address in every device. You maintain your IPv4 infrastructure, but you add access to IPv6.”
While dual stacking has proved successful, it has its hazards. Some have noted that much VPN client and server software is not yet ready to adapt to IPv6. As a result, dual-stacked hosts may be vulnerable to security breaches through, for example, VPN traffic leaks.
Despite such hurdles, Jimmerson predicted that dual stacking will be the most popular solution for the foreseeable future. “We are moving into the world where we are going to have a dual-stacked Internet,” he said. “If I was an agency inside a state government, my priority would be to at least take my primary forms of network communications that my citizens use and make those IPv6 capable.”
The alternative scenario: A citizen cannot access government systems for vital services or information. “You certainly don’t want to have that happen,” Jimmerson said.
That’s one reason to make the switch: user/provider incompatibility. Another more basic driver is the simple fact of IPv4 running dry. Together these were enough to raise a hue and cry a couple of years ago. So why have things gone so quiet? Whither the crisis?
Easing the Tension
Delaware’s Hickox sees a few reasons for the echoing silence. In the first place, cloud computing and software as a service (SaaS) are taking the pressure off by reducing the number of devices needed in government. “The industry is going to SaaS-type solutions, and in the SaaS model you are replacing internal servers, internal infrastructure, with a single address point,” he said. His department has begun signing SaaS contracts, “and we are looking to have a lot more.”
In addition, Hickox noted that a seemingly endless recession also has taken the heat off. “It is driven by economics. If you have economies that are booming, businesses that are starting or businesses that are growing, there will be an increased need,” he said. Government, too, would feel the pressure of economic expansion; however, he said, that hasn’t happened yet.
More to the point, the world keeps turning, despite having nominally run out of IPv4 addresses. The fact is that many of the addresses already out there still have not been put into use. There’s still a long way to go before the last IPv4 address has actually been assigned to a device.
As a result, the Internet still works; devices still work. Government IT is functioning as well as ever. “So people feel like they still have time,” Jimmerson said. “They are still hedging their bets about when they have to do it.”